AWSTemplateFormatVersion: 2010-09-09
Description: Deploys an EKS cluster into an existing VPC (qs-1p7nknoi6).
Transform: [QuickStartParameterResolver]
# QuickStartParameterResolver interpolates the ~~/<ConfigSetName>/*~~ values
# below into the values of the resolved SSM parameter via the
# QuickStartParameterResolver macro resource in the
# amazon-eks-per-region-resources.template.yaml template.
Metadata:
  cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } }
  ConfigSetName: !Ref ConfigSetName
Parameters:
  KeyPairName:
    Type: String
    Default: ''
  QSS3BucketName:
    Type: String
    AllowedPattern: ^[0-9a-z]+([0-9a-z-]*[0-9a-z])*$
    Default: aws-quickstart
  QSS3KeyPrefix:
    AllowedPattern: ^[0-9a-zA-Z-/.]*$
    Default: quickstart-amazon-eks/
    Type: String
  QSS3BucketRegion:
    Default: us-east-1
    Description: The Region where the Quick Start S3 bucket (QSS3BucketName) is
      hosted. When using your own bucket, you must specify this value.
    Type: String
  RemoteAccessCIDR:
    Type: String
    AllowedPattern: ^(disabled-onlyssmaccess|pl-([0-9a-f]{8}|[0-9a-f]{17})|(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))$
    ConstraintDescription: >-
      Must be disabled-onlyssmaccess, an IPv4 CIDR block (x.x.x.x/x), or a
      VPC prefix list (pl-01234567).
    Default: disabled-onlyssmaccess
  EKSPublicAccessEndpoint:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  AdditionalEKSAdminUserArn:
    Type: String
    Default: ''
  AdditionalEKSAdminRoleArn:
    Type: String
    Default: ''
  NodeInstanceType:
    Default: t3.medium
    Type: String
  NumberOfNodes:
    Default: 3
    Type: Number
  MaxNumberOfNodes:
    Default: 3
    Type: Number
  VPCID:
    Type: AWS::EC2::VPC::Id
  PublicSubnet1ID:
    Type: String
    Default: ''
  PublicSubnet2ID:
    Type: String
    Default: ''
  PublicSubnet3ID:
    Type: String
    Default: ''
  PrivateSubnet1ID:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2ID:
    Type: String
    Default: ''
  PrivateSubnet3ID:
    Type: String
    Default: ''
  ProvisionClusterAutoScaler:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  ProvisionMetricsServer:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  ProvisionLoadBalancerController:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  ProvisionCertManager:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  GrafanaIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  PrometheusIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  ProvisionBastionHost:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Enabled
  BastionAMIID:
    Type: String
    Default: ''
  EfsStorageClass:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  HttpProxy:
    Type: String
    Default: ''
  FargateNamespaces:
    Type: String
    Default: ''
  FargateLabels:
    Type: String
    Default: ''
  EKSClusterName:
    Type: String
    Default: ''
  SnykIntegrationId:
    Type: String
    Default: ''
  SnykIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  NewRelicLicenseKey:
    Type: String
    Default: ''
    NoEcho: true
  NewRelicIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  CalicoIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  RafaySysIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  RafaySysProject:
    Type: String
    Default: defaultproject
  RafaySysBootstrapBucket:
    Type: String
    Default: ''
  RafaySysBootstrapKey:
    Type: String
    Default: ''
  RafaySysApiKey:
    Type: String
    Default: ''
  RafaySysApiSecret:
    Type: String
    Default: ''
    NoEcho: true
  RafaySysFirstName:
    Type: String
    Default: ''
  RafaySysLastName:
    Type: String
    Default: ''
  RafaySysOrganizationName:
    Type: String
    Default: ''
  RafaySysEmail:
    Type: String
    Default: ''
  ConfigSetName:
    Type: String
  TestSuite:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  NodeInstanceFamily:
    AllowedValues: [Standard, ARM, GPU]
    Type: String
  NodeGroupOS:
    Type: String
    AllowedValues:
      - Amazon Linux 2
      - Bottlerocket
      - Windows
    Default: Amazon Linux 2
  NodeGroupType:
    Type: String
    AllowedValues: [Managed, Unmanaged]
    Default: Managed
  RancherIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  RancherDomainName:
    Type: String
    Default: rancher.aws.private
  MuleSoftRtfIntegration:
    Type: String
    AllowedValues: [Enabled, Disabled]
    Default: Disabled
  RTFFabricName:
    Type: String
    Default: ''
  OrgID:
    Type: String
    Default: ''
  UserName:
    Type: String
    Default: ''
  Password:
    Type: String
    NoEcho: true
    Default: ''
  MuleLicenseKeyinbase64:
    Type: String
    Default: ''
Mappings:
  Config:
    Prefix: { Value: eks-quickstart }
    ParameterPrefix: { Value: /quickstart/amazon-eks }
    Namespace:
      Prometheus: prometheus
  # RegionMap:
  #   # Retained in case needed at a future point.
  #   # https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html
  #   af-south-1:
  #     Registry: 877085696533.dkr.ecr.af-south-1.amazonaws.com
  #   ap-east-1:
  #     Registry: 800184023465.dkr.ecr.ap-east-1.amazonaws.com
  #   ap-northeast-1:
  #     Registry: 602401143452.dkr.ecr.ap-northeast-1.amazonaws.com
  #   ap-northeast-2:
  #     Registry: 602401143452.dkr.ecr.ap-northeast-2.amazonaws.com
  #   ap-northeast-3:
  #     Registry: 602401143452.dkr.ecr.ap-northeast-3.amazonaws.com
  #   ap-south-1:
  #     Registry: 602401143452.dkr.ecr.ap-south-1.amazonaws.com
  #   ap-south-2:
  #     Registry: 900889452093.dkr.ecr.ap-south-2.amazonaws.com
  #   ap-southeast-1:
  #     Registry: 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com
  #   ap-southeast-2:
  #     Registry: 602401143452.dkr.ecr.ap-southeast-2.amazonaws.com
  #   ap-southeast-3:
  #     Registry: 296578399912.dkr.ecr.ap-southeast-3.amazonaws.com
  #   # ap-southeast-4:
  #   #   Registry:
  #   ca-central-1:
  #     Registry: 602401143452.dkr.ecr.ca-central-1.amazonaws.com
  #   cn-north-1:
  #     Registry: 918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn
  #   cn-northwest-1:
  #     Registry: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn
  #   eu-central-1:
  #     Registry: 602401143452.dkr.ecr.eu-central-1.amazonaws.com
  #   eu-central-2:
  #     Registry: 900612956339.dkr.ecr.eu-central-2.amazonaws.com
  #   eu-north-1:
  #     Registry: 602401143452.dkr.ecr.eu-north-1.amazonaws.com
  #   eu-south-1:
  #     Registry: 590381155156.dkr.ecr.eu-south-1.amazonaws.com
  #   eu-south-2:
  #     Registry: 455263428931.dkr.ecr.eu-south-2.amazonaws.com
  #   eu-west-1:
  #     Registry: 602401143452.dkr.ecr.eu-west-1.amazonaws.com
  #   eu-west-2:
  #     Registry: 602401143452.dkr.ecr.eu-west-2.amazonaws.com
  #   eu-west-3:
  #     Registry: 602401143452.dkr.ecr.eu-west-3.amazonaws.com
  #   me-central-1:
  #     Registry: 759879836304.dkr.ecr.me-central-1.amazonaws.com
  #   me-south-1:
  #     Registry: 558608220178.dkr.ecr.me-south-1.amazonaws.com
  #   sa-east-1:
  #     Registry: 602401143452.dkr.ecr.sa-east-1.amazonaws.com
  #   us-east-1:
  #     Registry: 602401143452.dkr.ecr.us-east-1.amazonaws.com
  #   us-east-2:
  #     Registry: 602401143452.dkr.ecr.us-east-2.amazonaws.com
  #   us-gov-east-1:
  #     Registry: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com
  #   us-gov-west-1:
  #     Registry: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com
  #   us-west-1:
  #     Registry: 602401143452.dkr.ecr.us-west-1.amazonaws.com
  #   us-west-2:
  #     Registry: 602401143452.dkr.ecr.us-west-2.amazonaws.com
Conditions:
  Commercial: !Equals [!Ref AWS::Partition, aws]
  EnableProxy: !Not [!Equals [!Ref HttpProxy, '']]
  DeployTestStack: !Equals [!Ref TestSuite, Enabled]
  EnableSnyk: !Equals [!Ref SnykIntegration, Enabled]
  EnableNewRelic: !Equals [!Ref NewRelicIntegration, Enabled]
  EnableCalico: !Equals [!Ref CalicoIntegration, Enabled]
  EnableRafaySys: !Equals [!Ref RafaySysIntegration, Enabled]
  EnableFargate: !Not [!Equals [!Ref FargateNamespaces, '']]
  EnableRancher: !Equals [!Ref RancherIntegration, Enabled]
  EnableMuleSoftRtf: !Equals [!Ref MuleSoftRtfIntegration, Enabled]
  3AZDeployment: !Not [!Equals [!Ref PrivateSubnet3ID, '']]
  2AZDeployment: !Or
    - !Not [!Equals [!Ref PrivateSubnet2ID, '']]
    - !Not [!Equals [!Ref PrivateSubnet3ID, '']]
  EnablePublicSubnets: !Not [!Equals [!Ref PublicSubnet1ID, '']]
  DefaultBastionBootstrap: !Equals [~~/<ConfigSetName>/bastion/BastionBootstrapScript~~, '']
  EnableBastion: !And
    - !Equals [!Ref ProvisionBastionHost, Enabled]
    - !Not [!Equals [!Ref PublicSubnet1ID, '']]
  EnableBastionWithEIP: !And
    - !Condition EnableBastion
    - !Not [!Equals [!Ref RemoteAccessCIDR, disabled-onlyssmaccess]]
  CustomBastionRole: !Not [!Equals [~~/<ConfigSetName>/bastion/BastionIAMRoleName~~, '']]
  AdditionalVars: !Not [!Equals [~~/<ConfigSetName>/bastion/BastionVariables~~, '']]
  EnableClusterAutoScaler: !Equals [!Ref ProvisionClusterAutoScaler, Enabled]
  EnableMetricsServer: !Equals [!Ref ProvisionMetricsServer, Enabled]
  EnableLoadBalancerController: !Equals [!Ref ProvisionLoadBalancerController, Enabled]
  EnableCertManager: !Equals [!Ref ProvisionCertManager, Enabled]
  EnableGrafana: !Equals [!Ref GrafanaIntegration, Enabled]
  EnablePrometheus: !Equals [!Ref PrometheusIntegration, Enabled]
  EnableEfs: !Equals [!Ref EfsStorageClass, Enabled]
  EnableWindows: !Equals [!Ref NodeGroupOS, Windows]
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart]
  GenerateClusterName: !Equals [!Ref EKSClusterName, '']
  UseKeyPair: !Not [!Equals [!Ref KeyPairName, '']]
  UseUnmanagedNodeGroup: !Equals [!Ref NodeGroupType, Unmanaged]
Resources:
  BastionEksPermissions:
    Type: AWS::IAM::Policy
    Condition: EnableBastion
    Properties:
      PolicyName: AllowEKSClusterOperations
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - eks:DescribeCluster
              - eks:DescribeUpdate
              - eks:ListUpdates
              - eks:UpdateClusterVersion
            Resource: !GetAtt EKSControlPlane.Outputs.EksArn
      Roles:
        - !GetAtt IamStack.Outputs.BastionRole
  BastionStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableBastion
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion-entrypoint-existing-vpc.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        BastionHostName: EKSBastion
        BastionBanner: !Sub
          - s3://${S3Bucket}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/scripts/banner_message.txt
          - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
        EnableBanner: true
        BastionTenancy: default
        NumBastionHosts: 1
        OSImageOverride: !Ref BastionAMIID
        VPCID: !Ref VPCID
        PublicSubnet1ID: !If [EnableBastionWithEIP, !Ref PublicSubnet1ID, !Ref PrivateSubnet1ID]
        PublicSubnet2ID: !If [2AZDeployment, !If [EnableBastionWithEIP, !Ref PublicSubnet2ID, !Ref PrivateSubnet2ID], !Ref AWS::NoValue]
        KeyPairName: !Ref KeyPairName
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/
        QSS3BucketRegion: !Ref QSS3BucketRegion
        RemoteAccessCIDR: !Ref RemoteAccessCIDR
        BastionInstanceType: ~~/<ConfigSetName>/bastion/BastionInstanceType~~
        RootVolumeSize: ~~/<ConfigSetName>/bastion/BastionRootVolumeSize~~
        AlternativeInitializationScript: !If
          - DefaultBastionBootstrap
          - !Sub
              - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/bastion_bootstrap.sh
              - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
                S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          - ~~/<ConfigSetName>/bastion/BastionBootstrapScript~~
        AlternativeIAMRole: !GetAtt IamStack.Outputs.BastionRole
        BastionAMIOS: ~~/<ConfigSetName>/bastion/BastionOS~~
        OndemandPercentage: ~~/<ConfigSetName>/bastion/OnDemandPercentage~~
        EnableTCPForwarding: ~~/<ConfigSetName>/bastion/BastionEnableTCPForwarding~~
        EnableX11Forwarding: ~~/<ConfigSetName>/bastion/BastionEnableX11Forwarding~~
        EnvironmentVariables: !Sub
          - >
            K8S_CLUSTER_NAME=${EKSControlPlane.Outputs.EKSName},
            KUBECTL_VERSION=${KubectlVersion}${Joiner}
            ${BastionVariables}
          - Joiner: !If [AdditionalVars, ',', '']
            BastionVariables: ~~/<ConfigSetName>/bastion/BastionVariables~~
            KubectlVersion: ~~/<ConfigSetName>/controlplane/KubectlVersion~~
  NodeGroupStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: [EKSControlPlane]
    Metadata:
      DependsOn:
        - !If [EnableWindows, !Ref WindowsSupportNodeGroupStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks-nodegroup/templates/amazon-eks-nodegroup.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        HttpProxy: !Ref HttpProxy
        KeyPairName: !If [UseKeyPair, !Ref KeyPairName, !Ref AWS::NoValue]
        NodeGroupOS: !Ref NodeGroupOS
        VPCID: !Ref VPCID
        Subnet1ID: !Ref PrivateSubnet1ID
        Subnet2ID: !If [2AZDeployment, !Ref PrivateSubnet2ID, !Ref AWS::NoValue]
        Subnet3ID: !If [3AZDeployment, !Ref PrivateSubnet3ID, !Ref AWS::NoValue]
        KubernetesVersion: ~~/<ConfigSetName>/controlplane/KubernetesVersion~~
        NodeInstanceType: !Ref NodeInstanceType
        NumberOfNodes: !Ref NumberOfNodes
        MaxNumberOfNodes: !Ref MaxNumberOfNodes
        NodeGroupName: ~~/<ConfigSetName>/default-nodegroup/NodeGroupName~~
        NodeVolumeSize: ~~/<ConfigSetName>/default-nodegroup/NodeVolumeSize~~
        CustomAmiId: ~~/<ConfigSetName>/default-nodegroup/CustomAmiId~~
        AmiRootVolumeDeviceName: ~~/<ConfigSetName>/default-nodegroup/AmiRootVolumeDeviceName~~
        EKSClusterName: !If [GenerateClusterName, !Ref GenerateClusterName, !Ref EKSClusterName]
        NodeInstanceFamily: !Ref NodeInstanceFamily
        NodeGroupType: !Ref NodeGroupType
        OndemandPercentage: ~~/<ConfigSetName>/default-nodegroup/OnDemandPercentage~~
        NodeInstanceType2: ~~/<ConfigSetName>/default-nodegroup/NodeInstanceType2~~
        NodeInstanceType3: ~~/<ConfigSetName>/default-nodegroup/NodeInstanceType3~~
        NodeInstanceType4: ~~/<ConfigSetName>/default-nodegroup/NodeInstanceType4~~
        Labels: ~~/<ConfigSetName>/default-nodegroup/Labels~~
        Taints: ~~/<ConfigSetName>/default-nodegroup/Taints~~
        NodeSecurityGroupId: ~~/<ConfigSetName>/default-nodegroup/NodeSecurityGroupId~~
        LaunchTemplateId: ~~/<ConfigSetName>/default-nodegroup/LaunchTemplateId~~
        LaunchTemplateVersion: ~~/<ConfigSetName>/default-nodegroup/LaunchTemplateVersion~~
        WindowsVersion: ~~/<ConfigSetName>/windows-nodegroup/WindowsNodeVersion~~
        WindowsEdition: ~~/<ConfigSetName>/windows-nodegroup/WindowsNodeEdition~~
        EC2MetadataPutResponseHopLimit: ~~/<ConfigSetName>/default-nodegroup/EC2MetadataPutResponseHopLimit~~
        EC2MetadataHttpTokens: ~~/<ConfigSetName>/default-nodegroup/EC2MetadataHttpTokens~~
        MaxNodesUnavailable: ~~/<ConfigSetName>/default-nodegroup/MaxNodesUnavailable~~
        MaxNodesUnavailablePercentage: ~~/<ConfigSetName>/default-nodegroup/MaxNodesUnavailablePercentage~~
  WindowsSupportNodeGroupStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableWindows
    DependsOn: EKSControlPlane
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks-nodegroup/templates/amazon-eks-nodegroup.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        HttpProxy: !Ref HttpProxy
        KeyPairName: !If [UseKeyPair, !Ref KeyPairName, !Ref AWS::NoValue]
        NodeGroupOS: Amazon Linux 2
        VPCID: !Ref VPCID
        Subnet1ID: !Ref PrivateSubnet1ID
        Subnet2ID: !If [2AZDeployment, !Ref PrivateSubnet2ID, !Ref AWS::NoValue]
        Subnet3ID: !If [3AZDeployment, !Ref PrivateSubnet3ID, !Ref AWS::NoValue]
        NodeInstanceType: t3.large
        NumberOfNodes: 2
        NodeGroupName: windows-support-al2
        NodeVolumeSize: 20
        EKSClusterName: !If [GenerateClusterName, !Ref GenerateClusterName, !Ref EKSClusterName]
        NodeInstanceFamily: Standard
        NodeGroupType: Managed
        EC2MetadataPutResponseHopLimit: ~~/<ConfigSetName>/default-nodegroup/EC2MetadataPutResponseHopLimit~~
        EC2MetadataHttpTokens: ~~/<ConfigSetName>/default-nodegroup/EC2MetadataHttpTokens~~
  BastionSShToNodes:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: EnableBastion
    Properties:
      Description: Allow SSH from Bastion server to Nodes
      GroupId: !GetAtt NodeGroupStack.Outputs.EKSNodeSecurityGroup
      SourceSecurityGroupId: !GetAtt BastionStack.Outputs.BastionSecurityGroupID
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
  BastionToAPIServerAccess:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: EnableBastion
    Properties:
      Description: Allow Bastion server to communicate with the cluster API Server
      GroupId: !Ref ControlPlaneSecurityGroup
      SourceSecurityGroupId: !GetAtt BastionStack.Outputs.BastionSecurityGroupID
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
  CloudFormationKubernetesVPCRoleExists:
    Type: Custom::ResourceReader
    Properties:
      ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader
      AwsCliCommand: >
        iam list-roles --query 'Roles[?RoleName==`CloudFormation-Kubernetes-VPC`].RoleName | {RoleName: [0]}'
      IdField: RoleName
  IamStack:
    Type: AWS::CloudFormation::Stack
    DependsOn:
      - ControlPlaneSecurityGroupIngress
        # Artificial dependency for cluster security group deletion timing in
        # CleanupControlPlaneSecurityGroupDependencies
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-iam.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        CreateBastionRole: !If [CustomBastionRole, Disabled, !Ref ProvisionBastionHost]
        BastionIAMRoleName: ~~/<ConfigSetName>/bastion/BastionIAMRoleName~~
        CloudFormationKubernetesVPCRoleExists: !Ref CloudFormationKubernetesVPCRoleExists
  FunctionStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-functions.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        KubernetesAdminRoleArn: !GetAtt IamStack.Outputs.KubernetesAdminRoleArn
        ControlPlaneSecurityGroup: !Ref ControlPlaneSecurityGroup
        VPCID: !Ref VPCID
        EKSSubnetIds: !If
          - 3AZDeployment
          - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID},${PrivateSubnet3ID}
          - !If
              - 2AZDeployment
              - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID}
              - !Ref PrivateSubnet1ID
        EKSClusterName: !If [GenerateClusterName, !Ref GenerateClusterName, !Ref EKSClusterName]
        HttpProxy: !Ref HttpProxy
  ClusterAutoScalerStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableClusterAutoScaler
    DependsOn: [ControlPlaneSecurityGroupIngress]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-cluster-autoscaler.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        EksClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        KubernetesVersion: ~~/<ConfigSetName>/controlplane/KubernetesVersion~~
        OIDCProviderArn: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderArn
        OIDCProviderEndpoint: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint
  MetricsServerStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableMetricsServer
    DependsOn: [ControlPlaneSecurityGroupIngress]
    Metadata:
      DependsOn:
        - !If [EnableWindows, !Ref WindowsSupportStack, !Ref AWS::NoValue]
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-metrics-server.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        EksClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        OIDCProviderArn: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderArn
        OIDCProviderEndpoint: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint
  EfsStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableEfs
    DependsOn: [AmazonEksEfsCsiDriverHelmChart]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-efs.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        NodeGroupSecurityGroup: !GetAtt NodeGroupStack.Outputs.EKSNodeSecurityGroup
        PrivateSubnet1ID: !Ref PrivateSubnet1ID
        PrivateSubnet2ID: !If [2AZDeployment, !Ref PrivateSubnet2ID, !Ref AWS::NoValue]
        PrivateSubnet3ID: !If [3AZDeployment, !Ref PrivateSubnet3ID, !Ref AWS::NoValue]
        PerformanceMode: ~~/<ConfigSetName>/efs/EfsPerformanceMode~~
        EfsProvisionedThroughputInMibps: ~~/<ConfigSetName>/efs/EfsProvisionedThroughputInMibps~~
        ThroughputMode: ~~/<ConfigSetName>/efs/EfsThroughputMode~~
  CleanupLambdas:
    Type: Custom::CleanupLambdas
    DependsOn: CleanupControlPlaneSecurityGroupDependencies
    Properties:
      ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-CleanupLambdas
      SecurityGroupId: !GetAtt ControlPlaneSecurityGroup.GroupId
  CleanupControlPlaneSecurityGroupDependencies:
    Type: Custom::CleanupSecurityGroupDependencies
    Properties:
      ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-CleanupSecurityGroupDependencies
      Region: !Ref AWS::Region
      SecurityGroups: [!GetAtt ControlPlaneSecurityGroup.GroupId]
  ControlPlaneSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster communication
      VpcId: !Ref VPCID
  ControlPlaneSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    DependsOn: [CleanupControlPlaneSecurityGroupDependencies]
    Properties:
      Description: Allow SG members to access k8s api
      GroupId: !Ref ControlPlaneSecurityGroup
      SourceSecurityGroupId: !Ref ControlPlaneSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
  EKSControlPlane:
    Type: AWS::CloudFormation::Stack
    DependsOn:
      - CleanupControlPlaneSecurityGroupDependencies
      - ControlPlaneSecurityGroupIngress
      - FunctionStack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-controlplane.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        SecurityGroupIds: !Ref ControlPlaneSecurityGroup
        SubnetIds: !If
          - EnablePublicSubnets
          - !If
              - 3AZDeployment
              - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID},${PrivateSubnet3ID},${PublicSubnet1ID},${PublicSubnet2ID},${PublicSubnet3ID}
              - !If
                  - 2AZDeployment
                  - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID},${PublicSubnet1ID},${PublicSubnet2ID}
                  - !Sub ${PrivateSubnet1ID},${PublicSubnet1ID}
          - !If
              - 3AZDeployment
              - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID},${PrivateSubnet3ID}
              - !If
                  - 2AZDeployment
                  - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID}
                  - !Ref PrivateSubnet1ID
        RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/eks-quickstart-ControlPlane
        AdditionalEKSAdminUserArn: !Ref AdditionalEKSAdminUserArn
        AdditionalEKSAdminRoleArn: !Ref AdditionalEKSAdminRoleArn
        KubernetesVersion: ~~/<ConfigSetName>/controlplane/KubernetesVersion~~
        BastionRole: !GetAtt IamStack.Outputs.BastionRole
        FunctionRoleArn: !GetAtt IamStack.Outputs.KubernetesAdminRoleArn
        EKSPublicAccessCIDRs: ~~/<ConfigSetName>/controlplane/EKSPublicAccessCIDRs~~
        EKSPublicAccessEndpoint: !Ref EKSPublicAccessEndpoint
        EKSPrivateAccessEndpoint: ~~/<ConfigSetName>/controlplane/EKSPrivateAccessEndpoint~~
        EKSClusterLoggingTypes: ~~/<ConfigSetName>/controlplane/EKSClusterLoggingTypes~~
        EKSEncryptSecrets: ~~/<ConfigSetName>/controlplane/EKSEncryptSecrets~~
        EKSEncryptSecretsKmsKeyArn: ~~/<ConfigSetName>/controlplane/EKSEncryptSecretsKmsKeyArn~~
        EKSClusterName: !If [GenerateClusterName, !Ref GenerateClusterName, !Ref EKSClusterName]
  PrometheusStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnablePrometheus
    DependsOn: [ControlPlaneSecurityGroupIngress, NodeGroupStack, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-prometheus/templates/eks-prometheus.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        KubeClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        Namespace: !FindInMap [Config, Namespace, Prometheus]
  GrafanaStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableGrafana
    DependsOn: [ControlPlaneSecurityGroupIngress, NodeGroupStack, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-grafana/templates/eks-grafana.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        KubeClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
  FargateStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableFargate
    Properties:
      TemplateURL: !Sub
         - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-fargate-profile.template.yaml
         - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
           S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        FargateExecutionRoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/eks-quickstart-FargateExecution
        Namespaces: !Ref FargateNamespaces
        Labels: !Ref FargateLabels
        Subnets: !If
          - 3AZDeployment
          - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID},${PrivateSubnet3ID}
          - !If
              - 2AZDeployment
              - !Sub ${PrivateSubnet1ID},${PrivateSubnet2ID}
              - !Ref PrivateSubnet1ID
  CertManagerStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableCertManager
    DependsOn: [ControlPlaneSecurityGroupIngress, NodeGroupStack]
    Metadata:
      DependsOn:
        - !If [EnableWindows, !Ref WindowsSupportStack, !Ref AWS::NoValue]
        - !If [EnablePrometheus, !Ref PrometheusStack, !Ref AWS::NoValue]
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-cert-manager.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        EksClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        OIDCProviderArn: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderArn
        OIDCProviderEndpoint: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint
        PrometheusEnabled: !If [EnablePrometheus, 'true', 'false']
        FargateEnabled: !If [EnableFargate, 'true', 'false']
  LoadBalancerStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableLoadBalancerController
    DependsOn: [ControlPlaneSecurityGroupIngress, NodeGroupStack]
    Metadata:
      DependsOn:
        - !If [EnableCertManager, !Ref CertManagerStack, !Ref AWS::NoValue]
        - !If [EnableWindows, !Ref WindowsSupportStack, !Ref AWS::NoValue]
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-load-balancer-controller.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        OIDCProviderArn: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderArn
        OIDCProviderEndpoint: !GetAtt AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint
        EksClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        VpcId: !Ref VPCID
  GenerateClusterName:
    Type: Custom::GenerateClusterName
    Condition: GenerateClusterName
    Properties:
      ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-GenerateClusterName
  TestSuiteStack:
    Type: AWS::CloudFormation::Stack
    Condition: DeployTestStack
    DependsOn: [ControlPlaneSecurityGroupIngress, NodeGroupStack]
    Metadata:
      DependsOn:
        - !If [EnableWindows, !Ref WindowsSupportStack, !Ref AWS::NoValue]
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/tests/amazon-eks-test.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        TestWindows: !If [EnableWindows, Enabled, Disabled]
        WindowsVersion: ~~/<ConfigSetName>/windows-nodegroup/WindowsNodeVersion~~
        ManifestUrl: !Sub
        - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/test-manifest.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
  NewRelicStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableNewRelic
    DependsOn: [ControlPlaneSecurityGroupIngress, FunctionStack, NodeGroupStack, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-newrelic-infrastructure/templates/new-relic-infrastructure.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        KubeClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        NewRelicLicenseKey: !Ref NewRelicLicenseKey
  SnykStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: [ControlPlaneSecurityGroupIngress, FunctionStack, NodeGroupStack, EbsStorageClass]
    Condition: EnableSnyk
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-snyk/templates/eks-snyk.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        KubeClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        SnykIntegrationId: !Ref SnykIntegrationId
        Namespace: snyk-monitor
  CalicoStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableCalico
    DependsOn: [FunctionStack, ControlPlaneSecurityGroupIngress, NodeGroupStack, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-tigera-calico/templates/eks-calico-entrypoint.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        KubeClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-eks-tigera-calico/
        QSS3BucketRegion: !Ref QSS3BucketRegion
  RafaySysStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableRafaySys
    DependsOn: [FunctionStack, ControlPlaneSecurityGroupIngress, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-rafay-systems/templates/eks-rafay.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        EksClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-eks-rafay-systems/
        Project: !Ref RafaySysProject
        BootstrapBucket: !Ref RafaySysBootstrapBucket
        BootstrapKey: !Ref RafaySysBootstrapKey
        ApiKey: !Ref RafaySysApiKey
        ApiSecret: !Ref RafaySysApiSecret
        FirstName: !Ref RafaySysFirstName
        LastName: !Ref RafaySysLastName
        OrganizationName: !Ref RafaySysOrganizationName
        Email: !Ref RafaySysEmail
  WindowsSupportStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: [WindowsSupportNodeGroupStack]
    Condition: EnableWindows
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/amazon-eks-windows-support.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
  RancherStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableRancher
    DependsOn: [FunctionStack, ControlPlaneSecurityGroupIngress, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-rancher/templates/rancher.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        PrivateSubnet1ID: !Ref PrivateSubnet1ID
        EKSClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        DomainName: !Ref RancherDomainName
        IAMRole: !GetAtt IamStack.Outputs.BastionRole
        SecurityGroup: !GetAtt NodeGroupStack.Outputs.EKSNodeSecurityGroup
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-eks-rancher/
        QSS3BucketRegion: !Ref QSS3BucketRegion
  MuleSoftRtfStack:
    Type: AWS::CloudFormation::Stack
    Condition: EnableMuleSoftRtf
    DependsOn: [FunctionStack, ControlPlaneSecurityGroupIngress, EbsStorageClass]
    Metadata:
      DependsOn:
        - !If [EnableFargate, !Ref FargateStack, !Ref AWS::NoValue]
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-eks-mulesoft-runtime-fabric/templates/mule-rtf-template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        PrivateSubnet1ID: !Ref PrivateSubnet1ID
        EKSClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        RTFFabricName: !Ref RTFFabricName
        OrgID: !Ref OrgID
        UserName: !Ref UserName
        Password: !Ref Password
        MuleLicenseKeyinbase64: !Ref MuleLicenseKeyinbase64
        IAMRole: !GetAtt IamStack.Outputs.BastionRole
        SecurityGroup: !GetAtt NodeGroupStack.Outputs.EKSNodeSecurityGroup
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-eks-mulesoft-runtime-fabric/
        QSS3BucketRegion: !Ref QSS3BucketRegion
  ConfigureProxy:
    Type: Custom::KubeManifest
    Condition: EnableProxy
    Properties:
      ServiceToken: !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-KubeManifest-${EKSControlPlane.Outputs.EKSName}
      HttpProxy: !Ref HttpProxy
      VpcId: !Ref VPCID
      ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
  AwsNodeIrsaStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: NodeGroupStack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workloads/aws-node-daemonset-IRSA.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        OIDCProviderArn: !GetAtt EKSControlPlane.Outputs.OIDCProviderArn
        OIDCProviderEndpoint: !GetAtt EKSControlPlane.Outputs.OIDCProviderEndpoint
        ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
        KubectlVersion: ~~/<ConfigSetName>/controlplane/KubectlVersion~~
  AmazonEksEbsCsiDriverRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "${AwsNodeIrsaStack.Outputs.OIDCProviderArn}"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint}:aud": [
                    "sts.amazonaws.com",
                    "sts.${AWS::Region}.amazonaws.com"
                  ],
                  "${AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint}:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
                }
              }
            }
          ]
        }
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
      Policies:
        - PolicyName: AmazonEbsCsiDeviceEncryption
          # https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html#Prerequisites
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - kms:CreateGrant
                  - kms:ListGrants
                  - kms:RevokeGrant
                Resource: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*
                Condition: { Bool: { kms:GrantIsForAWSResource: true } }
              - Effect: Allow
                Action:
                  - kms:Decrypt
                  - kms:DescribeKey
                  - kms:Encrypt
                  - kms:GenerateDataKey
                  - kms:GenerateDataKeyWithoutPlaintext
                  - kms:GenerateDataKeyPair
                  - kms:GenerateDataKeyPairWithoutPlaintext
                  - kms:ReEncryptFrom
                  - kms:ReEncryptTo
                Resource: !Sub arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*
  AmazonEksEbsCsiDriverAddon:
  # Credit to [Satya Dillikar](https://github.com/satya-dillikar) of VMware for
  # the EKS add-on implementation idea for the EBS CSI driver.
  # https://github.com/vmware-tap-on-public-cloud/quickstart-vmware-tanzu-application-platform/pull/15
    Type: AWS::EKS::Addon
    Metadata:
      DependsOn:
        - !If [EnableWindows, !Ref WindowsSupportStack, !Ref AWS::NoValue]
    Properties:
      AddonName: aws-ebs-csi-driver
      ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
      ResolveConflicts: NONE
      ServiceAccountRoleArn: !GetAtt AmazonEksEbsCsiDriverRole.Arn
  AwsNodeTerminationHandlerRole:
    Type: AWS::IAM::Role
    Condition: UseUnmanagedNodeGroup
    Properties:
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "${AwsNodeIrsaStack.Outputs.OIDCProviderArn}"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint}:aud": [
                    "sts.amazonaws.com",
                    "sts.${AWS::Region}.amazonaws.com"
                  ],
                  "${AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint}:sub": "system:serviceaccount:kube-system:aws-node-termination-handler"
                }
              }
            }
          ]
        }
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
  AwsNodeTerminationHandlerHelmChart:
    # https://docs.aws.amazon.com/eks/latest/userguide/autoscaling.html
    # https://artifacthub.io/packages/helm/aws/aws-node-termination-handler
    # https://github.com/aws/eks-charts/tree/master/stable/aws-node-termination-handler
    Type: AWSQS::Kubernetes::Helm
    Condition: UseUnmanagedNodeGroup
    Metadata:
      DependsOn:
        - !If [EnablePrometheus, !Ref PrometheusStack, !Ref AWS::NoValue]
    Properties:
      ClusterID: !GetAtt EKSControlPlane.Outputs.EKSName
      Namespace: kube-system
      Chart: aws/aws-node-termination-handler
      Repository: https://aws.github.io/eks-charts
      Values:
        enablePrometheusServer: !If [EnablePrometheus, 'true', 'false']
        image.repository: public.ecr.aws/aws-ec2/aws-node-termination-handler
        nodeSelector.kubernetes\.io/os: linux
        rbac.pspEnabled: 'false'  # Pod Security Policy is officially deprecated in 1.25+
        serviceAccount.annotations.eks\.amazonaws\.com/role-arn: !GetAtt AwsNodeTerminationHandlerRole.Arn
        serviceAccount.create: 'true'
        serviceAccount.name: aws-node-termination-handler
  EbsStorageClass:
    Type: AWSQS::Kubernetes::Resource
    DependsOn: [AmazonEksEbsCsiDriverAddon]
    UpdateReplacePolicy: Delete
    DeletionPolicy: Retain
    Properties:
      ClusterName: !GetAtt EKSControlPlane.Outputs.EKSName
      Namespace: default
      Manifest: !Sub
        - |
          apiVersion: storage.k8s.io/v1
          kind: StorageClass
          metadata:
            name: ebs-sc
          provisioner: ebs.csi.aws.com
          volumeBindingMode: WaitForFirstConsumer
          parameters:
            fsType: ${FsType}
        - FsType: !If [EnableWindows, ntfs, ext4]
  AmazonEksEfsCsiDriverRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "${AwsNodeIrsaStack.Outputs.OIDCProviderArn}"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringEquals": {
                  "${AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint}:aud": [
                    "sts.amazonaws.com",
                    "sts.${AWS::Region}.amazonaws.com"
                  ],
                  "${AwsNodeIrsaStack.Outputs.OIDCProviderEndpoint}:sub": "system:serviceaccount:kube-system:efs-csi-controller-sa"
                }
              }
            }
          ]
        }
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue]
      Policies:
        - PolicyName: AmazonEksEfsCsiDriverPolicy
          # https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html#efs-create-iam-resources
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeAvailabilityZones
                Resource: '*'
              - Effect: Allow
                Action:
                  - elasticfilesystem:DescribeAccessPoints
                  - elasticfilesystem:DescribeFileSystems
                  - elasticfilesystem:DescribeMountTargets
                Resource:
                  - !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/*
                  - !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*
              - Effect: Allow
                Action:
                  - elasticfilesystem:CreateAccessPoint
                Resource: !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/*
                Condition: { StringLike: { aws:RequestTag/efs.csi.aws.com/cluster: 'true' } }
              - Effect: Allow
                Action: elasticfilesystem:DeleteAccessPoint
                Resource: !Sub arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/*
                Condition: { StringLike: { aws:ResourceTag/efs.csi.aws.com/cluster: 'true' } }
  AmazonEksEfsCsiDriverHelmChart:
    Type: AWSQS::Kubernetes::Helm
    Condition: EnableEfs
    Properties:
      ClusterID: !GetAtt EKSControlPlane.Outputs.EKSName
      Namespace: kube-system
      Chart: aws-efs-csi-driver/aws-efs-csi-driver
      Repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver/
      Version: 2.3.6
        # 20230207: Issues with pod deployment step in 2.3.7
        # TODO: Remove version pin once resolved
      Values:
        controller.serviceAccount.annotations.eks\.amazonaws\.com/role-arn: !GetAtt AmazonEksEfsCsiDriverRole.Arn
        controller.serviceAccount.create: 'true'
        controller.serviceAccount.name: efs-csi-controller-sa
        image.repository: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
        nodeSelector.kubernetes\.io/os: linux
Outputs:
  BastionIP:
    Value: !If
      - EnableBastion
      - !If [EnableBastionWithEIP, !GetAtt BastionStack.Outputs.EIP1, !Ref RemoteAccessCIDR]
      - ''
  BastionSecurityGroup:
    Value: !If [EnableBastion, !GetAtt BastionStack.Outputs.BastionSecurityGroupID, '']
  BastionAutoScalingGroup:
    Value: !If [EnableBastion, !GetAtt BastionStack.Outputs.BastionAutoScalingGroup, '']
  EKSClusterName:
    Value: !GetAtt EKSControlPlane.Outputs.EKSName
  ControlPlaneSecurityGroup:
    Value: !GetAtt ControlPlaneSecurityGroup.GroupId
  NodeGroupSecurityGroup:
    Value: !GetAtt NodeGroupStack.Outputs.EKSNodeSecurityGroup
  NodeAutoScalingGroup:
    Value: !GetAtt NodeGroupStack.Outputs.NodeAutoScalingGroup
  OIDCIssuerURL:
    Value : !GetAtt EKSControlPlane.Outputs.OIDCIssuerURL
  OIDCProviderArn:
    Value: !GetAtt EKSControlPlane.Outputs.OIDCProviderArn
  OIDCProviderEndpoint:
    Value: !GetAtt EKSControlPlane.Outputs.OIDCProviderEndpoint