AWSTemplateFormatVersion: "2010-09-09" Description: Deploys IAM roles and policies required for the AWS EKS Quick Start (qs-1p7nknohl) Parameters: LambdaZipsBucketName: Description: Bucket Name where the lambda zip files should be placed Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: 'Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).' Default: aws-quickstart Description: 'S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).' Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/.]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), dots(.) and forward slash (/). Default: quickstart-amazon-eks/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), dots(.) and forward slash (/). Type: String DeleteLambdaZipsBucketContents: Type: String AllowedValues: [ "True", "False" ] Default: "False" KubeConfigBucket: Type: String KubeConfigKey: Type: String Default: ".kube/config.enc" CreateBastionRole: Type: String Default: "Enabled" AllowedValues: ["Enabled", "Disabled"] BastionIAMRoleName: Type: String Default: "" Conditions: CreateDeleteBucketContentsRole: !Equals [!Ref 'DeleteLambdaZipsBucketContents', "True"] EnableBastionRole: !Equals [!Ref CreateBastionRole, "Enabled"] CustomBastionRole: !Not [!Equals [!Ref 'BastionIAMRoleName', '']] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: DeleteBucketContentsRole: Condition: CreateDeleteBucketContentsRole Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Policies: - PolicyName: deletebucketcontents PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:* Resource: - !Sub 'arn:aws:s3:::${LambdaZipsBucketName}/*' - !Sub 'arn:aws-cn:s3:::${LambdaZipsBucketName}' CopyZipsRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' Policies: - PolicyName: lambda-copier PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetObject Resource: !Sub - 'arn:aws:s3:::${BucketName}/${QSS3KeyPrefix}*' - BucketName: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Effect: Allow Action: - s3:PutObject - s3:DeleteObject Resource: !Sub 'arn:${AWS::Partition}:s3:::${LambdaZipsBucketName}/${QSS3KeyPrefix}*' ControlPlaneProvisionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: !GetAtt QuickStartStackMakerRole.Arn Action: sts:AssumeRole - !If - EnableBastionRole - Effect: Allow Principal: AWS: !GetAtt BastionRole.Arn Action: sts:AssumeRole - !Ref AWS::NoValue - !If - CustomBastionRole - Effect: Allow Principal: AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${BastionIAMRoleName}' Action: sts:AssumeRole - !Ref AWS::NoValue - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: eksStackPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - cloudformation:* - eks:* - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs - lambda:InvokeFunction Resource: "*" - Effect: Allow Action: s3:GetObject Resource: !Sub - "arn:${AWS::Partition}:s3:::${BucketName}/*" - BucketName: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - ec2:CreateNetworkInterface - ec2:DescribeNetworkInterfaces - ec2:DeleteNetworkInterface Resource: - "*" - Action: "kms:decrypt" Effect: Allow Resource: "*" - Action: "s3:GetObject" Effect: Allow Resource: !Sub "arn:${AWS::Partition}:s3:::${KubeConfigBucket}/${KubeConfigKey}" - Effect: Allow Action: - lambda:AddPermission - lambda:RemovePermission Resource: "*" - Effect: Allow Action: - events:PutRule - events:DeleteRule - events:PutTargets - events:RemoveTargets Resource: "*" ControlPlaneRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: eks.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy' ControlPlanePassRole: Type: "AWS::IAM::Policy" Properties: PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: iam:PassRole Resource: !GetAtt ControlPlaneRole.Arn PolicyName: !Sub "${AWS::StackName}-ControlPlanePassRole" Roles: [ !Ref ControlPlaneProvisionRole ] QuickStartStackMakerRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: CfnStackAssumeRole PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - lambda:AddPermission - lambda:RemovePermission Resource: "*" - Effect: Allow Action: - events:PutRule - events:DeleteRule - events:PutTargets - events:RemoveTargets Resource: "*" - Effect: Allow Action: - iam:PassRole Resource: !GetAtt ControlPlaneRole.Arn - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub 'arn:${AWS::Partition}:logs:*:*:*' NodeInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref NodeInstanceRole NodeInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: "/" ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess' Policies: - PolicyName: QSBucketAccess PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: s3:GetObject Resource: !Sub - "arn:${AWS::Partition}:s3:::${BucketName}/${QSS3KeyPrefix}*" - BucketName: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] BastionRole: Condition: EnableBastionRole Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: QSBucketAccess PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: s3:GetObject Resource: !Sub - "arn:${AWS::Partition}:s3:::${BucketName}/*" - BucketName: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Effect: Allow Action: - logs:CreateLogStream - logs:GetLogEvents - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:PutRetentionPolicy - logs:PutMetricFilter - logs:CreateLogGroup Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*" - Effect: Allow Action: - ec2:AssociateAddress - ec2:DescribeAddresses - eks:ListClusters Resource: "*" ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM' KubeConfigUploadRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: [lambda.amazonaws.com] Version: '2012-10-17' Path: / Policies: - PolicyName: LambdaRole PolicyDocument: Version: '2012-10-17' Statement: - Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Effect: Allow Resource: !Sub "arn:${AWS::Partition}:logs:*:*:*" - Action: - 's3:PutObject' - 's3:PutObjectAcl' - 's3:DeleteObject' Effect: Allow Resource: !Sub "arn:${AWS::Partition}:s3:::${KubeConfigBucket}/${KubeConfigKey}" - Action: "kms:encrypt" Effect: Allow Resource: "*" CleanupLoadBalancersRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: [lambda.amazonaws.com] Version: '2012-10-17' Path: / Policies: - PolicyName: LambdaRole PolicyDocument: Version: '2012-10-17' Statement: - Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Effect: Allow Resource: !Sub "arn:${AWS::Partition}:logs:*:*:*" - Action: - 'elasticloadbalancing:DescribeLoadBalancers' - 'elasticloadbalancing:DescribeTags' - 'elasticloadbalancing:DeleteLoadBalancer' - 'ec2:DescribeTags' - 'ec2:DeleteSecurityGroup' - 'ec2:DescribeNetworkInterfaces' - 'ec2:DescribeSecurityGroups' - 'ec2:RevokeSecurityGroupEgress' - 'ec2:RevokeSecurityGroupIngress' Effect: Allow Resource: "*" CleanupSecurityGroupDependenciesRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: [lambda.amazonaws.com] Version: '2012-10-17' Path: / Policies: - PolicyName: LambdaRole PolicyDocument: Version: '2012-10-17' Statement: - Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Effect: Allow Resource: !Sub "arn:${AWS::Partition}:logs:*:*:*" - Action: - 'ec2:DescribeNetworkInterfaces' - 'ec2:DescribeSecurityGroups' - 'ec2:RevokeSecurityGroupEgress' - 'ec2:RevokeSecurityGroupIngress' - 'ec2:DeleteNetworkInterface' - 'ec2:DetachNetworkInterface' Effect: Allow Resource: "*" GetCallerArnRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: [lambda.amazonaws.com] Version: '2012-10-17' Path: / Policies: - PolicyName: LambdaRole PolicyDocument: Version: '2012-10-17' Statement: - Action: - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Effect: Allow Resource: !Sub "arn:${AWS::Partition}:logs:*:*:*" - Action: - 'cloudformation:DescribeStacks' - 'cloudtrail:LookupEvents' Effect: Allow Resource: "*" Outputs: DeleteBucketContentsRoleArn: Value: !If [ CreateDeleteBucketContentsRole, !GetAtt DeleteBucketContentsRole.Arn, "" ] CopyZipsRoleArn: Value: !GetAtt CopyZipsRole.Arn QuickStartStackMakerRoleArn: Value: !GetAtt QuickStartStackMakerRole.Arn ControlPlaneRoleArn: Value: !GetAtt ControlPlaneRole.Arn ControlPlaneProvisionRoleArn: Value: !GetAtt ControlPlaneProvisionRole.Arn NodeInstanceProfile: Value: !Ref NodeInstanceProfile NodeInstanceRoleArn: Value: !GetAtt NodeInstanceRole.Arn NodeInstanceRoleName: Value: !Ref NodeInstanceRole BastionRole: Value: !If [EnableBastionRole, !Ref BastionRole, ""] KubeConfigUploadRoleArn: Value: !GetAtt KubeConfigUploadRole.Arn CleanupLoadBalancersRoleArn: Value: !GetAtt CleanupLoadBalancersRole.Arn CleanupSecurityGroupDependenciesRoleArn: Value: !GetAtt CleanupSecurityGroupDependenciesRole.Arn GetCallerArnRoleArn: Value: !GetAtt GetCallerArnRole.Arn