AWSTemplateFormatVersion: '2010-09-09'
Conditions:
  GovCloudCondition:
    Fn::Equals:
    - Ref: AWS::Region
    - us-gov-west-1
Description: '(qs-1nltbq5f3) OpenShift+VPC, License: Apache 2.0 (Please do not remove) November, 29, 2017'
Mappings:
  AWSAMIRegionMap:
    AMI:
      RHEL74HVM: RHEL-7.4_HVM_GA-20170808-x86_64-2-Hourly2-GP2
    ap-southeast-2:
      RHEL74HVM: ami-ccecf5af
    eu-central-1:
      RHEL74HVM: ami-d74be5b8
    eu-west-1:
      RHEL74HVM: ami-bb9a6bc2
    us-east-1:
      RHEL74HVM: ami-c998b6b2
    us-east-2:
      RHEL74HVM: ami-cfdafaaa
    us-west-2:
      RHEL74HVM: ami-9fa343e7
  LinuxAMINameMap:
    Redhat-Enterprise-Linux-7:
      Code: RHEL74HVM
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Network Configuration
      Parameters:
      - VPCID
      - VPCCIDR
      - PrivateSubnet1ID
      - PrivateSubnet2ID
      - PrivateSubnet3ID
      - PublicSubnet1ID
      - PublicSubnet2ID
      - PublicSubnet3ID
      - RemoteAccessCIDR
      - ContainerAccessCIDR
    - Label:
        default: Amazon EC2 Configuration
      Parameters:
      - KeyPairName
    - Label:
        default: OpenShift Nodes Configuration
      Parameters:
      - NumberOfMaster
      - NumberOfEtcd
      - NumberOfNodes
      - MasterInstanceType
      - OpenShiftOptions
      - OpenShiftAdminPassword
    - Label:
        default: Ansible Playbook Configuration
      Parameters:
      - AnsiblePlaybookType
      - AnsiblePlaybookGitRepoTag
    - Label:
        default: Red Hat Subscription Information
      Parameters:
      - RedhatSubscriptionUserName
      - RedhatSubscriptionPassword
      - RedhatSubscriptionPoolID
    - Label:
        default: AWS Quick Start Configuration
      Parameters:
      - QSS3BucketName
      - QSS3KeyPrefix
    ParameterLabels:
      AnsiblePlaybookGitRepoTag:
        default: Git Repo Release Version
      AnsiblePlaybookType:
        default: Ansible Playbook Mode
      ContainerAccessCIDR:
        default: Allowed External Access CIDR (OCP Router)
      KeyPairName:
        default: SSH Key Name
      MasterInstanceType:
        default: Master Instance Type
      NumberOfEtcd:
        default: Number of Etcds
      NumberOfMaster:
        default: Number of Masters
      NumberOfNodes:
        default: Number of Nodes
      OpenShiftAdminPassword:
        default: OpenShift UI Password
      OpenShiftOptions:
        default: (Optional)
      PrivateSubnet1ID:
        default: Private Subnet 1 ID
      PrivateSubnet2ID:
        default: Private Subnet 2 ID
      PrivateSubnet3ID:
        default: Private Subnet 3 ID
      PublicSubnet1ID:
        default: Public Subnet 1 ID
      PublicSubnet2ID:
        default: Public Subnet 2 ID
      PublicSubnet3ID:
        default: Public Subnet 3 ID
      QSS3BucketName:
        default: Quick Start S3 Bucket Name
      QSS3KeyPrefix:
        default: Quick Start S3 Key Prefix
      RedhatSubscriptionPassword:
        default: Red Hat Subscription Password
      RedhatSubscriptionPoolID:
        default: Red Hat Pool ID
      RedhatSubscriptionUserName:
        default: Red Hat Subscription User Name
      RemoteAccessCIDR:
        default: Allowed External Access CIDR (OCP UI)
      VPCCIDR:
        default: VPC CIDR
      VPCID:
        default: VPC ID
Outputs:
  ContainerAccessELBName:
    Description: Use this ELB to expose ports to the internet
    Value:
      Fn::Join:
      - ''
      - - 'http://'
        - Fn::GetAtt:
          - ContainerAccessELB
          - DNSName
  OpenShiftUI:
    Description: The OpenShift UI URL
    Value:
      Fn::Join:
      - ''
      - - 'https://'
        - Fn::GetAtt:
          - OpenShiftMasterELB
          - DNSName
        - ':8443/'
Parameters:
  AnsiblePlaybookGitRepoTag:
    Default: 3.6.173.0.5-5
    Description: 'Only used if [OpenSource-Version] is selected. List of development releases available here -> https://github.com/openshift/openshift-ansible/releases'
    Type: String
  AnsiblePlaybookType:
    AllowedValues:
    - Subscription-Version
    - OpenSource-Version
    Default: Subscription-Version
    Description: 'Note: This QuickStart only supports OpenSource-Version for development purposes!'
    Type: String
  ContainerAccessCIDR:
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: The CIDR IP range that is permitted to access the instances. We recommend that you set this value to a trusted IP range.
    Type: String
  KeyPairName:
    Description: Name of an existing EC2 key pair. All instances will launch with this key pair.
    Type: AWS::EC2::KeyPair::KeyName
  MasterInstanceType:
    AllowedValues:
    - t2.large
    - m4.xlarge
    - m4.2xlarge
    - m4.4xlarge
    - m4.10xlarge
    - c4.large
    - c4.xlarge
    - c4.2xlarge
    - c4.4xlarge
    - c4.8xlarge
    ConstraintDescription: Must contain valid instance type
    Default: m4.xlarge
    Description: Type of EC2 instance for the Master instances
    Type: String
  NumberOfEtcd:
    AllowedValues:
    - '3'
    Default: '3'
    Description: This deployment requires 3 OpenShift Etcd instances
    Type: Number
  NumberOfMaster:
    AllowedValues:
    - '3'
    Default: '3'
    Description: This deployment requires 3 OpenShift Master instances
    Type: Number
  NumberOfNodes:
    Default: '3'
    Description: The desired capacity for the OpenShift node instances
    Type: Number
  OpenShiftAdminPassword:
    AllowedPattern: '(?=^.{6,255}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*'
    Description: Password for the OpenShift Admin UI. Must be at least 8 characters, containing letters (minimum 1 capital letter), numbers and symbols
    MaxLength: '12'
    MinLength: '8'
    NoEcho: 'true'
    Type: String
  OpenShiftOptions:
    Default: ''
    Description: (Optional) Leave Blank Unless
    Type: String
  PrivateSubnet1ID:
    Description: ID of private subnet 1 in Availability Zone 1 for the Workload (e.g., subnet-a0246dcd)
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2ID:
    Description: ID of private subnet 2 in Availability Zone 2 for the Workload (e.g., subnet-b1f432cd)
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet3ID:
    Description: ID of private subnet 3 in Availability Zone 3 for the Workload (e.g., subnet-b1f4a2cd)
    Type: AWS::EC2::Subnet::Id
  PublicSubnet1ID:
    Description: ID of public subnet 1 in Availability Zone 1 for the ELB load balancer (e.g., subnet-9bc642ac)
    Type: AWS::EC2::Subnet::Id
  PublicSubnet2ID:
    Description: ID of public subnet 2 in Availability Zone 2 for the ELB load balancer (e.g., subnet-e3246d8e)
    Type: AWS::EC2::Subnet::Id
  PublicSubnet3ID:
    Description: ID of public subnet 3 in Availability Zone 3 for the ELB load balancer (e.g., subnet-e324ad8e)
    Type: AWS::EC2::Subnet::Id
  QSS3BucketName:
    AllowedPattern: '^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
    ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: quickstart-reference
    Description: S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: '^[0-9a-zA-Z-/]*$'
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
    Default: redhat/openshift/latest/
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
    Type: String
  RedhatSubscriptionPassword:
    Description: Enter Red Hat RHN password
    NoEcho: 'true'
    Type: String
  RedhatSubscriptionPoolID:
    Description: Enter Red Hat RHN pool ID
    Type: String
  RedhatSubscriptionUserName:
    Description: Enter Red Hat RHN user name
    Type: String
  RemoteAccessCIDR:
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x
    Description: The CIDR IP range that is permitted to access the instances. We recommend that you set this value to a trusted IP range.
    Type: String
  VPCCIDR:
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC
    Type: String
  VPCID:
    Description: ID of your existing VPC for deployment
    Type: AWS::EC2::VPC::Id
Resources:
  AnsibleConfigServer:
    CreationPolicy:
      ResourceSignal:
        Timeout: PT240M
    DependsOn: OpenShiftNodeASG
    Metadata:
      AWS::CloudFormation::Init:
        AddPublicKey:
          commands:
            append-publickey:
              command: cat /root/.ssh/public.key >>/root/.ssh/authorized_keys
              ignoreErrors: 'false'
        CfgAnsible:
          commands:
            disable-host-key-checking:
              command: "sed -i 's/#host_key_checking = False/host_key_checking = False/g' /etc/ansible/ansible.cfg"
              ignoreErrors: 'false'
          packages:
            yum:
              ansible: []
        GetPublicKey:
          files:
            /root/.ssh/public.key:
              content:
                Fn::Join:
                - ''
                - - '#QuickStart Generated '
                  - Fn::GetAtt:
                    - GetRSA
                    - PUB
                  - "\n"
              group: root
              mode: '000400'
              owner: root
        NetworkManager:
          commands:
            start_enable_nm:
              command: systemctl start NetworkManager && systemctl enable NetworkManager
              ignoreErrors: 'false'
        # The generated private key is returned by the GetRSA custom resource and resolved into this
        # resource's metadata, so anyone who can read the stack's resource metadata can read the key.
        SetPrivateKey:
          files:
            /root/.ssh/id_rsa:
              content:
                Fn::Join:
                - ''
                - - Fn::GetAtt:
                    - GetRSA
                    - PEM
                  - "\n"
              group: root
              mode: '000400'
              owner: root
        configSets:
          cfg_ansible:
          - CfgAnsible
          cfg_networkmgr:
          - rpms
          - NetworkManager
          cfg_node_keys:
          - GetPublicKey
          - AddPublicKey
          - SetPrivateKey
        rpms:
          packages:
            yum:
              NetworkManager: []
    Properties:
      IamInstanceProfile:
        Ref: SetupRoleProfile
      ImageId:
        Fn::FindInMap:
        - AWSAMIRegionMap
        - Ref: AWS::Region
        - RHEL74HVM
      InstanceType:
        Ref: MasterInstanceType
      KeyName:
        Ref: KeyPairName
      NetworkInterfaces:
      - AssociatePublicIpAddress: 'true'
        DeleteOnTermination: 'true'
        DeviceIndex: '0'
        GroupSet:
        - Ref: OpenShiftSecurityGroup
        SubnetId:
          Ref: PublicSubnet1ID
      Tags:
      - Key: Name
        Value: ansible-configserver
      UserData:
        Fn::Base64:
          Fn::Join:
          - ''
          - - "#!/bin/bash\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Starting: Load QuickStart Common\"\n"
            - "\n"
            - QSLOCATION=
            - Fn::Sub:
              - 'https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix}'
              - S3Region:
                  Fn::If:
                  - GovCloudCondition
                  - s3-us-gov-west-1
                  - s3
            - "\n"
            - "UTIL=\"${QSLOCATION}submodules/quickstart-linux-utilities/quickstart-cfn-tools.source\"\n"
            - "P=/tmp/quickstart-cfn-tools.source \n"
            - "#qs_retry_command is not available (use until loop)\n"
            - "curl --retry 10 -s ${UTIL} -o ${P} || n=0; until [[ $n -ge 50 ]]; do curl -s ${UTIL} -o ${P} && break; n=$[$n+1]; done\n"
            - "source ${P}\n"
            - "echo \"\t------------------[] Finished: Load QuickStart Common\"\n"
            - "echo \"========================================================================================================================\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: aws cfn-bootstrap installation via [qs_bootstrap_pip, qs_aws-cfn-bootstrap]\"\n"
            - "qs_bootstrap_pip || qs_err \" pip bootstrap failed \" \n"
            - "qs_aws-cfn-bootstrap || qs_err \" cfn bootstrap failed \"\n"
            - "echo \"\t------------------[] Finished: aws cfn-bootstrap installation\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: epel configuration via [qs_enable_epel]\"\n"
            - "# Needed for initial Ansible availability\n"
            - "qs_enable_epel &> /var/log/userdata.qs_enable_epel.log || qs_err \" enable epel failed \"\n"
            - "echo \"\t------------------[] Completed epel configuration \"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: installation of awscli \"\n"
            - "pip install awscli &> /var/log/userdata.awscli_install.log || qs_err \" awscli install failed \"\n"
            - "echo \"\t------------------[] Completed: install of awscli \"\n"
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Completed: QuickStart Common Utils \"\n"
            - "\n"
            - "echo \"[INFO] Configuring External LoadBalancer for OpenShift UI\" \n"
            - 'aws autoscaling attach-load-balancers --auto-scaling-group-name '
            - Ref: OpenShiftMasterASG
            - ' --load-balancer-names '
            - Ref: OpenShiftMasterInternalELB
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "echo \"[INFO] Configuring External LoadBalancer for ContainerAccess UI\" \n"
            - 'aws autoscaling attach-load-balancers --auto-scaling-group-name '
            - Ref: OpenShiftNodeASG
            - ' --load-balancer-names '
            - Ref: ContainerAccessELB
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[]Attach to Subscription pool\"\n"
            - SCRIPT_PATH=
            - Fn::Sub: 's3://${QSS3BucketName}/${QSS3KeyPrefix}'
            - "\n"
            - "aws s3 cp ${SCRIPT_PATH}scripts/redhat_ose-register.sh ~/redhat_ose-register.sh \n"
            - "chmod 755 ~/redhat_ose-register.sh\n"
            - 'qs_retry_command 20 ~/redhat_ose-register.sh '
            # NoEcho masks these parameters in the console and API output, but they are embedded here in
            # clear text in the instance user data, which is readable from the instance and via the EC2 API.
            - Fn::Sub: '${RedhatSubscriptionUserName} ${RedhatSubscriptionPassword} ${RedhatSubscriptionPoolID} '
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Check if Subscription is Attached! if not fail Stack\"\n"
            - "\n"
            - "echo \" \t------------------[] Start of main execution block\"\n"
            - "yum repolist | grep OpenShift \n"
            - "if [[ $? == 0 ]] \n"
            - "then \n"
            - "echo \"\t------------------[] Starting OpenShift Configuration\" \n"
            - "echo \"[INFO] Generating Ansible inventory \" \n"
            - "aws s3 cp ${SCRIPT_PATH}scripts/get_nodes.py ~/get_nodes.py \n"
            - "pip install boto3 &> /var/log/userdata.boto3_install.log || qs_err \" boto3 install failed \"\n"
            - 'python ~/get_nodes.py '
            - Ref: AWS::Region
            - ' '
            - Ref: OpenShiftMasterASG
            - ' '
            - 'masters '
            - ' > /tmp/openshift_instances-master'
            - "\n"
            - 'python ~/get_nodes.py '
            - Ref: AWS::Region
            - ' '
            - Ref: OpenShiftEtcdASG
            - ' '
            - 'etcd > /tmp/openshift_instances-etcd'
            - "\n"
            - 'python ~/get_nodes.py '
            - Ref: AWS::Region
            - ' '
            - Ref: OpenShiftNodeASG
            - ' '
            - 'nodes > /tmp/openshift_instances-nodes'
            - "\n"
            - "# Start cfn-configset [cfg_node_keys]\n"
            - 'cfn-init -v '
            - '--stack '
            - Ref: AWS::StackName
            - ' --resource AnsibleConfigServer'
            - ' --configsets cfg_node_keys '
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "# Start cfn-configset [cfg_ansible]\n"
            - 'cfn-init -v '
            - ' --stack '
            - Ref: AWS::StackName
            - ' --resource AnsibleConfigServer '
            - ' --configsets cfg_ansible '
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "echo \"Begin OpenShift configuration\"\n"
            - 'aws s3 cp '
            - Fn::Sub: 's3://${QSS3BucketName}/${QSS3KeyPrefix}'
            - "scripts/openshift_config_ose.yml ~/openshift_config.yml \n"
            - "cat ~/openshift_config.yml >/etc/ansible/hosts \n"
            - 'echo "'
            - Ref: OpenShiftOptions
            - '"'
            - ">>/etc/ansible/hosts \n"
            - "echo \"[INFO] Ansible Generated\" \n"
            - MASTER_ELBDNSNAME=
            - Fn::GetAtt:
              - OpenShiftMasterELB
              - DNSName
            - "\n"
            - INTERNAL_MASTER_ELBDNSNAME=
            - Fn::GetAtt:
              - OpenShiftMasterInternalELB
              - DNSName
            - "\n"
            - NODE_ELBDNSNAME=
            - Fn::GetAtt:
              - ContainerAccessELB
              - DNSName
            - "\n"
            - "echo \"[INFO] Configuring OpenShift Variable\" \n"
            - "echo openshift_master_cluster_hostname=${INTERNAL_MASTER_ELBDNSNAME} >> /etc/ansible/hosts \n"
            - "echo openshift_master_cluster_public_hostname=${MASTER_ELBDNSNAME} >> /etc/ansible/hosts \n"
            - "echo openshift_hostname=${INTERNAL_MASTER_ELBDNSNAME} >> /etc/ansible/hosts \n"
            - "echo \"[INFO] Configured OpenShift Variable\" \n"
            - "cat /tmp/openshift_instances-* >>/etc/ansible/hosts \n"
            - "sed -i 's/#pipelining = False/pipelining = True/g' /etc/ansible/ansible.cfg \n"
            - "sed -i 's/#log_path/log_path/g' /etc/ansible/ansible.cfg \n"
            - "echo \"[INFO] Poll till all nodes are under Ansible (max tries = 50)\" \n"
            - "qs_retry_command 50 ansible -m ping all \n"
            - "\n"
            - "#Install dependencies and update OS\n"
            - "yum -y install wget git net-tools bind-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct\n"
            - "yum -y update \n"
            - "yum -y install atomic-openshift-utils\n"
            - "yum -y install atomic-openshift-excluder atomic-openshift-docker-excluder\n"
            - 'PLAYBOOK="'
            - Ref: AnsiblePlaybookType
            - "\"\n"
            - "if [ $PLAYBOOK == \"Subscription-Version\" ]; then \n"
            - " echo \"[INFO] Using Builtin Playbooks\"\n"
            - "else\n"
            - " echo \"[INFO] Override Builtin Playbooks\" \n"
            - " touch ~/override_Playbooks \n"
            - 'CURRENT_PLAYBOOK_VERSION=https://github.com/openshift/openshift-ansible/archive/openshift-ansible-'
            - Ref: AnsiblePlaybookGitRepoTag
            - ".tar.gz\n"
            - "curl --retry 5 -Ls ${CURRENT_PLAYBOOK_VERSION} -o openshift-ansible.tar.gz \n"
            - "tar -zxf openshift-ansible.tar.gz \n"
            - "mkdir -p /usr/share/ansible \n"
            - "mv openshift-ansible-* /usr/share/ansible/openshift-ansible \n"
            - "fi\n"
            - "\n"
            - "yum -y install atomic-openshift-excluder atomic-openshift-docker-excluder\n"
            - "atomic-openshift-excluder unexclude\n"
            - "echo \"[INFO] Starting OpenShift Cluster Build (Beginning Ansible Playbook run!!!)\" \n"
            - "date >>~/playbooks.info\n"
            - "ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/config.yml || qs_err \" ansible-playbook failed!! \"\n"
            - "date >>~/playbooks.info\n"
            - "echo \"[INFO] Finished OpenShift Cluster Build (Completed Ansible Playbook run!!!)\" \n"
            - "\n"
            - "echo \"[INFO] Adding OpenShift Users\" \n"
            # The admin password is passed on the command line here, so it is visible in the user data
            # and, while htpasswd runs, in the masters' process list.
            - 'ansible masters -a "htpasswd -b /etc/origin/master/htpasswd admin '
            - Ref: OpenShiftAdminPassword
            - "\"\n"
            - "echo \"[INFO] Added OpenShift Users\" \n"
            - "echo \"[INFO] Finished OpenShift Cluster Build\" \n"
            - "echo \"[INFO] Signaling Stack .....\"\n"
            - "# Signal resource using [qs_status] via cfn-init\n"
            # $? here is the exit status of the preceding echo, so this signal reports success
            # even if the ansible-playbook run above failed.
            - 'cfn-signal -e $?'
            - ' --stack '
            - Ref: AWS::StackName
            - ' --resource AnsibleConfigServer '
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "echo \"End cfn stack signaling\"\n"
            - "echo \"\t#################[] End of main execution block \" \n"
            - "else\n"
            - "echo \" \t#################[] Start of else block \" \n"
            - "echo \"[REASON] Failed to Acquire OpenShift Entitlement, Check your PoolID and RHN UserName/Password \" >~/failure_reason\n"
            - "echo \"[INFO] Signaling Stack .....\"\n"
            - 'cfn-signal -e 1'
            - ' --stack '
            - Ref: AWS::StackName
            - ' --resource AnsibleConfigServer '
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "echo \" \t#################[] End of else block \" \n"
            - "fi\n"
    Type: AWS::EC2::Instance
  ContainerAccessELB:
    Properties:
      ConnectionSettings:
        IdleTimeout: 1200
      CrossZone: true
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '30'
        Target: TCP:22
        Timeout: '3'
        UnhealthyThreshold: '3'
      Listeners:
      - InstancePort: '8080'
        InstanceProtocol: TCP
        LoadBalancerPort: '8080'
        Protocol: TCP
      - InstancePort: '80'
        InstanceProtocol: TCP
        LoadBalancerPort: '80'
        Protocol: TCP
      SecurityGroups:
      - Ref: OpenShiftNodeSecurityGroup
      Subnets:
      - Ref: PublicSubnet1ID
      - Ref: PublicSubnet2ID
      - Ref: PublicSubnet3ID
    Type: AWS::ElasticLoadBalancing::LoadBalancer
  GetRSA:
    DependsOn:
    - KeyGen
    Properties:
      ResourceProperties:
        LogicalResourceId: KeyGenLogicalResourceId
        RequestId:
          Fn::Join:
          - ''
          - - Ref: AWS::StackId
            - RequestId
        RequestType: Create
        ResponseURL:
          Fn::Join:
          - ''
          - - 'http://ResponseURL'
            - Ref: AWS::StackId
            - RequestId
      ServiceToken:
        Fn::GetAtt:
        - KeyGen
        - Arn
      StackId:
        Ref: AWS::StackId
    Type: Custom::GenerateKeys
  KeyGen:
    Properties:
      Code:
        S3Bucket:
          Fn::Sub: 'quickstart-reference-lambda-${AWS::Region}'
        S3Key:
          Fn::Sub: generate_sshkeys/genrsa_lambda.zip
      Handler: service.handler
      Role:
        Fn::GetAtt:
        - LambdaExecutionRole
        - Arn
      Runtime: python3.8
      Timeout: '5'
    Type: AWS::Lambda::Function
  LambdaExecutionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
        Version: '2012-10-17'
      Path: /
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
            Effect: Allow
            Resource: arn:aws:logs:*:*:*
          - Action:
            - cloudformation:DescribeStacks
            Effect: Allow
            Resource: '*'
          Version: '2012-10-17'
        PolicyName: lambda_policy
    Type: AWS::IAM::Role
  OpenShiftEtcdASG:
    DependsOn: OpenShiftMasterASG
    Properties:
      DesiredCapacity:
        Ref: NumberOfEtcd
      LaunchConfigurationName:
        Ref: OpenShiftEtcdLaunchConfig
      MaxSize:
        Ref: NumberOfEtcd
      MinSize: '2'
      Tags:
      - Key: Name
        PropagateAtLaunch: 'true'
        Value: openshift-etcd
      VPCZoneIdentifier:
      - Ref: PrivateSubnet1ID
      - Ref: PrivateSubnet2ID
      - Ref: PrivateSubnet3ID
    Type: AWS::AutoScaling::AutoScalingGroup
  OpenShiftEtcdLaunchConfig:
    Metadata:
      AWS::CloudFormation::Init:
        AddPublicKey:
          commands:
            append-publickey:
              command: cat /root/.ssh/public.key >>/root/.ssh/authorized_keys
              ignoreErrors: 'false'
        GetPublicKey:
          files:
            /root/.ssh/public.key:
              content:
                Fn::Join:
                - ''
                - - '#QuickStart Generated '
                  - Fn::GetAtt:
                    - GetRSA
                    - PUB
                  - "\n"
              group: root
              mode: '000400'
              owner: root
        NetworkManager:
          commands:
            start_enable_nm:
              command: systemctl start NetworkManager && systemctl enable NetworkManager
              ignoreErrors: 'false'
        configSets:
          quickstart:
          - GetPublicKey
          - AddPublicKey
          - rpms
          - NetworkManager
        rpms:
          packages:
            yum:
              NetworkManager: []
    Properties:
      BlockDeviceMappings:
      - DeviceName: /dev/sda1
        Ebs:
          VolumeSize: '80'
      IamInstanceProfile:
        Ref: SetupRoleProfile
      ImageId:
        Fn::FindInMap:
        - AWSAMIRegionMap
        - Ref: AWS::Region
        - RHEL74HVM
      InstanceMonitoring: 'true'
      InstanceType:
        Ref: MasterInstanceType
      KeyName:
        Ref: KeyPairName
      SecurityGroups:
      - Ref: OpenShiftSecurityGroup
      UserData:
        Fn::Base64:
          Fn::Join:
          - ''
          - - "#!/bin/bash\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Starting: Load QuickStart Common\"\n"
            - "\n"
            - QSLOCATION=
            - Fn::Sub:
              - 'https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix}'
              - S3Region:
                  Fn::If:
                  - GovCloudCondition
                  - s3-us-gov-west-1
                  - s3
            - "\n"
            - "UTIL=\"${QSLOCATION}submodules/quickstart-linux-utilities/quickstart-cfn-tools.source\"\n"
            - "P=/tmp/quickstart-cfn-tools.source \n"
            - "#qs_retry_command is not available (use until loop)\n"
            - "curl --retry 10 -s ${UTIL} -o ${P} || n=0; until [[ $n -ge 50 ]]; do curl -s ${UTIL} -o ${P} && break; n=$[$n+1]; done\n"
            - "source ${P}\n"
            - "echo \"\t------------------[] Finished: Load QuickStart Common\"\n"
            - "echo \"========================================================================================================================\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: aws cfn-bootstrap installation via [qs_bootstrap_pip, qs_aws-cfn-bootstrap]\"\n"
            - "qs_bootstrap_pip || qs_err \" pip bootstrap failed \" \n"
            - "qs_aws-cfn-bootstrap || qs_err \" cfn bootstrap failed \"\n"
            - "echo \"\t------------------[] Finished: aws cfn-bootstrap installation\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: epel configuration via [qs_enable_epel]\"\n"
            - "# Needed for initial Ansible availability\n"
            - "qs_enable_epel &> /var/log/userdata.qs_enable_epel.log || qs_err \" enable epel failed \"\n"
            - "echo \"\t------------------[] Completed epel configuration \"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: installation of awscli \"\n"
            - "pip install awscli &> /var/log/userdata.awscli_install.log || qs_err \" awscli install failed \"\n"
            - "echo \"\t------------------[] Completed: install of awscli \"\n"
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Completed: QuickStart Common Utils \"\n"
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[]Attach to Subscription pool\"\n"
            - SCRIPT_PATH=
            - Fn::Sub: 's3://${QSS3BucketName}/${QSS3KeyPrefix}'
            - "\n"
            - "aws s3 cp ${SCRIPT_PATH}scripts/redhat_ose-register.sh ~/redhat_ose-register.sh \n"
            - "chmod 755 ~/redhat_ose-register.sh\n"
            - 'qs_retry_command 20 ~/redhat_ose-register.sh '
            - Fn::Sub: '${RedhatSubscriptionUserName} ${RedhatSubscriptionPassword} ${RedhatSubscriptionPoolID} '
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "yum repolist | grep OpenShift \n"
            - "# Start cfn-init [GetPublicKey, AddPublicKey]\n"
            - 'cfn-init -v '
            - ' --stack '
            - Ref: AWS::StackName
            - ' --resource OpenShiftEtcdLaunchConfig '
            - ' --configsets quickstart '
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "yum install -y atomic-openshift-docker-excluder atomic-openshift-node atomic-openshift-sdn-ovs ceph-common conntrack-tools dnsmasq docker docker-client docker-common docker-rhel-push-plugin glusterfs glusterfs-client-xlators glusterfs-fuse glusterfs-libs iptables-services iscsi-initiator-utils iscsi-initiator-utils-iscsiuio tuned-profiles-atomic-openshift-node\n"
    Type: AWS::AutoScaling::LaunchConfiguration
  # Admits every protocol from any source. It is attached only to the internal ELB, but restricting
  # CidrIp to the VPC CIDR (as OpenShiftNodeSecurityGroup does) would limit exposure if it is reused.
  OpenShiftInternalSecurityGroup:
    Properties:
      GroupDescription: Allow access to the Workload instances
      SecurityGroupIngress:
      - CidrIp: 0.0.0.0/0
        IpProtocol: '-1'
      VpcId:
        Ref: VPCID
    Type: AWS::EC2::SecurityGroup
  OpenShiftMasterASG:
    DependsOn: GetRSA
    Properties:
      DesiredCapacity:
        Ref: NumberOfMaster
      LaunchConfigurationName:
        Ref: OpenShiftMasterASLaunchConfig
      LoadBalancerNames:
      - Ref: OpenShiftMasterELB
      MaxSize:
        Ref: NumberOfMaster
      MinSize: '2'
      Tags:
      - Key: Name
        PropagateAtLaunch: 'true'
        Value: openshift-master
      VPCZoneIdentifier:
      - Ref: PrivateSubnet1ID
      - Ref: PrivateSubnet2ID
      - Ref: PrivateSubnet3ID
    Type: AWS::AutoScaling::AutoScalingGroup
  OpenShiftMasterASLaunchConfig:
    DependsOn: GetRSA
    Metadata:
      AWS::CloudFormation::Init:
        AddPublicKey:
          commands:
            append-publickey:
              command: cat /root/.ssh/public.key >>/root/.ssh/authorized_keys
              ignoreErrors: 'false'
        GetPublicKey:
          files:
            /root/.ssh/public.key:
              content:
                Fn::Join:
                - ''
                - - '#QuickStart Generated '
                  - Fn::GetAtt:
                    - GetRSA
                    - PUB
                  - "\n"
              group: root
              mode: '000400'
              owner: root
        NetworkManager:
          commands:
            start_enable_nm:
              command: systemctl start NetworkManager && systemctl enable NetworkManager
              ignoreErrors: 'false'
        configSets:
          quickstart:
          - GetPublicKey
          - AddPublicKey
          - rpms
          - NetworkManager
        rpms:
          packages:
            yum:
              NetworkManager: []
    Properties:
      BlockDeviceMappings:
      - DeviceName: /dev/sda1
        Ebs:
          VolumeSize: '80'
      IamInstanceProfile:
        Ref: SetupRoleProfile
      ImageId:
        Fn::FindInMap:
        - AWSAMIRegionMap
        - Ref: AWS::Region
        - RHEL74HVM
      InstanceMonitoring: 'true'
      InstanceType:
        Ref: MasterInstanceType
      KeyName:
        Ref: KeyPairName
      SecurityGroups:
      - Ref: OpenShiftSecurityGroup
      UserData:
        Fn::Base64:
          Fn::Join:
          - ''
          - - "#!/bin/bash\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Starting: Load QuickStart Common\"\n"
            - "\n"
            - QSLOCATION=
            - Fn::Sub:
              - 'https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix}'
              - S3Region:
                  Fn::If:
                  - GovCloudCondition
                  - s3-us-gov-west-1
                  - s3
            - "\n"
            - "UTIL=\"${QSLOCATION}submodules/quickstart-linux-utilities/quickstart-cfn-tools.source\"\n"
            - "P=/tmp/quickstart-cfn-tools.source \n"
            - "#qs_retry_command is not available (use until loop)\n"
            - "curl --retry 10 -s ${UTIL} -o ${P} || n=0; until [[ $n -ge 50 ]]; do curl -s ${UTIL} -o ${P} && break; n=$[$n+1]; done\n"
            - "source ${P}\n"
            - "echo \"\t------------------[] Finished: Load QuickStart Common\"\n"
            - "echo \"========================================================================================================================\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: aws cfn-bootstrap installation via [qs_bootstrap_pip, qs_aws-cfn-bootstrap]\"\n"
            - "qs_bootstrap_pip || qs_err \" pip bootstrap failed \" \n"
            - "qs_aws-cfn-bootstrap || qs_err \" cfn bootstrap failed \"\n"
            - "echo \"\t------------------[] Finished: aws cfn-bootstrap installation\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: epel configuration via [qs_enable_epel]\"\n"
            - "# Needed for initial Ansible availability\n"
            - "qs_enable_epel &> /var/log/userdata.qs_enable_epel.log || qs_err \" enable epel failed \"\n"
            - "echo \"\t------------------[] Completed epel configuration \"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: installation of awscli \"\n"
            - "pip install awscli &> /var/log/userdata.awscli_install.log || qs_err \" awscli install failed \"\n"
            - "echo \"\t------------------[] Completed: install of awscli \"\n"
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Completed: QuickStart Common Utils \"\n"
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[]Attach to Subscription pool\"\n"
            - SCRIPT_PATH=
            - Fn::Sub: 's3://${QSS3BucketName}/${QSS3KeyPrefix}'
            - "\n"
            - "aws s3 cp ${SCRIPT_PATH}scripts/redhat_ose-register.sh ~/redhat_ose-register.sh \n"
            - "chmod 755 ~/redhat_ose-register.sh\n"
            - 'qs_retry_command 20 ~/redhat_ose-register.sh '
            - Fn::Sub: '${RedhatSubscriptionUserName} ${RedhatSubscriptionPassword} ${RedhatSubscriptionPoolID} '
            - "\n"
            - "echo \"========================================================================================================================\"\n"
            - "\n"
            - "# Start cfn-init [GetPublicKey, AddPublicKey]\n"
            - 'cfn-init -v '
            - ' --stack '
            - Ref: AWS::StackName
            - ' --resource OpenShiftMasterASLaunchConfig '
            - ' --configsets quickstart '
            - ' --region '
            - Ref: AWS::Region
            - "\n"
            - "yum install -y atomic-openshift-docker-excluder atomic-openshift-node atomic-openshift-sdn-ovs ceph-common conntrack-tools dnsmasq docker docker-client docker-common docker-rhel-push-plugin glusterfs glusterfs-client-xlators glusterfs-fuse glusterfs-libs iptables-services iscsi-initiator-utils iscsi-initiator-utils-iscsiuio tuned-profiles-atomic-openshift-node\n"
    Type: AWS::AutoScaling::LaunchConfiguration
  OpenShiftMasterELB:
    Properties:
      ConnectionSettings:
        IdleTimeout: 1200
      CrossZone: true
      # The health check probes SSH (TCP:22) rather than the API port (8443), so a master whose
      # API is down still stays in service behind this ELB.
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '30'
        Target: TCP:22
        Timeout: '3'
        UnhealthyThreshold: '3'
      Listeners:
      - InstancePort: '9000'
        InstanceProtocol: TCP
        LoadBalancerPort: '9000'
        Protocol: TCP
      - InstancePort: '8443'
        InstanceProtocol: TCP
        LoadBalancerPort: '8443'
        Protocol: TCP
      - InstancePort: '80'
        InstanceProtocol: TCP
        LoadBalancerPort: '80'
        Protocol: TCP
      - InstancePort: '443'
        InstanceProtocol: TCP
        LoadBalancerPort: '443'
        Protocol: TCP
      SecurityGroups:
      - Ref: OpenShiftSecurityGroup
      Subnets:
      - Ref: PublicSubnet1ID
      - Ref: PublicSubnet2ID
      - Ref: PublicSubnet3ID
    Type: AWS::ElasticLoadBalancing::LoadBalancer
  OpenShiftMasterInternalELB:
    Properties:
      ConnectionSettings:
        IdleTimeout: 1200
      CrossZone: true
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '30'
        Target: TCP:22
        Timeout: '3'
        UnhealthyThreshold: '3'
      Listeners:
      - InstancePort: '8443'
        InstanceProtocol: TCP
        LoadBalancerPort: '8443'
        Protocol: TCP
      - InstancePort: '80'
        InstanceProtocol: TCP
        LoadBalancerPort: '80'
        Protocol: TCP
      - InstancePort: '443'
        InstanceProtocol: TCP
        LoadBalancerPort: '443'
        Protocol: TCP
      Scheme: internal
      SecurityGroups:
      - Ref: OpenShiftInternalSecurityGroup
      Subnets:
      - Ref: PrivateSubnet1ID
      - Ref: PrivateSubnet2ID
      - Ref: PrivateSubnet3ID
    Type: AWS::ElasticLoadBalancing::LoadBalancer
  OpenShiftNodeASG:
    DependsOn: OpenShiftMasterASG
    Properties:
      DesiredCapacity:
        Ref: NumberOfNodes
      LaunchConfigurationName:
        Ref: OpenShiftNodesLaunchConfig
      LoadBalancerNames:
      - Ref: OpenShiftNodeInternalELB
      MaxSize:
        Ref: NumberOfNodes
      MinSize: '2'
      Tags:
      - Key: Name
        PropagateAtLaunch: 'true'
        Value: openshift-nodes
      VPCZoneIdentifier:
      - Ref: PrivateSubnet1ID
      - Ref: PrivateSubnet2ID
      - Ref: PrivateSubnet3ID
    Type: AWS::AutoScaling::AutoScalingGroup
  OpenShiftNodeInternalELB:
    Properties:
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '30'
        Target: TCP:22
        Timeout: '3'
        UnhealthyThreshold: '3'
      Listeners:
      - InstancePort: '8080'
        InstanceProtocol: TCP
        LoadBalancerPort: '8080'
        Protocol: TCP
      - InstancePort: '80'
        InstanceProtocol: TCP
        LoadBalancerPort: '80'
        Protocol: TCP
      Scheme: internal
      SecurityGroups:
      - Ref: OpenShiftSecurityGroup
      Subnets:
      - Ref: PrivateSubnet1ID
      - Ref: PrivateSubnet2ID
      - Ref: PrivateSubnet3ID
    Type: AWS::ElasticLoadBalancing::LoadBalancer
  OpenShiftNodeSecurityGroup:
    Properties:
      GroupDescription: Allow access to the Workload instances
      SecurityGroupIngress:
      - CidrIp:
          Ref: VPCCIDR
        IpProtocol: '-1'
      - CidrIp:
          Ref: ContainerAccessCIDR
        FromPort: '8080'
        IpProtocol: tcp
        ToPort: '8080'
      - CidrIp:
          Ref: ContainerAccessCIDR
        FromPort: '80'
        IpProtocol: tcp
        ToPort: '80'
      VpcId:
        Ref: VPCID
    Type: AWS::EC2::SecurityGroup
  OpenShiftNodesLaunchConfig:
    Metadata:
      AWS::CloudFormation::Init:
        AddPublicKey:
          commands:
            append-publickey:
              command: cat /root/.ssh/public.key >>/root/.ssh/authorized_keys
              ignoreErrors: 'false'
        GetPublicKey:
          files:
            /root/.ssh/public.key:
              content:
                Fn::Join:
                - ''
                - - '#QuickStart Generated '
                  - Fn::GetAtt:
                    - GetRSA
                    - PUB
                  - "\n"
              group: root
              mode: '000400'
              owner: root
        NetworkManager:
          commands:
            start_enable_nm:
              command: systemctl start NetworkManager && systemctl enable NetworkManager
              ignoreErrors: 'false'
        configSets:
          quickstart:
          - GetPublicKey
          - AddPublicKey
          - rpms
          - NetworkManager
        rpms:
          packages:
            yum:
              NetworkManager: []
    Properties:
      BlockDeviceMappings:
      - DeviceName: /dev/sda1
        Ebs:
          VolumeSize: '80'
          VolumeType: gp2
      - DeviceName: /dev/xvdb
        Ebs:
          VolumeSize: '110'
          VolumeType: gp2
      IamInstanceProfile:
        Ref: SetupRoleProfile
      ImageId:
        Fn::FindInMap:
        - AWSAMIRegionMap
        - Ref: AWS::Region
        - RHEL74HVM
      InstanceMonitoring: 'true'
      InstanceType:
        Ref: MasterInstanceType
      KeyName:
        Ref: KeyPairName
      SecurityGroups:
      - Ref: OpenShiftSecurityGroup
      UserData:
        Fn::Base64:
          Fn::Join:
          - ''
          - - "#!/bin/bash\n"
            - "echo \"========================================================================================================================\"\n"
            - "echo \"\t------------------[] Starting: Load QuickStart Common\"\n"
            - "\n"
            - QSLOCATION=
            - Fn::Sub:
              - 'https://${QSS3BucketName}.${S3Region}.amazonaws.com/${QSS3KeyPrefix}'
              - S3Region:
                  Fn::If:
                  - GovCloudCondition
                  - s3-us-gov-west-1
                  - s3
            - "\n"
            - "UTIL=\"${QSLOCATION}submodules/quickstart-linux-utilities/quickstart-cfn-tools.source\"\n"
            - "P=/tmp/quickstart-cfn-tools.source \n"
            - "#qs_retry_command is not available (use until loop)\n"
            - "curl --retry 10 -s ${UTIL} -o ${P} || n=0; until [[ $n -ge 50 ]]; do curl -s ${UTIL} -o ${P} && break; n=$[$n+1]; done\n"
            - "source ${P}\n"
            - "echo \"\t------------------[] Finished: Load QuickStart Common\"\n"
            - "echo \"========================================================================================================================\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: aws cfn-bootstrap installation via [qs_bootstrap_pip, qs_aws-cfn-bootstrap]\"\n"
            - "qs_bootstrap_pip || qs_err \" pip bootstrap failed \" \n"
            - "qs_aws-cfn-bootstrap || qs_err \" cfn bootstrap failed \"\n"
            - "echo \"\t------------------[] Finished: aws cfn-bootstrap installation\"\n"
            - "\n"
            - "echo \"\t------------------[] Starting: epel configuration via [qs_enable_epel]\"\n"
            - "# Needed for initial Ansible availability\n"
            - "qs_enable_epel &> /var/log/userdata.qs_enable_epel.log || qs_err \" enable epel failed \"\n"
epel failed " ' - "echo \"\t------------------[] Completed epel configuration \"\n" - ' ' - "echo \"\t------------------[] Starting: installation of awscli \"\n" - 'pip install awscli &> /var/log/userdata.awscli_install.log || qs_err " awscli install failed " ' - "echo \"\t------------------[] Completed: install of awscli \"\n" - ' ' - 'echo "========================================================================================================================" ' - "echo \"\t------------------[] Completed: QuickStart Common Utils \"\ \n" - ' ' - 'echo "========================================================================================================================" ' - "echo \"\t------------------[]Attach to Subscription pool\"\n" - SCRIPT_PATH= - Fn::Sub: s3://${QSS3BucketName}/${QSS3KeyPrefix} - ' ' - "aws s3 cp ${SCRIPT_PATH}scripts/redhat_ose-register.sh ~/redhat_ose-register.sh\ \ \n" - 'chmod 755 ~/redhat_ose-register.sh ' - 'qs_retry_command 20 ~/redhat_ose-register.sh ' - Fn::Sub: '${RedhatSubscriptionUserName} ${RedhatSubscriptionPassword} ${RedhatSubscriptionPoolID} ' - ' ' - 'echo "========================================================================================================================" ' - ' ' - '# Configure Storage ' - "yum install docker -y \n" - "systemctl enable docker.service \n" - "systemctl start docker.service \n" - "echo \"CONTAINER_THINPOOL=docker-pool\" >> /etc/sysconfig/docker-storage-setup\ \ \n" - "echo \"DEVS=/dev/xvdb\" >> /etc/sysconfig/docker-storage-setup \n" - "echo \"VG=docker-vg\" >>/etc/sysconfig/docker-storage-setup \n" - "echo \"STORAGE_DRIVER=devicemapper\" >> /etc/sysconfig/docker-storage-setup\ \ \n" - 'docker-storage-setup ' - 'rm -rf /var/lib/docker ' - 'systemctl restart docker ' - '# Start cfn-init [GetPublicKey, AddPublicKey] ' - 'cfn-init -v ' - ' --stack ' - Ref: AWS::StackName - ' --resource OpenShiftNodesLaunchConfig ' - ' --configsets quickstart ' - ' --region ' - Ref: AWS::Region - ' ' - yum 
install -y atomic-openshift-docker-excluder atomic-openshift-node atomic-openshift-sdn-ovs ceph-common conntrack-tools dnsmasq docker docker-client docker-common docker-rhel-push-plugin glusterfs glusterfs-client-xlators glusterfs-fuse glusterfs-libs iptables-services iscsi-initiator-utils iscsi-initiator-utils-iscsiuio tuned-profiles-atomic-openshift-node - ' ' Type: AWS::AutoScaling::LaunchConfiguration OpenShiftSecurityGroup: Properties: GroupDescription: Allow access to the Workload instances SecurityGroupIngress: - CidrIp: Ref: VPCCIDR IpProtocol: '-1' - CidrIp: Ref: RemoteAccessCIDR FromPort: '8443' IpProtocol: tcp ToPort: '8444' - CidrIp: Ref: RemoteAccessCIDR FromPort: '22' IpProtocol: tcp ToPort: '22' VpcId: Ref: VPCID Type: AWS::EC2::SecurityGroup SetupRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com Path: / Policies: - PolicyDocument: Statement: - Action: - s3:GetObject Effect: Allow Resource: Fn::Sub: arn:aws:s3:::${QSS3BucketName}/${QSS3KeyPrefix}* Version: '2012-10-17' PolicyName: aws-quick-start-s3-policy - PolicyDocument: Statement: - Action: - autoscaling:Describe* - autoscaling:AttachLoadBalancers - ec2:Describe* Effect: Allow Resource: '*' PolicyName: WorkloadSetup Type: AWS::IAM::Role SetupRoleProfile: Properties: Path: / Roles: - Ref: SetupRole Type: AWS::IAM::InstanceProfile Rules: SubnetsInVPC: Assertions: - Assert: Fn::EachMemberIn: - Fn::ValueOfAll: - AWS::EC2::Subnet::Id - VpcId - Fn::RefAll: AWS::EC2::VPC::Id AssertDescription: All subnets must in the VPC