From 1aab848a22a383d185f8d0d6ed344076f636769b Mon Sep 17 00:00:00 2001 From: Mike Urbanski Date: Wed, 15 Jul 2020 15:22:37 -0500 Subject: [PATCH] add CFN template for EKS checks --- eks.yaml | 286 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 286 insertions(+) create mode 100644 eks.yaml diff --git a/eks.yaml b/eks.yaml new file mode 100644 index 0000000..33ab0e4 --- /dev/null +++ b/eks.yaml @@ -0,0 +1,286 @@ +--- +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + EKSIAMRoleName: + Type: String + Description: The name of the IAM role for the EKS service to assume. + EKSClusterName: + Type: String + Description: The desired name of your AWS EKS Cluster. + + VpcBlock: + Type: String + Default: 192.168.0.0/16 + Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range. + PublicSubnet01Block: + Type: String + Default: 192.168.0.0/18 + Description: CidrBlock for public subnet 01 within the VPC + PublicSubnet02Block: + Type: String + Default: 192.168.64.0/18 + Description: CidrBlock for public subnet 02 within the VPC + PrivateSubnet01Block: + Type: String + Default: 192.168.128.0/18 + Description: CidrBlock for private subnet 01 within the VPC + PrivateSubnet02Block: + Type: String + Default: 192.168.192.0/18 + Description: CidrBlock for private subnet 02 within the VPC +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: "Worker Network Configuration" + Parameters: + - VpcBlock + - PublicSubnet01Block + - PublicSubnet02Block + - PrivateSubnet01Block + - PrivateSubnet02Block +Resources: + EKSIAMRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - eks.amazonaws.com + Action: + - 'sts:AssumeRole' + RoleName: !Ref EKSIAMRoleName + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy + - arn:aws:iam::aws:policy/AmazonEKSServicePolicy + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref VpcBlock + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub '${AWS::StackName}-VPC' + InternetGateway: + Type: "AWS::EC2::InternetGateway" + VPCGatewayAttachment: + Type: "AWS::EC2::VPCGatewayAttachment" + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC + PublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Public Subnets + - Key: Network + Value: Public + + PrivateRouteTable01: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Private Subnet AZ1 + - Key: Network + Value: Private01 + + PrivateRouteTable02: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Private Subnet AZ2 + - Key: Network + Value: Private02 + PublicRoute: + DependsOn: VPCGatewayAttachment + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + PrivateRoute01: + DependsOn: + - VPCGatewayAttachment + - NatGateway01 + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PrivateRouteTable01 + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway01 + PrivateRoute02: + DependsOn: + - VPCGatewayAttachment + - NatGateway02 + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PrivateRouteTable02 + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway02 + NatGateway01: + DependsOn: + - NatGatewayEIP1 + - PublicSubnet01 + - VPCGatewayAttachment + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt 'NatGatewayEIP1.AllocationId' + SubnetId: !Ref PublicSubnet01 + Tags: + - Key: Name + Value: !Sub '${AWS::StackName}-NatGatewayAZ1' + NatGateway02: + DependsOn: + - NatGatewayEIP2 + - PublicSubnet02 + - VPCGatewayAttachment + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt 'NatGatewayEIP2.AllocationId' + SubnetId: !Ref PublicSubnet02 + Tags: + - Key: Name + Value: !Sub '${AWS::StackName}-NatGatewayAZ2' + NatGatewayEIP1: + DependsOn: + - VPCGatewayAttachment + Type: 'AWS::EC2::EIP' + Properties: + Domain: vpc + NatGatewayEIP2: + DependsOn: + - VPCGatewayAttachment + Type: 'AWS::EC2::EIP' + Properties: + Domain: vpc + PublicSubnet01: + Type: AWS::EC2::Subnet + Metadata: + Comment: Subnet 01 + Properties: + AvailabilityZone: + Fn::Select: + - '0' + - Fn::GetAZs: + Ref: AWS::Region + CidrBlock: + Ref: PublicSubnet01Block + VpcId: + Ref: VPC + Tags: + - Key: Name + Value: !Sub "${AWS::StackName}-PublicSubnet01" + PublicSubnet02: + Type: AWS::EC2::Subnet + Metadata: + Comment: Subnet 02 + Properties: + AvailabilityZone: + Fn::Select: + - '1' + - Fn::GetAZs: + Ref: AWS::Region + CidrBlock: + Ref: PublicSubnet02Block + VpcId: + Ref: VPC + Tags: + - Key: Name + Value: !Sub "${AWS::StackName}-PublicSubnet02" + PrivateSubnet01: + Type: AWS::EC2::Subnet + Metadata: + Comment: Subnet 03 + Properties: + AvailabilityZone: + Fn::Select: + - '0' + - Fn::GetAZs: + Ref: AWS::Region + CidrBlock: + Ref: PrivateSubnet01Block + VpcId: + Ref: VPC + Tags: + - Key: Name + Value: !Sub "${AWS::StackName}-PrivateSubnet01" + - Key: "kubernetes.io/role/internal-elb" + Value: 1 + PrivateSubnet02: + Type: AWS::EC2::Subnet + Metadata: + Comment: Private Subnet 02 + Properties: + AvailabilityZone: + Fn::Select: + - '1' + - Fn::GetAZs: + Ref: AWS::Region + CidrBlock: + Ref: PrivateSubnet02Block + VpcId: + Ref: VPC + Tags: + - Key: Name + Value: !Sub "${AWS::StackName}-PrivateSubnet02" + - Key: "kubernetes.io/role/internal-elb" + Value: 1 + PublicSubnet01RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref PublicSubnet01 + RouteTableId: !Ref PublicRouteTable + PublicSubnet02RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref PublicSubnet02 + RouteTableId: !Ref PublicRouteTable + PrivateSubnet01RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref PrivateSubnet01 + RouteTableId: !Ref PrivateRouteTable01 + PrivateSubnet02RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref PrivateSubnet02 + RouteTableId: !Ref PrivateRouteTable02 + ControlPlaneSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Cluster communication with worker nodes + VpcId: !Ref VPC + EKSCluster: + Type: AWS::EKS::Cluster + Properties: + Name: !Ref EKSClusterName + RoleArn: + "Fn::GetAtt": ["EKSIAMRole", "Arn"] + ResourcesVpcConfig: + SecurityGroupIds: + - !Ref ControlPlaneSecurityGroup + SubnetIds: + - !Ref PublicSubnet01 + - !Ref PublicSubnet02 + - !Ref PrivateSubnet01 + - !Ref PrivateSubnet02 + DependsOn: [EKSIAMRole, PublicSubnet01, PublicSubnet02, PrivateSubnet01, PrivateSubnet02, ControlPlaneSecurityGroup] +Outputs: + SubnetIds: + Description: Subnets IDs in the VPC + Value: !Join [ ",", [ !Ref PublicSubnet01, !Ref PublicSubnet02, !Ref PrivateSubnet01, !Ref PrivateSubnet02 ] ] + SecurityGroups: + Description: Security group for the cluster control plane communication with worker nodes + Value: !Join [ ",", [ !Ref ControlPlaneSecurityGroup ] ] + VpcId: + Description: The VPC Id + Value: !Ref VPC \ No newline at end of file