AWSTemplateFormatVersion: 2010-09-09 Description: >- Deploys IAM roles and policies required for the AWS EKS Quick Start (qs-1p7nknohl). Metadata: cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } } Parameters: QSS3BucketName: Type: String AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$ CreateBastionRole: Type: String Default: Enabled AllowedValues: [Enabled, Disabled] BastionIAMRoleName: Type: String Default: '' CloudFormationKubernetesVPCRoleExists: Type: String Default: '' Conditions: EnableBastionRole: !Equals [!Ref CreateBastionRole, Enabled] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart] CreateCloudFormationKubernetesVPCRole: !Not - !Equals [!Ref CloudFormationKubernetesVPCRoleExists, CloudFormation-Kubernetes-VPC] Resources: KubernetesAdminRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: [EIAMPolicyWildcardResource] ignore_reasons: EIAMPolicyWildcardResource: >- Action eks:DescribeAddonConfiguration requires a wildcard resource. As of 2023-02-05, cfn-lint falsely reports this as an issue. Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: eksStackPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - eks:CreateCluster - eks:DescribeAddonConfiguration - eks:DescribeAddonVersions - eks:ListClusters Resource: '*' - Effect: Allow Action: - eks:AccessKubernetesApi - eks:AssociateEncryptionConfig - eks:AssociateIdentityProviderConfig - eks:CreateAddon - eks:CreateFargateProfile - eks:CreateNodegroup - eks:DeleteAddon - eks:DeleteCluster - eks:DeleteNodegroup - eks:DeleteFargateProfile - eks:DescribeAddon - eks:DescribeCluster - eks:DescribeFargateProfile - eks:DescribeIdentityProviderConfig - eks:DescribeNodegroup - eks:DescribeUpdate - eks:DisassociateIdentityProviderConfig - eks:ListAddons - eks:ListFargateProfiles - eks:ListIdentityProviderConfigs - eks:ListNodegroups - eks:ListTagsForResource - eks:ListUpdates - eks:TagResource - eks:UntagResource - eks:UpdateAddon - eks:UpdateClusterConfig - eks:UpdateClusterVersion - eks:UpdateNodegroupConfig - eks:UpdateNodegroupVersion Resource: - !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:addon/*/*/* - !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/* - !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:fargateprofile/*/*/* - !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:identityproviderconfig/*/*/*/* - !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:nodegroup/*/*/* - Effect: Allow Action: - ec2:DescribeNetworkInterfaces - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs Resource: '*' - Effect: Allow Action: - ec2:CreateNetworkInterface - ec2:DeleteNetworkInterface Resource: - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:*/* # https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions - Effect: Allow Action: - events:DeleteRule - events:PutRule - events:PutTargets - events:RemoveTargets Resource: - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/* # Default event bus - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*/* # Custom event bus - Effect: Allow Action: - lambda:AddPermission - lambda:InvokeFunction - lambda:RemovePermission Resource: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:* - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:* - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:log-stream:* - Effect: Allow Action: s3:GetObject Resource: !Sub arn:${AWS::Partition}:s3:::*/* BastionRole: Condition: EnableBastionRole Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: !Sub ec2.${AWS::URLSuffix} Action: sts:AssumeRole Policies: - PolicyName: QSBucketAccess PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - ec2:DescribeAddresses - eks:ListClusters Resource: '*' - Effect: Allow Action: ec2:AssociateAddress Resource: - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:elastic-ip/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/* - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:GetLogEvents - logs:PutLogEvents - logs:PutMetricFilter - logs:PutRetentionPolicy Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:* - Effect: Allow Action: s3:GetObject Resource: !Sub - arn:${AWS::Partition}:s3:::${BucketName}/* - BucketName: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy CloudFormationKubernetesVPCRole: Type: Custom::CreateCloudFormationKubernetesVPCRole Condition: CreateCloudFormationKubernetesVPCRole Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-CloudFormationVPCRoleCreation Partition: !Ref AWS::Partition Outputs: KubernetesAdminRoleArn: Value: !GetAtt KubernetesAdminRole.Arn BastionRole: Value: !If [EnableBastionRole, !Ref BastionRole, !Ref BastionIAMRoleName]