AWSTemplateFormatVersion: 2010-09-09 Description: Prepare an existing EKS cluster (qs-1p817r5f9). Metadata: QuickStartDocumentation: EntrypointName: Prepare an existing EKS cluster Order: Index c AWS::CloudFormation::Interface: ParameterGroups: - Label: default: EKS cluster details Parameters: - KubeClusterName - VPCID - K8sSubnetIds - HttpProxy - ControlPlaneSecurityGroup - PerAccountSharedResources - PerRegionSharedResources - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: KubeClusterName: default: EKS cluster name ControlPlaneSecurityGroup: default: EKS security group K8sSubnetIds: default: EKS subnet IDs PerAccountSharedResources: default: Deploy account-level shared resources PerRegionSharedResources: default: Deploy Region-level shared resources VPCID: default: VPC ID QSS3BucketName: default: Quick Start S3 bucket name QSS3KeyPrefix: default: Quick Start S3 key prefix QSS3BucketRegion: default: Quick Start S3 bucket Region HttpProxy: default: HTTP proxy Parameters: KubeClusterName: Type: String Description: Name of the EKS cluster to enable for AWS CloudFormation. K8sSubnetIds: Type: String Description: >- (Optional) Comma-separated list of subnet IDs associated with the EKS cluster. There must be routes to the Kubernetes, AWS CloudFormation, and EKS endpoints. Leave this blank for publicly accessible clusters. Default: '' ControlPlaneSecurityGroup: Type: String Description: >- (Optional) Security group ID attached to the EKS cluster. This must allow egress traffic to the Kubernetes, AWS CloudFormation, and EKS endpoints. Leave this blank for publicly accessible clusters. Default: '' PerAccountSharedResources: Type: String Description: >- Choose "No" if you already deployed the EKS account shared resources in this AWS account. AllowedValues: [AutoDetect, 'Yes', 'No'] Default: AutoDetect PerRegionSharedResources: Type: String Description: >- Choose "No" if you already deployed the EKS shared resources stack in your Region. AllowedValues: [AutoDetect, 'Yes', 'No'] Default: AutoDetect VPCID: Type: AWS::EC2::VPC::Id Description: >- ID of the VPC that contains your EKS cluster (example: vpc-0343606e). QSS3BucketName: Type: String Description: >- S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-). AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$ ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart QSS3KeyPrefix: Type: String Description: >- S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), periods (.) and forward slash (/). AllowedPattern: ^[0-9a-zA-Z-/.]*$ ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), periods (.) and forward slash (/). Default: quickstart-amazon-eks/ QSS3BucketRegion: Type: String Description: >- Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. Default: us-east-1 HttpProxy: Type: String Description: >- (Optional) HTTP(S) proxy configuration. If you provide a value, all worker nodes and pod egress traffic uses this proxy (example: http://10.101.0.100:3128/). Default: '' Conditions: DetectSharedStacks: !And - !Equals [!Ref PerAccountSharedResources, AutoDetect] - !Equals [!Ref PerRegionSharedResources, AutoDetect] CreatePerAccountSharedResources: !Equals [!Ref PerAccountSharedResources, 'Yes'] CreatePerRegionSharedResources: !Equals [!Ref PerRegionSharedResources, 'Yes'] UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart] Resources: CloudFormationKubernetesVPCRoleExists: Metadata: DependsOn: - !If [CreatePerRegionSharedResources, !Ref RegionalSharedResources, !Ref AWS::NoValue] - !If [CreatePerAccountSharedResources, !Ref AccountSharedResources, !Ref AWS::NoValue] - !If [DetectSharedStacks, !Ref AutoDetectSharedResources, !Ref AWS::NoValue] Type: Custom::ResourceReader Properties: ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader AwsCliCommand: >- iam list-roles --query 'Roles[?RoleName==`CloudFormation-Kubernetes-VPC`].RoleName | {RoleName: [0]}' IdField: RoleName AutoDetectSharedResources: Type: AWS::CloudFormation::Stack Condition: DetectSharedStacks Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-prerequisites.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix AccountSharedResources: Type: AWS::CloudFormation::Stack Condition: CreatePerAccountSharedResources DeletionPolicy: Retain Metadata: { cfn-lint: { config: { ignore_checks: [W3011] } } } Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/amazon-eks-per-account-resources.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Tags: [{ Key: eks-quickstart, Value: AccountSharedResources }] RegionalSharedResources: Type: AWS::CloudFormation::Stack Condition: CreatePerRegionSharedResources DeletionPolicy: Retain Metadata: cfn-lint: { config: { ignore_checks: [W3011] } } DependsOn: !If [CreatePerAccountSharedResources, !Ref AccountSharedResources, !Ref AWS::NoValue] Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/amazon-eks-per-region-resources.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3KeyPrefix: !Ref QSS3KeyPrefix Tags: [{ Key: eks-quickstart, Value: RegionalSharedResources }] IamStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-iam.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName CreateBastionRole: Disabled BastionIAMRoleName: '' CloudFormationKubernetesVPCRoleExists: !Ref CloudFormationKubernetesVPCRoleExists FunctionStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-functions.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3KeyPrefix: !Ref QSS3KeyPrefix KubernetesResourceVPCProxyRoleArn: !GetAtt IamStack.Outputs.KubernetesResourceVPCProxyRoleArn KubernetesAdminRoleArn: !GetAtt IamStack.Outputs.KubernetesAdminRoleArn ControlPlaneSecurityGroup: !Ref ControlPlaneSecurityGroup VPCID: !Ref VPCID EKSSubnetIds: !Ref K8sSubnetIds EKSClusterName: !Ref KubeClusterName HttpProxy: !Ref HttpProxy Outputs: EKSAdminRoleArn: Value: !GetAtt IamStack.Outputs.KubernetesAdminRoleArn HelmRoleArn: Value: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/awsqs-kubernetes-helm Rules: AutoDetectSharedParams: RuleCondition: !Or - !Equals [!Ref PerRegionSharedResources, AutoDetect] - !Equals [!Ref PerAccountSharedResources, AutoDetect] Assertions: - Assert: !And - !Equals [!Ref PerRegionSharedResources, AutoDetect] - !Equals [!Ref PerAccountSharedResources, AutoDetect] AssertDescription: AutDetect must be set/unset for both PerRegionSharedResources and PerAccountSharedResources