AWSTemplateFormatVersion: 2010-09-09 Description: >- Deploys Lambda functions required for the AWS EKS Quick Start (qs-1p7nknoh4). Metadata: cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } } Parameters: QSS3KeyPrefix: Type: String KubernetesAdminRoleArn: Type: String VPCID: Type: AWS::EC2::VPC::Id ControlPlaneSecurityGroup: Type: String EKSSubnetIds: Type: List EKSClusterName: Type: String HttpProxy: Type: String Default: '' Conditions: NoProxy: !Equals [!Ref HttpProxy, ''] Resources: CleanupLambdaSecurityGroupDependencies: Type: Custom::CleanupSecurityGroupDependencies Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-CleanupSecurityGroupDependencies Region: !Ref AWS::Region SecurityGroups: [!Ref EKSLambdaSecurityGroup] EKSLambdaSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: >- Security group for lambda to communicate with cluster API. VpcId: !Ref VPCID ClusterControlPlaneSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress DependsOn: [CleanupLambdaSecurityGroupDependencies] Properties: Description: Allow lambda to communicate with the cluster API Server. GroupId: !Ref ControlPlaneSecurityGroup SourceSecurityGroupId: !Ref EKSLambdaSecurityGroup IpProtocol: tcp ToPort: 443 FromPort: 443 GetVpcCidr: Type: Custom::ResourceReader Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader AwsCliCommand: !Sub ec2 describe-vpcs --vpc-id ${VPCID} --query 'Vpcs[0].{CidrBlock:CidrBlock}' IdField: CidrBlock GetKubectlLayerArn: Type: Custom::ResourceReader Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader AwsCliCommand: lambda list-layer-versions --layer-name eks-quickstart-Kubectl --query 'max_by(LayerVersions, &Version)' IdField: LayerVersionArn GetCrHelperLayerArn: Type: Custom::ResourceReader Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader AwsCliCommand: lambda list-layer-versions --layer-name eks-quickstart-CrHelper --query 'max_by(LayerVersions, &Version)' IdField: LayerVersionArn GetAwsCliLayerArn: Type: Custom::ResourceReader Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader AwsCliCommand: lambda list-layer-versions --layer-name eks-quickstart-AwsCli --query 'max_by(LayerVersions, &Version)' IdField: LayerVersionArn KubeResourceFunction: Type: AWS::Lambda::Function DependsOn: [ClusterControlPlaneSecurityGroupIngress] Properties: FunctionName: !Sub awsqs-kubernetes-resource-proxy-${EKSClusterName} Handler: awsqs_kubernetes_resource.utils.proxy_wrap MemorySize: 256 Role: !Ref KubernetesAdminRoleArn Runtime: python3.8 Timeout: 900 Code: S3Bucket: !Sub eks-quickstart-lambdazips-${AWS::Region}-${AWS::AccountId} S3Key: !Sub ${QSS3KeyPrefix}functions/packages/kubernetesResources/awsqs_kubernetes_apply_vpc.zip Environment: Variables: KUBECONFIG: /tmp/.kube/config HTTPS_PROXY: !If [NoProxy, !Ref AWS::NoValue, !Ref HttpProxy] HTTP_PROXY: !If [NoProxy, !Ref AWS::NoValue, !Ref HttpProxy] NO_PROXY: !Sub ${GetVpcCidr},localhost,127.0.0.1,169.254.169.254,.internal VpcConfig: SecurityGroupIds: [!Ref EKSLambdaSecurityGroup] SubnetIds: !Ref EKSSubnetIds LegacyKubeManifestFunction: Type: AWS::Lambda::Function DependsOn: [ClusterControlPlaneSecurityGroupIngress] Properties: FunctionName: !Sub eks-quickstart-KubeManifest-${EKSClusterName} Handler: index.handler MemorySize: 256 Role: !Ref KubernetesAdminRoleArn Runtime: python3.9 Timeout: 900 Layers: [!Ref GetKubectlLayerArn, !Ref GetCrHelperLayerArn, !Ref GetAwsCliLayerArn] Code: S3Bucket: !Sub eks-quickstart-lambdazips-${AWS::Region}-${AWS::AccountId} S3Key: !Sub ${QSS3KeyPrefix}functions/packages/KubeManifest/lambda.zip Environment: Variables: KUBECONFIG: /tmp/.kube/config HTTPS_PROXY: !If [NoProxy, !Ref AWS::NoValue, !Ref HttpProxy] HTTP_PROXY: !If [NoProxy, !Ref AWS::NoValue, !Ref HttpProxy] NO_PROXY: !Sub ${GetVpcCidr},localhost,127.0.0.1,169.254.169.254,.internal VpcConfig: SecurityGroupIds: [!Ref ControlPlaneSecurityGroup] SubnetIds: !Ref EKSSubnetIds LegacyKubeGetFunction: Type: AWS::Lambda::Function DependsOn: [ClusterControlPlaneSecurityGroupIngress] Properties: FunctionName: !Sub eks-quickstart-KubeGet-${EKSClusterName} Handler: index.handler MemorySize: 256 Role: !Ref KubernetesAdminRoleArn Runtime: python3.9 Timeout: 900 Layers: [!Ref GetKubectlLayerArn, !Ref GetCrHelperLayerArn, !Ref GetAwsCliLayerArn] Environment: Variables: KUBECONFIG: /tmp/.kube/config HTTPS_PROXY: !If [NoProxy, !Ref AWS::NoValue, !Ref HttpProxy] HTTP_PROXY: !If [NoProxy, !Ref AWS::NoValue, !Ref HttpProxy] NO_PROXY: !Sub ${GetVpcCidr},localhost,127.0.0.1,169.254.169.254,.internal Code: S3Bucket: !Sub eks-quickstart-lambdazips-${AWS::Region}-${AWS::AccountId} S3Key: !Sub ${QSS3KeyPrefix}functions/packages/KubeGet/lambda.zip VpcConfig: SecurityGroupIds: [!Ref ControlPlaneSecurityGroup] SubnetIds: !Ref EKSSubnetIds