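---
AWSTemplateFormatVersion: "2010-09-09"
# The previous description was inherited from the AWS VPC Quick Start and
# promised features (optional extra private subnets, NAT-instance fallback)
# that this template does not implement; it now describes what is deployed.
Description: >-
  Creates a three-AZ VPC in us-east-1 (three public and three private /19
  subnets with one managed NAT gateway per Availability Zone), an EKS control
  plane attached to all six subnets, and a self-managed worker node group of
  three m5.large instances in the private subnets. **WARNING** This template
  creates AWS resources. You will be billed for the AWS resources used if you
  create a stack from this template. Derived from the AWS VPC Quick Start
  QS(0027).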
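Resources:
  ##### START VPC RESOURCES #####
  # Region-locked: every AvailabilityZone below is hard-coded to us-east-1 and
  # the worker AMI further down is a single-region image, so the stack cannot
  # be created elsewhere without changing both. `!Select [N, !GetAZs ""]` plus
  # a parameterised AMI would lift that restriction.
  # No VPC Flow Logs are defined; an AWS::EC2::FlowLog on the VPC is the usual
  # addition when network-level forensics are required.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      InstanceTenancy: default
      # EKS requires both DNS support and DNS hostnames for worker nodes to
      # register with the cluster.
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: BelongsTo
          Value: !Ref AWS::StackName
        - Key: Name
          Value: GremlinGameDay/Gremlin/DefaultVpc

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName

  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # Private subnets: no public IPs, default route via the NAT gateway in the
  # same AZ. The kubernetes.io/role/internal-elb tag lets the cluster's cloud
  # provider place internal load balancers in these subnets.
  PrivateSubnet1A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/19
      AvailabilityZone: us-east-1a
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private subnet 1A
        - Key: kubernetes.io/role/internal-elb
          Value: "1"

  PrivateSubnet2A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.32.0/19
      AvailabilityZone: us-east-1b
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private subnet 2A
        - Key: kubernetes.io/role/internal-elb
          Value: "1"

  PrivateSubnet3A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.64.0/19
      AvailabilityZone: us-east-1c
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private subnet 3A
        - Key: kubernetes.io/role/internal-elb
          Value: "1"

  # Public subnets: instances get a public IP at launch and route straight to
  # the internet gateway. The kubernetes.io/role/elb tag marks them as
  # candidates for internet-facing load balancers.
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.96.0/19
      AvailabilityZone: us-east-1a
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public subnet 1
        - Key: kubernetes.io/role/elb
          Value: "1"

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.128.0/19
      AvailabilityZone: us-east-1b
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public subnet 2
        - Key: kubernetes.io/role/elb
          Value: "1"

  PublicSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.160.0/19
      AvailabilityZone: us-east-1c
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public subnet 3
        - Key: kubernetes.io/role/elb
          Value: "1"

  # One route table per private subnet so each AZ egresses through its own
  # NAT gateway and an AZ outage does not black-hole the others.
  PrivateSubnet1ARouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private subnet 1A
        - Key: Network
          Value: Private

  PrivateSubnet1ARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet1ARouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      NatGatewayId: !Ref NATGateway1

  PrivateSubnet1ARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1A
      RouteTableId: !Ref PrivateSubnet1ARouteTable

  PrivateSubnet2ARouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private subnet 2A
        - Key: Network
          Value: Private

  PrivateSubnet2ARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet2ARouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      NatGatewayId: !Ref NATGateway2

  PrivateSubnet2ARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2A
      RouteTableId: !Ref PrivateSubnet2ARouteTable

  PrivateSubnet3ARouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private subnet 3A
        - Key: Network
          Value: Private

  PrivateSubnet3ARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnet3ARouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      NatGatewayId: !Ref NATGateway3

  PrivateSubnet3ARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet3A
      RouteTableId: !Ref PrivateSubnet3ARouteTable

  # All three public subnets share one route table and one default route to
  # the internet gateway.
  PublicSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Subnets
        - Key: Network
          Value: Public

  PublicSubnetRoute:
    Type: AWS::EC2::Route
    # A route to an IGW is rejected until the gateway is attached to the VPC,
    # and !Ref InternetGateway alone does not express that ordering.
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicSubnetRouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicSubnetRouteTable

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicSubnetRouteTable

  PublicSubnet3RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet3
      RouteTableId: !Ref PublicSubnetRouteTable

  # Elastic IPs for the NAT gateways. VPC-scoped EIPs can only be allocated
  # once the VPC has an internet gateway attached, hence the DependsOn.
  NAT1EIP:
    Type: AWS::EC2::EIP
    DependsOn: VPCGatewayAttachment
    Properties:
      Domain: vpc

  NAT2EIP:
    Type: AWS::EC2::EIP
    DependsOn: VPCGatewayAttachment
    Properties:
      Domain: vpc

  NAT3EIP:
    Type: AWS::EC2::EIP
    DependsOn: VPCGatewayAttachment
    Properties:
      Domain: vpc

  # One managed NAT gateway per AZ, each in that AZ's public subnet.
  NATGateway1:
    Type: AWS::EC2::NatGateway
    DependsOn: VPCGatewayAttachment
    Properties:
      AllocationId: !GetAtt NAT1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1

  NATGateway2:
    Type: AWS::EC2::NatGateway
    DependsOn: VPCGatewayAttachment
    Properties:
      AllocationId: !GetAtt NAT2EIP.AllocationId
      SubnetId: !Ref PublicSubnet2

  NATGateway3:
    Type: AWS::EC2::NatGateway
    DependsOn: VPCGatewayAttachment
    Properties:
      AllocationId: !GetAtt NAT3EIP.AllocationId
      SubnetId: !Ref PublicSubnet3
  ##### END VPC RESOURCES #####

  ##### START SECURITY GROUPS #####
  # Neither group declares an inline SecurityGroupEgress list, so both keep the
  # default allow-all outbound rule. The standalone SecurityGroupEgress
  # resources below document intent but do not restrict anything; to actually
  # limit egress the rules have to move inline (CloudFormation drops the
  # default rule only in that case).
  ControlPlaneSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster communication
      VpcId: !Ref VPC

  NodeSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for all nodes in the node group
      VpcId: !Ref VPC

  # Node-to-node: all protocols. With IpProtocol -1 the port range is ignored
  # by EC2; it is kept only because the upstream EKS sample carries it.
  NodeSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow nodes to communicate with each other
      GroupId: !Ref NodeSecurityGroup
      SourceSecurityGroupId: !Ref NodeSecurityGroup
      IpProtocol: "-1"
      FromPort: 0
      ToPort: 65535

  # Control plane -> nodes on the ephemeral range (kubelet 10250, exec/logs,
  # webhooks); mirrored by the egress rule that follows.
  NodeSecurityGroupFromControlPlaneIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow worker Kubelets and pods to receive communication from the cluster control plane
      GroupId: !Ref NodeSecurityGroup
      SourceSecurityGroupId: !Ref ControlPlaneSecurityGroup
      IpProtocol: tcp
      FromPort: 1025
      ToPort: 65535

  ControlPlaneEgressToNodeSecurityGroup:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Allow the cluster control plane to communicate with worker Kubelet and pods
      GroupId: !Ref ControlPlaneSecurityGroup
      DestinationSecurityGroupId: !Ref NodeSecurityGroup
      IpProtocol: tcp
      FromPort: 1025
      ToPort: 65535

  # Control plane -> pods serving extension API servers on 443.
  NodeSecurityGroupFromControlPlaneOn443Ingress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane
      GroupId: !Ref NodeSecurityGroup
      SourceSecurityGroupId: !Ref ControlPlaneSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443

  ControlPlaneEgressToNodeSecurityGroupOn443:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443
      GroupId: !Ref ControlPlaneSecurityGroup
      DestinationSecurityGroupId: !Ref NodeSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443

  # Nodes/pods -> API server. This is the only ingress on the control-plane
  # group; the public API endpoint is governed by EKS, not by this group.
  ClusterControlPlaneSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow pods to communicate with the cluster API Server
      GroupId: !Ref ControlPlaneSecurityGroup
      SourceSecurityGroupId: !Ref NodeSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
  ##### END SECURITY GROUPS #####

  ##### START IAM ROLES #####
  # Role assumed by the EKS service to manage the control plane.
  ControlPlaneRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Quoted to match NodeInstanceRole; a bare 2012-10-17 is a YAML
        # timestamp to generic parsers.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        - arn:aws:iam::aws:policy/AmazonEKSServicePolicy
  ##### END IAM ROLES #####

  ##### START EKS RESOURCES #####
  # No endpoint-access or control-plane logging settings are given, so the
  # cluster takes the service defaults: a public API endpoint and no audit /
  # authenticator logs delivered to CloudWatch. ResourcesVpcConfig
  # (EndpointPublicAccess, EndpointPrivateAccess, PublicAccessCidrs) and the
  # Logging property are where those are tightened.
  EKS:
    Type: AWS::EKS::Cluster
    Properties:
      ResourcesVpcConfig:
        SecurityGroupIds:
          - !Ref ControlPlaneSecurityGroup
        # Control-plane ENIs may land in any of the six subnets.
        SubnetIds:
          - !Ref PrivateSubnet1A
          - !Ref PrivateSubnet2A
          - !Ref PrivateSubnet3A
          - !Ref PublicSubnet1
          - !Ref PublicSubnet2
          - !Ref PublicSubnet3
      RoleArn: !GetAtt ControlPlaneRole.Arn
      # Pinned Kubernetes version; must agree with the worker AMI below. Quoted
      # so a version such as 1.10 is not read as the float 1.1.
      Version: "1.13"

  NodeInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref NodeInstanceRole

  # Role for the worker instances. Its ARN has to be mapped in the cluster's
  # aws-auth ConfigMap before nodes can join (see the NodeInstanceRoleArn
  # output if present, or !GetAtt NodeInstanceRole.Arn).
  NodeInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

  # Fixed-size (3/3/3) self-managed node group spread over the private subnets.
  NodeGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      # The ASG size properties are typed as strings in CloudFormation.
      DesiredCapacity: "3"
      MinSize: "3"
      MaxSize: "3"
      LaunchConfigurationName: !Ref NodeLaunchConfig
      VPCZoneIdentifier:
        - !Ref PrivateSubnet1A
        - !Ref PrivateSubnet2A
        - !Ref PrivateSubnet3A
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-node"
          PropagateAtLaunch: true
        # The kubernetes.io/cluster/<name>=owned tag is what the EKS
        # self-managed node group template applies so the instances are
        # recognised as members of this cluster.
        - Key: !Sub "kubernetes.io/cluster/${EKS}"
          Value: owned
          PropagateAtLaunch: true
    # Stack creation waits for all three nodes to cfn-signal success (see the
    # launch configuration's UserData) within 15 minutes.
    CreationPolicy:
      ResourceSignal:
        Count: 3
        Timeout: PT15M
    # Rolling replacement one node at a time, keeping at least one in service.
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MinInstancesInService: 1
        MaxBatchSize: 1
        WaitOnResourceSignals: true
        PauseTime: PT15M

  NodeLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      # Single-region image tied to one Kubernetes release; update it together
      # with EKS.Version. AMI IDs only resolve in the region they were
      # published to.
      ImageId: ami-08198f90fe8bc57f0
      InstanceType: m5.large
      IamInstanceProfile: !Ref NodeInstanceProfile
      SecurityGroups:
        - !Ref NodeSecurityGroup
      # No MetadataOptions are set, so the instances accept IMDSv1 requests;
      # requiring IMDSv2 (HttpTokens: required) is the usual hardening but
      # needs a bootstrap script / AMI that supports it, so verify first.
      UserData:
        # Fn::Base64 stays in long form because YAML allows only one tag per
        # node and !Sub must wrap the script.
        Fn::Base64: !Sub |
          #!/bin/bash
          set -o xtrace
          /etc/eks/bootstrap.sh ${EKS}
          /opt/aws/bin/cfn-signal --exit-code $? \
                   --stack  ${AWS::StackName} \
                   --resource NodeGroup  \
                   --region ${AWS::Region}
  ##### END EKS RESOURCES #####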
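# Every value is also exported under "<stack-name>-<OutputName>" so dependent
# stacks can pick it up with Fn::ImportValue.
Outputs:
  NAT1EIP:
    Description: NAT 1 IP address
    Value: !Ref NAT1EIP
    Export:
      Name: !Sub "${AWS::StackName}-NAT1EIP"

  NAT2EIP:
    Description: NAT 2 IP address
    Value: !Ref NAT2EIP
    Export:
      Name: !Sub "${AWS::StackName}-NAT2EIP"

  NAT3EIP:
    Description: NAT 3 IP address
    Value: !Ref NAT3EIP
    Export:
      Name: !Sub "${AWS::StackName}-NAT3EIP"

  PrivateSubnet1AID:
    Description: Private subnet 1A ID in Availability Zone 1
    Value: !Ref PrivateSubnet1A
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnet1AID"

  PrivateSubnet2AID:
    Description: Private subnet 2A ID in Availability Zone 2
    Value: !Ref PrivateSubnet2A
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnet2AID"

  PrivateSubnet3AID:
    Description: Private subnet 3A ID in Availability Zone 3
    Value: !Ref PrivateSubnet3A
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnet3AID"

  PublicSubnet1ID:
    Description: Public subnet 1 ID in Availability Zone 1
    Value: !Ref PublicSubnet1
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnet1ID"

  PublicSubnet2ID:
    Description: Public subnet 2 ID in Availability Zone 2
    Value: !Ref PublicSubnet2
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnet2ID"

  PublicSubnet3ID:
    Description: Public subnet 3 ID in Availability Zone 3
    Value: !Ref PublicSubnet3
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnet3ID"

  PrivateSubnet1ARouteTable:
    Description: Private subnet 1A route table
    Value: !Ref PrivateSubnet1ARouteTable
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnet1ARouteTable"

  PrivateSubnet2ARouteTable:
    Description: Private subnet 2A route table
    Value: !Ref PrivateSubnet2ARouteTable
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnet2ARouteTable"

  PrivateSubnet3ARouteTable:
    Description: Private subnet 3A route table
    Value: !Ref PrivateSubnet3ARouteTable
    Export:
      Name: !Sub "${AWS::StackName}-PrivateSubnet3ARouteTable"

  PublicSubnetRouteTable:
    Description: Public subnet route table
    Value: !Ref PublicSubnetRouteTable
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnetRouteTable"

  VPCID:
    Description: VPC ID
    Value: !Ref VPC
    Export:
      Name: !Sub "${AWS::StackName}-VPCID"

  # Cluster identifiers were previously not surfaced; the name is needed for
  # `aws eks update-kubeconfig`, and the node role ARN has to be placed in the
  # aws-auth ConfigMap before worker nodes can join.
  EKSClusterName:
    Description: EKS cluster name
    Value: !Ref EKS
    Export:
      Name: !Sub "${AWS::StackName}-EKSClusterName"

  EKSEndpoint:
    Description: EKS API server endpoint
    Value: !GetAtt EKS.Endpoint
    Export:
      Name: !Sub "${AWS::StackName}-EKSEndpoint"

  NodeInstanceRoleArn:
    Description: ARN of the worker node IAM role (map it in aws-auth)
    Value: !GetAtt NodeInstanceRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-NodeInstanceRoleArn"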