From 0fe3c4372a30c710497680ab05c3ba73f00efec8 Mon Sep 17 00:00:00 2001
From: Hector Vido
Date: Thu, 27 Feb 2025 11:34:36 -0300
Subject: [PATCH] Changed the default value for OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY to true
---
 .../ipi-aws-pre-publicsubnets-chain.yaml | 1 -
 .../ipi-conf-aws-publicsubnets-commands.sh | 14 +-
 ...-conf-aws-user-min-permissions-commands.sh | 496 +++++++++--------
 .../aws/ipi-install-install-aws-ref.yaml | 2 +-
 .../install/ipi-install-install-ref.yaml | 2 +-
 .../ipi/install/ipi-install-chain.yaml | 1 +
 6 files changed, 267 insertions(+), 249 deletions(-)
diff --git a/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml b/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml
index 7575d8371c99e..084b25cec10e9 100644
--- a/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml
+++ b/ci-operator/step-registry/ipi/aws/pre/publicsubnets/ipi-aws-pre-publicsubnets-chain.yaml
@@ -1,7 +1,6 @@ chain:
 as: ipi-aws-pre-publicsubnets
 steps:
- - chain: ipi-conf-aws-publicsubnets
 - chain: ipi-install
 documentation: |-
 The IPI setup step contains all steps that provision an OpenShift cluster
diff --git a/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh b/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh
index 57f36f11a7b0d..ae2af567c9828 100755
--- a/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh
+++ b/ci-operator/step-registry/ipi/conf/aws/publicsubnets/ipi-conf-aws-publicsubnets-commands.sh
@@ -4,7 +4,16 @@ set -o nounset set -o errexit set -o pipefail -export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" +if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY:-true}" != "true" ]]; then + return +fi + +if [[ -f "${SHARED_DIR}/aws_minimal_permission" ]]; then + echo "Setting AWS credential with minimal permision for installer" + export AWS_SHARED_CREDENTIALS_FILE=${SHARED_DIR}/aws_minimal_permission +else + export AWS_SHARED_CREDENTIALS_FILE=${CLUSTER_PROFILE_DIR}/.awscred +fi function join_by { local IFS="$1"; shift; echo "$*"; } @@ -190,8 +199,7 @@ Outputs: EOF # The above cloudformation template's max zones account is 3 -if [[ "${ZONES_COUNT}" -gt 3 ]] -then +if [[ "${ZONES_COUNT}" -gt 3 ]]; then ZONES_COUNT=3 fi diff --git a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh index be58e2aeb4b14..b3d944e2e046a 100644 --- a/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh +++ b/ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh @@ -60,7 +60,6 @@ if [ "${FIPS_ENABLED:-false}" = "true" ]; then export OPENSHIFT_INSTALL_SKIP_HOSTCRYPT_VALIDATION=true fi - if [[ "${AWS_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then export AWS_SHARED_CREDENTIALS_FILE="${CLUSTER_PROFILE_DIR}/.awscred" 
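Review bot: The `return` inside the new `OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY` guard is only valid in a function or a sourced file; when this commands.sh is executed as a script, bash reports that `return` cannot be used there and the command fails, and with `set -o errexit` already in force above it the step exits non-zero instead of quietly skipping. Replace it with `exit 0`. The two new `export AWS_SHARED_CREDENTIALS_FILE=` assignments also dropped the quoting the removed line had; `export AWS_SHARED_CREDENTIALS_FILE="${SHARED_DIR}/aws_minimal_permission"` (and the same for the `${CLUSTER_PROFILE_DIR}/.awscred` branch) keeps the path intact if either directory ever contains whitespace. Since the script now silently falls back to the full cluster-profile credential when the minimal-permission file is absent, a matching log line in the `else` branch would make it obvious in job output which credential was used.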
@@ -84,191 +83,191 @@ if [[ "${AWS_INSTALL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then USER_POLICY_FILE="${SHARED_DIR}/${USER_POLICY_FILENAME}" PERMISION_LIST="${ARTIFACT_DIR}/permision_list.txt" - if ((ocp_major_version < 4 || (ocp_major_version == 4 && ocp_minor_version < 18))); then + if [[ ${ocp_major_version} -lt 4 || (${ocp_major_version} -eq 4 && ${ocp_minor_version} -lt 18) ]]; then # There is no installer support for generating permissions prior to 4.18, so we generate one ourselves - cat <"${PERMISION_LIST}" -autoscaling:DescribeAutoScalingGroups -ec2:AllocateAddress -ec2:AssociateAddress -ec2:AssociateDhcpOptions -ec2:AssociateRouteTable -ec2:AttachInternetGateway -ec2:AttachNetworkInterface -ec2:AuthorizeSecurityGroupEgress -ec2:AuthorizeSecurityGroupIngress -ec2:CopyImage -ec2:CreateDhcpOptions -ec2:CreateInternetGateway -ec2:CreateNatGateway -ec2:CreateNetworkInterface -ec2:CreateRoute -ec2:CreateRouteTable -ec2:CreateSecurityGroup -ec2:CreateSubnet -ec2:CreateTags -ec2:CreateVolume -ec2:CreateVpc -ec2:CreateVpcEndpoint -ec2:DeleteDhcpOptions -ec2:DeleteInternetGateway -ec2:DeleteNatGateway -ec2:DeleteNetworkInterface -ec2:DeleteRoute -ec2:DeleteRouteTable -ec2:DeleteSecurityGroup -ec2:DeleteSnapshot -ec2:DeleteSubnet -ec2:DeleteTags -ec2:DeleteVolume -ec2:DeleteVpc -ec2:DeleteVpcEndpoints -ec2:DeregisterImage -ec2:DescribeAccountAttributes -ec2:DescribeAddresses -ec2:DescribeAvailabilityZones -ec2:DescribeDhcpOptions -ec2:DescribeImages -ec2:DescribeInstanceAttribute -ec2:DescribeInstanceCreditSpecifications -ec2:DescribeInstances -ec2:DescribeInstanceTypeOfferings -ec2:DescribeInstanceTypes -ec2:DescribeInternetGateways -ec2:DescribeKeyPairs -ec2:DescribeNatGateways -ec2:DescribeNetworkAcls -ec2:DescribeNetworkInterfaces -ec2:DescribePrefixLists -ec2:DescribeRegions -ec2:DescribeRouteTables -ec2:DescribeSecurityGroups -ec2:DescribeSubnets -ec2:DescribeTags -ec2:DescribeVolumes -ec2:DescribeVpcAttribute -ec2:DescribeVpcClassicLink 
-ec2:DescribeVpcClassicLinkDnsSupport -ec2:DescribeVpcEndpoints -ec2:DescribeVpcs -ec2:DetachInternetGateway -ec2:DisassociateRouteTable -ec2:GetEbsDefaultKmsKeyId -ec2:ModifyInstanceAttribute -ec2:ModifyNetworkInterfaceAttribute -ec2:ModifySubnetAttribute -ec2:ModifyVpcAttribute -ec2:ReleaseAddress -ec2:ReplaceRouteTableAssociation -ec2:RevokeSecurityGroupEgress -ec2:RevokeSecurityGroupIngress -ec2:RunInstances -ec2:TerminateInstances -elasticloadbalancing:AddTags -elasticloadbalancing:ApplySecurityGroupsToLoadBalancer -elasticloadbalancing:AttachLoadBalancerToSubnets -elasticloadbalancing:ConfigureHealthCheck -elasticloadbalancing:CreateListener -elasticloadbalancing:CreateLoadBalancer -elasticloadbalancing:CreateLoadBalancerListeners -elasticloadbalancing:CreateTargetGroup -elasticloadbalancing:DeleteLoadBalancer -elasticloadbalancing:DeleteTargetGroup -elasticloadbalancing:DeregisterInstancesFromLoadBalancer -elasticloadbalancing:DeregisterTargets -elasticloadbalancing:DescribeInstanceHealth -elasticloadbalancing:DescribeListeners -elasticloadbalancing:DescribeLoadBalancerAttributes -elasticloadbalancing:DescribeLoadBalancers -elasticloadbalancing:DescribeTags -elasticloadbalancing:DescribeTargetGroupAttributes -elasticloadbalancing:DescribeTargetGroups -elasticloadbalancing:DescribeTargetHealth -elasticloadbalancing:ModifyLoadBalancerAttributes -elasticloadbalancing:ModifyTargetGroup -elasticloadbalancing:ModifyTargetGroupAttributes -elasticloadbalancing:RegisterInstancesWithLoadBalancer -elasticloadbalancing:RegisterTargets -elasticloadbalancing:SetLoadBalancerPoliciesOfListener -iam:AddRoleToInstanceProfile -iam:CreateInstanceProfile -iam:CreateRole -iam:DeleteAccessKey -iam:DeleteInstanceProfile -iam:DeleteRole -iam:DeleteRolePolicy -iam:DeleteUser -iam:DeleteUserPolicy -iam:GetInstanceProfile -iam:GetRole -iam:GetRolePolicy -iam:GetUser -iam:GetUserPolicy -iam:ListAccessKeys -iam:ListAttachedRolePolicies -iam:ListInstanceProfiles 
-iam:ListInstanceProfilesForRole -iam:ListRolePolicies -iam:ListRoles -iam:ListUserPolicies -iam:ListUsers -iam:PassRole -iam:PutRolePolicy -iam:PutUserPolicy -iam:RemoveRoleFromInstanceProfile -iam:SimulatePrincipalPolicy -iam:TagRole -iam:TagUser -iam:UntagRole -route53:ChangeResourceRecordSets -route53:ChangeTagsForResource -route53:CreateHostedZone -route53:DeleteHostedZone -route53:GetChange -route53:GetHostedZone -route53:ListHostedZones -route53:ListHostedZonesByName -route53:ListResourceRecordSets -route53:ListTagsForResource -route53:UpdateHostedZoneComment -s3:AbortMultipartUpload -s3:CreateBucket -s3:DeleteBucket -s3:DeleteObject -s3:GetAccelerateConfiguration -s3:GetBucketAcl -s3:GetBucketCors -s3:GetBucketLocation -s3:GetBucketLogging -s3:GetBucketObjectLockConfiguration -s3:GetBucketPublicAccessBlock -s3:GetBucketReplication -s3:GetBucketRequestPayment -s3:GetBucketTagging -s3:GetBucketVersioning -s3:GetBucketWebsite -s3:GetEncryptionConfiguration -s3:GetLifecycleConfiguration -s3:GetObject -s3:GetObjectAcl -s3:GetObjectTagging -s3:GetObjectVersion -s3:GetReplicationConfiguration -s3:HeadBucket -s3:ListBucket -s3:ListBucketMultipartUploads -s3:ListBucketVersions -s3:PutBucketAcl -s3:PutBucketPublicAccessBlock -s3:PutBucketTagging -s3:PutEncryptionConfiguration -s3:PutLifecycleConfiguration -s3:PutObject -s3:PutObjectAcl -s3:PutObjectTagging -servicequotas:ListAWSDefaultServiceQuotas -tag:GetResources -EOF + cat <<-EOF > "${PERMISION_LIST}" + autoscaling:DescribeAutoScalingGroups + ec2:AllocateAddress + ec2:AssociateAddress + ec2:AssociateDhcpOptions + ec2:AssociateRouteTable + ec2:AttachInternetGateway + ec2:AttachNetworkInterface + ec2:AuthorizeSecurityGroupEgress + ec2:AuthorizeSecurityGroupIngress + ec2:CopyImage + ec2:CreateDhcpOptions + ec2:CreateInternetGateway + ec2:CreateNatGateway + ec2:CreateNetworkInterface + ec2:CreateRoute + ec2:CreateRouteTable + ec2:CreateSecurityGroup + ec2:CreateSubnet + ec2:CreateTags + ec2:CreateVolume + 
ec2:CreateVpc + ec2:CreateVpcEndpoint + ec2:DeleteDhcpOptions + ec2:DeleteInternetGateway + ec2:DeleteNatGateway + ec2:DeleteNetworkInterface + ec2:DeleteRoute + ec2:DeleteRouteTable + ec2:DeleteSecurityGroup + ec2:DeleteSnapshot + ec2:DeleteSubnet + ec2:DeleteTags + ec2:DeleteVolume + ec2:DeleteVpc + ec2:DeleteVpcEndpoints + ec2:DeregisterImage + ec2:DescribeAccountAttributes + ec2:DescribeAddresses + ec2:DescribeAvailabilityZones + ec2:DescribeDhcpOptions + ec2:DescribeImages + ec2:DescribeInstanceAttribute + ec2:DescribeInstanceCreditSpecifications + ec2:DescribeInstances + ec2:DescribeInstanceTypeOfferings + ec2:DescribeInstanceTypes + ec2:DescribeInternetGateways + ec2:DescribeKeyPairs + ec2:DescribeNatGateways + ec2:DescribeNetworkAcls + ec2:DescribeNetworkInterfaces + ec2:DescribePrefixLists + ec2:DescribeRegions + ec2:DescribeRouteTables + ec2:DescribeSecurityGroups + ec2:DescribeSubnets + ec2:DescribeTags + ec2:DescribeVolumes + ec2:DescribeVpcAttribute + ec2:DescribeVpcClassicLink + ec2:DescribeVpcClassicLinkDnsSupport + ec2:DescribeVpcEndpoints + ec2:DescribeVpcs + ec2:DetachInternetGateway + ec2:DisassociateRouteTable + ec2:GetEbsDefaultKmsKeyId + ec2:ModifyInstanceAttribute + ec2:ModifyNetworkInterfaceAttribute + ec2:ModifySubnetAttribute + ec2:ModifyVpcAttribute + ec2:ReleaseAddress + ec2:ReplaceRouteTableAssociation + ec2:RevokeSecurityGroupEgress + ec2:RevokeSecurityGroupIngress + ec2:RunInstances + ec2:TerminateInstances + elasticloadbalancing:AddTags + elasticloadbalancing:ApplySecurityGroupsToLoadBalancer + elasticloadbalancing:AttachLoadBalancerToSubnets + elasticloadbalancing:ConfigureHealthCheck + elasticloadbalancing:CreateListener + elasticloadbalancing:CreateLoadBalancer + elasticloadbalancing:CreateLoadBalancerListeners + elasticloadbalancing:CreateTargetGroup + elasticloadbalancing:DeleteLoadBalancer + elasticloadbalancing:DeleteTargetGroup + elasticloadbalancing:DeregisterInstancesFromLoadBalancer + elasticloadbalancing:DeregisterTargets 
+ elasticloadbalancing:DescribeInstanceHealth + elasticloadbalancing:DescribeListeners + elasticloadbalancing:DescribeLoadBalancerAttributes + elasticloadbalancing:DescribeLoadBalancers + elasticloadbalancing:DescribeTags + elasticloadbalancing:DescribeTargetGroupAttributes + elasticloadbalancing:DescribeTargetGroups + elasticloadbalancing:DescribeTargetHealth + elasticloadbalancing:ModifyLoadBalancerAttributes + elasticloadbalancing:ModifyTargetGroup + elasticloadbalancing:ModifyTargetGroupAttributes + elasticloadbalancing:RegisterInstancesWithLoadBalancer + elasticloadbalancing:RegisterTargets + elasticloadbalancing:SetLoadBalancerPoliciesOfListener + iam:AddRoleToInstanceProfile + iam:CreateInstanceProfile + iam:CreateRole + iam:DeleteAccessKey + iam:DeleteInstanceProfile + iam:DeleteRole + iam:DeleteRolePolicy + iam:DeleteUser + iam:DeleteUserPolicy + iam:GetInstanceProfile + iam:GetRole + iam:GetRolePolicy + iam:GetUser + iam:GetUserPolicy + iam:ListAccessKeys + iam:ListAttachedRolePolicies + iam:ListInstanceProfiles + iam:ListInstanceProfilesForRole + iam:ListRolePolicies + iam:ListRoles + iam:ListUserPolicies + iam:ListUsers + iam:PassRole + iam:PutRolePolicy + iam:PutUserPolicy + iam:RemoveRoleFromInstanceProfile + iam:SimulatePrincipalPolicy + iam:TagRole + iam:TagUser + iam:UntagRole + route53:ChangeResourceRecordSets + route53:ChangeTagsForResource + route53:CreateHostedZone + route53:DeleteHostedZone + route53:GetChange + route53:GetHostedZone + route53:ListHostedZones + route53:ListHostedZonesByName + route53:ListResourceRecordSets + route53:ListTagsForResource + route53:UpdateHostedZoneComment + s3:AbortMultipartUpload + s3:CreateBucket + s3:DeleteBucket + s3:DeleteObject + s3:GetAccelerateConfiguration + s3:GetBucketAcl + s3:GetBucketCors + s3:GetBucketLocation + s3:GetBucketLogging + s3:GetBucketObjectLockConfiguration + s3:GetBucketPublicAccessBlock + s3:GetBucketReplication + s3:GetBucketRequestPayment + s3:GetBucketTagging + 
s3:GetBucketVersioning + s3:GetBucketWebsite + s3:GetEncryptionConfiguration + s3:GetLifecycleConfiguration + s3:GetObject + s3:GetObjectAcl + s3:GetObjectTagging + s3:GetObjectVersion + s3:GetReplicationConfiguration + s3:HeadBucket + s3:ListBucket + s3:ListBucketMultipartUploads + s3:ListBucketVersions + s3:PutBucketAcl + s3:PutBucketPublicAccessBlock + s3:PutBucketTagging + s3:PutEncryptionConfiguration + s3:PutLifecycleConfiguration + s3:PutObject + s3:PutObjectAcl + s3:PutObjectTagging + servicequotas:ListAWSDefaultServiceQuotas + tag:GetResources + EOF if [[ ${CREDENTIALS_MODE} == "Mint" ]] || [[ ${CREDENTIALS_MODE} == "" ]]; then echo "iam:CreateAccessKey" >> "${PERMISION_LIST}" 
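Review bot: The rewritten heredoc `cat <<-EOF > "${PERMISION_LIST}"` strips leading tab characters only; if the added action lines and the closing `EOF` are indented with spaces, every action is written to the list with leading whitespace (which, unless the jsoner strips it, ends up inside the IAM policy) and the indented `EOF` is never recognised as the terminator, so the heredoc swallows the rest of the script. The diff cannot show whether these are tabs or spaces, so please confirm they are tabs or remove the indentation and use plain `<<EOF`. The same construct is used in the later hunks at `@@ -355` and `@@ -369` of this file. The enclosing `if [[ ${ocp_major_version} -lt 4 ... ]]` block continues past the end of this hunk.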
@@ -278,40 +277,40 @@ EOF # additional permisions for 4.11+ if ((ocp_minor_version >= 11 && ocp_major_version == 4)); then # base - echo "ec2:DeletePlacementGroup" >>"${PERMISION_LIST}" - echo "s3:GetBucketPolicy" >>"${PERMISION_LIST}" + echo "ec2:DeletePlacementGroup" >> "${PERMISION_LIST}" + echo "s3:GetBucketPolicy" >> "${PERMISION_LIST}" fi # additional permisions for 4.14+ if ((ocp_minor_version >= 14 && ocp_major_version == 4)); then # base - echo "ec2:DescribeSecurityGroupRules" >>"${PERMISION_LIST}" + echo "ec2:DescribeSecurityGroupRules" >> "${PERMISION_LIST}" fi # additional permisions for 4.15+ if ((ocp_minor_version >= 15 && ocp_major_version == 4)); then # base - echo "iam:TagInstanceProfile" >>"${PERMISION_LIST}" + echo "iam:TagInstanceProfile" >> "${PERMISION_LIST}" fi # additional permisions for 4.16+ if ((ocp_minor_version >= 16 && ocp_major_version == 4)); then # base - echo "elasticloadbalancing:SetSecurityGroups" >>"${PERMISION_LIST}" - echo "s3:PutBucketPolicy" >>"${PERMISION_LIST}" + echo "elasticloadbalancing:SetSecurityGroups" >> "${PERMISION_LIST}" + echo "s3:PutBucketPolicy" >> "${PERMISION_LIST}" fi # Shared-VPC (4.14+) # https://issues.redhat.com/browse/OCPBUGS-17751 # platform.aws.hostedZoneRole if grep -q "hostedZoneRole" "${CONFIG}"; then - echo "sts:AssumeRole" >>"${PERMISION_LIST}" + echo "sts:AssumeRole" >> "${PERMISION_LIST}" fi # byo public ipv4 pool (4.16+) # platform.aws.publicIpv4Pool if grep -q "publicIpv4Pool" "${CONFIG}"; then - echo "ec2:DisassociateAddress" >>"${PERMISION_LIST}" + echo "ec2:DisassociateAddress" >> "${PERMISION_LIST}" fi # byo IAM Profile (4.17+) 
@@ -320,14 +319,14 @@ EOF # compute[0].platform.aws.iamProfile # controlPlane.platform.aws.iamProfile if grep -q "iamProfile" "${CONFIG}"; then - echo "tag:UntagResources" >>"${PERMISION_LIST}" - echo "iam:UntagInstanceProfile" >>"${PERMISION_LIST}" + echo "tag:UntagResources" >> "${PERMISION_LIST}" + echo "iam:UntagInstanceProfile" >> "${PERMISION_LIST}" fi # Shared network # platform.aws.subnets if grep -q "subnets" "${CONFIG}"; then - echo "tag:UntagResources" >>"${PERMISION_LIST}" + echo "tag:UntagResources" >> "${PERMISION_LIST}" fi else @@ -355,9 +354,19 @@ EOF rm -rf "${dir}" fi - - create_jsoner_py + # Force all clusters when not configured + # explicitly to use public IP avoiding NAT + if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY:-true}" == "true" ]]; then + cat >> "${PERMISION_LIST}" <<-EOF + sqs:* + cloudformation:CreateStack + cloudformation:DescribeStacks + EOF + fi + + create_jsoner_py + # generate policy file and save it to shared dir so later steps have access to it. cat "${PERMISION_LIST}" | sort | uniq | python3 ${JSONER_PY} >"${USER_POLICY_FILE}" 
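Review bot: `sqs:*` in the new public-only block is a service-wide wildcard added to a list whose purpose is a minimal-permission installer user; it should be narrowed to the specific SQS actions the install actually performs, which this diff does not reveal. The block also grants `cloudformation:CreateStack` and `cloudformation:DescribeStacks` but no `cloudformation:DeleteStack`, so if the same credential later tears the stack down that step will fail — confirm which credential performs the cleanup. The comment above the block explains the default but not the permissions; something like `# OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY defaults to true; <step name> needs these SQS and CloudFormation actions for <reason>` with the placeholders filled in would let the next reader audit the list. The version `if/else` enclosing this code starts outside the hunk, so check whether the block lands inside the 4.18+ `else` branch or after the `fi`, which decides whether the hand-built pre-4.18 list also receives these actions.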
@@ -369,60 +378,61 @@ else echo "Custom AWS user with minimal permissions is disabled for installer. Using AWS user from cluster profile." fi - - if [[ "${AWS_CCOCTL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]; then USER_POLICY_FILENAME="aws-permissions-policy-creds-ccoctl.json" USER_POLICY_FILE="${SHARED_DIR}/${USER_POLICY_FILENAME}" PERMISION_LIST="${ARTIFACT_DIR}/permision_list_ccoctl.txt" - cat < "${PERMISION_LIST}" -cloudfront:ListCloudFrontOriginAccessIdentities -cloudfront:ListDistributions -cloudfront:ListTagsForResource -iam:CreateOpenIDConnectProvider -iam:CreateRole -iam:DeleteOpenIDConnectProvider -iam:DeleteRole -iam:DeleteRolePolicy -iam:GetOpenIDConnectProvider -iam:GetRole -iam:GetUser -iam:ListOpenIDConnectProviders -iam:ListRolePolicies -iam:ListRoles -iam:PutRolePolicy -iam:TagOpenIDConnectProvider -iam:TagRole -s3:CreateBucket -s3:DeleteBucket -s3:DeleteObject -s3:GetBucketAcl -s3:GetBucketTagging -s3:GetObject -s3:GetObjectAcl -s3:GetObjectTagging -s3:ListBucket -s3:PutBucketAcl -s3:PutBucketPolicy -s3:PutBucketPublicAccessBlock -s3:PutBucketTagging -s3:PutObject -s3:PutObjectAcl -s3:PutObjectTagging -EOF + cat <<-EOF > "${PERMISION_LIST}" + cloudfront:ListCloudFrontOriginAccessIdentities + cloudfront:ListDistributions + cloudfront:ListTagsForResource + iam:CreateOpenIDConnectProvider + iam:CreateRole + iam:DeleteOpenIDConnectProvider + iam:DeleteRole + iam:DeleteRolePolicy + iam:GetOpenIDConnectProvider + iam:GetRole + iam:GetUser + iam:ListOpenIDConnectProviders + iam:ListRolePolicies + iam:ListRoles + iam:PutRolePolicy + iam:TagOpenIDConnectProvider + iam:TagRole + s3:CreateBucket + s3:DeleteBucket + s3:DeleteObject + s3:GetBucketAcl + s3:GetBucketTagging + s3:GetObject + s3:GetObjectAcl + s3:GetObjectTagging + s3:ListBucket + s3:PutBucketAcl + s3:PutBucketPolicy + s3:PutBucketPublicAccessBlock + s3:PutBucketTagging + s3:PutObject + s3:PutObjectAcl + s3:PutObjectTagging + EOF + if [[ "${STS_USE_PRIVATE_S3}" == "yes" ]]; then # enable option 
--create-private-s3-bucket - echo "cloudfront:CreateCloudFrontOriginAccessIdentity" >> "${PERMISION_LIST}" - echo "cloudfront:CreateDistribution" >> "${PERMISION_LIST}" - echo "cloudfront:DeleteCloudFrontOriginAccessIdentity" >> "${PERMISION_LIST}" - echo "cloudfront:DeleteDistribution" >> "${PERMISION_LIST}" - echo "cloudfront:GetCloudFrontOriginAccessIdentity" >> "${PERMISION_LIST}" - echo "cloudfront:GetCloudFrontOriginAccessIdentityConfig" >> "${PERMISION_LIST}" - echo "cloudfront:GetDistribution" >> "${PERMISION_LIST}" - echo "cloudfront:TagResource" >> "${PERMISION_LIST}" - echo "cloudfront:UpdateDistribution" >> "${PERMISION_LIST}" + cat <<-EOF > "${PERMISION_LIST}" + cloudfront:CreateCloudFrontOriginAccessIdentity + cloudfront:CreateDistribution + cloudfront:DeleteCloudFrontOriginAccessIdentity + cloudfront:DeleteDistribution + cloudfront:GetCloudFrontOriginAccessIdentity + cloudfront:GetCloudFrontOriginAccessIdentityConfig + cloudfront:GetDistribution + cloudfront:TagResource + cloudfront:UpdateDistributio + EOF fi create_jsoner_py diff --git a/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml b/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml index 6356cff928ee1..0489ab3d24b7b 100644 --- a/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml +++ b/ci-operator/step-registry/ipi/install/install/aws/ipi-install-install-aws-ref.yaml @@ -41,7 +41,7 @@ ref: - name: EDGE_NODE_WORKER_ASSIGN_PUBLIC_IP default: "no" - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY - default: "" + default: "true" documentation: "Whether to use public only subnets. Implies no NAT gateways. Requires a VPC to be configured prior to install" - name: TF_LOG default: "INFO" diff --git a/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml b/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml index eb422b8c6b2c9..3480dde5ac5bd 100644 
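Review bot: In the `STS_USE_PRIVATE_S3` block the nine `echo ... >> "${PERMISION_LIST}"` appends were replaced by `cat <<-EOF > "${PERMISION_LIST}"`, which truncates the file and discards the cloudfront/iam/s3 base list written just above it, so the generated ccoctl policy contains only the CloudFront actions. It should be `cat >> "${PERMISION_LIST}" <<-EOF` (or `cat <<-EOF >> "${PERMISION_LIST}"`). The last entry is also misspelled as `cloudfront:UpdateDistributio`; the removed line had `cloudfront:UpdateDistribution`, and with the typo that action is silently not granted. The `if [[ "${AWS_CCOCTL_USE_MINIMAL_PERMISSIONS}" == "yes" ]]` block continues past the end of the hunk.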
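Review bot: The documentation string next to the new `default: "true"` is unchanged and still says "Requires a VPC to be configured prior to install", which with this default now reads as a requirement on every job that uses this ref; it should state the default and where that VPC is expected to come from, e.g. `documentation: "Whether to use public only subnets. Implies no NAT gateways. Defaults to 'true', in which case a VPC must already exist (presumably provisioned by ipi-conf-aws-publicsubnets, now in the ipi-install chain); set to 'false' to keep NAT gateways."` The same applies to the matching hunk in ipi-install-install-ref.yaml, and the `${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY:-true}` fallback in ipi-conf-aws-publicsubnets-commands.sh is a third place where the default is spelled out; keep all three in sync or the script and the refs will disagree when one is changed.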
--- a/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml
+++ b/ci-operator/step-registry/ipi/install/install/ipi-install-install-ref.yaml
@@ -56,7 +56,7 @@ ref:
 default: "false"
 documentation: "Use AWS Spot Instances for *master* nodes. Set to 'true' to opt into spot instances. Explicitly set to 'false' to opt out. Leave unset for the default, which may change. Note that spot masters are only supported when installing with a) CAPI; or b) newer installer versions (see https://github.com/openshift/installer/pull/8349). A preflight check will fail if this variable is set to 'true' for an unsupported configuration."
 - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
- default: ""
+ default: "true"
 documentation: "Whether to use only public subnets for AWS. Implies no NAT Gateways. Requires a VPC to be configured prior to install."
 dependencies:
 - name: "release:latest"
diff --git a/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml b/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml
index 7c772c2d6f15d..4ccd1052e7525 100644
--- a/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml
+++ b/ci-operator/step-registry/ipi/install/ipi-install-chain.yaml
@@ -4,6 +4,7 @@ chain:
 - ref: ipi-install-rbac
 - ref: openshift-cluster-bot-rbac
 - ref: ipi-install-hosted-loki
+ - ref: ipi-conf-aws-publicsubnets
 - ref: ipi-install-install
 - ref: ipi-install-times-collection
 - ref: nodes-readiness
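Review bot: `ipi-conf-aws-publicsubnets` is added to the generic `ipi-install` chain (having been removed from the AWS-specific `ipi-aws-pre-publicsubnets` chain in the first hunk), while the step's only gate is `OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY`, which now defaults to true. If this chain is also consumed by non-AWS jobs — the diff does not show its consumers — the step would run there, read `${CLUSTER_PROFILE_DIR}/.awscred` and try to create AWS resources, either failing the job or leaving stray resources behind; consider gating the step on the cluster type as well, or keeping it in an AWS-only chain. A short comment on the new line, such as `# conf step for AWS public-only subnets; must precede ipi-install-install so its CloudFormation stack exists`, would document why a conf step sits among install refs.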