AWSTemplateFormatVersion: '2010-09-09' Description: RKE2 Kubernetes/Rancher Manager with EKS Cluster CloudFormation Template Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "AWS Configuration Options" Parameters: - VolumeSize - VPCCidr - AllowedCidr - Label: default: "Rancher Configuration Options" Parameters: - RancherClusterToken - RancherBootstrapPassword Parameters: VolumeSize: Description: "Volume Size for Rancher Nodes (Default: 128)" Type: Number MinValue: '25' Default: '128' VPCCidr: Description: "VPC CIDR - First 2 Octects Only (Default: 10.0)" Type: String MinLength: '3' MaxLength: '7' Default: '10.0' AllowedPattern: (\d{1,3})\.(\d{1,3}) ConstraintDescription: must be a valid dot-separated string of the form x.x AllowedCidr: Description: "Allow CIDR for Inbound Traffic to Rancher (Default: 0.0.0.0/0)" Type: String Default: '0.0.0.0/0' WorkshopC9InstanceVolumeSize: Type: Number Description: The Size in GB of the Cloud9 Instance Volume. Default: 32 RancherClusterToken: Description: "Cluster Join Token for RKE2 Cluster (Default: Pa22word)" Type: String Default: Pa22word MinLength: '5' MaxLength: '200' NoEcho: true RancherBootstrapPassword: Description: "Initial Password to Access Rancher Manager (Default: Pa22word)" Type: String Default: Pa22word MinLength: '5' MaxLength: '50' NoEcho: true AssetsBucketName: Description: AWS Workshop Studio Assets Bucket Name Type: String AssetsBucketPrefix: Description: AWS Workshop Studio Assets Bucket Prefix Type: String Mappings: AWSRegionArch2AMI: us-east-1: HVM64: ami-0c5e3d1f21d6ce27f us-west-2: HVM64: ami-06980da992b300927 Resources: ###### # SM # ###### PlaceSecret: Type: AWS::SecretsManager::Secret Properties: Description: 'Rancher user and pasword combination' Name: RancherPass SecretString: !Sub - 'username: admin, password: ${RanchPassword}' - { RanchPassword: !Ref RancherBootstrapPassword } ####### # VPC # ####### RancherVPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-vpc ################## # Public Subnets # ################## RancherPublicSubnet1: Type: AWS::EC2::Subnet DeletionPolicy: Delete Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .1.0/24 MapPublicIpOnLaunch: 'true' VpcId: !Ref 'RancherVPC' AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref 'AWS::Region' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-public-1 RancherPublicSubnet2: Type: AWS::EC2::Subnet DeletionPolicy: Delete Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .2.0/24 MapPublicIpOnLaunch: 'true' VpcId: !Ref 'RancherVPC' AvailabilityZone: !Select - 1 - Fn::GetAZs: !Ref 'AWS::Region' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-public-2 RancherPublicSubnet3: Type: AWS::EC2::Subnet DeletionPolicy: Delete Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .3.0/24 MapPublicIpOnLaunch: 'true' VpcId: !Ref 'RancherVPC' AvailabilityZone: !Select - 2 - Fn::GetAZs: !Ref 'AWS::Region' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-public-3 ################### # Private Subnets # ################### RancherPrivateSubnet1: Type: AWS::EC2::Subnet DeletionPolicy: Delete Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .10.0/24 MapPublicIpOnLaunch: 'false' VpcId: !Ref 'RancherVPC' AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref 'AWS::Region' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-private-1 RancherPrivateSubnet2: Type: AWS::EC2::Subnet DeletionPolicy: Delete Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .11.0/24 MapPublicIpOnLaunch: 'false' VpcId: !Ref 'RancherVPC' AvailabilityZone: !Select - 1 - Fn::GetAZs: !Ref 'AWS::Region' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-private-2 RancherPrivateSubnet3: Type: AWS::EC2::Subnet DeletionPolicy: Delete Properties: CidrBlock: !Join - '' - - !Ref 'VPCCidr' - .12.0/24 MapPublicIpOnLaunch: 'false' VpcId: !Ref 'RancherVPC' AvailabilityZone: !Select - 2 - Fn::GetAZs: !Ref 'AWS::Region' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-private-3 ######################### # NAT Gateway (Private) # ######################### RancherNATGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt 'RancherNATGatewayEIP.AllocationId' SubnetId: !Ref 'RancherPublicSubnet1' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-nat-gateway RancherNATGatewayEIP: Type: AWS::EC2::EIP Properties: Domain: vpc PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'RancherVPC' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - private-rt-table RouteNATGateway: DependsOn: - RancherNATGateway Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'PrivateRouteTable' DestinationCidrBlock: '0.0.0.0/0' NatGatewayId: !Ref 'RancherNATGateway' PrivateRouteTableAssociation1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref 'PrivateRouteTable' SubnetId: !Ref 'RancherPrivateSubnet1' PrivateRouteTableAssociation2: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref 'PrivateRouteTable' SubnetId: !Ref 'RancherPrivateSubnet2' PrivateRouteTableAssociation3: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref 'PrivateRouteTable' SubnetId: !Ref 'RancherPrivateSubnet3' ############################# # Internet Gateway (Public) # ############################# PublicInternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - rancher-igw PublicGatewayAttachment: DependsOn: PublicInternetGateway Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref 'RancherVPC' InternetGatewayId: !Ref 'PublicInternetGateway' PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'RancherVPC' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - public-rt-table PublicRouteToGateway: Type: AWS::EC2::Route DependsOn: PublicGatewayAttachment Properties: DestinationCidrBlock: '0.0.0.0/0' RouteTableId: !Ref 'PublicRouteTable' GatewayId: !Ref 'PublicInternetGateway' PublicRouteTableAssociation1: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref 'PublicRouteTable' SubnetId: !Ref 'RancherPublicSubnet1' PublicRouteTableAssociation2: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref 'PublicRouteTable' SubnetId: !Ref 'RancherPublicSubnet2' PublicRouteTableAssociation3: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref 'PublicRouteTable' SubnetId: !Ref 'RancherPublicSubnet3' ############# # IAM Roles # ############# RancherCPRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: - !GetAtt RancherCloudCredentialUser.Arn Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: rancher-instance-policy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeLaunchConfigurations - autoscaling:DescribeTags - ec2:DescribeInstances - ec2:DescribeRegions - ec2:DescribeRouteTables - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVolumes - ec2:DescribeAvailabilityZones - ec2:CreateSecurityGroup - ec2:CreateTags - ec2:CreateVolume - ec2:ModifyInstanceAttribute - ec2:ModifyVolume - ec2:AttachVolume - ec2:AuthorizeSecurityGroupIngress - ec2:CreateRoute - ec2:DeleteRoute - ec2:DeleteSecurityGroup - ec2:DeleteVolume - ec2:DetachVolume - ec2:RevokeSecurityGroupIngress - ec2:DescribeVpcs - elasticloadbalancing:AddTags - elasticloadbalancing:AttachLoadBalancerToSubnets - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:CreateLoadBalancerPolicy - elasticloadbalancing:CreateLoadBalancerListeners - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:DeleteLoadBalancerListeners - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeLoadBalancerAttributes - elasticloadbalancing:DetachLoadBalancerFromSubnets - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer - elasticloadbalancing:AddTags - elasticloadbalancing:CreateListener - elasticloadbalancing:CreateTargetGroup - elasticloadbalancing:DeleteListener - elasticloadbalancing:DeleteTargetGroup - elasticloadbalancing:DescribeListeners - elasticloadbalancing:DescribeLoadBalancerPolicies - elasticloadbalancing:DescribeTargetGroups - elasticloadbalancing:DescribeTargetHealth - elasticloadbalancing:ModifyListener - elasticloadbalancing:ModifyTargetGroup - elasticloadbalancing:RegisterTargets - elasticloadbalancing:DeregisterTargets - elasticloadbalancing:SetLoadBalancerPoliciesOfListener - iam:CreateServiceLinkedRole - kms:DescribeKey - kms:ListKeys Resource: '*' RancherCPInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: rancher-profile Path: / Roles: - !Ref 'RancherCPRole' RancherCloudCredentialUser: Type: AWS::IAM::User Properties: UserName: rancher-cloud-credential-user RancherCloudCredentialsPolicy: Type: 'AWS::IAM::Policy' DependsOn: RancherCloudCredentialUser Properties: PolicyName: rancher-cloud-credential-policy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ec2:* - cloudformation:* - eks:* - kms:Decrypt - kms:GenerateDataKeyWithoutPlaintext - kms:Encrypt - kms:DescribeKey - kms:CreateGrant - iam:PassRole - iam:ListRoles - iam:ListRoleTags - iam:ListInstanceProfilesForRole - iam:ListInstanceProfiles - iam:ListAttachedRolePolicies - iam:GetRole - iam:GetInstanceProfile - iam:DetachRolePolicy - iam:AttachRolePolicy - iam:AddRoleToInstanceProfile - iam:CreateInstanceProfile - iam:CreateRole - iam:CreateServiceLinkedRole - iam:DeleteInstanceProfile - iam:DeleteRole - iam:RemoveRoleFromInstanceProfile Resource: '*' Users: - !Ref RancherCloudCredentialUser RancherCloudCredentialKey: Type: AWS::IAM::AccessKey DependsOn: RancherCloudCredentialUser Properties: UserName: !Ref RancherCloudCredentialUser RancherInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: - !GetAtt RancherCloudCredentialUser.Arn Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: rancher-instance-policy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeAutoScalingInstances Resource: '*' RancherInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref 'RancherInstanceRole' ############### # Autoscaling # ############### RancherCPLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: !Join - '-' - - !Ref 'AWS::StackName' - cp-launch-template LaunchTemplateData: IamInstanceProfile: Arn: !GetAtt RancherInstanceProfile.Arn DisableApiTermination: 'true' ImageId: !FindInMap - AWSRegionArch2AMI - !Ref 'AWS::Region' - HVM64 InstanceType: 'm5.xlarge' SecurityGroupIds: - !GetAtt 'RancherCPSecurityGroup.GroupId' - !GetAtt 'RancherIngressSecurityGroup.GroupId' BlockDeviceMappings: - Ebs: VolumeSize: !Ref 'VolumeSize' VolumeType: gp2 DeleteOnTermination: true Encrypted: true DeviceName: /dev/sda1 UserData: !Base64 Fn::Join: - '' - - "#!/bin/bash -xe\n" - "echo 'Initializing RKE2..'\n" - !Join - ' ' - - init-rke2.sh - 'server' - !Ref 'RancherClusterToken' - !GetAtt 'RancherCPELB.DNSName' - !Ref 'AWS::Region' - "\n" - "echo 'Initializing Rancher..'\n" - !Join - ' ' - - init-rancher.sh - !GetAtt 'RancherELB.DNSName' - !Ref 'RancherBootstrapPassword' - "\n" RancherCPAutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: LaunchTemplate: LaunchTemplateId: !Ref 'RancherCPLaunchTemplate' Version: !GetAtt 'RancherCPLaunchTemplate.LatestVersionNumber' LoadBalancerNames: - !Ref 'RancherCPELB' MaxSize: '3' MinSize: '3' DesiredCapacity: '3' VPCZoneIdentifier: - !Ref 'RancherPrivateSubnet1' - !Ref 'RancherPrivateSubnet2' - !Ref 'RancherPrivateSubnet3' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - cp-asg PropagateAtLaunch: true RancherWorkerLaunchTemplate: Type: AWS::EC2::LaunchTemplate DependsOn: - RancherCPAutoScalingGroup Properties: LaunchTemplateName: !Join - '-' - - !Ref 'AWS::StackName' - worker-launch-template LaunchTemplateData: DisableApiTermination: 'true' ImageId: !FindInMap - AWSRegionArch2AMI - !Ref 'AWS::Region' - HVM64 InstanceType: 'm5.xlarge' SecurityGroupIds: - !GetAtt 'RancherCPSecurityGroup.GroupId' - !GetAtt 'RancherIngressSecurityGroup.GroupId' BlockDeviceMappings: - Ebs: VolumeSize: !Ref 'VolumeSize' VolumeType: gp2 DeleteOnTermination: true Encrypted: true DeviceName: /dev/sda1 UserData: !Base64 Fn::Join: - '' - - "#!/bin/bash -xe\n" - "echo 'Initializing RKE2..'\n" - !Join - ' ' - - init-rke2.sh - 'agent' - !Ref 'RancherClusterToken' - !GetAtt 'RancherCPELB.DNSName' - !Ref 'AWS::Region' - "\n" RancherWorkerAutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup DependsOn: - RancherCPAutoScalingGroup Properties: LaunchTemplate: LaunchTemplateId: !Ref 'RancherWorkerLaunchTemplate' Version: !GetAtt 'RancherWorkerLaunchTemplate.LatestVersionNumber' LoadBalancerNames: - !Ref 'RancherCPELB' - !Ref 'RancherELB' MaxSize: '3' MinSize: '3' DesiredCapacity: '3' VPCZoneIdentifier: - !Ref 'RancherPrivateSubnet1' - !Ref 'RancherPrivateSubnet2' - !Ref 'RancherPrivateSubnet3' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - worker-asg PropagateAtLaunch: true ########################### # ElasticFileSystem (EFS) # ########################### RancherEFS: Type: 'AWS::EFS::FileSystem' Properties: BackupPolicy: Status: ENABLED PerformanceMode: generalPurpose Encrypted: true LifecyclePolicies: - TransitionToIA: AFTER_30_DAYS - TransitionToPrimaryStorageClass: AFTER_1_ACCESS FileSystemTags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - efs MountTargetPrivateSubnet1: Type: AWS::EFS::MountTarget Properties: FileSystemId: !Ref RancherEFS SubnetId: !Ref RancherPrivateSubnet1 SecurityGroups: - !Ref RancherEFSSecurityGroup MountTargetPrivateSubnet2: Type: AWS::EFS::MountTarget Properties: FileSystemId: !Ref RancherEFS SubnetId: !Ref RancherPrivateSubnet2 SecurityGroups: - !Ref RancherEFSSecurityGroup MountTargetPrivateSubnet3: Type: AWS::EFS::MountTarget Properties: FileSystemId: !Ref RancherEFS SubnetId: !Ref RancherPrivateSubnet3 SecurityGroups: - !Ref RancherEFSSecurityGroup ################### # Security Groups # ################### RancherEFSSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref 'RancherVPC' GroupDescription: Enable EFS access from Rancher subnets to port 2049 SecurityGroupEgress: - IpProtocol: '-1' FromPort: '0' ToPort: '65535' CidrIp: '0.0.0.0/0' SecurityGroupIngress: - IpProtocol: tcp FromPort: '2049' ToPort: '2049' CidrIp: !Join - '' - - !Ref 'VPCCidr' - .11.0/24 - IpProtocol: tcp FromPort: '2049' ToPort: '2049' CidrIp: !Join - '' - - !Ref 'VPCCidr' - .12.0/24 - IpProtocol: tcp FromPort: '2049' ToPort: '2049' CidrIp: !Join - '' - - !Ref 'VPCCidr' - .13.0/24 RancherCPSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref 'RancherVPC' GroupDescription: Enable HTTP/HTTPS access via port 80/443 SecurityGroupEgress: - IpProtocol: '-1' FromPort: '0' ToPort: '65535' CidrIp: '0.0.0.0/0' SecurityGroupIngress: - IpProtocol: tcp FromPort: '9345' ToPort: '9345' SourceSecurityGroupId: !GetAtt 'RancherCPELBSecurityGroup.GroupId' - IpProtocol: tcp FromPort: '6443' ToPort: '6443' SourceSecurityGroupId: !GetAtt 'RancherCPELBSecurityGroup.GroupId' RancherIngressSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref 'RancherVPC' GroupDescription: Enable HTTP/HTTPS access via port 80/443 SecurityGroupEgress: - IpProtocol: '-1' FromPort: '0' ToPort: '65535' CidrIp: '0.0.0.0/0' SecurityGroupIngress: - IpProtocol: tcp FromPort: '30080' ToPort: '30080' SourceSecurityGroupId: !GetAtt 'RancherIngressELBSG.GroupId' - IpProtocol: tcp FromPort: '30443' ToPort: '30443' SourceSecurityGroupId: !GetAtt 'RancherIngressELBSG.GroupId' - IpProtocol: '-1' FromPort: '0' ToPort: '65535' SourceSecurityGroupId: !GetAtt 'RancherCPSecurityGroup.GroupId' RancherCPELBSecurityGroup: Type: AWS::EC2::SecurityGroup DependsOn: PublicInternetGateway Properties: VpcId: !Ref 'RancherVPC' GroupDescription: Enable controlplane connectivity SecurityGroupEgress: - IpProtocol: '-1' FromPort: '0' ToPort: '65535' CidrIp: '0.0.0.0/0' SecurityGroupIngress: - IpProtocol: tcp FromPort: '6443' ToPort: '6443' CidrIp: !Ref AllowedCidr - IpProtocol: tcp FromPort: '9345' ToPort: '9345' CidrIp: !Ref AllowedCidr RancherIngressELBSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref 'RancherVPC' GroupDescription: Enable controlplane connectivity SecurityGroupEgress: - IpProtocol: '-1' FromPort: '0' ToPort: '65535' CidrIp: '0.0.0.0/0' SecurityGroupIngress: - IpProtocol: tcp FromPort: '80' ToPort: '80' CidrIp: !Ref AllowedCidr - IpProtocol: tcp FromPort: '443' ToPort: '443' CidrIp: !Ref AllowedCidr ################## # Load Balancers # ################## RancherCPELB: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: Subnets: - !Ref 'RancherPublicSubnet1' - !Ref 'RancherPublicSubnet2' - !Ref 'RancherPublicSubnet3' SecurityGroups: - !Ref 'RancherCPELBSecurityGroup' CrossZone: 'true' Listeners: - LoadBalancerPort: '6443' InstancePort: '6443' Protocol: TCP - LoadBalancerPort: '9345' InstancePort: '9345' Protocol: TCP HealthCheck: Target: TCP:6443 HealthyThreshold: '3' UnhealthyThreshold: '5' Interval: '30' Timeout: '5' RancherELB: DependsOn: PublicInternetGateway Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: Subnets: - !Ref 'RancherPublicSubnet1' - !Ref 'RancherPublicSubnet2' - !Ref 'RancherPublicSubnet3' SecurityGroups: - !Ref 'RancherIngressELBSG' CrossZone: 'true' Listeners: - LoadBalancerPort: '80' InstancePort: '30080' Protocol: TCP - LoadBalancerPort: '443' InstancePort: '30443' Protocol: TCP HealthCheck: Target: TCP:30080 HealthyThreshold: '3' UnhealthyThreshold: '5' Interval: '30' Timeout: '5' ########### # AWS EKS # ########### EksAllAccessManagedPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - eks:* Resource: "*" - Effect: Allow Action: - ssm:GetParameter - ssm:GetParameters Resource: - !Sub "arn:aws:ssm:*:${AWS::AccountId}:parameter/aws/*" - "arn:aws:ssm:*::parameter/aws/*" - Effect: Allow Action: - kms:CreateGrant - kms:DescribeKey Resource: "*" - Effect: Allow Action: - logs:PutRetentionPolicy Resource: "*" IAMLimitedAccessManagedPolicy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - iam:CreateInstanceProfile - iam:DeleteInstanceProfile - iam:GetInstanceProfile - iam:RemoveRoleFromInstanceProfile - iam:GetRole - iam:CreateRole - iam:DeleteRole - iam:AttachRolePolicy - iam:PutRolePolicy - iam:ListInstanceProfiles - iam:AddRoleToInstanceProfile - iam:ListInstanceProfilesForRole - iam:PassRole - iam:DetachRolePolicy - iam:DeleteRolePolicy - iam:GetRolePolicy - iam:GetOpenIDConnectProvider - iam:CreateOpenIDConnectProvider - iam:DeleteOpenIDConnectProvider - iam:TagOpenIDConnectProvider - iam:ListAttachedRolePolicies - iam:TagRole - iam:GetPolicy - iam:CreatePolicy - iam:DeletePolicy - iam:ListPolicyVersions Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:instance-profile/*" - !Sub "arn:aws:iam::${AWS::AccountId}:role/*" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/eksctl-*" - !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/*" - !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup" - !Sub "arn:aws:iam::${AWS::AccountId}:role/eksctl-managed-*" - Effect: Allow Action: - iam:GetRole Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:role/*" - Effect: Allow Action: - iam:CreateServiceLinkedRole - kms:DescribeKey - kms:ListKeys Resource: "*" Condition: StringEquals: "iam:AWSServiceName": - "eks.amazonaws.com" - "eks-nodegroup.amazonaws.com" - "eks-fargate.amazonaws.com" EKSCTLRole: Type: AWS::IAM::Role DependsOn: - EksAllAccessManagedPolicy - IAMLimitedAccessManagedPolicy Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEC2FullAccess - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess - !Ref IAMLimitedAccessManagedPolicy - !Ref EksAllAccessManagedPolicy EKSCTLInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: eksctl-creator Path: / Roles: - !Ref 'EKSCTLRole' EKSClusterRole: Type: AWS::IAM::Role DeletionPolicy: Delete Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - eks.amazonaws.com - ec2.amazonaws.com - iam.amazonaws.com - cloudformation.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy EKSNodeGroupRole: Type: AWS::IAM::Role DeletionPolicy: Delete Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - eks.amazonaws.com - ec2.amazonaws.com - iam.amazonaws.com - cloudformation.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy EKSCloud9Env: Type: AWS::Cloud9::EnvironmentEC2 Properties: AutomaticStopTimeMinutes: 120 ImageId: 'amazonlinux-2-x86_64' InstanceType: 't2.medium' Name: 'AWS-RGS-Workshop' SubnetId: !Ref RancherPublicSubnet1 KMSSecretsKey: Type: AWS::KMS::Key Properties: Description: "key for EKS secrets encryption" Enabled: true KeyPolicy: Version: '2012-10-17' Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Sub arn:aws:iam::${AWS::AccountId}:root Action: kms:* Resource: '*' Outputs: CloudCredentialArn: Description: AWS Credential ARN Value: !GetAtt RancherCloudCredentialUser.Arn CloudCredentialKey: Description: AWS Access Key (Sensitive!) Value: !Ref RancherCloudCredentialKey CloudCredentialSecret: Description: AWS Secret Key (Sensitive!) Value: !GetAtt RancherCloudCredentialKey.SecretAccessKey RancherURL: Description: Rancher Manager Access URL Value: !GetAtt RancherELB.DNSName Cloud9IDE: Value: Fn::Join: - '' - - https:// - Ref: AWS::Region - ".console.aws.amazon.com/cloud9/ide/" - Ref: EKSCloud9Env - "?region=" - Ref: AWS::Region