AWSTemplateFormatVersion: "2010-09-09" Description: Jitsi platform Parameters: ClusterName: Description: "Cluster name" Type: String Default: "dev" Subnet1AvailabilityZone: Description: "The availability zone for the subnet #1" Type: "AWS::EC2::AvailabilityZone::Name" Default: "eu-west-1b" Subnet2AvailabilityZone: Description: "The availability zone for the subnet #2" Type: "AWS::EC2::AvailabilityZone::Name" Default: "eu-west-1c" Resources: Role: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - eks.amazonaws.com Action: - sts:AssumeRole Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Resource: '*' Action: - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeLaunchConfigurations - autoscaling:DescribeTags - ec2:DescribeInstances - ec2:DescribeRegions - ec2:DescribeAccountAttributes - ec2:DescribeInternetGateways - ec2:DescribeRouteTables - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVolumes - ec2:CreateSecurityGroup - ec2:CreateTags - ec2:CreateVolume - ec2:ModifyInstanceAttribute - ec2:ModifyVolume - ec2:AttachVolume - ec2:AuthorizeSecurityGroupIngress - ec2:CreateRoute - ec2:DeleteRoute - ec2:DeleteSecurityGroup - ec2:DeleteVolume - ec2:DetachVolume - ec2:RevokeSecurityGroupIngress - ec2:DescribeVpcs - elasticloadbalancing:AddTags - elasticloadbalancing:AttachLoadBalancerToSubnets - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:CreateLoadBalancerPolicy - elasticloadbalancing:CreateLoadBalancerListeners - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:DeleteLoadBalancerListeners - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeLoadBalancerAttributes - elasticloadbalancing:DetachLoadBalancerFromSubnets - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer - elasticloadbalancing:AddTags - elasticloadbalancing:CreateListener - elasticloadbalancing:CreateTargetGroup - elasticloadbalancing:DeleteListener - elasticloadbalancing:DeleteTargetGroup - elasticloadbalancing:DescribeListeners - elasticloadbalancing:DescribeLoadBalancerPolicies - elasticloadbalancing:DescribeTargetGroups - elasticloadbalancing:DescribeTargetHealth - elasticloadbalancing:ModifyListener - elasticloadbalancing:ModifyTargetGroup - elasticloadbalancing:RegisterTargets - elasticloadbalancing:DeregisterTargets - elasticloadbalancing:SetLoadBalancerPoliciesOfListener - iam:CreateServiceLinkedRole - kms:DescribeKey PolicyName: 'eks-master' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy' NodeInstanceRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - eks.amazonaws.com Action: - "sts:AssumeRole" - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - "sts:AssumeRole" ManagedPolicyArns: - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy" - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy" - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess' Policies: - PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ec2:DescribeInstances - ec2:DescribeRegions - ecr:GetAuthorizationToken - ecr:BatchCheckLayerAvailability - ecr:GetDownloadUrlForLayer - ecr:GetRepositoryPolicy - ecr:DescribeRepositories - ecr:ListImages - ecr:BatchGetImage Resource: '*' PolicyName: 'eks-node' Path: / Vpc: Type: "AWS::EC2::VPC" Properties: CidrBlock: "10.0.0.0/24" EnableDnsHostnames: true EnableDnsSupport: true PublicRouteTable: Type: "AWS::EC2::RouteTable" Properties: VpcId: !Ref Vpc Subnet1: Type: "AWS::EC2::Subnet" Properties: CidrBlock: "10.0.0.0/26" VpcId: !Ref Vpc AvailabilityZone: !Ref Subnet1AvailabilityZone MapPublicIpOnLaunch: true Tags: - Key: !Join - "/" - - "kubernetes.io/cluster" - !Ref ClusterName Value: shared Subnet1Assoc: Type: "AWS::EC2::SubnetRouteTableAssociation" Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref Subnet1 Subnet2: Type: "AWS::EC2::Subnet" Properties: CidrBlock: "10.0.0.192/26" VpcId: !Ref Vpc AvailabilityZone: !Ref Subnet2AvailabilityZone MapPublicIpOnLaunch: true Tags: - Key: !Join - "/" - - "kubernetes.io/cluster" - !Ref ClusterName Value: shared Subnet2Assoc: Type: "AWS::EC2::SubnetRouteTableAssociation" Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref Subnet2 # Elastic IP Eip: Type: AWS::EC2::EIP DependsOn: VpcIgPairing Properties: Domain: vpc # Gateways InternetGateway: Type: "AWS::EC2::InternetGateway" InternetRoute: Type: "AWS::EC2::Route" Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: "0.0.0.0/0" GatewayId: !Ref InternetGateway VpcIgPairing: Type: "AWS::EC2::VPCGatewayAttachment" Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref Vpc SecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: "Cluster SG" GroupName: cluster-sg VpcId: !Ref Vpc SecurityGroupIngress: - FromPort: 0 ToPort: 65535 IpProtocol: "-1" CidrIp: "0.0.0.0/0" SecurityGroupEgress: - IpProtocol: "-1" FromPort: 0 ToPort: 65535 CidrIp: "0.0.0.0/0" # SecurityGroupNodeGroups: # Type: "AWS::EC2::SecurityGroup" # Properties: # GroupDescription: "Cluster SG Node Group" # GroupName: node-group-sg # VpcId: !Ref Vpc # SecurityGroupIngress: # - FromPort: 22 # ToPort: 22 # IpProtocol: "tcp" # CidrIp: "0.0.0.0/0" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "0.0.0.0/0" # - FromPort: 30300 # ToPort: 30300 # IpProtocol: "udp" # CidrIp: "0.0.0.0/0" # - IpProtocol: -1 # FromPort: 1025 # ToPort: 65535 # CidrIp: "0.0.0.0/0" # SecurityGroupEgress: # - IpProtocol: "-1" # FromPort: 0 # ToPort: 65535 # CidrIp: "0.0.0.0/0" # SecurityGroupIngressController: # Type: "AWS::EC2::SecurityGroup" # Properties: # GroupDescription: "Cluster SG ingress controller" # GroupName: ingress-ctrl-sg # VpcId: !Ref Vpc # SecurityGroupIngress: # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "173.245.48.0/20" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "103.21.244.0/22" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "103.22.200.0/22" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "103.31.4.0/22" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "141.101.64.0/18" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "108.162.192.0/18" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "190.93.240.0/20" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "188.114.96.0/20" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "197.234.240.0/22" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "198.41.128.0/17" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "162.158.0.0/15" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "104.16.0.0/12" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "172.64.0.0/13" # - FromPort: 443 # ToPort: 443 # IpProtocol: "tcp" # CidrIp: "131.0.72.0/22" # SecurityGroupEgress: # - IpProtocol: "tcp" # FromPort: 1025 # ToPort: 65535 # CidrIp: "0.0.0.0/0" Cluster: Type: "AWS::EKS::Cluster" Properties: RoleArn: !GetAtt Role.Arn Name: !Ref ClusterName ResourcesVpcConfig: SubnetIds: - !Ref Subnet1 - !Ref Subnet2 SecurityGroupIds: - !Ref SecurityGroup DevNodeGroup: Type: "AWS::EKS::Nodegroup" DependsOn: Cluster Properties: ClusterName: !Ref ClusterName NodegroupName: group-dev AmiType: AL2_x86_64 RemoteAccess: Ec2SshKey: "eks-dev-nodes" SourceSecurityGroups: - !Ref SecurityGroup ScalingConfig: MinSize: 2 DesiredSize: 3 MaxSize: 5 InstanceTypes: - m5.large NodeRole: !GetAtt NodeInstanceRole.Arn Subnets: - !Ref Subnet1 - !Ref Subnet2