diff --git a/pkg/cfn/template/testdata/addon-example-1.json b/pkg/cfn/template/testdata/addon-example-1.json
index 3cd6451ac42..12c71dcf137 100644
--- a/pkg/cfn/template/testdata/addon-example-1.json
+++ b/pkg/cfn/template/testdata/addon-example-1.json
@@ -1 +1,41 @@
-{"AWSTemplateFormatVersion":"2010-09-09","Description":"IAM role for serviceaccount \"default/sa-1\" [created and managed by eksctl]","Resources":{"Role1":{"Type":"AWS::IAM::Role","Properties":{"AssumeRolePolicyDocument":{"Statement":[{"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E:aud":"sts.amazonaws.com","oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E:sub":"system:serviceaccount:default:sa-1"}},"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::456123987123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E"}}],"Version":"2012-10-17"},"ManagedPolicyArns":["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]}}},"Outputs":{"Role1":{"Value":{"Fn::GetAtt":"Role1.Arn"}}}}
\ No newline at end of file
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "IAM role for serviceaccount \"default/sa-1\" [created and managed by eksctl]",
+ "Resources": {
+ "Role1": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "sts:AssumeRoleWithWebIdentity"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E:aud": "sts.amazonaws.com",
+ "oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E:sub": "system:serviceaccount:default:sa-1"
+ }
+ },
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::456123987123:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/A39A2842863C47208955D753DE205E6E"
+ }
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "ManagedPolicyArns": [
+ "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
+ ]
+ }
+ }
+ },
+ "Outputs": {
+ "Role1": {
+ "Value": {
+ "Fn::GetAtt": "Role1.Arn"
+ }
+ }
+ }
+}
diff --git a/pkg/cfn/template/testdata/cluster-example-1.json b/pkg/cfn/template/testdata/cluster-example-1.json
index 575418bb149..e8a865e5e94 100644
--- a/pkg/cfn/template/testdata/cluster-example-1.json
+++ b/pkg/cfn/template/testdata/cluster-example-1.json
@@ -1 +1,664 @@ -{"AWSTemplateFormatVersion":"2010-09-09","Description":"EKS cluster (dedicated VPC: true, dedicated IAM: true) [created and managed by eksctl]","Resources":{"ClusterSharedNodeSecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Properties":{"GroupDescription":"Communication between all nodes in the cluster","Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/ClusterSharedNodeSecurityGroup"}}],"VpcId":{"Ref":"VPC"}}},"ControlPlane":{"Type":"AWS::EKS::Cluster","Properties":{"Name":"wonderful-party-1565212003","ResourcesVpcConfig":{"SecurityGroupIds":[{"Ref":"ControlPlaneSecurityGroup"}],"SubnetIds":[{"Ref":"SubnetPublicUSWEST2B"},{"Ref":"SubnetPublicUSWEST2D"},{"Ref":"SubnetPublicUSWEST2C"},{"Ref":"SubnetPrivateUSWEST2B"},{"Ref":"SubnetPrivateUSWEST2D"},{"Ref":"SubnetPrivateUSWEST2C"}]},"RoleArn":{"Fn::GetAtt":"ServiceRole.Arn"},"Version":"1.13"}},"ControlPlaneSecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Properties":{"GroupDescription":"Communication between the control plane and worker nodegroups","Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/ControlPlaneSecurityGroup"}}],"VpcId":{"Ref":"VPC"}}},"IngressInterNodeGroupSG":{"Type":"AWS::EC2::SecurityGroupIngress","Properties":{"Description":"Allow nodes to communicate with each other (all 
ports)","FromPort":0,"GroupId":{"Ref":"ClusterSharedNodeSecurityGroup"},"IpProtocol":"-1","SourceSecurityGroupId":{"Ref":"ClusterSharedNodeSecurityGroup"},"ToPort":65535}},"InternetGateway":{"Type":"AWS::EC2::InternetGateway","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/InternetGateway"}}]}},"NATGateway":{"Type":"AWS::EC2::NatGateway","Properties":{"AllocationId":{"Fn::GetAtt":"NATIP.AllocationId"},"SubnetId":{"Ref":"SubnetPublicUSWEST2B"},"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/NATGateway"}}]}},"NATIP":{"Type":"AWS::EC2::EIP","Properties":{"Domain":"vpc"}},"NATPrivateSubnetRouteUSWEST2B":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","NatGatewayId":{"Ref":"NATGateway"},"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2B"}}},"NATPrivateSubnetRouteUSWEST2C":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","NatGatewayId":{"Ref":"NATGateway"},"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2C"}}},"NATPrivateSubnetRouteUSWEST2D":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","NatGatewayId":{"Ref":"NATGateway"},"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2D"}}},"PolicyCloudWatchMetrics":{"Type":"AWS::IAM::Policy","Properties":{"PolicyDocument":{"Statement":[{"Action":["cloudwatch:PutMetricData"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"PolicyName":{"Fn::Sub":"${AWS::StackName}-PolicyCloudWatchMetrics"},"Roles":[{"Ref":"ServiceRole"}]}},"PolicyNLB":{"Type":"AWS::IAM::Policy","Properties":{"PolicyDocument":{"Statement":[{"Action":["elasticloadbalancing:*","ec2:CreateSecurityGroup","ec2:Describe*"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"PolicyName":{"Fn::Sub":"${AWS::StackName}-PolicyNLB"},"Roles":[{"Ref":"ServiceRole"}]}},"PrivateRouteTableUSWEST2B":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PrivateRouteTableUSWEST2B"}}],"VpcId":{"Ref":"VPC"}}},"Pri
vateRouteTableUSWEST2C":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PrivateRouteTableUSWEST2C"}}],"VpcId":{"Ref":"VPC"}}},"PrivateRouteTableUSWEST2D":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PrivateRouteTableUSWEST2D"}}],"VpcId":{"Ref":"VPC"}}},"PublicRouteTable":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PublicRouteTable"}}],"VpcId":{"Ref":"VPC"}}},"PublicSubnetRoute":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","GatewayId":{"Ref":"InternetGateway"},"RouteTableId":{"Ref":"PublicRouteTable"}}},"RouteTableAssociationPrivateUSWEST2B":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2B"},"SubnetId":{"Ref":"SubnetPrivateUSWEST2B"}}},"RouteTableAssociationPrivateUSWEST2C":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2C"},"SubnetId":{"Ref":"SubnetPrivateUSWEST2C"}}},"RouteTableAssociationPrivateUSWEST2D":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2D"},"SubnetId":{"Ref":"SubnetPrivateUSWEST2D"}}},"RouteTableAssociationPublicUSWEST2B":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PublicRouteTable"},"SubnetId":{"Ref":"SubnetPublicUSWEST2B"}}},"RouteTableAssociationPublicUSWEST2C":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PublicRouteTable"},"SubnetId":{"Ref":"SubnetPublicUSWEST2C"}}},"RouteTableAssociationPublicUSWEST2D":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PublicRouteTable"},"SubnetId":{"Ref":"SubnetPublicUSWEST2D"}}},"ServiceRole":{"Type":"AWS::IAM::Role","Properties":{"AssumeRolePolicyDocument":{"Statement":[{"Action":["sts:AssumeRole"],"Effect":"Al
low","Principal":{"Service":["eks.amazonaws.com"]}}],"Version":"2012-10-17"},"ManagedPolicyArns":["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"]}},"SubnetPrivateUSWEST2B":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2b","CidrBlock":"192.168.96.0/19","Tags":[{"Key":"kubernetes.io/role/internal-elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPrivateUSWEST2B"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPrivateUSWEST2C":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2c","CidrBlock":"192.168.160.0/19","Tags":[{"Key":"kubernetes.io/role/internal-elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPrivateUSWEST2C"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPrivateUSWEST2D":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2d","CidrBlock":"192.168.128.0/19","Tags":[{"Key":"kubernetes.io/role/internal-elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPrivateUSWEST2D"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPublicUSWEST2B":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2b","CidrBlock":"192.168.0.0/19","Tags":[{"Key":"kubernetes.io/role/elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPublicUSWEST2B"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPublicUSWEST2C":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2c","CidrBlock":"192.168.64.0/19","Tags":[{"Key":"kubernetes.io/role/elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPublicUSWEST2C"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPublicUSWEST2D":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2d","CidrBlock":"192.168.32.0/19","Tags":[{"Key":"kubernetes.io/role/elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPublicUSWEST2D"}}],"VpcId":{"Ref":"VPC"}}},"VPC":{"Type":"AWS::EC2::VPC","Properties":{"CidrBlock":"192.168.0.0/16","EnableDnsHostnames":true,"EnableDnsSupport":true,"Tags":[{"Key
":"Name","Value":{"Fn::Sub":"${AWS::StackName}/VPC"}}]}},"VPCGatewayAttachment":{"Type":"AWS::EC2::VPCGatewayAttachment","Properties":{"InternetGatewayId":{"Ref":"InternetGateway"},"VpcId":{"Ref":"VPC"}}}},"Outputs":{"ARN":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::ARN"}},"Value":{"Fn::GetAtt":"ControlPlane.Arn"}},"CertificateAuthorityData":{"Value":{"Fn::GetAtt":"ControlPlane.CertificateAuthorityData"}},"ClusterStackName":{"Value":{"Ref":"AWS::StackName"}},"Endpoint":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::Endpoint"}},"Value":{"Fn::GetAtt":"ControlPlane.Endpoint"}},"FeatureNATMode":{"Value":"Single"},"SecurityGroup":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SecurityGroup"}},"Value":{"Ref":"ControlPlaneSecurityGroup"}},"ServiceRoleARN":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::ServiceRoleARN"}},"Value":{"Fn::GetAtt":"ServiceRole.Arn"}},"SharedNodeSecurityGroup":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SharedNodeSecurityGroup"}},"Value":{"Ref":"ClusterSharedNodeSecurityGroup"}},"SubnetsPrivate":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SubnetsPrivate"}},"Value":{"Fn::Join":[",",[{"Ref":"SubnetPrivateUSWEST2B"},{"Ref":"SubnetPrivateUSWEST2D"},{"Ref":"SubnetPrivateUSWEST2C"}]]}},"SubnetsPublic":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SubnetsPublic"}},"Value":{"Fn::Join":[",",[{"Ref":"SubnetPublicUSWEST2B"},{"Ref":"SubnetPublicUSWEST2D"},{"Ref":"SubnetPublicUSWEST2C"}]]}},"VPC":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::VPC"}},"Value":{"Ref":"VPC"}}}} +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "EKS cluster (dedicated VPC: true, dedicated IAM: true) [created and managed by eksctl]", + "Resources": { + "ClusterSharedNodeSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Communication between all nodes in the cluster", + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/ClusterSharedNodeSecurityGroup" + } + } + ], + 
"VpcId": { + "Ref": "VPC" + } + } + }, + "ControlPlane": { + "Type": "AWS::EKS::Cluster", + "Properties": { + "Name": "wonderful-party-1565212003", + "ResourcesVpcConfig": { + "SecurityGroupIds": [ + { + "Ref": "ControlPlaneSecurityGroup" + } + ], + "SubnetIds": [ + { + "Ref": "SubnetPublicUSWEST2B" + }, + { + "Ref": "SubnetPublicUSWEST2D" + }, + { + "Ref": "SubnetPublicUSWEST2C" + }, + { + "Ref": "SubnetPrivateUSWEST2B" + }, + { + "Ref": "SubnetPrivateUSWEST2D" + }, + { + "Ref": "SubnetPrivateUSWEST2C" + } + ] + }, + "RoleArn": { + "Fn::GetAtt": "ServiceRole.Arn" + }, + "Version": "1.13" + } + }, + "ControlPlaneSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Communication between the control plane and worker nodegroups", + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/ControlPlaneSecurityGroup" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "IngressInterNodeGroupSG": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "Description": "Allow nodes to communicate with each other (all ports)", + "FromPort": 0, + "GroupId": { + "Ref": "ClusterSharedNodeSecurityGroup" + }, + "IpProtocol": "-1", + "SourceSecurityGroupId": { + "Ref": "ClusterSharedNodeSecurityGroup" + }, + "ToPort": 65535 + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/InternetGateway" + } + } + ] + } + }, + "NATGateway": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": "NATIP.AllocationId" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2B" + }, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/NATGateway" + } + } + ] + } + }, + "NATIP": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc" + } + }, + "NATPrivateSubnetRouteUSWEST2B": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": 
"0.0.0.0/0", + "NatGatewayId": { + "Ref": "NATGateway" + }, + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2B" + } + } + }, + "NATPrivateSubnetRouteUSWEST2C": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "NATGateway" + }, + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2C" + } + } + }, + "NATPrivateSubnetRouteUSWEST2D": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "NATGateway" + }, + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2D" + } + } + }, + "PolicyCloudWatchMetrics": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "cloudwatch:PutMetricData" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": { + "Fn::Sub": "${AWS::StackName}-PolicyCloudWatchMetrics" + }, + "Roles": [ + { + "Ref": "ServiceRole" + } + ] + } + }, + "PolicyNLB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticloadbalancing:*", + "ec2:CreateSecurityGroup", + "ec2:Describe*" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": { + "Fn::Sub": "${AWS::StackName}-PolicyNLB" + }, + "Roles": [ + { + "Ref": "ServiceRole" + } + ] + } + }, + "PrivateRouteTableUSWEST2B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PrivateRouteTableUSWEST2B" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PrivateRouteTableUSWEST2C": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PrivateRouteTableUSWEST2C" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PrivateRouteTableUSWEST2D": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": 
"Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PrivateRouteTableUSWEST2D" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PublicRouteTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PublicRouteTable" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PublicSubnetRoute": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "InternetGateway" + }, + "RouteTableId": { + "Ref": "PublicRouteTable" + } + } + }, + "RouteTableAssociationPrivateUSWEST2B": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2B" + }, + "SubnetId": { + "Ref": "SubnetPrivateUSWEST2B" + } + } + }, + "RouteTableAssociationPrivateUSWEST2C": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2C" + }, + "SubnetId": { + "Ref": "SubnetPrivateUSWEST2C" + } + } + }, + "RouteTableAssociationPrivateUSWEST2D": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2D" + }, + "SubnetId": { + "Ref": "SubnetPrivateUSWEST2D" + } + } + }, + "RouteTableAssociationPublicUSWEST2B": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PublicRouteTable" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2B" + } + } + }, + "RouteTableAssociationPublicUSWEST2C": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PublicRouteTable" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2C" + } + } + }, + "RouteTableAssociationPublicUSWEST2D": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PublicRouteTable" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2D" + } + } + }, + "ServiceRole": { + "Type": 
"AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "eks.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" + ] + } + }, + "SubnetPrivateUSWEST2B": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2b", + "CidrBlock": "192.168.96.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPrivateUSWEST2B" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPrivateUSWEST2C": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2c", + "CidrBlock": "192.168.160.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPrivateUSWEST2C" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPrivateUSWEST2D": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2d", + "CidrBlock": "192.168.128.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPrivateUSWEST2D" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPublicUSWEST2B": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2b", + "CidrBlock": "192.168.0.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPublicUSWEST2B" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPublicUSWEST2C": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2c", + "CidrBlock": "192.168.64.0/19", + "Tags": [ + { + "Key": 
"kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPublicUSWEST2C" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPublicUSWEST2D": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2d", + "CidrBlock": "192.168.32.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPublicUSWEST2D" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "192.168.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/VPC" + } + } + ] + } + }, + "VPCGatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": { + "Ref": "InternetGateway" + }, + "VpcId": { + "Ref": "VPC" + } + } + } + }, + "Outputs": { + "ARN": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::ARN" + } + }, + "Value": { + "Fn::GetAtt": "ControlPlane.Arn" + } + }, + "CertificateAuthorityData": { + "Value": { + "Fn::GetAtt": "ControlPlane.CertificateAuthorityData" + } + }, + "ClusterStackName": { + "Value": { + "Ref": "AWS::StackName" + } + }, + "Endpoint": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::Endpoint" + } + }, + "Value": { + "Fn::GetAtt": "ControlPlane.Endpoint" + } + }, + "FeatureNATMode": { + "Value": "Single" + }, + "SecurityGroup": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SecurityGroup" + } + }, + "Value": { + "Ref": "ControlPlaneSecurityGroup" + } + }, + "ServiceRoleARN": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::ServiceRoleARN" + } + }, + "Value": { + "Fn::GetAtt": "ServiceRole.Arn" + } + }, + "SharedNodeSecurityGroup": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SharedNodeSecurityGroup" + } + }, + "Value": { + 
"Ref": "ClusterSharedNodeSecurityGroup" + } + }, + "SubnetsPrivate": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SubnetsPrivate" + } + }, + "Value": { + "Fn::Join": [ + ",", + [ + { + "Ref": "SubnetPrivateUSWEST2B" + }, + { + "Ref": "SubnetPrivateUSWEST2D" + }, + { + "Ref": "SubnetPrivateUSWEST2C" + } + ] + ] + } + }, + "SubnetsPublic": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SubnetsPublic" + } + }, + "Value": { + "Fn::Join": [ + ",", + [ + { + "Ref": "SubnetPublicUSWEST2B" + }, + { + "Ref": "SubnetPublicUSWEST2D" + }, + { + "Ref": "SubnetPublicUSWEST2C" + } + ] + ] + } + }, + "VPC": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::VPC" + } + }, + "Value": { + "Ref": "VPC" + } + } + } +}
diff --git a/pkg/cfn/template/testdata/cluster-example-2.json b/pkg/cfn/template/testdata/cluster-example-2.json
index bd3a352bf20..9157fd7414e 100644
--- a/pkg/cfn/template/testdata/cluster-example-2.json
+++ b/pkg/cfn/template/testdata/cluster-example-2.json
@@ -1 +1,664 @@ -{"AWSTemplateFormatVersion":"2010-09-09","Description":"EKS cluster (dedicated VPC: true, dedicated IAM: true) [created and managed by eksctl]","Resources":{"ClusterSharedNodeSecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Properties":{"GroupDescription":"Communication between all nodes in the cluster","Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/ClusterSharedNodeSecurityGroup"}}],"VpcId":{"Ref":"VPC"}}},"ControlPlane":{"Type":"AWS::EKS::Cluster","Properties":{"Name":"example-2","ResourcesVpcConfig":{"SecurityGroupIds":[{"Ref":"ControlPlaneSecurityGroup"}],"SubnetIds":[{"Ref":"SubnetPublicUSWEST2C"},{"Ref":"SubnetPublicUSWEST2D"},{"Ref":"SubnetPublicUSWEST2B"},{"Ref":"SubnetPrivateUSWEST2B"},{"Ref":"SubnetPrivateUSWEST2C"},{"Ref":"SubnetPrivateUSWEST2D"}]},"RoleArn":{"Fn::GetAtt":"ServiceRole.Arn"},"Version":"1.13"}},"ControlPlaneSecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Properties":{"GroupDescription":"Communication between the control plane and worker nodegroups","Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/ControlPlaneSecurityGroup"}}],"VpcId":{"Ref":"VPC"}}},"IngressInterNodeGroupSG":{"Type":"AWS::EC2::SecurityGroupIngress","Properties":{"Description":"Allow nodes to communicate with each other (all 
ports)","FromPort":0,"GroupId":{"Ref":"ClusterSharedNodeSecurityGroup"},"IpProtocol":"-1","SourceSecurityGroupId":{"Ref":"ClusterSharedNodeSecurityGroup"},"ToPort":65535}},"InternetGateway":{"Type":"AWS::EC2::InternetGateway","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/InternetGateway"}}]}},"NATGateway":{"Type":"AWS::EC2::NatGateway","Properties":{"AllocationId":{"Fn::GetAtt":"NATIP.AllocationId"},"SubnetId":{"Ref":"SubnetPublicUSWEST2D"},"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/NATGateway"}}]}},"NATIP":{"Type":"AWS::EC2::EIP","Properties":{"Domain":"vpc"}},"NATPrivateSubnetRouteUSWEST2B":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","NatGatewayId":{"Ref":"NATGateway"},"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2B"}}},"NATPrivateSubnetRouteUSWEST2C":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","NatGatewayId":{"Ref":"NATGateway"},"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2C"}}},"NATPrivateSubnetRouteUSWEST2D":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","NatGatewayId":{"Ref":"NATGateway"},"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2D"}}},"PolicyCloudWatchMetrics":{"Type":"AWS::IAM::Policy","Properties":{"PolicyDocument":{"Statement":[{"Action":["cloudwatch:PutMetricData"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"PolicyName":{"Fn::Sub":"${AWS::StackName}-PolicyCloudWatchMetrics"},"Roles":[{"Ref":"ServiceRole"}]}},"PolicyNLB":{"Type":"AWS::IAM::Policy","Properties":{"PolicyDocument":{"Statement":[{"Action":["elasticloadbalancing:*","ec2:CreateSecurityGroup","ec2:Describe*"],"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"PolicyName":{"Fn::Sub":"${AWS::StackName}-PolicyNLB"},"Roles":[{"Ref":"ServiceRole"}]}},"PrivateRouteTableUSWEST2B":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PrivateRouteTableUSWEST2B"}}],"VpcId":{"Ref":"VPC"}}},"Pri
vateRouteTableUSWEST2C":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PrivateRouteTableUSWEST2C"}}],"VpcId":{"Ref":"VPC"}}},"PrivateRouteTableUSWEST2D":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PrivateRouteTableUSWEST2D"}}],"VpcId":{"Ref":"VPC"}}},"PublicRouteTable":{"Type":"AWS::EC2::RouteTable","Properties":{"Tags":[{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/PublicRouteTable"}}],"VpcId":{"Ref":"VPC"}}},"PublicSubnetRoute":{"Type":"AWS::EC2::Route","Properties":{"DestinationCidrBlock":"0.0.0.0/0","GatewayId":{"Ref":"InternetGateway"},"RouteTableId":{"Ref":"PublicRouteTable"}}},"RouteTableAssociationPrivateUSWEST2B":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2B"},"SubnetId":{"Ref":"SubnetPrivateUSWEST2B"}}},"RouteTableAssociationPrivateUSWEST2C":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2C"},"SubnetId":{"Ref":"SubnetPrivateUSWEST2C"}}},"RouteTableAssociationPrivateUSWEST2D":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PrivateRouteTableUSWEST2D"},"SubnetId":{"Ref":"SubnetPrivateUSWEST2D"}}},"RouteTableAssociationPublicUSWEST2B":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PublicRouteTable"},"SubnetId":{"Ref":"SubnetPublicUSWEST2B"}}},"RouteTableAssociationPublicUSWEST2C":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PublicRouteTable"},"SubnetId":{"Ref":"SubnetPublicUSWEST2C"}}},"RouteTableAssociationPublicUSWEST2D":{"Type":"AWS::EC2::SubnetRouteTableAssociation","Properties":{"RouteTableId":{"Ref":"PublicRouteTable"},"SubnetId":{"Ref":"SubnetPublicUSWEST2D"}}},"ServiceRole":{"Type":"AWS::IAM::Role","Properties":{"AssumeRolePolicyDocument":{"Statement":[{"Action":["sts:AssumeRole"],"Effect":"Al
low","Principal":{"Service":["eks.amazonaws.com"]}}],"Version":"2012-10-17"},"ManagedPolicyArns":["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"]}},"SubnetPrivateUSWEST2B":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2b","CidrBlock":"192.168.128.0/19","Tags":[{"Key":"kubernetes.io/role/internal-elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPrivateUSWEST2B"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPrivateUSWEST2C":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2c","CidrBlock":"192.168.160.0/19","Tags":[{"Key":"kubernetes.io/role/internal-elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPrivateUSWEST2C"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPrivateUSWEST2D":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2d","CidrBlock":"192.168.96.0/19","Tags":[{"Key":"kubernetes.io/role/internal-elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPrivateUSWEST2D"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPublicUSWEST2B":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2b","CidrBlock":"192.168.32.0/19","Tags":[{"Key":"kubernetes.io/role/elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPublicUSWEST2B"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPublicUSWEST2C":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2c","CidrBlock":"192.168.64.0/19","Tags":[{"Key":"kubernetes.io/role/elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPublicUSWEST2C"}}],"VpcId":{"Ref":"VPC"}}},"SubnetPublicUSWEST2D":{"Type":"AWS::EC2::Subnet","Properties":{"AvailabilityZone":"us-west-2d","CidrBlock":"192.168.0.0/19","Tags":[{"Key":"kubernetes.io/role/elb","Value":"1"},{"Key":"Name","Value":{"Fn::Sub":"${AWS::StackName}/SubnetPublicUSWEST2D"}}],"VpcId":{"Ref":"VPC"}}},"VPC":{"Type":"AWS::EC2::VPC","Properties":{"CidrBlock":"192.168.0.0/16","EnableDnsHostnames":true,"EnableDnsSupport":true,"Tags":[{"Key
":"Name","Value":{"Fn::Sub":"${AWS::StackName}/VPC"}}]}},"VPCGatewayAttachment":{"Type":"AWS::EC2::VPCGatewayAttachment","Properties":{"InternetGatewayId":{"Ref":"InternetGateway"},"VpcId":{"Ref":"VPC"}}}},"Outputs":{"ARN":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::ARN"}},"Value":{"Fn::GetAtt":"ControlPlane.Arn"}},"CertificateAuthorityData":{"Value":{"Fn::GetAtt":"ControlPlane.CertificateAuthorityData"}},"ClusterStackName":{"Value":{"Ref":"AWS::StackName"}},"Endpoint":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::Endpoint"}},"Value":{"Fn::GetAtt":"ControlPlane.Endpoint"}},"FeatureNATMode":{"Value":"Single"},"SecurityGroup":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SecurityGroup"}},"Value":{"Ref":"ControlPlaneSecurityGroup"}},"ServiceRoleARN":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::ServiceRoleARN"}},"Value":{"Fn::GetAtt":"ServiceRole.Arn"}},"SharedNodeSecurityGroup":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SharedNodeSecurityGroup"}},"Value":{"Ref":"ClusterSharedNodeSecurityGroup"}},"SubnetsPrivate":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SubnetsPrivate"}},"Value":{"Fn::Join":[",",[{"Ref":"SubnetPrivateUSWEST2B"},{"Ref":"SubnetPrivateUSWEST2C"},{"Ref":"SubnetPrivateUSWEST2D"}]]}},"SubnetsPublic":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::SubnetsPublic"}},"Value":{"Fn::Join":[",",[{"Ref":"SubnetPublicUSWEST2C"},{"Ref":"SubnetPublicUSWEST2D"},{"Ref":"SubnetPublicUSWEST2B"}]]}},"VPC":{"Export":{"Name":{"Fn::Sub":"${AWS::StackName}::VPC"}},"Value":{"Ref":"VPC"}}}} +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "EKS cluster (dedicated VPC: true, dedicated IAM: true) [created and managed by eksctl]", + "Resources": { + "ClusterSharedNodeSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Communication between all nodes in the cluster", + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/ClusterSharedNodeSecurityGroup" + } + } + ], + 
"VpcId": { + "Ref": "VPC" + } + } + }, + "ControlPlane": { + "Type": "AWS::EKS::Cluster", + "Properties": { + "Name": "example-2", + "ResourcesVpcConfig": { + "SecurityGroupIds": [ + { + "Ref": "ControlPlaneSecurityGroup" + } + ], + "SubnetIds": [ + { + "Ref": "SubnetPublicUSWEST2C" + }, + { + "Ref": "SubnetPublicUSWEST2D" + }, + { + "Ref": "SubnetPublicUSWEST2B" + }, + { + "Ref": "SubnetPrivateUSWEST2B" + }, + { + "Ref": "SubnetPrivateUSWEST2C" + }, + { + "Ref": "SubnetPrivateUSWEST2D" + } + ] + }, + "RoleArn": { + "Fn::GetAtt": "ServiceRole.Arn" + }, + "Version": "1.13" + } + }, + "ControlPlaneSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Communication between the control plane and worker nodegroups", + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/ControlPlaneSecurityGroup" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "IngressInterNodeGroupSG": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "Description": "Allow nodes to communicate with each other (all ports)", + "FromPort": 0, + "GroupId": { + "Ref": "ClusterSharedNodeSecurityGroup" + }, + "IpProtocol": "-1", + "SourceSecurityGroupId": { + "Ref": "ClusterSharedNodeSecurityGroup" + }, + "ToPort": 65535 + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/InternetGateway" + } + } + ] + } + }, + "NATGateway": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": "NATIP.AllocationId" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2D" + }, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/NATGateway" + } + } + ] + } + }, + "NATIP": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc" + } + }, + "NATPrivateSubnetRouteUSWEST2B": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + 
"NatGatewayId": { + "Ref": "NATGateway" + }, + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2B" + } + } + }, + "NATPrivateSubnetRouteUSWEST2C": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "NATGateway" + }, + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2C" + } + } + }, + "NATPrivateSubnetRouteUSWEST2D": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "NATGateway" + }, + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2D" + } + } + }, + "PolicyCloudWatchMetrics": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "cloudwatch:PutMetricData" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": { + "Fn::Sub": "${AWS::StackName}-PolicyCloudWatchMetrics" + }, + "Roles": [ + { + "Ref": "ServiceRole" + } + ] + } + }, + "PolicyNLB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticloadbalancing:*", + "ec2:CreateSecurityGroup", + "ec2:Describe*" + ], + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": { + "Fn::Sub": "${AWS::StackName}-PolicyNLB" + }, + "Roles": [ + { + "Ref": "ServiceRole" + } + ] + } + }, + "PrivateRouteTableUSWEST2B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PrivateRouteTableUSWEST2B" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PrivateRouteTableUSWEST2C": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PrivateRouteTableUSWEST2C" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PrivateRouteTableUSWEST2D": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + 
"Value": { + "Fn::Sub": "${AWS::StackName}/PrivateRouteTableUSWEST2D" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PublicRouteTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/PublicRouteTable" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "PublicSubnetRoute": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "InternetGateway" + }, + "RouteTableId": { + "Ref": "PublicRouteTable" + } + } + }, + "RouteTableAssociationPrivateUSWEST2B": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2B" + }, + "SubnetId": { + "Ref": "SubnetPrivateUSWEST2B" + } + } + }, + "RouteTableAssociationPrivateUSWEST2C": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2C" + }, + "SubnetId": { + "Ref": "SubnetPrivateUSWEST2C" + } + } + }, + "RouteTableAssociationPrivateUSWEST2D": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PrivateRouteTableUSWEST2D" + }, + "SubnetId": { + "Ref": "SubnetPrivateUSWEST2D" + } + } + }, + "RouteTableAssociationPublicUSWEST2B": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PublicRouteTable" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2B" + } + } + }, + "RouteTableAssociationPublicUSWEST2C": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PublicRouteTable" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2C" + } + } + }, + "RouteTableAssociationPublicUSWEST2D": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "PublicRouteTable" + }, + "SubnetId": { + "Ref": "SubnetPublicUSWEST2D" + } + } + }, + "ServiceRole": { + "Type": 
"AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "eks.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" + ] + } + }, + "SubnetPrivateUSWEST2B": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2b", + "CidrBlock": "192.168.128.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPrivateUSWEST2B" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPrivateUSWEST2C": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2c", + "CidrBlock": "192.168.160.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPrivateUSWEST2C" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPrivateUSWEST2D": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2d", + "CidrBlock": "192.168.96.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPrivateUSWEST2D" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPublicUSWEST2B": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2b", + "CidrBlock": "192.168.32.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPublicUSWEST2B" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPublicUSWEST2C": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2c", + "CidrBlock": "192.168.64.0/19", + "Tags": [ + { + "Key": 
"kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPublicUSWEST2C" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "SubnetPublicUSWEST2D": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-west-2d", + "CidrBlock": "192.168.0.0/19", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/SubnetPublicUSWEST2D" + } + } + ], + "VpcId": { + "Ref": "VPC" + } + } + }, + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "192.168.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::StackName}/VPC" + } + } + ] + } + }, + "VPCGatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": { + "Ref": "InternetGateway" + }, + "VpcId": { + "Ref": "VPC" + } + } + } + }, + "Outputs": { + "ARN": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::ARN" + } + }, + "Value": { + "Fn::GetAtt": "ControlPlane.Arn" + } + }, + "CertificateAuthorityData": { + "Value": { + "Fn::GetAtt": "ControlPlane.CertificateAuthorityData" + } + }, + "ClusterStackName": { + "Value": { + "Ref": "AWS::StackName" + } + }, + "Endpoint": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::Endpoint" + } + }, + "Value": { + "Fn::GetAtt": "ControlPlane.Endpoint" + } + }, + "FeatureNATMode": { + "Value": "Single" + }, + "SecurityGroup": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SecurityGroup" + } + }, + "Value": { + "Ref": "ControlPlaneSecurityGroup" + } + }, + "ServiceRoleARN": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::ServiceRoleARN" + } + }, + "Value": { + "Fn::GetAtt": "ServiceRole.Arn" + } + }, + "SharedNodeSecurityGroup": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SharedNodeSecurityGroup" + } + }, + "Value": { + 
"Ref": "ClusterSharedNodeSecurityGroup" + } + }, + "SubnetsPrivate": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SubnetsPrivate" + } + }, + "Value": { + "Fn::Join": [ + ",", + [ + { + "Ref": "SubnetPrivateUSWEST2B" + }, + { + "Ref": "SubnetPrivateUSWEST2C" + }, + { + "Ref": "SubnetPrivateUSWEST2D" + } + ] + ] + } + }, + "SubnetsPublic": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::SubnetsPublic" + } + }, + "Value": { + "Fn::Join": [ + ",", + [ + { + "Ref": "SubnetPublicUSWEST2C" + }, + { + "Ref": "SubnetPublicUSWEST2D" + }, + { + "Ref": "SubnetPublicUSWEST2B" + } + ] + ] + } + }, + "VPC": { + "Export": { + "Name": { + "Fn::Sub": "${AWS::StackName}::VPC" + } + }, + "Value": { + "Ref": "VPC" + } + } + } +}