AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template for deploying VMware Tanzu Application Platform
  (TAP) on Amazon EKS in an existing VPC. **WARNING** This template creates AWS
  resources. You will be billed for the AWS resources used if you create a stack
  from this template. (qs-1t1t2pssu)
Metadata:
  LICENSE: Apache License, Version 2.0
  QuickStartDocumentation:
    EntrypointName: Launch into an existing VPC
    Order: 2
    SentenceCaseExclude:
      - Application
      - Bootstrap
      - Build
      - Cluster
      - Essentials
      - Network
      - Platform
      - Service
      - Stacks
      - Tanzu
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: VMware Tanzu Network configuration
        Parameters:
          - AcceptEULAs
          - AcceptCEIP
          - TanzuNetUsername
          - TanzuNetPassword
          - TanzuNetApiToken
          - TanzuNetRelocateImages
      - Label:
          default: VMware Tanzu Application Platform configuration
        Parameters:
          - TAPDomainName
          - TAPClusterArch
      - Label:
          default: Basic configuration
        Parameters:
          - KeyPairName
          - RemoteAccessCidr
      - Label:
          default: VPC network configuration
        Parameters:
          - VpcId
          - PrivateSubnet1Id
          - PrivateSubnet2Id
          - PrivateSubnet3Id
          - PublicSubnet1Id
      - Label:
          default: Amazon EKS configuration
        Parameters:
          - NodeInstanceType
          - NodeVolumeSize
          - NumberOfNodes
          - MaxNumberOfNodes
      - Label:
          default: AWS Quick Start S3 bucket configuration
        Parameters:
          - QSS3BucketName
          - QSS3BucketRegion
          - QSS3KeyPrefix
    ParameterLabels:
      AcceptEULAs:
        default: Have you read and accepted all applicable VMware Tanzu Network EULAs?
      AcceptCEIP:
        default: Have you already read and accepted the VMware CEIP policy?
      KeyPairName:
        default: EC2 key pair name
      VpcId:
        default: VPC ID
      PrivateSubnet1Id:
        default: Private subnet 1 ID
      PrivateSubnet2Id:
        default: Private subnet 2 ID
      PrivateSubnet3Id:
        default: Private subnet 3 ID
      PublicSubnet1Id:
        default: Public subnet 1 ID
      RemoteAccessCidr:
        default: Remote access CIDR
      TAPDomainName:
        default: Domain name
      TAPClusterArch:
        default: EKS single or multi cluster
      NodeInstanceType:
        default: Instance type
      NodeVolumeSize:
        default: Volume size
      NumberOfNodes:
        default: Number of nodes
      MaxNumberOfNodes:
        default: Maximum number of nodes
      TanzuNetUsername:
        default: Username
      TanzuNetPassword:
        default: Password
      TanzuNetApiToken:
        default: API token
      TanzuNetRelocateImages:
        default: Relocate TAP images
      QSS3BucketName:
        default: Name
      QSS3BucketRegion:
        default: Region
      QSS3KeyPrefix:
        default: Key prefix
Parameters:
  AcceptEULAs:
    Type: String
    Description: >-
      Choose Yes if you have already accepted the Cluster Essentials for VMware
      Tanzu (https://network.tanzu.vmware.com/products/tanzu-cluster-essentials/)
      and VMware Tanzu Application Platform
      (https://network.tanzu.vmware.com/products/tanzu-application-platform/)
      end-user license agreements (EULAs). TAP will fail to install if both EULAs
      have not been accepted for the specified VMware Tanzu Network user account.
    AllowedValues:
      - 'Yes'
      - 'No'
    Default: 'No'
  AcceptCEIP:
    Type: String
    Description: >-
      Choose Yes if you have read and accepted the VMware customer experience
      improvement program (CEIP) policy
      (https://www.vmware.com/solutions/trustvmware/ceip.html).
    AllowedValues:
      - 'Yes'
      - 'No'
    Default: 'No'
  TAPDomainName:
    Type: String
    Description: >-
      Private DNS domain name for accessing the TAP graphical user interface
      (GUI) and project URLs.
    AllowedPattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ #! from cnrs
  TAPClusterArch:
    Type: String
    Description: >-
      TAP cluster architecture. Choose single to deploy one EKS cluster, or multi
      to deploy separate run, view, build, and iterate EKS clusters.
    AllowedValues:
      - multi
      - single
    Default: single
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: >-
      ID of your existing VPC (example: vpc-0343606e).
  PublicSubnet1Id:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      ID of the public subnet in Availability Zone 1 of your existing VPC
      (example: subnet-a0246dcd).
  PrivateSubnet1Id:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      ID of the private subnet in Availability Zone 1 of your existing VPC
      (example: subnet-fe9a8b32).
  PrivateSubnet2Id:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      ID of the private subnet in Availability Zone 2 of your existing VPC
      (example: subnet-be8b01ea).
  PrivateSubnet3Id:
    Type: String
    Description: >-
      ID of the private subnet in Availability Zone 3 of your existing VPC
      (example: subnet-abd39039). Leave blank for a two-Availability-Zone deployment.
    AllowedPattern: ^(subnet-([0-9a-f]{8}|[0-9a-f]{17})|)$
    ConstraintDescription: Must be a valid VPC subnet ID or blank.
    Default: ''
  KeyPairName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: >-
      The name of the EC2 key pair used for SSH access to the Linux bastion host /
      bootstrap instance and EKS cluster nodes, and for encrypting the Windows
      bastion host password. As of June 21, 2022, only RSA key types are supported
      because Windows instances do not support ED25519. For more information, refer
      to Amazon EC2 key pairs and Windows instances
      (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html).
  NumberOfNodes:
    Type: Number
    Description: Minimum number of nodes to create for the TAP EKS cluster.
    MinValue: 3
    MaxValue: 450
    Default: 3
  MaxNumberOfNodes:
    Type: Number
    Description: >-
      Maximum number of nodes the TAP EKS cluster may scale out to. Must be
      greater than or equal to NumberOfNodes.
    MinValue: 4
    MaxValue: 450
    Default: 6
  NodeInstanceType:
    Type: String
    Description: Amazon EKS cluster node instance type.
    AllowedValues:
      - c4.4xlarge
      - c4.8xlarge
      - c5.2xlarge
      - c5.4xlarge
      - c5.9xlarge
      - c5.12xlarge
      - c5.18xlarge
      - c5.24xlarge
      - c5.metal
      - c5a.2xlarge
      - c5a.4xlarge
      - c5a.8xlarge
      - c5a.12xlarge
      - c5a.16xlarge
      - c5a.24xlarge
      - c5ad.2xlarge
      - c5ad.4xlarge
      - c5ad.8xlarge
      - c5ad.12xlarge
      - c5ad.16xlarge
      - c5ad.24xlarge
      - c5d.2xlarge
      - c5d.4xlarge
      - c5d.9xlarge
      - c5d.12xlarge
      - c5d.18xlarge
      - c5d.24xlarge
      - c5d.metal
      - c5n.2xlarge
      - c5n.4xlarge
      - c5n.9xlarge
      - c5n.18xlarge
      - c5n.metal
      - d2.xlarge
      - d2.2xlarge
      - d2.4xlarge
      - d2.8xlarge
      - f1.2xlarge
      - f1.4xlarge
      - f1.16xlarge
      - g3.4xlarge
      - g3.8xlarge
      - g3.16xlarge
      - g3s.xlarge
      - g4dn.xlarge
      - g4dn.2xlarge
      - g4dn.4xlarge
      - g4dn.8xlarge
      - g4dn.12xlarge
      - g4dn.16xlarge
      - g4dn.metal
      - h1.2xlarge
      - h1.4xlarge
      - h1.8xlarge
      - h1.16xlarge
      - i3.xlarge
      - i3.2xlarge
      - i3.4xlarge
      - i3.8xlarge
      - i3.16xlarge
      - i3.metal
      - i3en.xlarge
      - i3en.2xlarge
      - i3en.3xlarge
      - i3en.6xlarge
      - i3en.12xlarge
      - i3en.24xlarge
      - i3en.metal
      - inf1.2xlarge
      - inf1.6xlarge
      - inf1.24xlarge
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - m4.16xlarge
      - m5.xlarge
      - m5.2xlarge
      - m5.4xlarge
      - m5.8xlarge
      - m5.12xlarge
      - m5.16xlarge
      - m5.24xlarge
      - m5.metal
      - m5a.xlarge
      - m5a.2xlarge
      - m5a.4xlarge
      - m5a.8xlarge
      - m5a.12xlarge
      - m5a.16xlarge
      - m5a.24xlarge
      - m5ad.xlarge
      - m5ad.2xlarge
      - m5ad.4xlarge
      - m5ad.8xlarge
      - m5ad.12xlarge
      - m5ad.16xlarge
      - m5ad.24xlarge
      - m5d.xlarge
      - m5d.2xlarge
      - m5d.4xlarge
      - m5d.8xlarge
      - m5d.12xlarge
      - m5d.16xlarge
      - m5d.24xlarge
      - m5d.metal
      - m5dn.xlarge
      - m5dn.2xlarge
      - m5dn.4xlarge
      - m5dn.8xlarge
      - m5dn.12xlarge
      - m5dn.16xlarge
      - m5dn.24xlarge
      - m5n.xlarge
      - m5n.2xlarge
      - m5n.4xlarge
      - m5n.8xlarge
      - m5n.12xlarge
      - m5n.16xlarge
      - m5n.24xlarge
      - p2.xlarge
      - p2.8xlarge
      - p2.16xlarge
      - p3.2xlarge
      - p3.8xlarge
      - p3.16xlarge
      - p3dn.24xlarge
      - r4.xlarge
      - r4.2xlarge
      - r4.4xlarge
      - r4.8xlarge
      - r4.16xlarge
      - r5.xlarge
      - r5.2xlarge
      - r5.4xlarge
      - r5.8xlarge
      - r5.12xlarge
      - r5.16xlarge
      - r5.24xlarge
      - r5.metal
      - r5a.xlarge
      - r5a.2xlarge
      - r5a.4xlarge
      - r5a.8xlarge
      - r5a.12xlarge
      - r5a.16xlarge
      - r5a.24xlarge
      - r5ad.xlarge
      - r5ad.2xlarge
      - r5ad.4xlarge
      - r5ad.8xlarge
      - r5ad.12xlarge
      - r5ad.16xlarge
      - r5ad.24xlarge
      - r5d.xlarge
      - r5d.2xlarge
      - r5d.4xlarge
      - r5d.8xlarge
      - r5d.12xlarge
      - r5d.16xlarge
      - r5d.24xlarge
      - r5d.metal
      - r5dn.xlarge
      - r5dn.2xlarge
      - r5dn.4xlarge
      - r5dn.8xlarge
      - r5dn.12xlarge
      - r5dn.16xlarge
      - r5dn.24xlarge
      - r5n.xlarge
      - r5n.2xlarge
      - r5n.4xlarge
      - r5n.8xlarge
      - r5n.12xlarge
      - r5n.16xlarge
      - r5n.24xlarge
      - t2.xlarge
      - t2.2xlarge
      - t3.xlarge
      - t3.2xlarge
      - t3a.xlarge
      - t3a.2xlarge
      - x1.16xlarge
      - x1.32xlarge
      - x1e.xlarge
      - x1e.2xlarge
      - x1e.4xlarge
      - x1e.8xlarge
      - x1e.16xlarge
      - x1e.32xlarge
      - z1d.xlarge
      - z1d.2xlarge
      - z1d.3xlarge
      - z1d.6xlarge
      - z1d.12xlarge
      - z1d.metal
    ConstraintDescription: Must be a supported EC2 instance type.
    Default: m5.xlarge
  NodeVolumeSize:
    Type: Number
    Description: Amazon EBS root volume size (GiB) for Amazon EKS nodes.
    MinValue: 100
    MaxValue: 16384
    Default: 100
  RemoteAccessCidr:
    Type: String
    Description: >-
      IPv4 CIDR block permitted to connect to the Windows and Linux bastion hosts.
      Set this to a trusted network. The pattern accepts a /0 prefix, but
      0.0.0.0/0 exposes both bastion hosts to the entire Internet.
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32
  TanzuNetUsername:
    Type: String
    Description: >-
      VMware Tanzu Network username. To create an account, sign up at
      https://network.tanzu.vmware.com.
    NoEcho: false
  TanzuNetPassword:
    Type: String
    Description: VMware Tanzu Network password.
    NoEcho: true
  TanzuNetApiToken:
    Type: String
    Description: >-
      VMware Tanzu Network user account and authentication (UAA) API refresh
      token. For more information, refer to the VMware Tanzu Network API
      documentation (https://network.tanzu.vmware.com/docs/api).
    NoEcho: true
  TanzuNetRelocateImages:
    Type: String
    Description: >-
      Choose Yes to relocate TAP images from the VMware Tanzu Network registry to
      Amazon ECR in your account before installation. If you do not relocate
      images, Tanzu Application Platform depends directly on the VMware Tanzu
      Network registry for its continued operation. Relocating images adds
      approximately 1 hour to deployment time.
    AllowedValues:
      - 'Yes'
      - 'No'
    Default: 'No'
  QSS3BucketName:
    Type: String
    Description: >-
      Name of the S3 bucket for your copy of the Quick Start assets. Keep the
      default name unless you are customizing the template. Changing the name
      updates code references to point to a new Quick Start location. This name
      can include numbers, lowercase letters, uppercase letters, and hyphens, but
      must not start or end with a hyphen (-). For more information, refer to
      https://aws-quickstart.github.io/option1.html.
    MinLength: 3
    MaxLength: 63
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: >-
      The Quick Start bucket name can include numbers, lowercase letters,
      uppercase letters, and hyphens (-). It cannot start or end with a hyphen
      (-).
    Default: aws-quickstart
  QSS3KeyPrefix:
    Type: String
    Description: >-
      S3 key prefix that is used to simulate a directory for your copy of the
      Quick Start assets. Keep the default prefix unless you are customizing the
      template. Changing this prefix updates code references to point to a new
      Quick Start location. This prefix can include numbers, lowercase letters,
      uppercase letters, hyphens (-), and forward slashes (/). End with a forward
      slash. For more information, refer to
      https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and
      https://aws-quickstart.github.io/option1.html.
    AllowedPattern: ^([0-9a-zA-Z-.]+/)*$
    ConstraintDescription: >-
      The Quick Start S3 key prefix can include numbers, lowercase letters,
      uppercase letters, hyphens (-), and forward slashes (/).
    Default: quickstart-vmware-tanzu-application-platform/
  QSS3BucketRegion:
    Type: String
    Description: >-
      AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep
      the default Region unless you are customizing the template. Changing this
      Region updates code references to point to a new Quick Start location. When
      using your own bucket, specify the Region. For more information, refer to
      https://aws-quickstart.github.io/option1.html.
    Default: us-east-1
Mappings:
  Versions:
    current:
      TAP: 1.5.2
      EKS: '1.24'
      #! https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html
      Kubectl: 1.24.13/2023-05-11
      WindowsKubectl: 1.24.13/2023-05-11
      ClusterEssentialsVersion: 1.5.1
      #! Note: this is not the hash of the Tanzu Network artifact download, but the
      #! digest of the bundle OCI image. After `docker login registry.tanzu.vmware.com`
      #! you can read it from the Digest: line printed by
      #! docker pull registry.tanzu.vmware.com/tanzu-cluster-essentials/cluster-essentials-bundle:1.5.1
      ClusterEssentialsHash: sha256:c7b0988cf3e982625287b241db5d78c30780886dfe9ada01559bb5cd341e6181
      #! You can find the version here https://github.com/pivotal-cf/om/releases
      OmCLI: 7.9.0
      #! You can find the versions here https://github.com/docker/docker-credential-helpers/releases
      DockerCredPass: 0.7.0
  AwsAmiRegionMap:
    af-south-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-east-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-northeast-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-northeast-2:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-northeast-3:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-south-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-southeast-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-southeast-2:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ap-southeast-3:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    ca-central-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    cn-north-1:
      US2204HVM: ami-051468c74b28583e6
      WS2022FullBase: ami-0d5c69cd276561585
    cn-northwest-1:
      US2204HVM: ami-0ccdfe9ea19c6b1da
      WS2022FullBase: ami-0482ef6efa5fce019
    eu-central-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    eu-north-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    eu-south-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    eu-west-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    eu-west-2:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    eu-west-3:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    me-central-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    me-south-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    sa-east-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    us-east-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    us-east-2:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    us-gov-east-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    us-gov-west-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    us-west-1:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
    us-west-2:
      US2204HVM: '{{resolve:ssm:/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id}}'
      WS2022FullBase: '{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base}}'
  TanzuNetRegistryServer:
    Server:
      Name: registry.tanzu.vmware.com
  Apps:
    Sample:
      Name: tanzu-java-web-app-workload
      Namespace: tap-workload
      OotbRepoPrefix: tap-supply-chain
      #! Kubernetes label values must be strings, so has-tests is quoted.
      Config: |
        apiVersion: carto.run/v1alpha1
        kind: Workload
        metadata:
          name: tanzu-java-web-app-workload
          labels:
            apps.tanzu.vmware.com/workload-type: web
            app.kubernetes.io/part-of: tanzu-java-web-app
            apps.tanzu.vmware.com/has-tests: "true"
        spec:
          params:
            - name: annotations
              value:
                autoscaling.knative.dev/minScale: "1"
          source:
            git:
              url: https://github.com/sample-accelerators/tanzu-java-web-app
              ref:
                branch: main
  #! The indirection is just there because in Fn::FindInMap we can only
  #! use Fn::Ref & Fn::FindInMap, but e.g. not Fn::Sub :(
  TimeoutMap:
    multi:
      MapName: TimeoutsMultiCluster
    single:
      MapName: TimeoutsSingleCluster
  TimeoutsSingleCluster:
    'No': #! single cluster deployment without relocation
      CloudInit: "3300" # 55m
      TAPInstall: "2100" # 35m
      TAPWorkloadInstall: "900" # 15m
      TAPTests: "300" # 5m
    'Yes': #! single cluster deployment with relocation
      CloudInit: "4800" # 80m
      TAPInstall: "3600" # 60m
      TAPWorkloadInstall: "900" # 15m
      TAPTests: "300" # 5m
  TimeoutsMultiCluster:
    'No': #! multi cluster deployment without relocation
      CloudInit: "4500" # 75m
      TAPInstall: "3300" # 55m
      TAPWorkloadInstall: "900" # 15m
      TAPTests: "300" # 5m
    'Yes': #! multi cluster deployment with relocation
      CloudInit: "6000" # 100m
      TAPInstall: "4800" # 80m
      TAPWorkloadInstall: "900" # 15m
      TAPTests: "300" # 5m
Conditions:
  CreateMultiCluster: !Equals [!Ref TAPClusterArch, multi]
  CreateSingleCluster: !Equals [!Ref TAPClusterArch, single]
  3AZDeployment: !Not [!Equals [!Ref PrivateSubnet3Id, '']]
  # TODO: Finish building logic to only deploy ECR-related resources when
  # necessary.
  # UseEcr: !Equals [!Ref TanzuNetRelocateImages, 'Yes']
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, aws-quickstart]
Resources:
  TanzuNetSecretCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub
        - '${StackId}/TanzuNetCredentials'
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
      Description: The VMware Tanzu Network credentials.
      # Fn::Sub performs no JSON escaping: a password or token containing '"' or '\'
      # produces an invalid SecretString.
      SecretString: !Sub >-
        {
          "username": "${TanzuNetUsername}",
          "password": "${TanzuNetPassword}",
          "token": "${TanzuNetApiToken}"
        }
  TAPPackagesRepo:
    Type: AWS::ECR::Repository
    # TODO: Flip back to delete if/when possible for CloudFormation to delete
    # ECR repos with images.
    # Condition: UseEcr
    # Tag mutability and scan-on-push are left at the ECR defaults (MUTABLE, no scan).
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      RepositoryName: !Sub
        - '${StackId}/tanzu-application-platform/tap-packages'
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
      EncryptionConfiguration:
        EncryptionType: AES256
  TAPClusterEssentialsBundleRepo:
    Type: AWS::ECR::Repository
    # Condition: UseEcr
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      RepositoryName: !Sub
        - '${StackId}/tanzu-cluster-essentials/bundle'
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
      EncryptionConfiguration:
        EncryptionType: AES256
  TAPBuildServiceRepo:
    Type: AWS::ECR::Repository
    # Condition: UseEcr
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      RepositoryName: !Sub
        - '${StackId}/tap-build-service'
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
      EncryptionConfiguration:
        EncryptionType: AES256
  TAPWorkloadRepo:
    Type: AWS::ECR::Repository
    # Condition: UseEcr
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      RepositoryName: !Sub
        - '${StackId}/${Prefix}/${Suffix}'
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
          Prefix: !FindInMap [Apps, Sample, OotbRepoPrefix]
          Suffix: !Sub
            - '${SampleAppName}-${Namespace}'
            - Namespace: !FindInMap [Apps, Sample, Namespace]
              SampleAppName: !FindInMap [Apps, Sample, Name]
      EncryptionConfiguration:
        EncryptionType: AES256
  TAPWorkloadBundleRepo:
    Type: AWS::ECR::Repository
    # Condition: UseEcr
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      RepositoryName: !Sub
        - '${StackId}/${Prefix}/${Suffix}-bundle'
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
          Prefix: !FindInMap [Apps, Sample, OotbRepoPrefix]
          Suffix: !Sub
            - '${SampleAppName}-${Namespace}'
            - Namespace: !FindInMap [Apps, Sample, Namespace]
              SampleAppName: !FindInMap [Apps, Sample, Name]
      EncryptionConfiguration:
        EncryptionType: AES256
  PrivateHostedZone:
    Type: AWS::Route53::HostedZone
    # TODO: Flip back to delete if/when possible for CloudFormation to delete
    # Route 53 hosted zones with records.
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Properties:
      HostedZoneConfig:
        Comment: VMware Tanzu Application Platform hosted zone
      Name: !Ref TAPDomainName
      VPCs:
        - VPCId: !Ref VpcId
          VPCRegion: !Ref AWS::Region
  EKSAdvancedConfigStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-advanced-configuration.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
      Parameters:
        ConfigSetName: !Ref AWS::StackName
        NodeVolumeSize: !Ref NodeVolumeSize
        KubernetesVersion: !FindInMap [Versions, current, EKS]
  AutoDetectSharedResources:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/workloads/amazon-eks-prerequisites.template.yaml
        - S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-amazon-eks/
  EKSQSStack:
    Type: AWS::CloudFormation::Stack
    Condition: CreateSingleCluster
    DependsOn:
      - EKSAdvancedConfigStack
      - AutoDetectSharedResources
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-vpc.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-amazon-eks/
        ConfigSetName: !Ref AWS::StackName
        VPCID: !Ref VpcId
        PrivateSubnet1ID: !Ref PrivateSubnet1Id
        PrivateSubnet2ID: !Ref PrivateSubnet2Id
        PrivateSubnet3ID: !If
          - 3AZDeployment
          - !Ref PrivateSubnet3Id
          - !Ref AWS::NoValue
        RemoteAccessCIDR: !Ref RemoteAccessCidr
        EKSPublicAccessEndpoint: Disabled
        AdditionalEKSAdminRoleArn: !GetAtt QSBastionIamRole.Arn
        KeyPairName: !Ref KeyPairName
        NumberOfNodes: !Ref NumberOfNodes
        MaxNumberOfNodes: !Ref MaxNumberOfNodes
        NodeInstanceType: !Ref NodeInstanceType
        NodeInstanceFamily: Standard
        NodeGroupType: Managed
        NodeGroupOS: Amazon Linux 2
        EKSClusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
        ClusterAutoScaler: Enabled
        LoadBalancerController: Enabled
        PerRegionSharedResources: 'No'
        PerAccountSharedResources: 'No'
  #eks stacks multi cluster start
  RUNEKSQSStack:
    Type: AWS::CloudFormation::Stack
    Condition: CreateMultiCluster
    DependsOn:
      - EKSAdvancedConfigStack
      - AutoDetectSharedResources
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-vpc.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-amazon-eks/
        ConfigSetName: !Ref AWS::StackName
        VPCID: !Ref VpcId
        PrivateSubnet1ID: !Ref PrivateSubnet1Id
        PrivateSubnet2ID: !Ref PrivateSubnet2Id
        PrivateSubnet3ID: !If
          - 3AZDeployment
          - !Ref PrivateSubnet3Id
          - !Ref AWS::NoValue
        RemoteAccessCIDR: !Ref RemoteAccessCidr
        EKSPublicAccessEndpoint: Disabled
        AdditionalEKSAdminRoleArn: !GetAtt QSBastionIamRole.Arn
        KeyPairName: !Ref KeyPairName
        NumberOfNodes: !Ref NumberOfNodes
        MaxNumberOfNodes: !Ref MaxNumberOfNodes
        NodeInstanceType: !Ref NodeInstanceType
        NodeInstanceFamily: Standard
        NodeGroupType: Managed
        NodeGroupOS: Amazon Linux 2
        EKSClusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'run']]
        ClusterAutoScaler: Enabled
        LoadBalancerController: Enabled
        PerRegionSharedResources: 'No'
        PerAccountSharedResources: 'No'
  VIEWEKSQSStack:
    Type: AWS::CloudFormation::Stack
    Condition: CreateMultiCluster
    DependsOn:
      - EKSAdvancedConfigStack
      - AutoDetectSharedResources
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-vpc.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-amazon-eks/
        ConfigSetName: !Ref AWS::StackName
        VPCID: !Ref VpcId
        PrivateSubnet1ID: !Ref PrivateSubnet1Id
        PrivateSubnet2ID: !Ref PrivateSubnet2Id
        PrivateSubnet3ID: !If
          - 3AZDeployment
          - !Ref PrivateSubnet3Id
          - !Ref AWS::NoValue
        RemoteAccessCIDR: !Ref RemoteAccessCidr
        EKSPublicAccessEndpoint: Disabled
        AdditionalEKSAdminRoleArn: !GetAtt QSBastionIamRole.Arn
        KeyPairName: !Ref KeyPairName
        NumberOfNodes: !Ref NumberOfNodes
        MaxNumberOfNodes: !Ref MaxNumberOfNodes
        NodeInstanceType: !Ref NodeInstanceType
        NodeInstanceFamily: Standard
        NodeGroupType: Managed
        NodeGroupOS: Amazon Linux 2
        EKSClusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'view']]
        ClusterAutoScaler: Enabled
        LoadBalancerController: Enabled
        PerRegionSharedResources: 'No'
        PerAccountSharedResources: 'No'
  BUILDEKSQSStack:
    Type: AWS::CloudFormation::Stack
    Condition: CreateMultiCluster
    DependsOn:
      - EKSAdvancedConfigStack
      - AutoDetectSharedResources
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-vpc.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-amazon-eks/
        ConfigSetName: !Ref AWS::StackName
        VPCID: !Ref VpcId
        PrivateSubnet1ID: !Ref PrivateSubnet1Id
        PrivateSubnet2ID: !Ref PrivateSubnet2Id
        PrivateSubnet3ID: !If
          - 3AZDeployment
          - !Ref PrivateSubnet3Id
          - !Ref AWS::NoValue
        RemoteAccessCIDR: !Ref RemoteAccessCidr
        EKSPublicAccessEndpoint: Disabled
        AdditionalEKSAdminRoleArn: !GetAtt QSBastionIamRole.Arn
        KeyPairName: !Ref KeyPairName
        NumberOfNodes: !Ref NumberOfNodes
        MaxNumberOfNodes: !Ref MaxNumberOfNodes
        NodeInstanceType: !Ref NodeInstanceType
        NodeInstanceFamily: Standard
        NodeGroupType: Managed
        NodeGroupOS: Amazon Linux 2
        EKSClusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'build']]
        ClusterAutoScaler: Enabled
        LoadBalancerController: Enabled
        PerRegionSharedResources: 'No'
        PerAccountSharedResources: 'No'
  ITERATEEKSQSStack:
    Type: AWS::CloudFormation::Stack
    Condition: CreateMultiCluster
    DependsOn:
      - EKSAdvancedConfigStack
      - AutoDetectSharedResources
    Properties:
      TemplateURL: !Sub
        - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-amazon-eks/templates/amazon-eks-entrypoint-existing-vpc.template.yaml
        - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
          S3Region: !If [UsingDefaultBucket, !Ref AWS::Region, !Ref QSS3BucketRegion]
      Parameters:
        QSS3BucketName: !Ref QSS3BucketName
        QSS3BucketRegion: !Ref QSS3BucketRegion
        QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-amazon-eks/
        ConfigSetName: !Ref AWS::StackName
        VPCID: !Ref VpcId
        PrivateSubnet1ID: !Ref PrivateSubnet1Id
        PrivateSubnet2ID: !Ref PrivateSubnet2Id
        PrivateSubnet3ID: !If
          - 3AZDeployment
          - !Ref PrivateSubnet3Id
          - !Ref AWS::NoValue
        RemoteAccessCIDR: !Ref RemoteAccessCidr
        EKSPublicAccessEndpoint: Disabled
        AdditionalEKSAdminRoleArn: !GetAtt QSBastionIamRole.Arn
        KeyPairName: !Ref KeyPairName
        NumberOfNodes: !Ref NumberOfNodes
        MaxNumberOfNodes: !Ref MaxNumberOfNodes
        NodeInstanceType: !Ref NodeInstanceType
        NodeInstanceFamily: Standard
        NodeGroupType: Managed
        NodeGroupOS: Amazon Linux 2
        EKSClusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'iterate']]
        ClusterAutoScaler: Enabled
        LoadBalancerController: Enabled
        PerRegionSharedResources: 'No'
        PerAccountSharedResources: 'No'
  #eks stacks for multi cluster end
  #Rules for multi cluster start
  RunLinuxBastionSshToNodesEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
      GroupId: !Ref QSBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      DestinationSecurityGroupId: !GetAtt RUNEKSQSStack.Outputs.NodeGroupSecurityGroup
  RunNodesSshIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
      GroupId: !GetAtt RUNEKSQSStack.Outputs.NodeGroupSecurityGroup
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
      SourceSecurityGroupId: !Ref QSBastionSecurityGroup
  RunLinuxBastionK8sToApiEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow the Linux bastion host / bootstrap instance to connect to the EKS
        control plane for Kubernetes API traffic.
      GroupId: !Ref QSBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !GetAtt RUNEKSQSStack.Outputs.ControlPlaneSecurityGroup
  RunEKSControlPlaneApiIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow the Linux bastion host / bootstrap instance to connect to the EKS
        control plane for Kubernetes API traffic.
      GroupId: !GetAtt RUNEKSQSStack.Outputs.ControlPlaneSecurityGroup
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      SourceSecurityGroupId: !Ref QSBastionSecurityGroup
  ViewLinuxBastionSshToNodesEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
      GroupId: !Ref QSBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      DestinationSecurityGroupId: !GetAtt VIEWEKSQSStack.Outputs.NodeGroupSecurityGroup
  ViewNodesSshIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
      GroupId: !GetAtt VIEWEKSQSStack.Outputs.NodeGroupSecurityGroup
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
      SourceSecurityGroupId: !Ref QSBastionSecurityGroup
  ViewLinuxBastionK8sToApiEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow the Linux bastion host / bootstrap instance to connect to the EKS
        control plane for Kubernetes API traffic.
      GroupId: !Ref QSBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !GetAtt VIEWEKSQSStack.Outputs.ControlPlaneSecurityGroup
  ViewEKSControlPlaneApiIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow the Linux bastion host / bootstrap instance to connect to the EKS
        control plane for Kubernetes API traffic.
      GroupId: !GetAtt VIEWEKSQSStack.Outputs.ControlPlaneSecurityGroup
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      SourceSecurityGroupId: !Ref QSBastionSecurityGroup
  BuildLinuxBastionSshToNodesEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
      GroupId: !Ref QSBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      DestinationSecurityGroupId: !GetAtt BUILDEKSQSStack.Outputs.NodeGroupSecurityGroup
  BuildNodesSshIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
      GroupId: !GetAtt BUILDEKSQSStack.Outputs.NodeGroupSecurityGroup
      IpProtocol: tcp
      ToPort: 22
      FromPort: 22
      SourceSecurityGroupId: !Ref QSBastionSecurityGroup
  BuildLinuxBastionK8sToApiEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow the Linux bastion host / bootstrap instance to connect to the EKS
        control plane for Kubernetes API traffic.
      GroupId: !Ref QSBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !GetAtt BUILDEKSQSStack.Outputs.ControlPlaneSecurityGroup
  BuildEKSControlPlaneApiIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow the Linux bastion host / bootstrap instance to connect to the EKS
        control plane for Kubernetes API traffic.
      GroupId: !GetAtt BUILDEKSQSStack.Outputs.ControlPlaneSecurityGroup
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      SourceSecurityGroupId: !Ref QSBastionSecurityGroup
  IterateLinuxBastionSshToNodesEgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateMultiCluster
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      Description: >-
        Allow SSH from the Linux bastion host / bootstrap instance to the EKS
        nodes.
GroupId: !Ref QSBastionSecurityGroup IpProtocol: tcp FromPort: 22 ToPort: 22 DestinationSecurityGroupId: !GetAtt ITERATEEKSQSStack.Outputs.NodeGroupSecurityGroup IterateNodesSshIngressRule: Type: AWS::EC2::SecurityGroupIngress Condition: CreateMultiCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow SSH from the Linux bastion host / bootstrap instance to the EKS nodes. GroupId: !GetAtt ITERATEEKSQSStack.Outputs.NodeGroupSecurityGroup IpProtocol: tcp ToPort: 22 FromPort: 22 SourceSecurityGroupId: !Ref QSBastionSecurityGroup IterateLinuxBastionK8sToApiEgressRule: Type: AWS::EC2::SecurityGroupEgress Condition: CreateMultiCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow the Linux bastion host / bootstrap instance to connect to the EKS control plane for Kubernetes API traffic. GroupId: !Ref QSBastionSecurityGroup IpProtocol: tcp FromPort: 443 ToPort: 443 DestinationSecurityGroupId: !GetAtt ITERATEEKSQSStack.Outputs.ControlPlaneSecurityGroup IterateEKSControlPlaneApiIngressRule: Type: AWS::EC2::SecurityGroupIngress Condition: CreateMultiCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow the Linux bastion host / bootstrap instance to connect to the EKS control plane for Kubernetes API traffic. GroupId: !GetAtt ITERATEEKSQSStack.Outputs.ControlPlaneSecurityGroup IpProtocol: tcp ToPort: 443 FromPort: 443 SourceSecurityGroupId: !Ref QSBastionSecurityGroup #Rules for multi cluster end TAPLogGroup: Type: AWS::Logs::LogGroup UpdateReplacePolicy: Retain DeletionPolicy: Retain Properties: LogGroupName: !Sub - /aws/quickstart/vmware-tanzu-application-platform/${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] LinuxBastionSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: >- The TAP Linux bastion host / bootstrap instance security group. 
VpcId: !Ref VpcId Tags: - Key: Name Value: LinuxBastionSecurityGroup - Key: Description Value: >- The VMware Tanzu Application Platform Linux bastion host / bootstrap instance security group. LinuxBastionSshIngressRule: Type: AWS::EC2::SecurityGroupIngress UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: Allow SSH to the Linux bastion host / bootstrap instance. GroupId: !Ref LinuxBastionSecurityGroup IpProtocol: tcp CidrIp: !Ref RemoteAccessCidr FromPort: 22 ToPort: 22 QSBastionSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: >- The TAP bastion host / bootstrap instance security group. VpcId: !Ref VpcId Tags: - Key: Name Value: QSBastionSecurityGroup - Key: Description Value: >- The VMware Tanzu Application Platform bastion host / bootstrap instance security group. QSBastionDefaultEgressRule: Type: AWS::EC2::SecurityGroupEgress UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: Allow all egress. GroupId: !Ref QSBastionSecurityGroup IpProtocol: tcp FromPort: 0 ToPort: 65535 CidrIp: 0.0.0.0/0 QSBastionSshToNodesEgressRule: Type: AWS::EC2::SecurityGroupEgress Condition: CreateSingleCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow SSH from the bastion host / bootstrap instance to the EKS nodes. GroupId: !Ref QSBastionSecurityGroup IpProtocol: tcp FromPort: 22 ToPort: 22 DestinationSecurityGroupId: !GetAtt EKSQSStack.Outputs.NodeGroupSecurityGroup NodesSshIngressRule: Type: AWS::EC2::SecurityGroupIngress Condition: CreateSingleCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow SSH from the bastion host / bootstrap instance to the EKS nodes. 
GroupId: !GetAtt EKSQSStack.Outputs.NodeGroupSecurityGroup IpProtocol: tcp ToPort: 22 FromPort: 22 SourceSecurityGroupId: !Ref QSBastionSecurityGroup QSBastionK8sToApiEgressRule: Type: AWS::EC2::SecurityGroupEgress Condition: CreateSingleCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow the bastion host / bootstrap instance to connect to the EKS control plane for Kubernetes API traffic. GroupId: !Ref QSBastionSecurityGroup IpProtocol: tcp FromPort: 443 ToPort: 443 DestinationSecurityGroupId: !GetAtt EKSQSStack.Outputs.ControlPlaneSecurityGroup EKSControlPlaneApiIngressRule: Type: AWS::EC2::SecurityGroupIngress Condition: CreateSingleCluster UpdateReplacePolicy: Delete DeletionPolicy: Delete Properties: Description: >- Allow the bastion host / bootstrap instance to connect to the EKS control plane for Kubernetes API traffic. GroupId: !GetAtt EKSQSStack.Outputs.ControlPlaneSecurityGroup IpProtocol: tcp ToPort: 443 FromPort: 443 SourceSecurityGroupId: !Ref QSBastionSecurityGroup IterateEKSViewClusterApiIngressRule: Type: AWS::EC2::SecurityGroupIngress UpdateReplacePolicy: Delete DeletionPolicy: Delete Condition: CreateMultiCluster Properties: Description: >- Allow the View Cluster to connect to the Iterate Cluster EKS control plane for Kubernetes API traffic. GroupId: !GetAtt ITERATEEKSQSStack.Outputs.ControlPlaneSecurityGroup IpProtocol: tcp ToPort: 443 FromPort: 443 SourceSecurityGroupId: !GetAtt VIEWEKSQSStack.Outputs.NodeGroupSecurityGroup RunEKSViewClusterApiIngressRule: Type: AWS::EC2::SecurityGroupIngress UpdateReplacePolicy: Delete DeletionPolicy: Delete Condition: CreateMultiCluster Properties: Description: >- Allow the View Cluster to connect to the Run Cluster EKS control plane for Kubernetes API traffic. 
GroupId: !GetAtt RUNEKSQSStack.Outputs.ControlPlaneSecurityGroup IpProtocol: tcp ToPort: 443 FromPort: 443 SourceSecurityGroupId: !GetAtt VIEWEKSQSStack.Outputs.NodeGroupSecurityGroup BuildEKSViewClusterApiIngressRule: Type: AWS::EC2::SecurityGroupIngress UpdateReplacePolicy: Delete DeletionPolicy: Delete Condition: CreateMultiCluster Properties: Description: >- Allow the View Cluster to connect to the Build Cluster EKS control plane for Kubernetes API traffic. GroupId: !GetAtt BUILDEKSQSStack.Outputs.ControlPlaneSecurityGroup IpProtocol: tcp ToPort: 443 FromPort: 443 SourceSecurityGroupId: !GetAtt VIEWEKSQSStack.Outputs.NodeGroupSecurityGroup LinuxBastionEIP: Type: AWS::EC2::EIP Properties: Domain: vpc Tags: - Key: Name Value: VMwareLinuxBastionEIP QSBastionIamRole: Type: AWS::IAM::Role Properties: RoleName: !Sub - QSBastionIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: QS bastion host / bootstrap instance IAM Role. AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: !Sub ec2.${AWS::URLSuffix} Action: sts:AssumeRole Policies: - PolicyName: TAPBootstrapInstanceConfig PolicyDocument: Version: 2012-10-17 Statement: - Sid: ListAllEksClusters Effect: Allow Action: eks:ListClusters Resource: !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/* - Sid: ManageTapEksCluster Effect: Allow Action: - eks:ListAddons - eks:ListFargateProfiles - eks:ListIdentityProviderConfigs - eks:ListNodegroups - eks:ListUpdates - eks:AccessKubernetesApi - eks:DescribeAddonVersions - eks:DescribeCluster - eks:DescribeNodegroup Resource: - !Sub - arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${clusterName} - clusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] - !Sub - arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${clusterName} - clusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, 
!Split ['/', !Ref AWS::StackId]]]], 'run']] - !Sub - arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${clusterName} - clusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'build']] - !Sub - arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${clusterName} - clusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'iterate']] - !Sub - arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:cluster/${clusterName} - clusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]], 'view']] - Sid: DescribeEksAddons Effect: Allow Action: - eks:DescribeAddon Resource: !Sub arn:${AWS::Partition}:eks:${AWS::Region}:${AWS::AccountId}:addon/*/*/* - Sid: ManageTapEcrRepos Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - ecr:CompleteLayerUpload - ecr:InitiateLayerUpload - ecr:PutImage - ecr:UploadLayerPart Resource: - !GetAtt TAPPackagesRepo.Arn - !GetAtt TAPClusterEssentialsBundleRepo.Arn - !GetAtt TAPBuildServiceRepo.Arn - !GetAtt TAPWorkloadRepo.Arn - !GetAtt TAPWorkloadBundleRepo.Arn - Sid: DescribeEcrPrivateRegistryAndGetAuthToken Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken Resource: '*' - Sid: ListIamRoles Effect: Allow Action: iam:ListRoles Resource: '*' - Sid: ManageTapSecrets Effect: Allow Action: - secretsmanager:DescribeSecret - secretsmanager:GetResourcePolicy - secretsmanager:GetSecretValue - secretsmanager:ListSecretVersionIds - secretsmanager:PutSecretValue Resource: !Ref TanzuNetSecretCredentials - Sid: ListSecretsAndGetRandomPassword Effect: Allow Action: - secretsmanager:GetRandomPassword - secretsmanager:ListSecrets Resource: '*' - Sid: ListRoute53HostedZones Effect: Allow Action: - route53:ListHostedZones - 
route53:ListHostedZonesByName Resource: '*' - Sid: ManageTapRoute53HostedZoneRecordSets Effect: Allow Action: - route53:ListResourceRecordSets - route53:ChangeResourceRecordSets Resource: !Sub arn:${AWS::Partition}:route53:::hostedzone/${PrivateHostedZone} - Sid: ManageCloudWatchLogs Effect: Allow Action: - logs:DescribeLogGroups - logs:DescribeLogStreams - logs:GetLogEvents - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:PutMetricFilter - logs:PutRetentionPolicy Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:* - Sid: GetQSS3BucketObjects Effect: Allow Action: s3:GetObject Resource: !Sub - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}* - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] - Sid: ListAllS3Buckets Effect: Allow Action: s3:ListAllMyBuckets Resource: !Sub arn:${AWS::Partition}:s3:::* ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2RoleforSSM - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy LinuxBastionInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: !Sub - VMwareLinuxBastionInstanceProfile-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Roles: - !Ref QSBastionIamRole TAPBuildServiceIamRole: Type: AWS::IAM::Role # Condition: UseEcr Condition: CreateSingleCluster Properties: RoleName: !Sub - TAPBuildServiceIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: >- VMware Tanzu Application Platform role to allow Tanzu Build Service to write to ECR. 
AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${IamOidcProviderArn}/${OidcProviderEndpoint}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OidcProviderEndpoint}:aud": "sts.amazonaws.com" }, "StringLike": { "${OidcProviderEndpoint}:sub": [ "system:serviceaccount:kpack:controller", "system:serviceaccount:build-service:dependency-updater-controller-serviceaccount" ] } } } ] } - IamOidcProviderArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider OidcProviderEndpoint: !Select [1, !Split ["//", !GetAtt EKSQSStack.Outputs.OIDCIssuerURL]] Policies: - PolicyName: TAPEcrBuildService PolicyDocument: Version: 2012-10-17 Statement: - Sid: TAPEcrBuildServiceGlobal Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken - ecr:GetRegistryPolicy - ecr:PutRegistryPolicy - ecr:PutReplicationConfiguration - ecr:DeleteRegistryPolicy Resource: '*' - Sid: TAPEcrBuildServiceScoped Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:BatchGetRepositoryScanningConfiguration - ecr:DescribeImageReplicationStatus - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - ecr:GetLifecyclePolicy - ecr:GetLifecyclePolicyPreview - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListTagsForResource - ecr:TagResource - ecr:UntagResource - ecr:BatchDeleteImage - ecr:BatchImportUpstreamImage - ecr:CompleteLayerUpload - ecr:CreatePullThroughCacheRule - ecr:CreateRepository - ecr:DeleteLifecyclePolicy - ecr:DeletePullThroughCacheRule - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:PutImageScanningConfiguration - ecr:PutImageTagMutability - ecr:PutLifecyclePolicy - ecr:PutRegistryScanningConfiguration - ecr:ReplicateImage - ecr:StartImageScan - ecr:StartLifecyclePolicyPreview - ecr:UploadLayerPart - 
ecr:DeleteRepositoryPolicy - ecr:SetRepositoryPolicy Resource: - !GetAtt TAPBuildServiceRepo.Arn - !GetAtt TAPClusterEssentialsBundleRepo.Arn - !GetAtt TAPPackagesRepo.Arn - !GetAtt TAPWorkloadRepo.Arn - !GetAtt TAPWorkloadBundleRepo.Arn - !Sub # Allows TAP to deploy & manage new workloads from other # repos with the stack ID prefix post-deployment. - arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${StackId}/* - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] TAPWorkloadIamRole: Type: AWS::IAM::Role # Condition: UseEcr Condition: CreateSingleCluster Properties: RoleName: !Sub - TAPWorkloadIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: >- VMware Tanzu Application Platform role to create a workload. AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${IamOidcProviderArn}/${OidcProviderEndpoint}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OidcProviderEndpoint}:aud": "sts.amazonaws.com", "${OidcProviderEndpoint}:sub": "system:serviceaccount:tap-workload:default" } } } ] } - IamOidcProviderArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider OidcProviderEndpoint: !Select [1, !Split [//, !GetAtt EKSQSStack.Outputs.OIDCIssuerURL]] Policies: - PolicyName: TAPEcrWorkload PolicyDocument: Version: 2012-10-17 Statement: - Sid: TAPEcrWorkloadGlobal Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken - ecr:GetRegistryPolicy - ecr:PutRegistryPolicy - ecr:PutReplicationConfiguration - ecr:DeleteRegistryPolicy Resource: '*' - Sid: TAPEcrWorkloadScoped Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:BatchGetRepositoryScanningConfiguration - ecr:DescribeImageReplicationStatus - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - ecr:GetLifecyclePolicy - 
ecr:GetLifecyclePolicyPreview - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListTagsForResource - ecr:TagResource - ecr:UntagResource - ecr:BatchDeleteImage - ecr:BatchImportUpstreamImage - ecr:CompleteLayerUpload - ecr:CreatePullThroughCacheRule - ecr:CreateRepository - ecr:DeleteLifecyclePolicy - ecr:DeletePullThroughCacheRule - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:PutImageScanningConfiguration - ecr:PutImageTagMutability - ecr:PutLifecyclePolicy - ecr:PutRegistryScanningConfiguration - ecr:ReplicateImage - ecr:StartImageScan - ecr:StartLifecyclePolicyPreview - ecr:UploadLayerPart - ecr:DeleteRepositoryPolicy - ecr:SetRepositoryPolicy Resource: - !GetAtt TAPWorkloadRepo.Arn - !GetAtt TAPWorkloadBundleRepo.Arn - !Sub # Allows TAP to deploy & manage new workloads from other # repos with the stack ID prefix post-deployment. - arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${StackId}/* - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] #roles muli cluster start BUILDBuildServiceIamRole: Type: AWS::IAM::Role # Condition: UseEcr Condition: CreateMultiCluster Properties: RoleName: !Sub - BUILDBuildServiceIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: >- VMware Tanzu Application Platform role to allow Tanzu Build Service to write to ECR. 
AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${IamOidcProviderArn}/${OidcProviderEndpoint}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OidcProviderEndpoint}:aud": "sts.amazonaws.com" }, "StringLike": { "${OidcProviderEndpoint}:sub": [ "system:serviceaccount:kpack:controller", "system:serviceaccount:build-service:dependency-updater-controller-serviceaccount" ] } } } ] } - IamOidcProviderArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider OidcProviderEndpoint: !Select [1, !Split ["//", !GetAtt BUILDEKSQSStack.Outputs.OIDCIssuerURL]] Policies: - PolicyName: TAPEcrBuildService PolicyDocument: Version: 2012-10-17 Statement: - Sid: TAPEcrBuildServiceGlobal Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken - ecr:GetRegistryPolicy - ecr:PutRegistryPolicy - ecr:PutReplicationConfiguration - ecr:DeleteRegistryPolicy Resource: '*' - Sid: TAPEcrBuildServiceScoped Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:BatchGetRepositoryScanningConfiguration - ecr:DescribeImageReplicationStatus - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - ecr:GetLifecyclePolicy - ecr:GetLifecyclePolicyPreview - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListTagsForResource - ecr:TagResource - ecr:UntagResource - ecr:BatchDeleteImage - ecr:BatchImportUpstreamImage - ecr:CompleteLayerUpload - ecr:CreatePullThroughCacheRule - ecr:CreateRepository - ecr:DeleteLifecyclePolicy - ecr:DeletePullThroughCacheRule - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:PutImageScanningConfiguration - ecr:PutImageTagMutability - ecr:PutLifecyclePolicy - ecr:PutRegistryScanningConfiguration - ecr:ReplicateImage - ecr:StartImageScan - ecr:StartLifecyclePolicyPreview - ecr:UploadLayerPart - 
ecr:DeleteRepositoryPolicy - ecr:SetRepositoryPolicy Resource: - !GetAtt TAPBuildServiceRepo.Arn - !GetAtt TAPClusterEssentialsBundleRepo.Arn - !GetAtt TAPPackagesRepo.Arn - !GetAtt TAPWorkloadRepo.Arn - !GetAtt TAPWorkloadBundleRepo.Arn - !Sub # Allows TAP to deploy & manage new workloads from other # repos with the stack ID prefix post-deployment. - arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${StackId}/* - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] BUILDWorkloadIamRole: Type: AWS::IAM::Role # Condition: UseEcr Condition: CreateMultiCluster Properties: RoleName: !Sub - BUILDWorkloadIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: >- VMware Tanzu Application Platform role to create a workload. AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${IamOidcProviderArn}/${OidcProviderEndpoint}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OidcProviderEndpoint}:aud": "sts.amazonaws.com", "${OidcProviderEndpoint}:sub": "system:serviceaccount:tap-workload:default" } } } ] } - IamOidcProviderArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider OidcProviderEndpoint: !Select [1, !Split [//, !GetAtt BUILDEKSQSStack.Outputs.OIDCIssuerURL]] Policies: - PolicyName: TAPEcrWorkload PolicyDocument: Version: 2012-10-17 Statement: - Sid: TAPEcrWorkloadGlobal Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken - ecr:GetRegistryPolicy - ecr:PutRegistryPolicy - ecr:PutReplicationConfiguration - ecr:DeleteRegistryPolicy Resource: '*' - Sid: TAPEcrWorkloadScoped Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:BatchGetRepositoryScanningConfiguration - ecr:DescribeImageReplicationStatus - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - ecr:GetLifecyclePolicy - 
ecr:GetLifecyclePolicyPreview - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListTagsForResource - ecr:TagResource - ecr:UntagResource - ecr:BatchDeleteImage - ecr:BatchImportUpstreamImage - ecr:CompleteLayerUpload - ecr:CreatePullThroughCacheRule - ecr:CreateRepository - ecr:DeleteLifecyclePolicy - ecr:DeletePullThroughCacheRule - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:PutImageScanningConfiguration - ecr:PutImageTagMutability - ecr:PutLifecyclePolicy - ecr:PutRegistryScanningConfiguration - ecr:ReplicateImage - ecr:StartImageScan - ecr:StartLifecyclePolicyPreview - ecr:UploadLayerPart - ecr:DeleteRepositoryPolicy - ecr:SetRepositoryPolicy Resource: - !GetAtt TAPWorkloadRepo.Arn - !GetAtt TAPWorkloadBundleRepo.Arn - !Sub # Allows TAP to deploy & manage new workloads from other # repos with the stack ID prefix post-deployment. - arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${StackId}/* - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] ITERATEBuildServiceIamRole: Type: AWS::IAM::Role # Condition: UseEcr Condition: CreateMultiCluster Properties: RoleName: !Sub - ITERATEBuildServiceIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: >- VMware Tanzu Application Platform role to allow Tanzu Build Service to write to ECR. 
AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${IamOidcProviderArn}/${OidcProviderEndpoint}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OidcProviderEndpoint}:aud": "sts.amazonaws.com" }, "StringLike": { "${OidcProviderEndpoint}:sub": [ "system:serviceaccount:kpack:controller", "system:serviceaccount:build-service:dependency-updater-controller-serviceaccount" ] } } } ] } - IamOidcProviderArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider OidcProviderEndpoint: !Select [1, !Split ["//", !GetAtt ITERATEEKSQSStack.Outputs.OIDCIssuerURL]] Policies: - PolicyName: TAPEcrBuildService PolicyDocument: Version: 2012-10-17 Statement: - Sid: TAPEcrBuildServiceGlobal Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken - ecr:GetRegistryPolicy - ecr:PutRegistryPolicy - ecr:PutReplicationConfiguration - ecr:DeleteRegistryPolicy Resource: '*' - Sid: TAPEcrBuildServiceScoped Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:BatchGetRepositoryScanningConfiguration - ecr:DescribeImageReplicationStatus - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - ecr:GetLifecyclePolicy - ecr:GetLifecyclePolicyPreview - ecr:GetRegistryScanningConfiguration - ecr:GetRepositoryPolicy - ecr:ListTagsForResource - ecr:TagResource - ecr:UntagResource - ecr:BatchDeleteImage - ecr:BatchImportUpstreamImage - ecr:CompleteLayerUpload - ecr:CreatePullThroughCacheRule - ecr:CreateRepository - ecr:DeleteLifecyclePolicy - ecr:DeletePullThroughCacheRule - ecr:DeleteRepository - ecr:InitiateLayerUpload - ecr:PutImage - ecr:PutImageScanningConfiguration - ecr:PutImageTagMutability - ecr:PutLifecyclePolicy - ecr:PutRegistryScanningConfiguration - ecr:ReplicateImage - ecr:StartImageScan - ecr:StartLifecyclePolicyPreview - ecr:UploadLayerPart - 
ecr:DeleteRepositoryPolicy - ecr:SetRepositoryPolicy Resource: - !GetAtt TAPBuildServiceRepo.Arn - !GetAtt TAPClusterEssentialsBundleRepo.Arn - !GetAtt TAPPackagesRepo.Arn - !GetAtt TAPWorkloadRepo.Arn - !GetAtt TAPWorkloadBundleRepo.Arn - !Sub # Allows TAP to deploy & manage new workloads from other # repos with the stack ID prefix post-deployment. - arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${StackId}/* - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] ITERATEWorkloadIamRole: Type: AWS::IAM::Role # Condition: UseEcr Condition: CreateMultiCluster Properties: RoleName: !Sub - ITERATEWorkloadIamRole-${StackId} - StackId: !Select [2, !Split [/, !Ref AWS::StackId]] Description: >- VMware Tanzu Application Platform role to create a workload. AssumeRolePolicyDocument: !Sub - | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${IamOidcProviderArn}/${OidcProviderEndpoint}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OidcProviderEndpoint}:aud": "sts.amazonaws.com", "${OidcProviderEndpoint}:sub": "system:serviceaccount:tap-workload:default" } } } ] } - IamOidcProviderArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider OidcProviderEndpoint: !Select [1, !Split [//, !GetAtt ITERATEEKSQSStack.Outputs.OIDCIssuerURL]] Policies: - PolicyName: TAPEcrWorkload PolicyDocument: Version: 2012-10-17 Statement: - Sid: TAPEcrWorkloadGlobal Effect: Allow Action: - ecr:DescribeRegistry - ecr:GetAuthorizationToken - ecr:GetRegistryPolicy - ecr:PutRegistryPolicy - ecr:PutReplicationConfiguration - ecr:DeleteRegistryPolicy Resource: '*' - Sid: TAPEcrWorkloadScoped Effect: Allow Action: - ecr:DescribeImages - ecr:ListImages - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:BatchGetRepositoryScanningConfiguration - ecr:DescribeImageReplicationStatus - ecr:DescribeImageScanFindings - ecr:DescribeRepositories - ecr:GetDownloadUrlForLayer - 
              - ecr:GetLifecyclePolicy
              - ecr:GetLifecyclePolicyPreview
              - ecr:GetRegistryScanningConfiguration
              - ecr:GetRepositoryPolicy
              - ecr:ListTagsForResource
              - ecr:TagResource
              - ecr:UntagResource
              - ecr:BatchDeleteImage
              - ecr:BatchImportUpstreamImage
              - ecr:CompleteLayerUpload
              - ecr:CreatePullThroughCacheRule
              - ecr:CreateRepository
              - ecr:DeleteLifecyclePolicy
              - ecr:DeletePullThroughCacheRule
              - ecr:DeleteRepository
              - ecr:InitiateLayerUpload
              - ecr:PutImage
              - ecr:PutImageScanningConfiguration
              - ecr:PutImageTagMutability
              - ecr:PutLifecyclePolicy
              - ecr:PutRegistryScanningConfiguration
              - ecr:ReplicateImage
              - ecr:StartImageScan
              - ecr:StartLifecyclePolicyPreview
              - ecr:UploadLayerPart
              - ecr:DeleteRepositoryPolicy
              - ecr:SetRepositoryPolicy
            Resource:
              - !GetAtt TAPWorkloadRepo.Arn
              - !GetAtt TAPWorkloadBundleRepo.Arn
              - !Sub
                # Allows TAP to deploy & manage new workloads from other
                # repos with the stack ID prefix post-deployment.
                - arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${StackId}/*
                - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
  # roles multi cluster end
  UbuntuBastionLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        SecurityGroupIds:
          - !Ref QSBastionSecurityGroup
          - !Ref LinuxBastionSecurityGroup
        Monitoring:
          Enabled: true
        KeyName: !Ref KeyPairName
        ImageId: !FindInMap [AwsAmiRegionMap, !Ref AWS::Region, US2204HVM]
        InstanceType: m5.large
        IamInstanceProfile:
          Arn: !GetAtt LinuxBastionInstanceProfile.Arn
        BlockDeviceMappings:
          - DeviceName: /dev/sda1
            Ebs:
              VolumeSize: 50
              VolumeType: gp2
              Encrypted: true
              DeleteOnTermination: true
        MetadataOptions:
          HttpEndpoint: enabled
          #! Troy: [...] you also need to set the hop limit to 2, because the default of 1 effectively disables EC2 host profile authentication [...]
          HttpPutResponseHopLimit: 2
          HttpTokens: required
        UserData:
          Fn::Base64: !Sub
            - |
              #!/bin/bash
              set -e
              set -u
              set -o pipefail
              set -x

              cat <<EOF >> /etc/environment
              AWS_REGION=${AWS::Region}
              AWS_DEFAULT_REGION=${AWS::Region}
              EOF
              . /etc/environment
              export AWS_REGION AWS_DEFAULT_REGION

              set +x
              # TODO: we should ensure to
              # - only export actually used vars
              # - never print/log those, or at least sensitive ones
              # - use consistent/proper/clear var names
              # - handle multiline/quoted/... vars correctly
              export AWSAccountID='${AWS::AccountId}'
              export AwsKubectlVersion='${AwsKubectlVersion}'
              export BuildClusterBuildServiceArn='${BuildClusterBuildServiceArn}'
              export BuildClusterName='${BuildClusterName}'
              export BuildClusterWorkloadArn='${BuildClusterWorkloadArn}'
              export ClusterArch='${ClusterArch}'
              export ClusterEssentialsBundleFileHash='${ClusterEssentialsBundleFileHash}'
              export ClusterEssentialsBundleRepo='${ClusterEssentialsBundleRepo}'
              export ClusterEssentialsBundleVersion='${ClusterEssentialsBundleVersion}'
              export DockerCredPassVersion='${DockerCredPassVersion}'
              export EKSClusterName='${EKSClusterName}'
              export IterateClusterBuildServiceArn='${IterateClusterBuildServiceArn}'
              export IterateClusterName='${IterateClusterName}'
              export IterateClusterWorkloadArn='${IterateClusterWorkloadArn}'
              export OmCLIVersion='${OmCLIVersion}'
              export PrivateHostedZone='${PrivateHostedZone}'
              export QSS3BucketPath='${QSS3BucketPath}'
              export RunClusterName='${RunClusterName}'
              export SampleAppConfig='${SampleAppConfig}'
              export SampleAppNamespace='${SampleAppNamespace}'
              export SampleAppName='${SampleAppName}'
              export TAPBuildServiceRepo_RepositoryUri='${TAPBuildServiceRepo.RepositoryUri}'
              export TAPClusterEssentialsBundleRepo_RepositoryUri='${TAPClusterEssentialsBundleRepo.RepositoryUri}'
              export TAPDomainName='${TAPDomainName}'
              export TAPLogGroup='${TAPLogGroup}'
              export TAPPackagesRepo_RepositoryUri='${TAPPackagesRepo.RepositoryUri}'
              export TAPRepo='${TAPRepo}'
              export TAPVersion='${TAPVersion}'
              export TAPWorkloadRepo_RepositoryUri='${TAPWorkloadRepo.RepositoryUri}'
              export TAPWorkloadBundleRepo_RepositoryUri='${TAPWorkloadBundleRepo.RepositoryUri}'
              export TanzuNetRegistryServer='${TanzuNetRegistryServer}'
              export TanzuNetRelocateImages='${TanzuNetRelocateImages}'
              export TanzuNetSecretCredentials='${TanzuNetSecretCredentials}'
              export ViewClusterName='${ViewClusterName}'
              # WaitConditionHandles
              export CloudInitHandle='${CloudInitHandle}'
              export TAPInstallHandle='${TAPInstallHandle}'
              export TAPWorkloadInstallHandle='${TAPWorkloadInstallHandle}'
              export TAPTestsHandle='${TAPTestsHandle}'
              set -x

              arch=$(dpkg --print-architecture)

              echo "Removing built-in Docker..."
              apt-get -y remove containerd runc

              echo "Adding Docker CE repo..."
              mkdir -p /usr/local/share/keyrings/
              curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/local/share/keyrings/docker-archive-keyring.gpg --yes
              printf "deb [arch=$arch signed-by=/usr/local/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list

              echo "Updating & upgrading..."
              apt-get -y update
              apt-get -y upgrade

              echo "Installing system dependencies..."
              apt-get -y install \
                amazon-ecr-credential-helper \
                ca-certificates \
                containerd.io \
                curl \
                docker-ce \
                docker-ce-cli \
                docker-compose-plugin \
                git \
                gnupg \
                gnupg2 \
                jq \
                lsb-release \
                openssl \
                pass \
                perl \
                python3-pip \
                python3-setuptools \
                sed \
                sudo \
                traceroute \
                unzip \
                uuid-runtime \
                vim \
                wget

              # TODO: use mktemp and a trap to clean up (or use an AMI with AWS CLI preinstalled)
              # Note: the Ubuntu AMI seems to come with `wget` and `curl` already installed
              echo "Installing aws cli..."
              pushd /tmp
              wget -O "./awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip"
              unzip ./awscliv2.zip
              ./aws/install
              popd

              echo "Installing aws-cfn-bootstrap tools & setting signal trap"
              pip3 install "https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz"

              # Set and export the cfn trap
              cfnSignal() {
                local -
                set +x
                local rc="${!1:-42}"
                local handleURL="${!2:-${CloudInitHandle}}"
                local reason='installation succeeded'
                local ctxLines=10
                (( rc != 0 )) && {
                  local nl=$'\n'
                  # We don't care about the last 3 lines of the log, because
                  # that's logging the cfnSignal itself.
                  reason="${!nl}$( tail -n $(( ctxLines + 3 )) /var/log/cloud-init-output.log | head -n -3 )${!nl}"
                }
                cfn-signal --region "${!AWS_REGION}" --exit-code "$rc" --reason "$reason" "$handleURL" \
                  || echo >&2 'could not run cfn-signal'
              }
              export -f cfnSignal
              trap 'cfnSignal $?' ERR

              cInit="${!QSS3BucketPath}/src/cloud-init.sh"
              echo "kicking off cloud-init from '${!cInit}'"
              bash -xe <( aws s3 cp --no-progress "${!cInit}" - )

              cfnSignal 0
            - AwsKubectlVersion: !FindInMap [ Versions, current, Kubectl ]
              TAPVersion: !FindInMap [ Versions, current, TAP ]
              ClusterEssentialsBundleRepo: tanzu-cluster-essentials/cluster-essentials-bundle
              ClusterEssentialsBundleFileHash: !FindInMap [ Versions, current, ClusterEssentialsHash ]
              ClusterEssentialsBundleVersion: !FindInMap [ Versions, current, ClusterEssentialsVersion ]
              DockerCredPassVersion: !FindInMap [ Versions, current, DockerCredPass ]
              OmCLIVersion: !FindInMap [ Versions, current, OmCLI ]
              SampleAppConfig: !FindInMap [Apps, Sample, Config]
              SampleAppNamespace: !FindInMap [Apps, Sample, Namespace]
              SampleAppName: !FindInMap [Apps, Sample, Name]
              QSS3BucketPath: !Sub
                - s3://${S3Bucket}/${QSS3KeyPrefix}tap-setup-scripts
                - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
              TanzuNetRegistryServer: !FindInMap [TanzuNetRegistryServer, Server, Name]
              TAPRepo: tanzu-application-platform/tap-packages
              ClusterArch: !Ref TAPClusterArch
              BuildClusterName: !If [CreateMultiCluster, !GetAtt BUILDEKSQSStack.Outputs.EKSClusterName, !GetAtt EKSQSStack.Outputs.EKSClusterName]
              BuildClusterBuildServiceArn: !If [CreateMultiCluster, !GetAtt BUILDBuildServiceIamRole.Arn, !GetAtt TAPBuildServiceIamRole.Arn]
              BuildClusterWorkloadArn: !If [CreateMultiCluster, !GetAtt BUILDWorkloadIamRole.Arn, !GetAtt TAPWorkloadIamRole.Arn]
              IterateClusterName: !If [CreateMultiCluster, !GetAtt ITERATEEKSQSStack.Outputs.EKSClusterName, ""]
              IterateClusterBuildServiceArn: !If [CreateMultiCluster, !GetAtt ITERATEBuildServiceIamRole.Arn, ""]
              IterateClusterWorkloadArn: !If [CreateMultiCluster, !GetAtt ITERATEWorkloadIamRole.Arn, ""]
              RunClusterName: !If [CreateMultiCluster, !GetAtt RUNEKSQSStack.Outputs.EKSClusterName, ""]
              ViewClusterName: !If [CreateMultiCluster, !GetAtt VIEWEKSQSStack.Outputs.EKSClusterName, ""]
              #! TODO:
              #! We need this regardless of deployment arch, so we can't use
              #! the EKS stack's output here. We should change the cloud-init
              #! to not rely on that for the multi-cluster case.
              EKSClusterName: !Join ['-', ['tap', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
              CloudInitHandle: !Ref PhaseCloudInitHandle
              TAPInstallHandle: !Ref PhaseTAPInstallHandle
              TAPWorkloadInstallHandle: !Ref PhaseTAPWorkloadInstallHandle
              TAPTestsHandle: !Ref PhaseTAPTestsHandle
  UbuntuBastion:
    # TODO: Implement CloudFormation helper scripts once Ubuntu 22.04 is
    # supported.
    Type: AWS::EC2::Instance
    Metadata:
      cfn-lint: { config: { ignore_checks: [I3042] } }
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref UbuntuBastionLaunchTemplate
        Version: !GetAtt [UbuntuBastionLaunchTemplate, DefaultVersionNumber]
      SubnetId: !Ref PublicSubnet1Id
      Tags:
        - Key: Name
          Value: VMwareLinuxBastionInstance
        - Key: Description
          Value: VMware Tanzu Application Platform EKS cluster bootstrap instance.
  # Phase for the whole cloud-init process
  # from the creation of the instance to finished cloud-init run
  PhaseCloudInitHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  PhaseCloudInit:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: UbuntuBastion
    Properties:
      Count: 1
      Handle: !Ref "PhaseCloudInitHandle"
      Timeout: !FindInMap [ !FindInMap [TimeoutMap, !Ref TAPClusterArch, MapName], !Ref TanzuNetRelocateImages, CloudInit ]
  # Phase for TAP install
  # from the creation of the instance to finished TAP install
  PhaseTAPInstallHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  PhaseTAPInstall:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: UbuntuBastion
    Properties:
      Count: 1
      Handle: !Ref "PhaseTAPInstallHandle"
      Timeout: !FindInMap [ !FindInMap [TimeoutMap, !Ref TAPClusterArch, MapName], !Ref TanzuNetRelocateImages, TAPInstall ]
  # Phase for TAP workload install
  # from finished TAP install to finished workload deployment
  PhaseTAPWorkloadInstallHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  PhaseTAPWorkloadInstall:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: PhaseTAPInstall
    Properties:
      Count: 1
      Handle: !Ref "PhaseTAPWorkloadInstallHandle"
      Timeout: !FindInMap [ !FindInMap [TimeoutMap, !Ref TAPClusterArch, MapName], !Ref TanzuNetRelocateImages, TAPWorkloadInstall ]
  # Phase for TAP (smoke) tests
  # from finished TAP workload deployment to finished test runs
  PhaseTAPTestsHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  PhaseTAPTests:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: PhaseTAPWorkloadInstall
    Properties:
      Count: 1
      Handle: !Ref "PhaseTAPTestsHandle"
      Timeout: !FindInMap [ !FindInMap [TimeoutMap, !Ref TAPClusterArch, MapName], !Ref TanzuNetRelocateImages, TAPTests ]
  UbuntuBastionEipAssociation:
    Type: AWS::EC2::EIPAssociation
    UpdateReplacePolicy: Delete
    Properties:
      InstanceId: !Ref UbuntuBastion
      AllocationId: !GetAtt LinuxBastionEIP.AllocationId
  WindowsBastionEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: VMwareWindowsBastionEIP
  WindowsBastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Windows bastion host security group.
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: VMwareWindowsBastionSecurityGroup
        - Key: Description
          Value: >-
            Windows bastion security group for accessing the VMware Tanzu
            Application Platform cluster GUI.
  WindowsBastionRdpIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow RDP to bastion host
      GroupId: !Ref WindowsBastionSecurityGroup
      IpProtocol: tcp
      FromPort: 3389
      ToPort: 3389
      CidrIp: !Ref RemoteAccessCidr
  WindowsBastionInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: !Sub
        - VMwareWindowsBastionInstanceProfile-${StackId}
        - StackId: !Select [2, !Split [/, !Ref AWS::StackId]]
      Roles:
        - !Ref QSBastionIamRole
  WindowsBastionLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Metadata: {}
    Properties:
      LaunchTemplateData:
        SecurityGroupIds:
          - !Ref QSBastionSecurityGroup
          - !Ref WindowsBastionSecurityGroup
        KeyName: !Ref KeyPairName
        ImageId: !FindInMap [AwsAmiRegionMap, !Ref AWS::Region, WS2022FullBase]
        InstanceType: t3.medium
        IamInstanceProfile:
          Arn: !GetAtt WindowsBastionInstanceProfile.Arn
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              VolumeSize: 80
              VolumeType: gp2
        MetadataOptions:
          HttpEndpoint: enabled
          #! Troy: [...] you also need to set the hop limit to 2, because the default of 1 effectively disables EC2 host profile authentication [...]
          HttpPutResponseHopLimit: 2
          HttpTokens: required
        UserData:
          Fn::Base64: !Sub
            - |
              <powershell>
              Write-Host -Object 'Setting AWS Region environment variables...'
              [System.Environment]::SetEnvironmentVariable('AWS_REGION','${AWS::Region}',[System.EnvironmentVariableTarget]::System)
              [System.Environment]::SetEnvironmentVariable('AWS_DEFAULT_REGION','${AWS::Region}',[System.EnvironmentVariableTarget]::System)

              Write-Host -Object 'Installing Chocolatey...'
              Set-ExecutionPolicy Bypass -Scope Process -Force
              [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
              Invoke-Expression -Command ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

              Write-Host -Object 'Installing tools ...'
              choco install -y googlechrome jq base64

              Write-Host -Object 'Installing AWS CLI...'
              $WebClient = New-Object System.Net.WebClient
              $WebClient.DownloadFile("https://awscli.amazonaws.com/AWSCLIV2.msi","awscliv2.msi")
              Write-Host -Object "Downloaded the cli installer."
              Start-Process msiexec.exe -Wait -ArgumentList '/i awscliv2.msi /qn /l*v aws-cli-install.log'
              Start-Sleep -Seconds 60
              $env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
              Write-Host -Object "aws cli installed."
              aws --version
              aws sts get-caller-identity

              Write-Host -Object 'Installing kubectl...'
              Write-Host -Object "AwsKubectlVersion ${AwsKubectlVersion} Arch ${Arch}"
              Invoke-WebRequest -Uri "https://s3.us-west-2.amazonaws.com/amazon-eks/${AwsKubectlVersion}/bin/windows/${Arch}/kubectl.exe" -OutFile "kubectl.exe"
              Invoke-WebRequest -Uri "https://s3.us-west-2.amazonaws.com/amazon-eks/${AwsKubectlVersion}/bin/windows/${Arch}/kubectl.exe.sha256" -OutFile "kubectl.exe.sha256"
              # Get the file hashes. Get-FileHash returns an object, so keep only its .Hash string;
              # the .sha256 file holds either the bare digest or "<digest> <filename>", so keep only the digest.
              $hashSrc = (Get-FileHash kubectl.exe -Algorithm "SHA256").Hash
              $hashDest = ((Get-Content -Path kubectl.exe.sha256 -Raw).Trim() -split '\s+')[0]
              # Compare the digest strings themselves (-ne is case-insensitive) & note this in the log.
              # Both values are already strings here; reading a .Hash property off them would give $null
              # on both sides and the check would never fail.
              If ($hashSrc -ne $hashDest) {
                Write-Output "The kubectl file Hashes are NOT EQUAL"
                Write-Output "kubectl.exe File Hash: $hashSrc"
                Write-Output "kubectl.exe.sha256 File Hash: $hashDest"
                Exit 1
              }
              Move-Item -Path kubectl.exe -Destination C:\Windows\System32\kubectl.exe

              $TmpCertFileName = "tap-ingress-selfsigned-root-ca-tls.crt"
              Write-Output -Object 'Updating Kubeconfig for ClusterName ${ClusterName} ...'
              aws eks update-kubeconfig --name ${ClusterName}
              kubectl version

              Write-Host -Object 'Importing TAP-GUI Cert to LocalMachine\Root Cert Store ...'
              kubectl get secrets/tap-ingress-selfsigned-root-ca -n cert-manager -o json | jq -r '.data.\"tls.crt\"' | base64 -d > $TmpCertFileName
              Import-Certificate -FilePath $TmpCertFileName -CertStoreLocation Cert:\LocalMachine\Root
              </powershell>
            - AwsKubectlVersion: !FindInMap [ Versions, current, WindowsKubectl ]
              Arch: amd64
              ClusterName: !If [CreateMultiCluster, !GetAtt VIEWEKSQSStack.Outputs.EKSClusterName, !GetAtt EKSQSStack.Outputs.EKSClusterName]
  WindowsBastion:
    Type: AWS::EC2::Instance
    DependsOn: PhaseTAPTests
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref WindowsBastionLaunchTemplate
        Version: !GetAtt [WindowsBastionLaunchTemplate, DefaultVersionNumber]
      SubnetId: !Ref PublicSubnet1Id
      Tags:
        - Key: Name
          Value: VMwareWindowsBastionInstance
        - Key: Description
          Value: >-
            Windows bastion instance for accessing the VMware Tanzu Application
            Platform cluster graphical user interface (GUI).
  WindowsBastionEipAssociation:
    Type: AWS::EC2::EIPAssociation
    UpdateReplacePolicy: Delete
    Properties:
      InstanceId: !Ref WindowsBastion
      AllocationId: !GetAtt WindowsBastionEIP.AllocationId
Outputs:
  LinuxBastionEIP:
    Description: >-
      The public IP address of the Linux bastion host / bootstrap instance.
    Value: !Ref LinuxBastionEIP
  UbuntuBastionAZ:
    Description: >-
      The Availability Zone that the Ubuntu bastion host / bootstrap instance
      is deployed in.
    Value: !GetAtt UbuntuBastion.AvailabilityZone
  UbuntuBastionId:
    Description: >-
      The EC2 instance ID of the Ubuntu bastion host / bootstrap instance.
    Value: !Ref UbuntuBastion
  UbuntuBastionPublicDnsName:
    Description: >-
      The public DNS name of the Ubuntu bastion host / bootstrap instance.
    Value: !GetAtt UbuntuBastion.PublicDnsName
  EKSClusterName:
    Description: The Amazon EKS cluster name.
    Value: !GetAtt EKSQSStack.Outputs.EKSClusterName
    Condition: CreateSingleCluster
  TAPGuiUrl:
    Description: >-
      The URL of the VMware Tanzu Application Platform GUI that is accessible
      from within the VPC, such as the Windows bastion instance.
    Value: !If [CreateMultiCluster, !Sub 'http://tap-gui.view.${TAPDomainName}', !Sub 'http://tap-gui.${TAPDomainName}']
  TAPWorkloadUrl:
    Description: >-
      The URL of the VMware Tanzu Application Platform sample workload that is
      accessible from within the VPC, such as the Windows bastion instance.
    Value: !Sub
      - http://${SampleAppName}.${Namespace}${ClusterName}.${TAPDomainName}
      - ClusterName: !If [CreateMultiCluster, .run, '']
        Namespace: !FindInMap [Apps, Sample, Namespace]
        SampleAppName: !FindInMap [Apps, Sample, Name]
  WindowsBastionAZ:
    Description: >-
      The Availability Zone that the Windows bastion instance is deployed in.
    Value: !GetAtt WindowsBastion.AvailabilityZone
  WindowsBastionId:
    Description: The instance ID of the Windows bastion instance.
    Value: !Ref WindowsBastion
  WindowsBastionEIP:
    Description: The public IP address of the Windows bastion instance.
    Value: !Ref WindowsBastionEIP
  WindowsBastionPublicDnsName:
    Description: The public DNS name of the Windows bastion instance.
    Value: !GetAtt WindowsBastion.PublicDnsName
  TAPLogGroup:
    Description: >-
      The Amazon CloudWatch Logs log group where the Tanzu Application Platform
      bootstrap logs are stored.
    Value: !Ref TAPLogGroup
  Postdeployment:
    Description: See the deployment guide for postdeployment steps.
    Value: https://fwd.aws/gDY8k?
  #start multi cluster outputs
  ViewEKSClusterName:
    Description: The TAP View cluster name.
    Value: !GetAtt VIEWEKSQSStack.Outputs.EKSClusterName
    Condition: CreateMultiCluster
  RunEKSClusterName:
    Description: The TAP Run cluster name.
    Value: !GetAtt RUNEKSQSStack.Outputs.EKSClusterName
    Condition: CreateMultiCluster
  BuildEKSClusterName:
    Description: The TAP Build cluster name.
    Value: !GetAtt BUILDEKSQSStack.Outputs.EKSClusterName
    Condition: CreateMultiCluster
  IterateEKSClusterName:
    Description: The TAP Iterate cluster name.
    Value: !GetAtt ITERATEEKSQSStack.Outputs.EKSClusterName
    Condition: CreateMultiCluster
  TAPClusterArch:
    Description: TAP cluster architecture.
    Value: !Ref TAPClusterArch
  #end multi cluster outputs
Rules:
  AcceptEULAs:
    Assertions:
      - Assert: !Equals [!Ref AcceptEULAs, 'Yes']
        AssertDescription: >-
          You must agree to all of the applicable VMware Tanzu Network end-user
          license agreements (EULAs) before proceeding.
  AcceptCEIP:
    Assertions:
      - Assert: !Equals [!Ref AcceptCEIP, 'Yes']
        AssertDescription: >-
          You must acknowledge that you have read and accept the VMware Customer
          Experience Improvement Program (CEIP) policy before you can proceed
          with the installation.