{ "Resources": { "AWSAutoScalingAutoScalingGroupmasterustest1amasterscomplexexamplecom": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AutoScalingGroupName": "master-us-test-1a.masters.complex.example.com", "LaunchTemplate": { "LaunchTemplateId": { "Ref": "AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom" }, "Version": { "Fn::GetAtt": [ "AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom", "LatestVersionNumber" ] } }, "MaxSize": "1", "MinSize": "1", "VPCZoneIdentifier": [ { "Ref": "AWSEC2Subnetustest1acomplexexamplecom" } ], "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com", "PropagateAtLaunch": true }, { "Key": "Name", "Value": "master-us-test-1a.masters.complex.example.com", "PropagateAtLaunch": true }, { "Key": "Owner", "Value": "John Doe", "PropagateAtLaunch": true }, { "Key": "foo/bar", "Value": "fib+baz", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki", "Value": "", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role", "Value": "master", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane", "Value": "", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master", "Value": "", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers", "Value": "", "PropagateAtLaunch": true }, { "Key": "k8s.io/role/master", "Value": "1", "PropagateAtLaunch": true }, { "Key": "kops.k8s.io/instancegroup", "Value": "master-us-test-1a", "PropagateAtLaunch": true }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned", "PropagateAtLaunch": true } ], "MetricsCollection": [ { "Granularity": "1Minute", "Metrics": [ "GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances" ] } ], "LoadBalancerNames": [ "my-external-lb-1" ], "TargetGroupARNs": [ { "Ref": "AWSElasticLoadBalancingV2TargetGrouptcpcomplexexamplecomvpjolq" }, { "Ref": "AWSElasticLoadBalancingV2TargetGrouptlscomplexexamplecom5nursn" } ] } }, "AWSAutoScalingAutoScalingGroupnodescomplexexamplecom": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": { "AutoScalingGroupName": "nodes.complex.example.com", "LaunchTemplate": { "LaunchTemplateId": { "Ref": "AWSEC2LaunchTemplatenodescomplexexamplecom" }, "Version": { "Fn::GetAtt": [ "AWSEC2LaunchTemplatenodescomplexexamplecom", "LatestVersionNumber" ] } }, "MaxSize": "2", "MinSize": "2", "VPCZoneIdentifier": [ { "Ref": "AWSEC2Subnetustest1acomplexexamplecom" } ], "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com", "PropagateAtLaunch": true }, { "Key": "Name", "Value": "nodes.complex.example.com", "PropagateAtLaunch": true }, { "Key": "Owner", "Value": "John Doe", "PropagateAtLaunch": true }, { "Key": "foo/bar", "Value": "fib+baz", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role", "Value": "node", "PropagateAtLaunch": true }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node", "Value": "", "PropagateAtLaunch": true }, { "Key": "k8s.io/role/node", "Value": "1", "PropagateAtLaunch": true }, { "Key": "kops.k8s.io/instancegroup", "Value": "nodes", "PropagateAtLaunch": true }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned", "PropagateAtLaunch": true } ], "MetricsCollection": [ { "Granularity": "1Minute", "Metrics": [ "GroupDesiredCapacity", "GroupInServiceInstances", "GroupMaxSize", "GroupMinSize", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances" ] } ], "LoadBalancerNames": [ "my-external-lb-1" ] } }, "AWSEC2DHCPOptionscomplexexamplecom": { "Type": "AWS::EC2::DHCPOptions", "Properties": { "DomainName": "us-test-1.compute.internal", "DomainNameServers": [ "AmazonProvidedDNS" ], "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2InternetGatewaycomplexexamplecom": { "Type": "AWS::EC2::InternetGateway", "Properties": { "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2LaunchTemplatemasterustest1amasterscomplexexamplecom": { "Type": "AWS::EC2::LaunchTemplate", "Properties": { "LaunchTemplateName": "master-us-test-1a.masters.complex.example.com", "LaunchTemplateData": { "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeType": "gp3", "VolumeSize": 64, "Iops": 3000, "Throughput": 125, "DeleteOnTermination": true, "Encrypted": true, "KmsKeyId": "arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab" } }, { "DeviceName": "/dev/sdc", "VirtualName": "ephemeral0" } ], "IamInstanceProfile": { "Name": { "Ref": "AWSIAMInstanceProfilemasterscomplexexamplecom" } }, "ImageId": "ami-12345678", "InstanceType": "m3.medium", "MetadataOptions": { "HttpPutResponseHopLimit": 1, "HttpTokens": "required" }, "NetworkInterfaces": [ { "AssociatePublicIpAddress": true, "DeleteOnTermination": true, "DeviceIndex": 0, "Groups": [ { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "sg-exampleid5", "sg-exampleid6" ] } ], "TagSpecifications": [ { "ResourceType": "instance", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "master-us-test-1a.masters.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki", "Value": "" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role", "Value": "master" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane", "Value": "" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master", "Value": "" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers", "Value": "" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "master-us-test-1a" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] }, { "ResourceType": "volume", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "master-us-test-1a.masters.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki", "Value": "" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role", "Value": "master" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane", "Value": "" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master", "Value": "" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers", "Value": "" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "master-us-test-1a" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } ], "UserData": "extracted" } } }, "AWSEC2LaunchTemplatenodescomplexexamplecom": { "Type": "AWS::EC2::LaunchTemplate", "Properties": { "LaunchTemplateName": "nodes.complex.example.com", "LaunchTemplateData": { "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeType": "gp3", "VolumeSize": 128, "Iops": 3000, "Throughput": 125, "DeleteOnTermination": true, "Encrypted": true } }, { "DeviceName": "/dev/xvdd", "Ebs": { "VolumeType": "gp2", "VolumeSize": 20, "DeleteOnTermination": true, "Encrypted": true, "KmsKeyId": "arn:aws:kms:us-test-1:000000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab" } } ], "CreditSpecification": { "CpuCredits": "standard" }, "IamInstanceProfile": { "Name": { "Ref": "AWSIAMInstanceProfilenodescomplexexamplecom" } }, "ImageId": "ami-12345678", "InstanceType": "t2.medium", "MetadataOptions": { "HttpPutResponseHopLimit": 1, "HttpTokens": "optional" }, "Monitoring": { "Enabled": true }, "NetworkInterfaces": [ { "AssociatePublicIpAddress": true, "DeleteOnTermination": true, "DeviceIndex": 0, "Groups": [ { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "sg-exampleid3", "sg-exampleid4" ] } ], "TagSpecifications": [ { "ResourceType": "instance", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "nodes.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role", "Value": "node" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node", "Value": "" }, { "Key": "k8s.io/role/node", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "nodes" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] }, { "ResourceType": "volume", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "nodes.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role", "Value": "node" }, { "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node", "Value": "" }, { "Key": "k8s.io/role/node", "Value": "1" }, { "Key": "kops.k8s.io/instancegroup", "Value": "nodes" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } ], "UserData": "extracted" } } }, "AWSEC2Route00000": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { "Ref": "AWSEC2RouteTablecomplexexamplecom" }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "AWSEC2InternetGatewaycomplexexamplecom" } } }, "AWSEC2RouteTablecomplexexamplecom": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" }, { "Key": "kubernetes.io/kops/role", "Value": "public" } ] } }, "AWSEC2RouteTableprivateustest1acomplexexamplecom": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "private-us-test-1a.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" }, { "Key": "kubernetes.io/kops/role", "Value": "private-us-test-1a" } ] } }, "AWSEC2Routeprivateustest1a00000": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { "Ref": "AWSEC2RouteTableprivateustest1acomplexexamplecom" }, "DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-123456" } }, "AWSEC2SecurityGroupEgressfrommasterscomplexexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupEgressfromnodescomplexexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, "AWSEC2SecurityGroupIngressfrom111024ingresstcp443to443masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIp": "1.1.1.0/24" } }, "AWSEC2SecurityGroupIngressfrom111132ingresstcp22to22masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIp": "1.1.1.1/32" } }, "AWSEC2SecurityGroupIngressfrom111132ingresstcp22to22nodescomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIp": "1.1.1.1/32" } }, "AWSEC2SecurityGroupIngressfrom20010850040ingresstcp443to443masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIpv6": "2001:0:8500::/40" } }, "AWSEC2SecurityGroupIngressfrom2001085a348ingresstcp22to22masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIpv6": "2001:0:85a3::/48" } }, "AWSEC2SecurityGroupIngressfrom2001085a348ingresstcp22to22nodescomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "CidrIpv6": "2001:0:85a3::/48" } }, "AWSEC2SecurityGroupIngressfrommasterscomplexexamplecomingressall0to0masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1" } }, "AWSEC2SecurityGroupIngressfrommasterscomplexexamplecomingressall0to0nodescomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1" } }, "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingressall0to0nodescomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 0, "ToPort": 0, "IpProtocol": "-1" } }, "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingresstcp1to2379masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 1, "ToPort": 2379, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingresstcp2382to4000masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 2382, "ToPort": 4000, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingresstcp4003to65535masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 4003, "ToPort": 65535, "IpProtocol": "tcp" } }, "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingressudp1to65535masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "SourceSecurityGroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 1, "ToPort": 65535, "IpProtocol": "udp" } }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIp": "172.20.0.0/16" } }, "AWSEC2SecurityGroupIngresshttpslbtomaster1010016": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIp": "10.1.0.0/16" } }, "AWSEC2SecurityGroupIngresshttpslbtomaster1020016": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "CidrIp": "10.2.0.0/16" } }, "AWSEC2SecurityGroupIngressicmppmtuapielb111024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 3, "ToPort": 4, "IpProtocol": "icmp", "CidrIp": "1.1.1.0/24" } }, "AWSEC2SecurityGroupIngressicmppmtuapielb20010850040": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 3, "ToPort": 4, "IpProtocol": "icmp", "CidrIpv6": "2001:0:8500::/40" } }, "AWSEC2SecurityGroupIngressnodeporttcpexternaltonode102030024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 28000, "ToPort": 32767, "IpProtocol": "tcp", "CidrIp": "10.20.30.0/24" } }, "AWSEC2SecurityGroupIngressnodeporttcpexternaltonode123432": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 28000, "ToPort": 32767, "IpProtocol": "tcp", "CidrIp": "1.2.3.4/32" } }, "AWSEC2SecurityGroupIngressnodeportudpexternaltonode102030024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 28000, "ToPort": 32767, "IpProtocol": "udp", "CidrIp": "10.20.30.0/24" } }, "AWSEC2SecurityGroupIngressnodeportudpexternaltonode123432": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" }, "FromPort": 28000, "ToPort": 32767, "IpProtocol": "udp", "CidrIp": "1.2.3.4/32" } }, "AWSEC2SecurityGroupIngresstcpapi111024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 8443, "ToPort": 8443, "IpProtocol": "tcp", "CidrIp": "1.1.1.0/24" } }, "AWSEC2SecurityGroupIngresstcpapi20010850040": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" }, "FromPort": 8443, "ToPort": 8443, "IpProtocol": "tcp", "CidrIpv6": "2001:0:8500::/40" } }, "AWSEC2SecurityGroupapielbcomplexexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupName": "api-elb.complex.example.com", "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "GroupDescription": "Security group for api ELB", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "api-elb.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2SecurityGroupmasterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupName": "masters.complex.example.com", "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "GroupDescription": "Security group for masters", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "masters.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2SecurityGroupnodescomplexexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupName": "nodes.complex.example.com", "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "GroupDescription": "Security group for nodes", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "nodes.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2SubnetRouteTableAssociationprivateuseast1aprivatecomplexexamplecom": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "AWSEC2Subnetuseast1aprivatecomplexexamplecom" }, "RouteTableId": { "Ref": "AWSEC2RouteTableprivateustest1acomplexexamplecom" } } }, "AWSEC2SubnetRouteTableAssociationuseast1autilitycomplexexamplecom": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "AWSEC2Subnetuseast1autilitycomplexexamplecom" }, "RouteTableId": { "Ref": "AWSEC2RouteTablecomplexexamplecom" } } }, "AWSEC2SubnetRouteTableAssociationustest1acomplexexamplecom": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "AWSEC2Subnetustest1acomplexexamplecom" }, "RouteTableId": { "Ref": "AWSEC2RouteTablecomplexexamplecom" } } }, "AWSEC2Subnetuseast1aprivatecomplexexamplecom": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "CidrBlock": "172.20.64.0/19", "AvailabilityZone": "us-test-1a", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "us-east-1a-private.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "SubnetType", "Value": "Private" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" }, { "Key": "kubernetes.io/role/internal-elb", "Value": "1" } ] } }, "AWSEC2Subnetuseast1autilitycomplexexamplecom": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "CidrBlock": "172.20.96.0/19", "AvailabilityZone": "us-test-1a", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "us-east-1a-utility.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "SubnetType", "Value": "Utility" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" }, { "Key": "kubernetes.io/role/elb", "Value": "1" } ] } }, "AWSEC2Subnetustest1acomplexexamplecom": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "CidrBlock": "172.20.32.0/19", "AvailabilityZone": "us-test-1a", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "us-test-1a.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "SubnetType", "Value": "Public" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" }, { "Key": "kubernetes.io/role/elb", "Value": "1" } ] } }, "AWSEC2VPCCidrBlock1010016": { "Type": "AWS::EC2::VPCCidrBlock", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "CidrBlock": "10.1.0.0/16" } }, "AWSEC2VPCCidrBlock1020016": { "Type": "AWS::EC2::VPCCidrBlock", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "CidrBlock": "10.2.0.0/16" } }, "AWSEC2VPCDHCPOptionsAssociationcomplexexamplecom": { "Type": "AWS::EC2::VPCDHCPOptionsAssociation", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "DhcpOptionsId": { "Ref": "AWSEC2DHCPOptionscomplexexamplecom" } } }, "AWSEC2VPCGatewayAttachmentcomplexexamplecom": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "InternetGatewayId": { "Ref": "AWSEC2InternetGatewaycomplexexamplecom" } } }, "AWSEC2VPCcomplexexamplecom": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "172.20.0.0/16", "EnableDnsHostnames": true, "EnableDnsSupport": true, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2Volumeaetcdeventscomplexexamplecom": { "Type": "AWS::EC2::Volume", "Properties": { "AvailabilityZone": "us-test-1a", "Size": 20, "VolumeType": "gp3", "Iops": 3000, "Throughput": 125, "Encrypted": false, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "a.etcd-events.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "k8s.io/etcd/events", "Value": "a/a" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSEC2Volumeaetcdmaincomplexexamplecom": { "Type": "AWS::EC2::Volume", "Properties": { "AvailabilityZone": "us-test-1a", "Size": 20, "VolumeType": "gp3", "Iops": 3000, "Throughput": 125, "Encrypted": false, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "a.etcd-main.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "k8s.io/etcd/main", "Value": "a/a" }, { "Key": "k8s.io/role/master", "Value": "1" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSElasticLoadBalancingV2Listenerapicomplexexamplecom443": { "Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": { "Certificates": [ { "CertificateArn": "arn:aws:acm:us-test-1:000000000000:certificate/123456789012-1234-1234-1234-12345678" } ], "DefaultActions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "AWSElasticLoadBalancingV2TargetGrouptlscomplexexamplecom5nursn" } } ], "LoadBalancerArn": { "Ref": "AWSElasticLoadBalancingV2LoadBalancerapicomplexexamplecom" }, "Port": 443, "Protocol": "TLS", "SslPolicy": "ELBSecurityPolicy-2016-08" } }, "AWSElasticLoadBalancingV2Listenerapicomplexexamplecom8443": { "Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": { "DefaultActions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "AWSElasticLoadBalancingV2TargetGrouptcpcomplexexamplecomvpjolq" } } ], "LoadBalancerArn": { "Ref": "AWSElasticLoadBalancingV2LoadBalancerapicomplexexamplecom" }, "Port": 8443, "Protocol": "TCP" } }, "AWSElasticLoadBalancingV2LoadBalancerapicomplexexamplecom": { "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": { "Name": "api-complex-example-com-vd3t5n", "Scheme": "internet-facing", "SubnetMappings": [ { "SubnetId": { "Ref": "AWSEC2Subnetustest1acomplexexamplecom" }, "AllocationId": "eipalloc-012345a678b9cdefa" } ], "Type": "network", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "api.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSElasticLoadBalancingV2TargetGrouptcpcomplexexamplecomvpjolq": { "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": { "Name": "tcp-complex-example-com-vpjolq", "Port": 443, "Protocol": "TCP", "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "tcp-complex-example-com-vpjolq" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ], "HealthCheckProtocol": "TCP", "HealthyThresholdCount": 2, "UnhealthyThresholdCount": 2 } }, "AWSElasticLoadBalancingV2TargetGrouptlscomplexexamplecom5nursn": { "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": { "Name": "tls-complex-example-com-5nursn", "Port": 443, "Protocol": "TLS", "VpcId": { "Ref": "AWSEC2VPCcomplexexamplecom" }, "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "tls-complex-example-com-5nursn" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ], "HealthCheckProtocol": "TLS", "HealthyThresholdCount": 2, "UnhealthyThresholdCount": 2 } }, "AWSIAMInstanceProfilemasterscomplexexamplecom": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "InstanceProfileName": "masters.complex.example.com", "Roles": [ { "Ref": "AWSIAMRolemasterscomplexexamplecom" } ] } }, "AWSIAMInstanceProfilenodescomplexexamplecom": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "InstanceProfileName": "nodes.complex.example.com", "Roles": [ { "Ref": "AWSIAMRolenodescomplexexamplecom" } ] } }, "AWSIAMPolicymasterscomplexexamplecom": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "masters.complex.example.com", "Roles": [ { "Ref": "AWSIAMRolemasterscomplexexamplecom" } ], "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeVolumesModifications", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress" ], "Condition": { "StringEquals": { "ec2:ResourceTag/KubernetesCluster": "complex.example.com" } }, "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:DescribeLaunchTemplateVersions" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Condition": { "StringEquals": { "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" } }, "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "autoscaling:CompleteLifecycleAction", "autoscaling:DescribeAutoScalingInstances" ], "Condition": { "StringEquals": { "autoscaling:ResourceTag/KubernetesCluster": "complex.example.com" } }, "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ec2:DescribeVpcs", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "iam:ListServerCertificates", "iam:GetServerCertificate" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets", "route53:GetHostedZone" ], "Effect": "Allow", "Resource": [ "arn:aws:route53:::hostedzone/Z1AFAKE1ZON3YO" ] }, { "Action": [ "route53:GetChange" ], "Effect": "Allow", "Resource": [ "arn:aws:route53:::change/*" ] }, { "Action": [ "route53:ListHostedZones" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" } } }, "AWSIAMPolicynodescomplexexamplecom": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "nodes.complex.example.com", "Roles": [ { "Ref": "AWSIAMRolenodescomplexexamplecom" } ], "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeInstances", "ec2:DescribeRegions" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": "autoscaling:DescribeAutoScalingInstances", "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" } } }, "AWSIAMRolemasterscomplexexamplecom": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": "masters.complex.example.com", "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ], "Version": "2012-10-17" }, "PermissionsBoundary": "arn:aws:iam:00000000000:policy/boundaries", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "masters.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSIAMRolenodescomplexexamplecom": { "Type": "AWS::IAM::Role", "Properties": { "RoleName": "nodes.complex.example.com", "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" } } ], "Version": "2012-10-17" }, "PermissionsBoundary": "arn:aws:iam:00000000000:policy/boundaries", "Tags": [ { "Key": "KubernetesCluster", "Value": "complex.example.com" }, { "Key": "Name", "Value": "nodes.complex.example.com" }, { "Key": "Owner", "Value": "John Doe" }, { "Key": "foo/bar", "Value": "fib+baz" }, { "Key": "kubernetes.io/cluster/complex.example.com", "Value": "owned" } ] } }, "AWSRoute53RecordSetapicomplexexamplecom": { "Type": "AWS::Route53::RecordSet", "Properties": { "Name": "api.complex.example.com", "Type": "A", "AliasTarget": { "DNSName": { "Fn::GetAtt": [ "AWSElasticLoadBalancingV2LoadBalancerapicomplexexamplecom", "DNSName" ] }, "HostedZoneId": { "Fn::GetAtt": [ "AWSElasticLoadBalancingV2LoadBalancerapicomplexexamplecom", "CanonicalHostedZoneID" ] }, "EvaluateTargetHealth": false }, "HostedZoneId": "/hostedzone/Z1AFAKE1ZON3YO" } } } }