AWSTemplateFormatVersion: 2010-09-09 Description: Deploys the EKS control plane (qs-1p7nknofn). Metadata: cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } } Parameters: SecurityGroupIds: Type: List SubnetIds: Type: List RoleArn: Type: String AdditionalEKSAdminUserArn: Type: String Default: '' AdditionalEKSAdminRoleArn: Type: String Default: '' KubernetesVersion: Type: String Default: '' CustomNodeRole: Type: String Default: '' BastionRole: Type: String Default: '' FunctionRoleArn: Type: String EKSPublicAccessCIDRs: Type: List Default: 0.0.0.0/0 EKSPublicAccessEndpoint: Type: String AllowedValues: [Enabled, Disabled] Default: Disabled EKSPrivateAccessEndpoint: Type: String AllowedValues: [Enabled, Disabled] Default: Enabled EKSClusterLoggingTypes: Type: List Default: '' EKSEncryptSecrets: Type: String AllowedValues: [Enabled, Disabled] Default: Enabled EKSEncryptSecretsKmsKeyArn: Type: String Default: '' EKSClusterName: Type: String Conditions: AddUser: !Not [!Equals [!Ref AdditionalEKSAdminUserArn, '']] AddRole: !Not [!Equals [!Ref AdditionalEKSAdminRoleArn, '']] CustomNodeRoleProvided: !Not [!Equals [!Ref CustomNodeRole, '']] BastionRole: !Not [!Equals [!Ref BastionRole, '' ] ] EnablePrivateEndpoint: !Equals [!Ref EKSPrivateAccessEndpoint, Enabled] EnablePublicEndpoint: !Equals [!Ref EKSPublicAccessEndpoint, Enabled] CreateKey: !And - !Equals [!Ref EKSEncryptSecretsKmsKeyArn, ''] - !Equals [!Ref EKSEncryptSecrets, Enabled] EnableEncryption: !Equals [!Ref EKSEncryptSecrets, Enabled] LoggingEnabled: !Not [!Equals [!Select [0, !Ref EKSClusterLoggingTypes], '']] Resources: KMSKey: Condition: CreateKey Type: AWS::KMS::Key Metadata: cfn-lint: config: ignore_checks: [EIAMPolicyActionWildcard, EIAMPolicyWildcardResource, EKMSKeyEnableKeyRotation] ignore_reasons: EKMSKeyEnableKeyRotation: >- Need to experiment further with the effects of rotating keys and EKS secrets. EIAMPolicyWildcardResource: >- This is the default kms policy as per https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default. Properties: KeyPolicy: Version: 2012-10-17 Id: key-default-1 Statement: - Sid: Enable IAM User Permissions Effect: Allow Principal: AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root Action: kms:* Resource: '*' EKS: Type: AWSQS::EKS::Cluster DependsOn: CleanupLoadBalancers Properties: Name: !Ref EKSClusterName ResourcesVpcConfig: SecurityGroupIds: !Ref SecurityGroupIds SubnetIds: !Ref SubnetIds PublicAccessCidrs: !Ref EKSPublicAccessCIDRs EndpointPrivateAccess: !If [EnablePrivateEndpoint, true, false] EndpointPublicAccess: !If [EnablePublicEndpoint, true, false] EnabledClusterLoggingTypes: !If [LoggingEnabled, !Ref EKSClusterLoggingTypes, !Ref AWS::NoValue] EncryptionConfig: !If - EnableEncryption - - Resources: [secrets] Provider: KeyArn: !If [CreateKey, !GetAtt KMSKey.Arn, !Ref EKSEncryptSecretsKmsKeyArn] - !Ref AWS::NoValue RoleArn: !Ref RoleArn Version: !Ref KubernetesVersion KubernetesApiAccess: Roles: - Arn: !Sub - arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${NodeRole} - NodeRole: !If - CustomNodeRoleProvided - !Ref CustomNodeRole - eks-quickstart-UnmanagedNodeInstance Username: system:node:{{EC2PrivateDNSName}} Groups: [system:bootstrappers, system:nodes, eks:kube-proxy-windows] - Arn: !Ref FunctionRoleArn Username: !Ref FunctionRoleArn Groups: [system:masters] - Arn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-helm Username: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-helm Groups: [system:masters] - Arn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-get Username: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-get Groups: [system:masters] - Arn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-resource Username: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-resource Groups: [system:masters] # We don't know whether GetCallerArn returned a user arn or a role arn, so we just add it to both - Arn: !GetAtt CallerArn.Arn Username: !GetAtt CallerArn.Arn Groups: [system:masters] - !If - BastionRole - Arn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${BastionRole} Username: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${BastionRole} Groups: [system:masters] - !Ref AWS::NoValue - !If - AddRole - Arn: !Ref AdditionalEKSAdminRoleArn Username: !Ref AdditionalEKSAdminRoleArn Groups: [system:masters] - !Ref AWS::NoValue Users: # We don't know whether GetCallerArn returned a user arn or a role arn, so we just add it to both - Arn: !GetAtt CallerArn.Arn Username: !GetAtt CallerArn.Arn Groups: [system:masters] - !If - AddUser - Arn: !Ref AdditionalEKSAdminUserArn Username: !Ref AdditionalEKSAdminUserArn Groups: [system:masters] - !Ref AWS::NoValue CleanupLoadBalancers: Type: Custom::CleanupLoadBalancers Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-CleanupLoadBalancers ClusterName: !Ref EKSClusterName CallerArn: Type: Custom::GetCallerArn Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-GetCallerArn ClusterOIDCProvider: Type: AWS::IAM::OIDCProvider Properties: ClientIdList: - sts.amazonaws.com - !Sub sts.${AWS::Region}.amazonaws.com ThumbprintList: # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280 Url: !GetAtt EKS.OIDCIssuerURL Outputs: EksArn: Value: !GetAtt EKS.Arn CAData: Value: !GetAtt EKS.CertificateAuthorityData EKSEndpoint: Value: !GetAtt EKS.Endpoint OIDCIssuerURL: Value: !GetAtt EKS.OIDCIssuerURL OIDCProviderArn: Value: !Ref ClusterOIDCProvider OIDCProviderEndpoint: Value: !Join ['', !Split [https://, !GetAtt EKS.OIDCIssuerURL]] EKSName: Value: !Ref EKS