AWSTemplateFormatVersion: 2010-09-09
Description: >-
Shared resources required by all Amazon EKS Quick Start stacks in this
account (qs-1r0qgtn7j).
Conditions:
Commercial: !Equals [!Ref AWS::Partition, aws]
Resources:
CopyZipsRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-CopyZips
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: lambda-zips-s3-read
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: s3:GetObject
Resource: !Sub arn:${AWS::Partition}:s3:::*/*
GenerateClusterNameRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-GenerateClusterName
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
ResourceReaderRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-ResourceReader
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
CreateVpcRoleRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-CreateVpcRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: create-role
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: iam:CreateRole
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudFormation-Kubernetes-VPC
- Effect: Allow
Action: iam:AttachRolePolicy
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudFormation-Kubernetes-VPC
Condition:
ArnEquals:
iam:PolicyARN:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
DeleteBucketContentsRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-DeleteBucketContents
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
ControlPlaneRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-ControlPlane
Policies:
- PolicyName: ec2-describe-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ec2:DescribeAccountAttributes
- ec2:DescribeAddresses
- ec2:DescribeInternetGateways
Resource: '*'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: eks.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSVPCResourceController
CleanupLoadBalancersRole:
Type: AWS::IAM::Role
Metadata:
cfn-lint:
config:
ignore_checks: [EIAMPolicyWildcardResource]
ignore_reasons:
EIAMPolicyWildcardResource: >-
Action elasticloadbalancing:DescribeTags requires a wildcard
resource. As of 2023-02-05, cfn-lint falsely reports this as an
issue.
Properties:
RoleName: eks-quickstart-CleanupLoadBalancers
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: LambdaRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ec2:DescribeTags
- ec2:DescribeNetworkInterfaces
- ec2:DescribeSecurityGroups
Resource: '*'
- Effect: Allow
Action:
- ec2:DeleteNetworkInterface
- ec2:DetachNetworkInterface
Resource:
- !Sub arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*
- !Sub arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:network-interface/*
- Effect: Allow
Action:
- ec2:DeleteSecurityGroup
- ec2:RevokeSecurityGroupEgress
- ec2:RevokeSecurityGroupIngress
Resource: !Sub arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:security-group/*
- Effect: Allow
Action:
- elasticloadbalancing:DescribeLoadBalancers
- elasticloadbalancing:DescribeTags
Resource: '*'
- Effect: Allow
Action:
- elasticloadbalancing:DeleteLoadBalancer
Resource:
- !Sub arn:${AWS::Partition}:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/app/*/* # ALB
- !Sub arn:${AWS::Partition}:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/net/*/* # NLB
- !Sub arn:${AWS::Partition}:elasticloadbalancing:*:${AWS::AccountId}:loadbalancer/* # Classic
CleanupSecurityGroupDependenciesRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-CleanupSecurityGroupDependencies
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: LambdaRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ec2:DescribeNetworkInterfaces
- ec2:DescribeSecurityGroups
Resource: '*'
- Effect: Allow
Action:
- ec2:DeleteNetworkInterface
- ec2:DetachNetworkInterface
Resource:
- !Sub arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*
- !Sub arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:network-interface/*
- Effect: Allow
Action:
- ec2:DeleteSecurityGroup
- ec2:RevokeSecurityGroupEgress
- ec2:RevokeSecurityGroupIngress
Resource: !Sub arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:security-group/*
CleanupLambdasRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-CleanupLambdas
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: LambdaRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: lambda:ListFunctions
Resource: '*'
- Effect: Allow
Action:
- lambda:DeleteFunction
- lambda:UpdateFunctionConfiguration
Resource: !Sub arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:*
GetCallerArnRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-GetCallerArn
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: LambdaRole
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: cloudformation:DescribeStacks
Resource: !Sub arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/*/*
- Effect: Allow
Action: cloudtrail:LookupEvents
Resource: '*'
RegisterTypeRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-RegisterType
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: ResourceTypePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: sts:GetCallerIdentity
Resource: '*'
- Effect: Allow
Action:
- cloudformation:DeregisterType
- cloudformation:DescribeType
- cloudformation:DescribeTypeRegistration
- cloudformation:ListTypeVersions
- cloudformation:RegisterType
- cloudformation:SetTypeDefaultVersion
Resource: '*'
- Effect: Allow
Action:
- iam:AttachRolePolicy
- iam:CreateRole
- iam:PassRole
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*
- Effect: Allow
Action:
- iam:CreatePolicy
- iam:CreatePolicyVersion
- iam:DeletePolicyVersion
- iam:ListPolicyVersions
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/*
- Effect: Allow
Action: s3:GetObject
Resource: !Sub arn:${AWS::Partition}:s3:::*/*
- Effect: Allow
Action:
- ssm:GetParameter
- ssm:PutParameter
Resource: !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/*
NodeSGRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-NodeSG
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: DescribeNodeGroups
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: eks:DescribeNodeGroup
Resource: !Sub arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*/*/*
FargateExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-FargateExecution
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: eks-fargate-pods.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy
FargateProfileRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-FargateProfile
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: ResourceTypePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: ec2:DescribeSubnets
Resource: '*'
- Effect: Allow
Action:
- eks:DescribeFargateProfile
- eks:CreateFargateProfile
- eks:DeleteFargateProfile
Resource:
- !Sub arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*
- !Sub arn:${AWS::Partition}:eks:*:${AWS::AccountId}:fargateprofile/*/*/*
- Effect: Allow
Action:
- iam:PassRole
- iam:GetRole
- iam:CreateServiceLinkedRole
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*
QuickStartParameterResolverRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-QuickStartParameterResolver
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: param-resolver
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ssm:GetParametersByPath
- ssm:GetParameters
- ssm:GetParameterHistory
- ssm:GetParameter
Resource: !Sub arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:parameter/quickstart/amazon-eks/*
UnmanagedNodeInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: !Ref UnmanagedNodeInstanceRole
Path: /
Roles:
- !Ref UnmanagedNodeInstanceRole
ManagedNodeInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: !Ref ManagedNodeInstanceRole
Path: /
Roles:
- !Ref ManagedNodeInstanceRole
UnmanagedNodeInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-UnmanagedNodeInstance
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: !Sub ec2.${AWS::URLSuffix}
Action: sts:AssumeRole
Path: /
Policies:
- PolicyName: cfn-signal
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: cloudformation:SignalResource
Resource: !Sub arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/*/*
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
- !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
- !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
ManagedNodeInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-ManagedNodeInstance
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: !Sub ec2.${AWS::URLSuffix}
Action: sts:AssumeRole
Path: /
Policies:
- PolicyName: cfn-signal
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- cloudformation:SignalResource
Resource: !Sub arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/*/*
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
- !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
- !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
CloudFormationVPCRoleCreationRole:
Type: AWS::IAM::Role
Properties:
RoleName: eks-quickstart-CloudFormationVPCRoleCreation
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: create-role
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: iam:CreateRole
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudFormation-Kubernetes-VPC
- PolicyName: attach-role-policy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: iam:AttachRolePolicy
Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/CloudFormation-Kubernetes-VPC
Condition:
ArnEquals:
iam:PolicyARN:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess