{ "Resources": { "AWSAutoScalingAutoScalingGroupbastionprivateciliumexamplecom": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AutoScalingGroupName": "bastion.privatecilium.example.com", "LaunchTemplate": { "LaunchTemplateId": { "Ref": "AWSEC2LaunchTemplatebastionprivateciliumexamplecom" }, "Version": { "Fn::GetAtt": [ "AWSEC2LaunchTemplatebastionprivateciliumexamplecom", "LatestVersionNumber" ] } }, "MaxSize": 1, "MinSize": 1, "VPCZoneIdentifier": [ { "Ref": "AWSEC2Subnetutilityustest1aprivateciliumexamplecom" } ], "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com", "PropagateAtLaunch": true }, { "Key": "Name", "Value": "bastion.privatecilium.example.com", "PropagateAtLaunch": true }, { "Key": "k8s.io/role/bastion", "Value": "1", "PropagateAtLaunch": true }, { "Key": "kops.k8s.io/instancegroup", "Value": "bastion", "PropagateAtLaunch": true }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned", "PropagateAtLaunch": true } ], "MetricsCollection": [ { "Granularity": "1Minute", "Metrics": [ "GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances" ] } ], "LoadBalancerNames": [ { "Ref": "AWSElasticLoadBalancingLoadBalancerbastionprivateciliumexamplecom" } ] } }, "AWSAutoScalingAutoScalingGroupmasterustest1amastersprivateciliumexamplecom": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AutoScalingGroupName": "master-us-test-1a.masters.privatecilium.example.com", "LaunchTemplate": { "LaunchTemplateId": { "Ref": "AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom" }, "Version": { "Fn::GetAtt": [ "AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom", "LatestVersionNumber" ] } }, "MaxSize": 1, "MinSize": 1, "VPCZoneIdentifier": [ { "Ref": "AWSEC2Subnetustest1aprivateciliumexamplecom" } ], "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com", "PropagateAtLaunch": true }, { "Key": "Name", "Value": "master-us-test-1a.masters.privatecilium.example.com", "PropagateAtLaunch": true }, { "Key": "k8s.io/role/master", "Value": "1", "PropagateAtLaunch": true }, { "Key": "kops.k8s.io/instancegroup", "Value": "master-us-test-1a", "PropagateAtLaunch": true }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned", "PropagateAtLaunch": true } ], "MetricsCollection": [ { "Granularity": "1Minute", "Metrics": [ "GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances" ] } ], "LoadBalancerNames": [ { "Ref": "AWSElasticLoadBalancingLoadBalancerapiprivateciliumexamplecom" } ] } }, "AWSAutoScalingAutoScalingGroupnodesprivateciliumexamplecom": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AutoScalingGroupName": "nodes.privatecilium.example.com", "LaunchTemplate": { "LaunchTemplateId": { "Ref": "AWSEC2LaunchTemplatenodesprivateciliumexamplecom" }, "Version": { "Fn::GetAtt": [ "AWSEC2LaunchTemplatenodesprivateciliumexamplecom", "LatestVersionNumber" ] } }, "MaxSize": 2, "MinSize": 2, "VPCZoneIdentifier": [ { "Ref": "AWSEC2Subnetustest1aprivateciliumexamplecom" } ], "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com", "PropagateAtLaunch": true }, { "Key": "Name", "Value": "nodes.privatecilium.example.com", "PropagateAtLaunch": true }, { "Key": "k8s.io/role/node", "Value": "1", "PropagateAtLaunch": true }, { "Key": "kops.k8s.io/instancegroup", "Value": "nodes", "PropagateAtLaunch": true }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned", "PropagateAtLaunch": true } ], "MetricsCollection": [ { "Granularity": "1Minute", "Metrics": [ "GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances" ] } ] } }, "AWSEC2DHCPOptionsprivateciliumexamplecom": { "Type": "AWS::EC2::DHCPOptions", "Properties": { "DomainName": "us-test-1.compute.internal", "DomainNameServers": [ "AmazonProvidedDNS" ], "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2EIPustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "us-test-1a.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2InternetGatewayprivateciliumexamplecom": { "Type": "AWS::EC2::InternetGateway", "Properties": { "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2LaunchTemplatebastionprivateciliumexamplecom": { "Type": "AWS::EC2::LaunchTemplate", "Properties": { "LaunchTemplateName": "bastion.privatecilium.example.com", "LaunchTemplateData": { "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeType": "gp2", "VolumeSize": 32, "DeleteOnTermination": true } } ], "IamInstanceProfile": { "Name": { "Ref": "AWSIAMInstanceProfilebastionsprivateciliumexamplecom" } }, "ImageId": "ami-12345678", "InstanceType": "t2.micro", "KeyName": "kubernetes.privatecilium.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57", "NetworkInterfaces": [ { "AssociatePublicIpAddress": true, "DeleteOnTermination": true, "DeviceIndex": 0, "Groups": [ { "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" } ] } ], "TagSpecifications": [ { "ResourceType": "instance", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "bastion.privatecilium.example.com" }, { "Key": "k8s.io/role/bastion", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "bastion" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] }, { "ResourceType": "volume", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "bastion.privatecilium.example.com" }, { "Key": "k8s.io/role/bastion", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "bastion" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } ], "UserData": "extracted" } } }, "AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom": { "Type": "AWS::EC2::LaunchTemplate", "Properties": { "LaunchTemplateName": "master-us-test-1a.masters.privatecilium.example.com", "LaunchTemplateData": { "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeType": "gp2", "VolumeSize": 64, "DeleteOnTermination": true } }, { "DeviceName": "/dev/sdc", "VirtualName": "ephemeral0" } ], "IamInstanceProfile": { "Name": { "Ref": "AWSIAMInstanceProfilemastersprivateciliumexamplecom" } }, "ImageId": "ami-12345678", "InstanceType": "m3.medium", "KeyName": "kubernetes.privatecilium.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57", "NetworkInterfaces": [ { "AssociatePublicIpAddress": false, "DeleteOnTermination": true, "DeviceIndex": 0, "Groups": [ { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" } ] } ], "TagSpecifications": [ { "ResourceType": "instance", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "master-us-test-1a.masters.privatecilium.example.com" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "master-us-test-1a" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] }, { "ResourceType": "volume", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "master-us-test-1a.masters.privatecilium.example.com" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "master-us-test-1a" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } ], "UserData": "extracted" } } }, "AWSEC2LaunchTemplatenodesprivateciliumexamplecom": { "Type": "AWS::EC2::LaunchTemplate", "Properties": { "LaunchTemplateName": "nodes.privatecilium.example.com", "LaunchTemplateData": { "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeType": "gp2", "VolumeSize": 128, "DeleteOnTermination": true } } ], "IamInstanceProfile": { "Name": { "Ref": "AWSIAMInstanceProfilenodesprivateciliumexamplecom" } }, "ImageId": "ami-12345678", "InstanceType": "t2.medium", "KeyName": "kubernetes.privatecilium.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57", "NetworkInterfaces": [ { "AssociatePublicIpAddress": false, "DeleteOnTermination": true, "DeviceIndex": 0, "Groups": [ { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" } ] } ], "TagSpecifications": [ { "ResourceType": "instance", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "nodes.privatecilium.example.com" }, { "Key": "k8s.io/role/node", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "nodes" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] }, { "ResourceType": "volume", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "nodes.privatecilium.example.com" }, { "Key": "k8s.io/role/node", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "nodes" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } ], "UserData": "extracted" } } }, "AWSEC2NatGatewayustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": { "Fn::GetAtt": [ "AWSEC2EIPustest1aprivateciliumexamplecom", "AllocationId" ] }, "SubnetId": { "Ref": "AWSEC2Subnetutilityustest1aprivateciliumexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "us-test-1a.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2Route00000": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { "Ref": "AWSEC2RouteTableprivateciliumexamplecom" }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "AWSEC2InternetGatewayprivateciliumexamplecom" } } }, "AWSEC2RouteTableprivateciliumexamplecom": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" }, { "Key": "kubernetes.io/kops/role", "Value": "public" } ] } }, "AWSEC2RouteTableprivateustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "private-us-test-1a.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" }, { "Key": "kubernetes.io/kops/role", "Value": "private-us-test-1a" } ] } }, "AWSEC2Routeprivateustest1a00000": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { "Ref": "AWSEC2RouteTableprivateustest1aprivateciliumexamplecom" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "AWSEC2NatGatewayustest1aprivateciliumexamplecom" } } }, "AWSEC2SecurityGroupEgressapielbegress": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupapielbprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupEgressbastionegress": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupEgressbastionelbegress": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupEgressmasteregress": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupEgressnodeegress": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupIngressallmastertomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1" } }, "AWSEC2SecurityGroupIngressallmastertonode": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1" } }, "AWSEC2SecurityGroupIngressallnodetonode": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1" } }, "AWSEC2SecurityGroupIngressbastiontomasterssh": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressbastiontonodessh": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngresshttpsapielb00000": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupapielbprivateciliumexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupapielbprivateciliumexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressicmppmtuapielb00000": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupapielbprivateciliumexamplecom" }, "FromPort": 3, "ToPort": 4, "IpProtocol": "icmp", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupIngressnodetomastertcp12379": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "FromPort": 1, "ToPort": 2379, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressnodetomastertcp23824000": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "FromPort": 2382, "ToPort": 4000, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressnodetomastertcp400365535": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "FromPort": 4003, "ToPort": 65535, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressnodetomasterudp165535": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" }, "FromPort": 1, "ToPort": 65535, "IpProtocol": "udp" } }, "AWSEC2SecurityGroupIngresssshelbtobastion": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngresssshexternaltobastionelb00000": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupapielbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "GroupDescription": "Security group for api ELB", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "api-elb.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "GroupDescription": "Security group for bastion ELB", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "bastion-elb.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2SecurityGroupbastionprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "GroupDescription": "Security group for bastion", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "bastion.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2SecurityGroupmastersprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "GroupDescription": "Security group for masters", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "masters.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2SecurityGroupnodesprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "GroupDescription": "Security group for nodes", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "nodes.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2SubnetRouteTableAssociationprivateustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "AWSEC2Subnetustest1aprivateciliumexamplecom" }, "RouteTableId": { "Ref": "AWSEC2RouteTableprivateustest1aprivateciliumexamplecom" } } }, "AWSEC2SubnetRouteTableAssociationutilityustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "AWSEC2Subnetutilityustest1aprivateciliumexamplecom" }, "RouteTableId": { "Ref": "AWSEC2RouteTableprivateciliumexamplecom" } } }, "AWSEC2Subnetustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "CidrBlock": "172.20.32.0/19", "AvailabilityZone": "us-test-1a", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "us-test-1a.privatecilium.example.com" }, { "Key": "SubnetType", "Value": "Private" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" }, { "Key": "kubernetes.io/role/internal-elb", "Value": "1" } ] } }, "AWSEC2Subnetutilityustest1aprivateciliumexamplecom": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "CidrBlock": "172.20.4.0/22", "AvailabilityZone": "us-test-1a", "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "utility-us-test-1a.privatecilium.example.com" }, { "Key": "SubnetType", "Value": "Utility" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" }, { "Key": "kubernetes.io/role/elb", "Value": "1" } ] } }, "AWSEC2VPCDHCPOptionsAssociationprivateciliumexamplecom": { "Type": "AWS::EC2::VPCDHCPOptionsAssociation", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "DhcpOptionsId": { "Ref": "AWSEC2DHCPOptionsprivateciliumexamplecom" } } }, "AWSEC2VPCGatewayAttachmentprivateciliumexamplecom": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "VpcId": { "Ref": "AWSEC2VPCprivateciliumexamplecom" }, "InternetGatewayId": { "Ref": "AWSEC2InternetGatewayprivateciliumexamplecom" } } }, "AWSEC2VPCprivateciliumexamplecom": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "172.20.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2Volumeustest1aetcdeventsprivateciliumexamplecom": { "Type": "AWS::EC2::Volume", "Properties": { "AvailabilityZone": "us-test-1a", "Size": 20, "VolumeType": "gp2", "Encrypted": false, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "us-test-1a.etcd-events.privatecilium.example.com" }, { "Key": "k8s.io/etcd/events", "Value": "us-test-1a/us-test-1a" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSEC2Volumeustest1aetcdmainprivateciliumexamplecom": { "Type": "AWS::EC2::Volume", "Properties": { "AvailabilityZone": "us-test-1a", "Size": 20, "VolumeType": "gp2", "Encrypted": false, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "us-test-1a.etcd-main.privatecilium.example.com" }, { "Key": "k8s.io/etcd/main", "Value": "us-test-1a/us-test-1a" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSElasticLoadBalancingLoadBalancerapiprivateciliumexamplecom": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "LoadBalancerName": "api-privatecilium-example-fnt793", "Listeners": [ { "InstancePort": 443, "InstanceProtocol": "TCP", "LoadBalancerPort": 443, "Protocol": "TCP" } ], "SecurityGroups": [ { "Ref": "AWSEC2SecurityGroupapielbprivateciliumexamplecom" } ], "Subnets": [ { "Ref": "AWSEC2Subnetutilityustest1aprivateciliumexamplecom" } ], "HealthCheck": { "Target": "SSL:443", "HealthyThreshold": 2, "UnhealthyThreshold": 2, "Interval": 10, "Timeout": 5 }, "ConnectionSettings": { "IdleTimeout": 300 }, "CrossZone": false, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "api.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSElasticLoadBalancingLoadBalancerbastionprivateciliumexamplecom": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "LoadBalancerName": "bastion-privatecilium-exa-l2ms01", "Listeners": [ { "InstancePort": 22, "InstanceProtocol": "TCP", "LoadBalancerPort": 22, "Protocol": "TCP" } ], "SecurityGroups": [ { "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" } ], "Subnets": [ { "Ref": "AWSEC2Subnetutilityustest1aprivateciliumexamplecom" } ], "HealthCheck": { "Target": "TCP:22", "HealthyThreshold": 2, "UnhealthyThreshold": 2, "Interval": 10, "Timeout": 5 }, "ConnectionSettings": { "IdleTimeout": 300 }, "Tags": [ { "Key": "KubernetesCluster", "Value": "privatecilium.example.com" }, { "Key": "Name", "Value": "bastion.privatecilium.example.com" }, { "Key": "kubernetes.io/cluster/privatecilium.example.com", "Value": "owned" } ] } }, "AWSIAMInstanceProfilebastionsprivateciliumexamplecom": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "AWSIAMRolebastionsprivateciliumexamplecom" } ] } }, "AWSIAMInstanceProfilemastersprivateciliumexamplecom": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "AWSIAMRolemastersprivateciliumexamplecom" } ] } }, "AWSIAMInstanceProfilenodesprivateciliumexamplecom": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "AWSIAMRolenodesprivateciliumexamplecom" } ] } }, "AWSIAMPolicybastionsprivateciliumexamplecom": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "bastions.privatecilium.example.com", "Roles": [ { "Ref": "AWSIAMRolebastionsprivateciliumexamplecom" } ], "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeRegions" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" } } }, "AWSIAMPolicymastersprivateciliumexamplecom": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "masters.privatecilium.example.com", "Roles": [ { "Ref": "AWSIAMRolemastersprivateciliumexamplecom" } ], "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeVolumesModifications", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { "ec2:ResourceTag/KubernetesCluster": "privatecilium.example.com" } }, "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:DescribeLaunchTemplateVersions" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Condition": { "StringEquals": { "autoscaling:ResourceTag/KubernetesCluster": "privatecilium.example.com" } }, "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ec2:DescribeVpcs", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "iam:ListServerCertificates", "iam:GetServerCertificate" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets", "route53:GetHostedZone" ], "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" ] }, { "Action": [ "route53:GetChange" ], "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" ] }, { "Action": [ "route53:ListHostedZones" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" } } }, "AWSIAMPolicynodesprivateciliumexamplecom": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "nodes.privatecilium.example.com", "Roles": [ { "Ref": "AWSIAMRolenodesprivateciliumexamplecom" } ], "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeInstances", "ec2:DescribeRegions" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" } } }, "AWSIAMRolebastionsprivateciliumexamplecom": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": "bastions.privatecilium.example.com", "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ], "Version": "2012-10-17" } } }, "AWSIAMRolemastersprivateciliumexamplecom": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": "masters.privatecilium.example.com", "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ], "Version": "2012-10-17" } } }, "AWSIAMRolenodesprivateciliumexamplecom": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": "nodes.privatecilium.example.com", "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ], "Version": "2012-10-17" } } }, "AWSRoute53RecordSetapiprivateciliumexamplecom": { "Type": "AWS::Route53::RecordSet", "Properties": { "Name": "api.privatecilium.example.com", "Type": "A", "AliasTarget": { "DNSName": { "Fn::GetAtt": [ "AWSElasticLoadBalancingLoadBalancerapiprivateciliumexamplecom", "DNSName" ] }, "HostedZoneId": { "Fn::GetAtt": [ "AWSElasticLoadBalancingLoadBalancerapiprivateciliumexamplecom", "CanonicalHostedZoneNameID" ] }, "EvaluateTargetHealth": false }, "HostedZoneId": "/hostedzone/Z1AFAKE1ZON3YO" } } } }