--- AWSTemplateFormatVersion: "2010-09-09" Description: "This creates an EKS cluster, and sets up Discngine 3decision infrastructure. (qs-1snm79fed)." Metadata: QuickStartDocumentation: EntrypointName: "Launch into an existing VPC" LintSpellExclude: - Discngine - 3decision - namespace AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Network configuration" Parameters: - VPCID - PublicSubnet1ID - PublicSubnet2ID - PublicSubnet3ID - PrivateSubnet1ID - PrivateSubnet2ID - PrivateSubnet3ID - RemoteAccessCIDR - Label: default: Amazon EC2 configuration Parameters: - KeyPairName - Label: default: Amazon EKS configuration Parameters: - ConfigSetName - KubernetesVersion - NodeVolumeSize - NodeInstanceType - NumberOfNodes - AdditionalEKSAdminUserArn - AdditionalEKSAdminRoleArn - ProvisionBastionHost - CustomAmiId - NodeGroupName - Label: default: Discngine 3decision network configuration Parameters: - DomainName - MainSubdomain - ApiSubdomain - HelpSubdomain - HostedZoneId - CertificateArn - LoadBalancerType - LoadBalancerClass - Label: default : Discngine 3decision database configuration Parameters: - DBSnapshotIdentifier - DBInstanceIdentifier - DBName - DBInstanceClass - DBMultiZone - Label: default: Discngine 3decision kube configuration Parameters: - TNamespace - JWTSecretName - Label: default: Discngine 3decision authentication configuration Parameters: - AzureClientId - AzureTenant - AzureSecret - AzureRedirectUri - OktaClientId - OktaSecret - OktaDomain - OktaServerId - OktaRedirectUri - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix - PerAccountSharedResources - PerRegionSharedResources ParameterLabels: KeyPairName: default: SSH key name PrivateSubnet1ID: default: Private subnet 1 ID PrivateSubnet2ID: default: Private subnet 2 ID PrivateSubnet3ID: default: Private subnet 3 ID PublicSubnet1ID: default: Public subnet 1 ID PublicSubnet2ID: default: Public subnet 2 ID PublicSubnet3ID: default: Public subnet 3 ID QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix RemoteAccessCIDR: default: Allowed external access CIDR VPCID: default: VPC ID PerAccountSharedResources: default: Per account shared resources PerRegionSharedResources: default: Per region shared resources NodeInstanceType: default: Node instance type NumberOfNodes: default: Number of nodes AdditionalEKSAdminUserArn: default: Additional EKS admin ARN (IAM user) AdditionalEKSAdminRoleArn: default: Additional EKS admin ARN (IAM role) ConfigSetName: default: Config set name KubernetesVersion: default: Kubernetes version CustomAmiId: default: Custom AMI Id NodeVolumeSize: default: Size of worker nodes volumes NodeGroupName: default: Name of the node group DBSnapshotIdentifier: default: Identifier of the database snapshot DBInstanceIdentifier: default: Identifier of the database DBName: default: Name of the database DBInstanceClass: default: Instance type of the database DBMultiZone: default: Whether the DB is highly available TNamespace: default: 3decision Helm chart namespace JWTSecretName: default: Secret Name HostedZoneId: default: Route 53 hosted zone Id DomainName: default: Domain name used for load balancing MainSubdomain: default: Subdomain name for app landing page ApiSubdomain: default: Subdomain of the api HelpSubdomain: default: Subdomain of the help page CertificateArn: default: Arn of a certificate LoadBalancerType: default: Type of loadbalancer created LoadBalancerClass: default: Loadbalancer class ProvisionBastionHost: default: Whether to provision a bastion host AzureClientId: default: Azure app client id AzureSecret: default: Azure app secret AzureTenant: default: Azure tenant AzureRedirectUri: default: Azure app redirect uri OktaClientId: default: Okta app client id OktaSecret: default: Okta app secret OktaDomain: default: Okta domain OktaServerId: default: Okta server id OktaRedirectUri: default: Okta app redirect uri Parameters: KeyPairName: Description: A public/private key pair, which allows you to connect securely to your instance after it launches. Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: Must be the name of an existing Keyname NodeInstanceType: Type: String Default: t3.xlarge Description: EKS node instance type. We recommend using t3.xlarge as this is the minimal required node shape, but scaling is not noticeable by scaling this up. AllowedValues: - t3.xlarge - t3.2xlarge - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.12xlarge - m5.24xlarge - c5.2xlarge - c5.4xlarge - c5.9xlarge - c5.18xlarge - i3.large - i3.xlarge - i3.2xlarge - i3.4xlarge - i3.8xlarge - i3.16xlarge - x1.16xlarge - x1.32xlarge - p3.2xlarge - p3.8xlarge - p3.16xlarge - r5.large - r5.xlarge - r5.2xlarge - r5.4xlarge - r5.12xlarge - r5.24xlarge - r5d.large - r5d.xlarge - r5d.2xlarge - r5d.4xlarge - r5d.12xlarge - r5d.24xlarge - z1d.large - z1d.xlarge - z1d.2xlarge - z1d.3xlarge - z1d.6xlarge - z1d.12xlarge VPCID: Description: "Required: The ID of the VPC." Type: String PublicSubnet1ID: Default: "" Description: "Optional: The ID of the public subnet located in Availability Zone 1." Type: String PublicSubnet2ID: Default: "" Description: "Optional: The ID of the public subnet located in Availability Zone 2." Type: String PublicSubnet3ID: Default: "" Description: "Optional: The ID of the public subnet 3 located in Availability Zone 3." Type: String PrivateSubnet1ID: Description: "Required: The ID of the private subnet located in Availability Zone 1." Type: String PrivateSubnet2ID: Description: "Required: The ID of the private subnet located in Availability Zone 2." Type: String PrivateSubnet3ID: Description: "Optional: The ID of the private subnet 3 located in Availability Zone 3." Type: String QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3BucketRegion: Default: 'eu-central-1' Description: "The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value." Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-discngine-3decision/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String RemoteAccessCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x Description: The CIDR IP range that is permitted to access the bastion instance. This will have no effect if the bastion creation is set to false. Default: "127.0.0.1/32" Type: String ConfigSetName: Type: String Default: "dng-3decision" Description: "Required: SSM Name used to map advanced parameters to an EKS cluster." KubernetesVersion: # https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar Type: String Description: Kubernetes control plane version. AllowedValues: ['1.22'] Default: '1.22' NodeVolumeSize: Type: String Default: 100 Description: "Required: Size of EBS volumes attached to worker nodes. Increase this size if your pods are getting evicted with a disk pressure annotation." CustomAmiId: Type: String Default: "" Description: "Optional: If an AMI ID is specified, it is used instead of the default EKS images for cluster nodes." NodeGroupName: Type: String Default: "Default" Description: "Optional: Name of the NodeGroup created in EKS. This should usually not be changed" PerAccountSharedResources: Type: String AllowedValues: ['AutoDetect', 'Yes', 'No'] Default: 'AutoDetect' Description: You can set "Yes" or "No" according to whether another EKS quickstart has been deployed in your account. Setting "AutoDetect" will check that for you. However, this option should not be used if you have SCPs blocking all access in certain regions as all cloudformation stacks will be listed in all regions. PerRegionSharedResources: Type: String AllowedValues: ['AutoDetect', 'Yes', 'No'] Default: 'AutoDetect' Description: You can set "Yes" or "No" according to whether another EKS quickstart has been deployed in your region. Setting "AutoDetect" will check that for you. NumberOfNodes: Default: 3 Description: The number of Amazon EKS node instances. The default is one for each of the three Availability Zones. Type: Number DBSnapshotIdentifier: Default: "" Description: "Optional: the snapshot arn used for the database. If left empty, the default snapshot will be used. But if you wish to have an encrypted database, you will have to copy the public snapshot locally and select encryption and use that arn" Type: String DBInstanceIdentifier: Default: db3dec Description: "Required: The database instance name. This defaults to db3dec." Type: String MinLength: '1' MaxLength: '8' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBName: Default: ORCL Description: "Required: The name given to the RDS Oracle database. This defaults to ORCL." Type: String MinLength: '1' MaxLength: '8' AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ConstraintDescription: must begin with a letter and contain only alphanumeric characters. DBInstanceClass: AllowedValues: - db.t3.medium - db.t3.large - db.t3.xlarge - db.t3.2xlarge - db.m5.large - db.m5.xlarge - db.m5.2xlarge - db.m5.4xlarge Default: db.t3.xlarge Description: Amazon RDS instance type for the Oracle Database instance. We recommend t3.xlarge for production use as a lower shape will be rather slow. Type: String DBMultiZone: Description: High Availability (Multi-AZ) for Oracle RDS. More information is available here - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html. Type: String AllowedValues: [ 'true', 'false' ] Default: 'false' TNamespace: Default: tdecision Description: "Required: The name of the kubernetes namespace in which the 3decision helm chart will be deployed. This will default to tdecision if not given. The namespace will be created if it doesn't already exists." Type: String JWTSecretName: Default: "3dec-JWT-ssh" Description: "Name of the secret created in secrets manager that will contain an ssh key fed to the application." Type: String AdditionalEKSAdminUserArn: Default: "" Description: "Optional: IAM user Amazon Resource Name (ARN) to be granted administrative access to the EKS cluster." Type: String AdditionalEKSAdminRoleArn: Default: "" Description: "Optional: IAM role Amazon Resource Name (ARN) to be granted administrative access to the EKS cluster." Type: String HostedZoneId: Default: "" Description: "Optional: Creates dns records for the given route 53 hosted zone if given." Type: String DomainName: Description: "Required: Root domain name used for load balancer rules This is only the root domain name not the fqdn, eg: example.com" Type: String MainSubdomain: Default: "3decision" Description: "Required: Name used for the main app subdomain" Type: String ApiSubdomain: Default: "3decision-api" Description: "Required: Name used for the api subdomain" Type: String HelpSubdomain: Default: "3decision-help" Description: "Required: Name used for the help subdomain" Type: String CertificateArn: Default: "" Description: "Optional: Arn of a certificate of the associated domain you want added to the load balancer" Type: String LoadBalancerType: AllowedValues: - internet-facing - internal Default: "internal" Description: "Type of loadbalancer created. This can either be equal to internet-facing for public loadbalancer or internal for private loadbalancers" Type: String LoadBalancerClass: AllowedValues: - alb - nginx Default: "alb" Description: "Type of loadbalancer created. This will create an application loadBalancer by default and should generally not be changed. By selecting nginx you will have a classic load balancer with a self signed certificate." Type: String ProvisionBastionHost: Type: String AllowedValues: [ "Enabled", "Disabled" ] Default: "Disabled" Description: Choose "Enabled" to create a bastion host. This could be used to debug EKS nodes. AzureClientId: Type: String Default: "" Description: "Optional: Will enable azure authentication if set. Client id of azure app" AzureTenant: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. Tenant id of the azure app" AzureSecret: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. Secret of the azure app" AzureRedirectUri: Type: String Default: "" Description: "Conditional: Should be given if azure client id variable is set. This is the redirect_uri set in the azure app, by default should be https://./auth/azure/callback" OktaClientId: Type: String Default: "" Description: "Optional: Will enable okta authentication if set. Client ID of the okta app" OktaSecret: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Secret of the okta app" OktaDomain: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Domain of the okta environment" OktaServerId: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. Server Id of the okta environment" OktaRedirectUri: Type: String Default: "" Description: "Conditional: Should be given if okta client id variable is set. This is the redirect_uri set in the okta app, by default should be https://./auth/okta/callback" Rules: DiscngineSupportedRegionRule: Assertions: - Assert: Fn::Contains: - - us-east-1 - eu-central-1 - !Ref AWS::Region AssertDescription: The Quick Start is supported only in us-east-1 and eu-central-1 AWS Regions. Please contact Discngine to request support for other Regions. Mappings: Config: Prefix: { Value: 'eks-quickstart' } Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: AdvancedConfigDefaultsStack: Type: AWS::CloudFormation::Stack Metadata: { cfn-lint: { config: { ignore_checks: [E9902, W9901] } } } UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-advanced-configuration.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: ConfigSetName: !Ref ConfigSetName KubernetesVersion: !Ref KubernetesVersion NodeVolumeSize: !Ref NodeVolumeSize CustomAmiId: !Ref CustomAmiId NodeGroupName: !Ref NodeGroupName EKSStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete DependsOn: AdvancedConfigDefaultsStack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-vpc.template.yaml' - S3Region: !If [ UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion ] S3Bucket: !If [ UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName ] Parameters: PublicSubnet1ID: !Ref PublicSubnet1ID PublicSubnet2ID: !Ref PublicSubnet2ID PublicSubnet3ID: !Ref PublicSubnet3ID KeyPairName: !Ref KeyPairName QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Sub "${QSS3KeyPrefix}submodules/quickstart-amazon-eks/" PrivateSubnet1ID: !Ref PrivateSubnet1ID PrivateSubnet2ID: !Ref PrivateSubnet2ID PrivateSubnet3ID: !Ref PrivateSubnet3ID NumberOfNodes: !Ref NumberOfNodes ConfigSetName: !Ref ConfigSetName NodeInstanceType: !Ref NodeInstanceType RemoteAccessCIDR: !Ref RemoteAccessCIDR VPCID: !Ref VPCID PerAccountSharedResources: !Ref PerAccountSharedResources PerRegionSharedResources: !Ref PerRegionSharedResources ClusterAutoScaler: 'Enabled' EKSPublicAccessEndpoint: 'Enabled' AdditionalEKSAdminUserArn: !Ref AdditionalEKSAdminUserArn AdditionalEKSAdminRoleArn: !Ref AdditionalEKSAdminRoleArn ProvisionBastionHost: !Ref ProvisionBastionHost NodeGroupArn: Type: Custom::CliQuery DependsOn: [ AdvancedConfigDefaultsStack, EKSStack ] Properties: ServiceToken: !Sub ['arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${Prefix}-ResourceReader', {Prefix: !FindInMap [Config, Prefix, Value]}] AwsCliCommand: !Sub "eks describe-nodegroup --cluster-name ${EKSStack.Outputs.EKSClusterName} --nodegroup-name ${NodeGroupName} --query 'nodegroup.{nodeRole: nodeRole}'" IdField: 'nodeRole' 3decisionStack: Type: AWS::CloudFormation::Stack UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/discngine-3decision.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: QSS3BucketName: !Ref QSS3BucketName QSS3BucketRegion: !Ref QSS3BucketRegion QSS3KeyPrefix: !Ref QSS3KeyPrefix VPCID: !Ref VPCID EKSClusterName: !GetAtt EKSStack.Outputs.EKSClusterName DBInstanceIdentifier: !Ref DBInstanceIdentifier DBName: !Ref DBName DBInstanceClass: !Ref DBInstanceClass DBMultiZone: !Ref DBMultiZone DBSubnets: !Join [ ",", [ !Ref PrivateSubnet1ID, !Ref PrivateSubnet2ID, !Ref PrivateSubnet3ID ] ] TNamespace: !Ref TNamespace JWTSecretName: !Ref JWTSecretName NodeSecurityGroup: !GetAtt EKSStack.Outputs.NodeGroupSecurityGroup HostedZoneId: !Ref HostedZoneId DomainName: !Ref DomainName CertificateArn: !Ref CertificateArn LoadBalancerType: !Ref LoadBalancerType LoadBalancerClass: !Ref LoadBalancerClass DBSnapshotIdentifier: !Ref DBSnapshotIdentifier AzureClientId: !Ref AzureClientId AzureTenant: !Ref AzureTenant AzureSecret: !Ref AzureSecret AzureRedirectUri: !Ref AzureRedirectUri OktaClientId: !Ref OktaClientId OktaSecret: !Ref OktaSecret OktaDomain: !Ref OktaDomain OktaServerId: !Ref OktaServerId OktaRedirectUri: !Ref OktaRedirectUri MainSubdomain: !Ref MainSubdomain ApiSubdomain: !Ref ApiSubdomain HelpSubdomain: !Ref HelpSubdomain NodeGroupArn: !Ref NodeGroupArn