AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ControlPlaneRole:
    Type: "AWS::IAM::Role"
    Properties:
      Policies:
        - PolicyName: ec2-describe-policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeAccountAttributes
                  - ec2:DescribeAddresses
                  - ec2:DescribeInternetGateways
                Resource: '*'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy'
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 8400
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "lambda.amazonaws.com"
                - "resources.cloudformation.amazonaws.com"
            Action: sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: ResourceTypePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                    - "secretsmanager:GetSecretValue"
                    - "kms:Decrypt"
                    - "eks:DescribeCluster"
                    - "s3:GetObject"
                    - "sts:AssumeRole"
                    - "iam:PassRole"
                    - "ec2:CreateNetworkInterface"
                    - "ec2:DeleteNetworkInterface"
                    - "ec2:Describe*"
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                    - "lambda:*"
                    - "cloudformation:ListExports"
                    - "ssm:*Parameter"
                Resource: "*"
  LogDeliveryRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
                - resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: ResourceTypePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:DescribeLogGroups"
                  - "logs:DescribeLogStreams"
                  - "logs:PutLogEvents"
                  - "cloudwatch:ListMetrics"
                  - "cloudwatch:PutMetricData"
                Resource: "*"
  VPCStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-aws-vpc/templates/aws-vpc.template.yaml'
      Parameters:
        AvailabilityZones: !Sub 
         - "${AZ1},${AZ2}"
         - AZ1: !Select [0, Fn::GetAZs: !Ref 'AWS::Region']
           AZ2: !Select [1, Fn::GetAZs: !Ref 'AWS::Region']
        NumberOfAZs: 2
        PrivateSubnet1ACIDR: '10.0.0.0/24'
        PrivateSubnet2ACIDR: '10.0.1.0/24'
        PrivateSubnet3ACIDR: '10.0.2.0/24'
        PrivateSubnetATag2: "kubernetes.io/role/internal-elb="
        PublicSubnet1CIDR: '10.0.10.0/24'
        PublicSubnet2CIDR: '10.0.11.0/24'
        PublicSubnet3CIDR: '10.0.12.0/24'
        PublicSubnetTag2: "kubernetes.io/role/elb="
        VPCCIDR: '10.0.0.0/16'
  ControlPlaneSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster communication
      VpcId: !GetAtt VPCStack.Outputs.VPCID
  Cluster:
    Type: "AWSQS::EKS::Cluster"
    Properties:
      Name: k8s-contract-test
      RoleArn: !GetAtt ControlPlaneRole.Arn
      KubernetesNetworkConfig:
        ServiceIpv4Cidr: "192.168.0.0/16"
      ResourcesVpcConfig:
        SubnetIds:
          - !GetAtt VPCStack.Outputs.PrivateSubnet1AID
          - !GetAtt VPCStack.Outputs.PrivateSubnet2AID
        SecurityGroupIds:
          - !Ref ControlPlaneSecurityGroup
        PublicAccessCidrs:
          - 0.0.0.0/0
        EndpointPublicAccess: true
      KubernetesApiAccess:
        Roles:
          - Arn: !GetAtt ExecutionRole.Arn
            Username: "AdminRole"
            Groups: [ "system:masters" ]
  WorkerRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly'
  EKSNodegroup:
    Type: 'AWS::EKS::Nodegroup'
    Properties:
      ClusterName: !Ref Cluster
      NodeRole: !GetAtt WorkerRole.Arn
      ScalingConfig:
        MinSize: 1
        DesiredSize: 1
        MaxSize: 3
      Subnets:
        - !GetAtt VPCStack.Outputs.PrivateSubnet1AID
        - !GetAtt VPCStack.Outputs.PrivateSubnet2AID
Outputs:
  ClusterName:
    Value: !Ref Cluster
    Export:
      Name: AwsqsEksClusterContractTestClusterName
  ExecutionRoleArn:
    Value: !GetAtt ExecutionRole.Arn
  LogRoleArn:
    Value: !GetAtt LogDeliveryRole.Arn