From 8327fa9cd8a1f9def2518381706a440f195b2be7 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Wed, 22 Sep 2021 14:26:18 -0700 Subject: [PATCH 01/16] Code sample for EKS prework blogpost --- .../eks-cluster-prework/scripts/pw-script.sh | 17 ++ .../eks-cluster-prework.template.yaml | 38 ++++ .../templates/prework.template.yaml | 165 ++++++++++++++++++ 3 files changed, 220 insertions(+) create mode 100644 samples/eks-cluster-prework/scripts/pw-script.sh create mode 100644 samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml create mode 100644 samples/eks-cluster-prework/templates/prework.template.yaml diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh new file mode 100644 index 0000000..f75a0af --- /dev/null +++ b/samples/eks-cluster-prework/scripts/pw-script.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# Install kubectl +yum install -y unzip + +# TODO: Make this generic based on the EKS Version +curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl +chmod +x ./kubectl + +#============= INSERT YOUR PREWORK STEPS HERE ====================# +# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster +kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt +# TODO: add to a kubernetes secret we output into the CloudFormation template + +# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True +kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true + +# Add additional steps below diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml new file mode 100644 index 0000000..b53c118 --- /dev/null +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml 
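Review bot: The kubectl fetched by `curl -o kubectl` is never the one the later `kubectl describe` / `kubectl set env` lines run, because they invoke the bare name `kubectl` from PATH rather than `./kubectl`, and the download is neither checked for failure nor verified (no `-f`, no checksum, no `set -e`), so a failed fetch leaves a non-binary file that is `chmod +x`-ed while the job still exits 0. The comment `# Install kubectl` also sits above `yum install -y unzip`, which installs nothing kubectl-related. Verify the binary against the checksum AWS publishes next to it (same URL with a `.sha256` suffix), install it onto PATH, and fail fast on any error; the head of the script would become the block below. The same script hunk is repeated unchanged in PATCH 02/16.
```shell
#!/bin/bash
set -euo pipefail
yum install -y unzip

# Install kubectl (TODO: derive the version from the cluster's EKS version)
KUBECTL_URL="https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl"
curl -fsSLo kubectl "${KUBECTL_URL}"
curl -fsSLo kubectl.sha256 "${KUBECTL_URL}.sha256"
sha256sum -c kubectl.sha256          # refuse to run a truncated or tampered download
install -m 0755 kubectl /usr/local/bin/kubectl
# … unchanged: prework steps (kubectl describe / kubectl set env) …
```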
@@ -0,0 +1,38 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: "Amazon EKS PreWork pattern Blog" +Parameters: + AccessCIDR: + Default: 0.0.0.0/0 + Type: String + PreworkScriptBucket: + Type: String + Default: 'aws-quickstart' + PreworkScriptObject: + Type: String + Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh' +Resources: + EKSStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' + Parameters: + # Quickstart properties + QSS3BucketName: aws-quickstart + QSS3KeyPrefix: quickstart-amazon-eks/ + QSS3BucketRegion: us-east-1 + # Cluster properties + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR + NodeInstanceType: t3.large + NumberOfNodes: 1 + MaxNumberOfNodes: 1 + PreworkStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' + Parameters: + ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" + PreworkScriptBucket: "aws-quickstart" + PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + JobName: "ExampleJob" + KubernetesNameSpace: "prework-example" diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml new file mode 100644 index 0000000..cfd4e66 --- /dev/null +++ b/samples/eks-cluster-prework/templates/prework.template.yaml 
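Review bot: `ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"` hands the nested stack the literal string, because `!Sub` only substitutes `${...}` expressions; it should be `ClusterName: !GetAtt EKSStack.Outputs.EKSClusterName`, which also gives `PreworkStack` the implicit dependency on `EKSStack` it currently lacks. The `PreworkScriptBucket` and `PreworkScriptObject` parameters are declared but the nested stack receives hard-coded strings instead of `!Ref`, and the parameter default points at `.../script/pw-script.sh` while the file added in this commit lives under `scripts/`. The same hunk is repeated in PATCH 02/16, and the `!Sub` line is still present in the context of PATCH 08/16.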
@@ -0,0 +1,165 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: +Parameters: + ClusterName: + Type: String + PreworkScriptBucket: + Type: String + Default: aws-quickstart + PreworkScriptObject: + Type: String + Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + JobName: + Type: String + Default: ExampleJob + KubernetesNameSpace: + Type: String + Default: "prework-example" +Resources: + KubernetesPreWorkIAMRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub "pw-role-${JobName}" + AssumeRolePolicyDocument: !Sub + - | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}" + } + } + } + ] + } + - NameSpace: !Ref KubernetesNameSpace + ResourceName: "pw-service-account" + Path: "/" + Policies: + - PolicyName: root + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:GetObject + Resource: + - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" + KubernetesRole: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + name: "${ResourceName}-${JobName}" + # Modify for your scripts here + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - ResourceName: "pw-role" + NameSpace: !Ref "KubernetesNameSpace" + + PreWorkServiceAccount: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + 
app.kubernetes.io/name: "${ResourceName}-${JobName}" + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName} + name: "${ResourceName}-${JobName}" + namespace: ${NameSpace} + - ResourceName: "pw-service-account" + NameSpace: !Ref KubernetesNameSpace + RoleName: !Ref "PreWorkIAMRole" + + PreWorkClusterRoleBinding: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + name: "${ResourceName}-${JobName}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "pw-role-${JobName}" + subjects: + - kind: ServiceAccount + name: "pw-service-account-${JobName}" + namespace: ${NameSpace} + - ResourceName: "pw-role-binding-${JobName}" + NameSpace: !Ref KubernetesNameSpace + + PreWorkJob: + DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ] + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: batch/v1 + kind: Job + metadata: + name: "${ResourceName}-${JobName}" + namespace: ${NameSpace} + spec: + template: + spec: + containers: + - name: ${ResourceName} + image: amazonlinux:2 + command: ["/bin/bash","-c"] + args: + - > + sleep 15; + yum update -y; + yum install -y awscli; + export AWS_REGION=${AWS::Region}; + export NS=${NameSpace}; + aws sts get-caller-identity; + aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh && + chmod +x ./prework-script.sh && + ./prework-script.sh + env: + - name: S3_SCRIPT_URL + value: ${S3ScriptURL} + - name: AWS_REGION + value: ${AWS::Region} + serviceAccountName: "pw-service-account-${JobName}" + restartPolicy: Never + backoffLimit: 4 + - ResourceName: "pw-job" + NameSpace: !Ref "KubernetesNameSpace" + S3ScriptURL: !Sub 
"s3://${PreworkScriptBucket}/${PreworkScriptObject}" From f19cb7604c73ae333f1532374cfbbd54dbb0ebef Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Wed, 22 Sep 2021 14:34:07 -0700 Subject: [PATCH 02/16] Initial Blog Sample code --- .../eks-cluster-prework/scripts/pw-script.sh | 17 ++ .../eks-cluster-prework.template.yaml | 38 ++++ .../templates/prework.template.yaml | 165 ++++++++++++++++++ 3 files changed, 220 insertions(+) create mode 100644 samples/eks-cluster-prework/scripts/pw-script.sh create mode 100644 samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml create mode 100644 samples/eks-cluster-prework/templates/prework.template.yaml diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh new file mode 100644 index 0000000..f75a0af --- /dev/null +++ b/samples/eks-cluster-prework/scripts/pw-script.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# Install kubectl +yum install -y unzip + +# TODO: Make this generic based on the EKS Version +curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl +chmod +x ./kubectl + +#============= INSERT YOUR PREWORK STEPS HERE ====================# +# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster +kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt +# TODO: add to a kubernetes secret we output into the CloudFormation template + +# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True +kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true + +# Add additional steps below diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml new file mode 100644 index 0000000..b53c118 --- /dev/null +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml 
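Review bot: The trust policy in `KubernetesPreWorkIAMRole` substitutes `${OIDCProvider}`, but neither the `!Sub` variable map (only `NameSpace` and `ResourceName`) nor the Parameters section defines it, so the template cannot resolve; the cluster's OIDC issuer (without the `https://` prefix) has to be supplied as a parameter and added to the map. Several references name logical IDs that do not exist — `RoleName: !Ref "PreWorkIAMRole"` and `DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ]` versus the declared `KubernetesPreWorkIAMRole`, `KubernetesRole` and `PreWorkClusterRoleBinding` — and since `!Ref` on an IAM role returns its full name, the annotation `role/${RoleName}-${JobName}` expands to `pw-role-ExampleJob-ExampleJob`, a role that does not exist; `eks.amazonaws.com/role-arn: !GetAtt KubernetesPreWorkIAMRole.Arn` (passed through the map) avoids both problems. The Kubernetes `Role` only grants `secrets` create/delete inside `${NameSpace}`, while `pw-script.sh` runs `kubectl set env daemonset aws-node -n kube-system`, which this RBAC does not permit, so the job will be denied; the Role/RoleBinding should grant exactly what the script needs and nothing more. The same hunk is repeated in PATCH 02/16.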
@@ -0,0 +1,38 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: "Amazon EKS PreWork pattern Blog" +Parameters: + AccessCIDR: + Default: 0.0.0.0/0 + Type: String + PreworkScriptBucket: + Type: String + Default: 'aws-quickstart' + PreworkScriptObject: + Type: String + Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh' +Resources: + EKSStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' + Parameters: + # Quickstart properties + QSS3BucketName: aws-quickstart + QSS3KeyPrefix: quickstart-amazon-eks/ + QSS3BucketRegion: us-east-1 + # Cluster properties + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR + NodeInstanceType: t3.large + NumberOfNodes: 1 + MaxNumberOfNodes: 1 + PreworkStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' + Parameters: + ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" + PreworkScriptBucket: "aws-quickstart" + PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + JobName: "ExampleJob" + KubernetesNameSpace: "prework-example" diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml new file mode 100644 index 0000000..cfd4e66 --- /dev/null +++ b/samples/eks-cluster-prework/templates/prework.template.yaml 
@@ -0,0 +1,165 @@ +AWSTemplateFormatVersion: "2010-09-09" +Description: +Parameters: + ClusterName: + Type: String + PreworkScriptBucket: + Type: String + Default: aws-quickstart + PreworkScriptObject: + Type: String + Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + JobName: + Type: String + Default: ExampleJob + KubernetesNameSpace: + Type: String + Default: "prework-example" +Resources: + KubernetesPreWorkIAMRole: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub "pw-role-${JobName}" + AssumeRolePolicyDocument: !Sub + - | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}" + } + } + } + ] + } + - NameSpace: !Ref KubernetesNameSpace + ResourceName: "pw-service-account" + Path: "/" + Policies: + - PolicyName: root + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:GetObject + Resource: + - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" + KubernetesRole: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + name: "${ResourceName}-${JobName}" + # Modify for your scripts here + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - ResourceName: "pw-role" + NameSpace: !Ref "KubernetesNameSpace" + + PreWorkServiceAccount: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + 
app.kubernetes.io/name: "${ResourceName}-${JobName}" + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName} + name: "${ResourceName}-${JobName}" + namespace: ${NameSpace} + - ResourceName: "pw-service-account" + NameSpace: !Ref KubernetesNameSpace + RoleName: !Ref "PreWorkIAMRole" + + PreWorkClusterRoleBinding: + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: "${ResourceName}-${JobName}" + name: "${ResourceName}-${JobName}" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "pw-role-${JobName}" + subjects: + - kind: ServiceAccount + name: "pw-service-account-${JobName}" + namespace: ${NameSpace} + - ResourceName: "pw-role-binding-${JobName}" + NameSpace: !Ref KubernetesNameSpace + + PreWorkJob: + DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ] + Type: AWSQS::Kubernetes::Resource + Properties: + ClusterName: !Ref ClusterName + Namespace: !Ref KubernetesNameSpace + Manifest: !Sub + - | + apiVersion: batch/v1 + kind: Job + metadata: + name: "${ResourceName}-${JobName}" + namespace: ${NameSpace} + spec: + template: + spec: + containers: + - name: ${ResourceName} + image: amazonlinux:2 + command: ["/bin/bash","-c"] + args: + - > + sleep 15; + yum update -y; + yum install -y awscli; + export AWS_REGION=${AWS::Region}; + export NS=${NameSpace}; + aws sts get-caller-identity; + aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh && + chmod +x ./prework-script.sh && + ./prework-script.sh + env: + - name: S3_SCRIPT_URL + value: ${S3ScriptURL} + - name: AWS_REGION + value: ${AWS::Region} + serviceAccountName: "pw-service-account-${JobName}" + restartPolicy: Never + backoffLimit: 4 + - ResourceName: "pw-job" + NameSpace: !Ref "KubernetesNameSpace" + S3ScriptURL: !Sub 
"s3://${PreworkScriptBucket}/${PreworkScriptObject}" From bd1a12d1b29d1085afe5e4a99c89945c729ef864 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Wed, 22 Sep 2021 14:39:13 -0700 Subject: [PATCH 03/16] Fix spacing issues. --- .../templates/eks-cluster-prework.template.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index b53c118..ba9438b 100644 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -21,8 +21,8 @@ Resources: QSS3KeyPrefix: quickstart-amazon-eks/ QSS3BucketRegion: us-east-1 # Cluster properties - ProvisionBastionHost: Enabled - AccessCIDR: !Ref AccessCIDR + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 @@ -31,7 +31,7 @@ Resources: Properties: TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' Parameters: - ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" + ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" PreworkScriptBucket: "aws-quickstart" PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" JobName: "ExampleJob" From c13d5c0cf8d069f8fa3c424e39eb3686ef58feda Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Wed, 22 Sep 2021 14:39:42 -0700 Subject: [PATCH 04/16] Fix spacing issues. --- .../templates/eks-cluster-prework.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index ba9438b..62f6f18 100644 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml 
+++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -31,7 +31,7 @@ Resources: Properties: TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' Parameters: - ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" + ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" PreworkScriptBucket: "aws-quickstart" PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" JobName: "ExampleJob" From 53883df36a1807044c70570fd6a0dd761830f4f6 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Thu, 23 Sep 2021 10:19:36 -0700 Subject: [PATCH 05/16] Remove Bastion and AccessCIDR, small parameter adjustments --- .../eks-cluster-prework.template.yaml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index 62f6f18..e869ea2 100644 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -1,9 +1,12 @@ AWSTemplateFormatVersion: '2010-09-09' Description: "Amazon EKS PreWork pattern Blog" Parameters: - AccessCIDR: - Default: 0.0.0.0/0 + PreworkJobName: Type: String + Default: 'example-job' + PreworkNameSpace: + Type: String + Default: 'example-job-ns' PreworkScriptBucket: Type: String Default: 'aws-quickstart' 
@@ -16,13 +19,12 @@ Resources: Properties: TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' Parameters: - # Quickstart properties + # AWS Quick Start properties QSS3BucketName: aws-quickstart QSS3KeyPrefix: quickstart-amazon-eks/ QSS3BucketRegion: us-east-1 - # Cluster properties - ProvisionBastionHost: Enabled - AccessCIDR: !Ref AccessCIDR + # Amazon EKS Cluster properties + ProvisionBastionHost: Disabled NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 @@ -34,5 +36,5 @@ Resources: ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" PreworkScriptBucket: "aws-quickstart" PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" - JobName: "ExampleJob" - KubernetesNameSpace: "prework-example" + JobName: !Ref "PreWorkJobName" + KubernetesNameSpace: !Ref "PreworkNamespace" From 05d0571e24799b294ee3c8a5fea831b2136ce05e Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Thu, 23 Sep 2021 11:42:49 -0700 Subject: [PATCH 06/16] Adjust the S3 URI's to be sigv4 compliant. --- .../templates/eks-cluster-prework.template.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index e869ea2..9f116d1 100644 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -17,7 +17,7 @@ Resources: EKSStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' Parameters: # AWS Quick Start properties QSS3BucketName: aws-quickstart 
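Review bot: `JobName: !Ref "PreWorkJobName"` and `KubernetesNameSpace: !Ref "PreworkNamespace"` in the last hunk do not match the parameters this commit declares, `PreworkJobName` and `PreworkNameSpace`; `!Ref` is case-sensitive, so the template fails validation with unresolved references. Change the two lines to `JobName: !Ref PreworkJobName` and `KubernetesNameSpace: !Ref PreworkNameSpace`. Both lines are carried forward unchanged into PATCH 08/16.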
@@ -31,7 +31,7 @@ Resources: PreworkStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' Parameters: ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" PreworkScriptBucket: "aws-quickstart" From 9521c13b6ae38aa8372c032ab4f1d9f519ce4ab1 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Mon, 27 Sep 2021 14:05:52 -0700 Subject: [PATCH 07/16] Adjusting to agreed path for blog posts --- {samples => blog-assets}/eks-cluster-prework/scripts/pw-script.sh | 0 .../templates/eks-cluster-prework.template.yaml | 0 .../eks-cluster-prework/templates/prework.template.yaml | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename {samples => blog-assets}/eks-cluster-prework/scripts/pw-script.sh (100%) rename {samples => blog-assets}/eks-cluster-prework/templates/eks-cluster-prework.template.yaml (100%) rename {samples => blog-assets}/eks-cluster-prework/templates/prework.template.yaml (100%) diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/blog-assets/eks-cluster-prework/scripts/pw-script.sh similarity index 100% rename from samples/eks-cluster-prework/scripts/pw-script.sh rename to blog-assets/eks-cluster-prework/scripts/pw-script.sh diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml similarity index 100% rename from samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml rename to blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml 
diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml similarity index 100% rename from samples/eks-cluster-prework/templates/prework.template.yaml rename to blog-assets/eks-cluster-prework/templates/prework.template.yaml From 13fdfe8c3596c6633cf42d0dddc68dbfcbf36fbd Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Mon, 27 Sep 2021 14:14:31 -0700 Subject: [PATCH 08/16] Template adjustments for new paths --- .../templates/eks-cluster-prework.template.yaml | 6 +++--- .../templates/prework.template.yaml | 12 +++++++++++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index 9f116d1..b9c4e8f 100644 --- a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -12,7 +12,7 @@ Parameters: Default: 'aws-quickstart' PreworkScriptObject: Type: String - Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh' + Default: 'quickstart-examples/blog-assets/eks-cluster-prework/script/pw-script.sh' Resources: EKSStack: Type: AWS::CloudFormation::Stack 
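Review bot: The new default `'quickstart-examples/blog-assets/eks-cluster-prework/script/pw-script.sh'` still says `script/`, while the file renamed in PATCH 07/16 lives under `scripts/` and `prework.template.yaml` in this same commit defaults to `.../scripts/pw-script.sh`, so a stack launched with defaults points the job at a non-existent object and its `aws s3 cp` fails. Change it to `Default: 'quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh'`.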
@@ -31,10 +31,10 @@ Resources: PreworkStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/blog-assets/eks-cluster-prework/templates/prework.template.yaml' Parameters: ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" PreworkScriptBucket: "aws-quickstart" - PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + PreworkScriptObject: !Ref "PreworkScriptObject" JobName: !Ref "PreWorkJobName" KubernetesNameSpace: !Ref "PreworkNamespace" diff --git a/blog-assets/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml index cfd4e66..4ad336d 100644 --- a/blog-assets/eks-cluster-prework/templates/prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/prework.template.yaml @@ -8,7 +8,7 @@ Parameters: Default: aws-quickstart PreworkScriptObject: Type: String - Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" + Default: "quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh" JobName: Type: String Default: ExampleJob @@ -52,6 +52,16 @@ Resources: - s3:GetObject Resource: - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" + PeworkNameSpace: + Type: "AWSQS::Kubernetes::Resource" + Properties: + ClusterName: !Ref ClusterName + Manifest: !Sub | + kind: Namespace + apiVersion: v1 + metadata: + name: ${KubernetesNameSpace} + Namespace: default KubernetesRole: Type: AWSQS::Kubernetes::Resource Properties: From cc2db3d1f31091909700101ab7b8ebcd02300d14 Mon Sep 17 00:00:00 2001 
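Review bot: The added `PeworkNameSpace` resource creates the namespace, but none of the resources applied into it (`KubernetesRole`, `PreWorkServiceAccount`, `PreWorkClusterRoleBinding`, `PreWorkJob`) declare `DependsOn` on it, so CloudFormation may apply those manifests before the namespace exists and roll the stack back. Add `DependsOn: PeworkNameSpace` to each of them (and to the job's existing list); the logical ID also looks like a typo for `PreworkNameSpace`. In the sibling hunk of `eks-cluster-prework.template.yaml` (`@@ -31,10`), `PreworkScriptBucket: "aws-quickstart"` stays hard-coded although `PreworkScriptObject` was switched to `!Ref`, so bucket and key can disagree; use `PreworkScriptBucket: !Ref PreworkScriptBucket`. The enclosing Resources section continues outside the hunk.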
From: Tony Bulding <44652148+tbulding@users.noreply.github.com> Date: Thu, 14 Oct 2021 12:57:33 -0500 Subject: [PATCH 09/16] fixing spacing and incorrect value --- samples/ia4ct.py | 8 ++++---- submodules/quickstart-aws-vpc | 2 +- submodules/quickstart-linux-bastion | 2 +- submodules/quickstart-microsoft-rdgateway | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/samples/ia4ct.py b/samples/ia4ct.py index 6665def..e693c54 100644 --- a/samples/ia4ct.py +++ b/samples/ia4ct.py @@ -56,7 +56,7 @@ def method(self, arg): if hasattr(p,"AllowedPattern"): m.write(" # AllowedPattern: " + p.AllowedPattern + "\r\n") if hasattr(p,"AllowedValues"): - m.write(" # AllowedValues: " + ' '.join(p.AllowedValues) + "\r\n") + m.write(" # AllowedValues: " + ' '.join(str(v) for v in p.AllowedValues) + "\r\n") if hasattr(p,"ConstraintDescription"): m.write(" # ConstraintDescription: " + p.ConstraintDescription + "\r\n") if hasattr(p,"MaxLength"): @@ -73,15 +73,15 @@ def method(self, arg): m.write(" # Type: " + p.Type + "\r\n") m.write(" - parameter_key: " + p.name + "\r\n") if hasattr(p,"Default"): - m.write(" parameter_value: " + p.Default + "\r\n") + m.write(" parameter_value: " + str(p.Default) + "\r\n") else: m.write(" parameter_value: \r\n") m.write(" deploy_method: stack_set\r\n") - m.write(" deployment_targets: stack_set\r\n") + m.write(" deployment_targets:\r\n") m.write(" organizational_units:\r\n") m.write(" - [Enter your Organizational Unit]\r\n") m.write(" regions:\r\n") - m.write(" - [The region where you wish to deploy this workload]\r\n") + m.write(" - [The region where you wish to deploy this workload]\r\n") except YAMLError as exc: diff --git a/submodules/quickstart-aws-vpc b/submodules/quickstart-aws-vpc index ffc7af4..c0c6b19 160000 --- a/submodules/quickstart-aws-vpc +++ b/submodules/quickstart-aws-vpc @@ -1 +1 @@ -Subproject commit ffc7af4e59a09dbf52199a3ecf70f3805abeff48 +Subproject commit c0c6b19e183e37b014ce6d2b6862608173551726 
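Review bot: `str(p.Default)` fixes the concatenation for `Default`, but the sibling writes for `MaxLength`, `MaxValue`, `MinLength`, `MinValue` and `NoEcho` (between the two hunks, visible in the PATCH 10/16 context) still do `" # MaxLength: " + p.MaxLength`, and those CloudFormation attributes are commonly numbers or booleans, so the verbose path raises the same `TypeError` for any such parameter. Wrap each of them in `str(...)` as well, e.g. `m.write(" # NoEcho: " + str(p.NoEcho) + "\r\n")`. The enclosing function starts before this hunk, and `m` is opened with a plain `open(args.outPath, "w+")` rather than a `with` block, so an exception in this loop leaves the file handle open.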
diff --git a/submodules/quickstart-linux-bastion b/submodules/quickstart-linux-bastion index b9950be..f7ea3f4 160000 --- a/submodules/quickstart-linux-bastion +++ b/submodules/quickstart-linux-bastion @@ -1 +1 @@ -Subproject commit b9950be657d8a8c76e71fca157b4952a587342f4 +Subproject commit f7ea3f4eb39de5c80852c77a5e562a33f852c77f diff --git a/submodules/quickstart-microsoft-rdgateway b/submodules/quickstart-microsoft-rdgateway index 7becaf1..49a0408 160000 --- a/submodules/quickstart-microsoft-rdgateway +++ b/submodules/quickstart-microsoft-rdgateway @@ -1 +1 @@ -Subproject commit 7becaf192403d4092b4a8c4ad8f9b03c3d07ab20 +Subproject commit 49a0408d53ac915f27572da78fb5c259e0b1a17e From acc22a0716a098768c26a4434b4a87794fa94f8d Mon Sep 17 00:00:00 2001 From: Tony Bulding <44652148+tbulding@users.noreply.github.com> Date: Thu, 14 Oct 2021 13:00:30 -0500 Subject: [PATCH 10/16] set line endings to unix --- samples/ia4ct.py | 54 ++++++++++++++++++++++++------------------------ 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/samples/ia4ct.py b/samples/ia4ct.py index e693c54..3086881 100644 --- a/samples/ia4ct.py +++ b/samples/ia4ct.py 
@@ -39,49 +39,49 @@ def method(self, arg): # Create the manifest file and write the document m = open(args.outPath, "w+") - m.write("---\r\n") - m.write("region: [The region where Customization for Control Tower is deployed]\r\n") - m.write("version: 2021-03-15\r\n") - m.write("resources:\r\n") - m.write(" - name: [The name for this deployment]\r\n") - m.write(" description: " + cfn['Description'] + "\r\n") - m.write(" resource_file: [The s3 path where the template is located.]\r\n") - m.write(" parameters:\r\n") + m.write("---\n") + m.write("region: [The region where Customization for Control Tower is deployed]\n") + m.write("version: 2021-03-15\n") + m.write("resources:\n") + m.write(" - name: [The name for this deployment]\n") + m.write(" description: " + cfn['Description'] + "\n") + m.write(" resource_file: [The s3 path where the template is located.]\n") + m.write(" parameters:\n") parameters.sort(key=lambda x: x.name) for p in parameters: if args.verboseManifest: if hasattr(p,"Description"): - m.write(" # Description: " + p.Description + "\r\n") + m.write(" # Description: " + p.Description + "\n") if hasattr(p,"AllowedPattern"): - m.write(" # AllowedPattern: " + p.AllowedPattern + "\r\n") + m.write(" # AllowedPattern: " + p.AllowedPattern + "\n") if hasattr(p,"AllowedValues"): - m.write(" # AllowedValues: " + ' '.join(str(v) for v in p.AllowedValues) + "\r\n") + m.write(" # AllowedValues: " + ' '.join(str(v) for v in p.AllowedValues) + "\n") if hasattr(p,"ConstraintDescription"): - m.write(" # ConstraintDescription: " + p.ConstraintDescription + "\r\n") + m.write(" # ConstraintDescription: " + p.ConstraintDescription + "\n") if hasattr(p,"MaxLength"): - m.write(" # MaxLength: " + p.MaxLength + "\r\n") + m.write(" # MaxLength: " + p.MaxLength + "\n") if hasattr(p,"MaxValue"): - m.write(" # MaxValue: " + p.MaxValue + "\r\n") + m.write(" # MaxValue: " + p.MaxValue + "\n") if hasattr(p,"MinLength"): - m.write(" # MinLength: " + p.MinLength + "\r\n") + m.write(" # 
MinLength: " + p.MinLength + "\n") if hasattr(p,"MinValue"): - m.write(" # MinValue: " + p.MinValue + "\r\n") + m.write(" # MinValue: " + p.MinValue + "\n") if hasattr(p,"NoEcho"): - m.write(" # NoEcho: " + p.NoEcho + "\r\n") + m.write(" # NoEcho: " + p.NoEcho + "\n") if hasattr(p,"Type"): - m.write(" # Type: " + p.Type + "\r\n") - m.write(" - parameter_key: " + p.name + "\r\n") + m.write(" # Type: " + p.Type + "\n") + m.write(" - parameter_key: " + p.name + "\n") if hasattr(p,"Default"): - m.write(" parameter_value: " + str(p.Default) + "\r\n") + m.write(" parameter_value: " + str(p.Default) + "\n") else: - m.write(" parameter_value: \r\n") - m.write(" deploy_method: stack_set\r\n") - m.write(" deployment_targets:\r\n") - m.write(" organizational_units:\r\n") - m.write(" - [Enter your Organizational Unit]\r\n") - m.write(" regions:\r\n") - m.write(" - [The region where you wish to deploy this workload]\r\n") + m.write(" parameter_value: \n") + m.write(" deploy_method: stack_set\n") + m.write(" deployment_targets:\n") + m.write(" organizational_units:\n") + m.write(" - [Enter your Organizational Unit]\n") + m.write(" regions:\n") + m.write(" - [The region where you wish to deploy this workload]\n") except YAMLError as exc: From 4fce4a877e64e0e36a8ace17ba4804296ebe4605 Mon Sep 17 00:00:00 2001 From: Vinicius Pereira Date: Tue, 26 Oct 2021 17:30:28 -0300 Subject: [PATCH 11/16] add CF template for the blog post --- blog-assets/template.yaml | 158 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 blog-assets/template.yaml diff --git a/blog-assets/template.yaml b/blog-assets/template.yaml new file mode 100644 index 0000000..81c3edd --- /dev/null +++ b/blog-assets/template.yaml 
@@ -0,0 +1,158 @@ +AWSTemplateFormatVersion: '2010-09-09' + +Description: AWS API Gateway working as a Service Virtualization + +Resources: + + RestApi: + Type: AWS::ApiGateway::RestApi + Properties: + ApiKeySourceType: HEADER + Description: An API Gateway as Service Virtualization + EndpointConfiguration: + Types: + - EDGE + Name: mock-api + + Resource: + Type: AWS::ApiGateway::Resource + Properties: + ParentId: !GetAtt RestApi.RootResourceId + PathPart: 'mock' + RestApiId: !Ref RestApi + + GetMethod: + Type: AWS::ApiGateway::Method + Properties: + ApiKeyRequired: false + AuthorizationType: NONE + HttpMethod: GET + RequestParameters: + method.request.querystring.method: true + MethodResponses: + - ResponseModels: + application/json: !Ref ApiGatewayModel + StatusCode: 200 + - ResponseModels: + application/json: !Ref ApiGatewayModel + StatusCode: 201 + - ResponseModels: + application/json: !Ref ApiGatewayModel + StatusCode: 500 + - ResponseModels: + application/json: !Ref ApiGatewayModel + StatusCode: 503 + Integration: + ConnectionType: INTERNET + IntegrationResponses: + - ResponseTemplates: + application/json: | + { + "statusCode": 200, + "message": "OK. No problem here." + } + StatusCode: 200 + - ResponseTemplates: + application/json: | + { + "statusCode": 201, + "message": "Created. It appears to be good." + } + SelectionPattern: '201' + StatusCode: 201 + - ResponseTemplates: + application/json: | + { + "statusCode": 500, + "message": "Internal Server Error. Houston, we have a problem." + } + SelectionPattern: '500' + StatusCode: 500 + - ResponseTemplates: + application/json: | + { + "statusCode": 503, + "message": "Service Unavailable. I am not ready yet." 
+ } + SelectionPattern: '503' + StatusCode: 503 + PassthroughBehavior: WHEN_NO_TEMPLATES + RequestTemplates: + application/json: | + { + #if ( $input.params('method') == "ok" ) + "statusCode": 200 + #elseif ( $input.params('method') == "created" ) + "statusCode": 201 + #elseif ( $input.params('method') == "internalerror" ) + "statusCode": 500 + #else + "statusCode": 503 + #end + } + Type: MOCK + TimeoutInMillis: 29000 + OperationName: 'mock' + ResourceId: !Ref Resource + RestApiId: !Ref RestApi + + PostMethod: + Type: AWS::ApiGateway::Method + Properties: + ApiKeyRequired: false + AuthorizationType: NONE + HttpMethod: POST + MethodResponses: + - ResponseModels: + application/json: !Ref ApiGatewayModel + StatusCode: 200 + - ResponseModels: + application/json: !Ref ApiGatewayModel + StatusCode: 500 + Integration: + ConnectionType: INTERNET + IntegrationResponses: + - ResponseTemplates: + application/json: "{\"message\": \"OK. No problem here.\"}" + # SelectionPattern: '2\d{2}' + StatusCode: 200 + - ResponseTemplates: + application/json: "{\"message\": \"Internal Server Error. Houston, we have a problem.\"}" + SelectionPattern: '5\d{2}' + StatusCode: 500 + PassthroughBehavior: WHEN_NO_TEMPLATES + RequestTemplates: + application/json: | + { + "statusCode": $input.json('$.statusCode'), + "message": $input.json('$.message') + } + Type: MOCK + TimeoutInMillis: 29000 + OperationName: 'mock' + ResourceId: !Ref Resource + RestApiId: !Ref RestApi + + ApiGatewayModel: + Type: AWS::ApiGateway::Model + Properties: + ContentType: 'application/json' + RestApiId: !Ref RestApi + Schema: {} + + ApiGatewayStage: + Type: AWS::ApiGateway::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Mock API Stage v0 + RestApiId: !Ref RestApi + StageName: 'v0' + + ApiGatewayDeployment: + Type: AWS::ApiGateway::Deployment + DependsOn: + - GetMethod + - PostMethod + Properties: + Description: Mock API Deployment + RestApiId: !Ref RestApi \ No newline at end of file 
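Review bot: Both methods are created with `AuthorizationType: NONE` and `ApiKeyRequired: false` on an `EDGE` endpoint, and `ApiGatewayStage` defines no `MethodSettings`, so the mock API is reachable and unthrottled from any Internet address as soon as the stack is created. For a service-virtualization sample that may be intended, but the template should say so in its `Description` and cap the blast radius with stage-level throttling and metrics as below; turning on `LoggingLevel` as well would additionally require the account-level CloudWatch role for API Gateway, which this template does not set up. Separately, the POST request template emits `"statusCode": $input.json('$.statusCode'),` unconditionally, so a body without that key produces `"statusCode": ,` — malformed JSON that the MOCK integration is likely to surface as a 500 rather than a client error; guarding it with `#if($input.path('$.statusCode') != "")` or attaching a `RequestValidator` backed by a real model (the current `Schema: {}` accepts anything) would make the contract explicit.
```yaml
  ApiGatewayStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      # … unchanged: DeploymentId, Description, RestApiId, StageName …
      MethodSettings:
        - ResourcePath: '/*'
          HttpMethod: '*'
          ThrottlingBurstLimit: 20
          ThrottlingRateLimit: 10
          MetricsEnabled: true
```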
From 8e58afb9cf3b20a1a0f1556c86aa138b9651acc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vin=C3=ADcius=20Pereira?= Date: Tue, 26 Oct 2021 17:43:37 -0300 Subject: [PATCH 12/16] add Postman collection for the blog post --- ...t.SVwithAPIGateway.postman_collection.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 blog-assets/AWS Blog Post.SVwithAPIGateway.postman_collection.json diff --git a/blog-assets/AWS Blog Post.SVwithAPIGateway.postman_collection.json b/blog-assets/AWS Blog Post.SVwithAPIGateway.postman_collection.json new file mode 100644 index 0000000..28c018c --- /dev/null +++ b/blog-assets/AWS Blog Post.SVwithAPIGateway.postman_collection.json @@ -0,0 +1,70 @@ +{ + "info": { + "_postman_id": "233e8d84-5068-4909-84f0-c0340b451606", + "name": "AWS Blog Post", + "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" + }, + "item": [ + { + "name": "GET Method", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://put-your-api-gateway-stage-address-here/v0/mock?method=created", + "protocol": "https", + "host": [ + "put-your-api-gateway-stage-address-here" + ], + "path": [ + "v0", + "mock" + ], + "query": [ + { + "key": "method", + "value": "created" + } + ] + } + }, + "response": [] + }, + { + "name": "POST Method", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"statusCode\": 226\r\n}" + }, + "url": { + "raw": "https://put-your-api-gateway-stage-address-here/v0/mock", + "protocol": "https", + "host": [ + "put-your-api-gateway-stage-address-here" + ], + "path": [ + "v0", + "mock" + ], + "query": [ + { + "key": "scope", + "value": "internal", + "disabled": true + } + ] + } + }, + "response": [] + } + ] +} \ No newline at end of file From aeec25aa69a402acaf60871d560156ca7aed923b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vin=C3=ADcius=20Pereira?= Date: Fri, 19 Nov 2021 20:02:20 -0300 Subject: [PATCH 13/16] created folder for the blog post --- .../AWS Blog Post.SVwithAPIGateway.postman_collection.json | 0 blog-assets/{ => svcvirt-apigateway-cfn}/template.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename blog-assets/{ => svcvirt-apigateway-cfn}/AWS Blog Post.SVwithAPIGateway.postman_collection.json (100%) rename blog-assets/{ => svcvirt-apigateway-cfn}/template.yaml (100%) diff --git a/blog-assets/AWS Blog Post.SVwithAPIGateway.postman_collection.json b/blog-assets/svcvirt-apigateway-cfn/AWS Blog Post.SVwithAPIGateway.postman_collection.json similarity index 100% rename from blog-assets/AWS Blog Post.SVwithAPIGateway.postman_collection.json rename to blog-assets/svcvirt-apigateway-cfn/AWS Blog Post.SVwithAPIGateway.postman_collection.json diff --git a/blog-assets/template.yaml b/blog-assets/svcvirt-apigateway-cfn/template.yaml similarity index 100% rename from blog-assets/template.yaml rename to blog-assets/svcvirt-apigateway-cfn/template.yaml From e35583bbcbd60a1b94f1352658ed9ee619391f9a Mon Sep 17 00:00:00 2001 From: "[taskcat-ci]" Date: Mon, 13 Dec 2021 22:26:08 -0800 Subject: [PATCH 14/16] [taskcat-ci] Updating submodules --- submodules/quickstart-aws-vpc | 2 +- submodules/quickstart-linux-bastion | 2 +- submodules/quickstart-microsoft-rdgateway | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/submodules/quickstart-aws-vpc b/submodules/quickstart-aws-vpc index c0c6b19..b7aefd0 160000 --- a/submodules/quickstart-aws-vpc +++ b/submodules/quickstart-aws-vpc @@ -1 +1 @@ -Subproject commit c0c6b19e183e37b014ce6d2b6862608173551726 +Subproject commit b7aefd089e944d77cdc2b083886cdc498d2a6ee4 diff --git a/submodules/quickstart-linux-bastion b/submodules/quickstart-linux-bastion index f7ea3f4..645f03e 160000 --- a/submodules/quickstart-linux-bastion +++ b/submodules/quickstart-linux-bastion 
@@ -1 +1 @@ -Subproject commit f7ea3f4eb39de5c80852c77a5e562a33f852c77f +Subproject commit 645f03e28125e145b243f2b6cd21e9ee3b429c98 diff --git a/submodules/quickstart-microsoft-rdgateway b/submodules/quickstart-microsoft-rdgateway index 49a0408..f282fbb 160000 --- a/submodules/quickstart-microsoft-rdgateway +++ b/submodules/quickstart-microsoft-rdgateway @@ -1 +1 @@ -Subproject commit 49a0408d53ac915f27572da78fb5c259e0b1a17e +Subproject commit f282fbb4e807dd4b4044244361d260c4f206bf0c From 29a308c852c030fb8cdcb5657a0753eb7788096e Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Thu, 27 Jan 2022 15:35:29 -0800 Subject: [PATCH 15/16] Adding tested blogpost samples --- .../eks-cluster-prework/scripts/pw-script.sh | 23 +++--- .../eks-cluster-prework.template.yaml | 34 ++++++-- .../templates/prework.template.yaml | 78 ++++++++++++------- 3 files changed, 88 insertions(+), 47 deletions(-) diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh index f75a0af..b264164 100644 --- a/samples/eks-cluster-prework/scripts/pw-script.sh +++ b/samples/eks-cluster-prework/scripts/pw-script.sh 
@@ -1,17 +1,18 @@ #!/bin/bash # Install kubectl -yum install -y unzip -# TODO: Make this generic based on the EKS Version -curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl -chmod +x ./kubectl +# we are installing the current version if you are on an older cluster you might need to change this. +curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" +# Install kubectl +install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl #============= INSERT YOUR PREWORK STEPS HERE ====================# -# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster -kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt -# TODO: add to a kubernetes secret we output into the CloudFormation template - -# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True -kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true +# We will create a simple script the point of the blog is to show that you CAN run pre-work on the cluster via CloudFormation +# so we are less concerned with the content of this script. -# Add additional steps below +# there are much better ways to manage secrets ;) +kubectl create secret generic db-user-pass \ + --from-literal=username=devuser \ + --from-literal=password='S!B\*d$zDsb=' \ + -- namespace $KUBE_NAMESPACE +kubectl describe secrets/db-user-pass \ No newline at end of file diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index b53c118..c1ca84f 100644 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml 
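Review bot: The last flag of the `kubectl create secret` call is written `-- namespace $KUBE_NAMESPACE` (space after the dashes); `--` ends option parsing, so kubectl sees `namespace` and the namespace value as extra positional arguments and should reject the command, meaning the job's only real step fails — it should read `--namespace "$KUBE_NAMESPACE"`. Above it, `curl -LO` fetches whatever `stable.txt` resolves to at run time and `install` places it in `/usr/local/bin` as root with no integrity check and no `set -e`, so a truncated or substituted download is executed silently; pin the release, verify the published `.sha256` (this assumes the job image ships `sha256sum`, which is not visible here) and fail fast, as below. The plaintext password is acknowledged by the comment, but it is worth adding that it also lives in the S3 object and is briefly visible in the pod's process list while the command runs, so it must stay a throwaway value.
```shell
#!/bin/bash
set -euo pipefail

# Pin the kubectl release (override with KUBECTL_VERSION) and verify the
# published SHA-256 before installing it as root.
KUBECTL_VERSION="${KUBECTL_VERSION:-$(curl -fsSL https://dl.k8s.io/release/stable.txt)}"
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" -o kubectl.sha256
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
# … unchanged: install to /usr/local/bin, prework banner and comments …
kubectl create secret generic db-user-pass \
  --from-literal=username=devuser \
  --from-literal=password='S!B\*d$zDsb=' \
  --namespace "$KUBE_NAMESPACE"
# … unchanged: kubectl describe …
```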
@@ -4,6 +4,9 @@ Parameters:
 AccessCIDR:
 Default: 0.0.0.0/0
 Type: String
+ JobName:
+ Type: String
+ Default: 'job-example'
 PreworkScriptBucket:
 Type: String
 Default: 'aws-quickstart'
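Review bot: The new `JobName` parameter is passed straight into the nested prework stack, which this same commit constrains with an RFC 1123 `AllowedPattern`, so an invalid value is only rejected when the nested stack is created — after the EKS cluster has already been built. Copy the same constraint onto this parameter so validation fails at the top level: `AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'` plus the matching `ConstraintDescription`. The `AccessCIDR` default of `0.0.0.0/0` just above is unchanged here, but it now feeds a bastion host that this commit enables; it would be safer as a required parameter with a CIDR `AllowedPattern`.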
@@ -16,23 +19,38 @@ Resources: Properties: TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' Parameters: - # Quickstart properties + # QuickStart properties QSS3BucketName: aws-quickstart QSS3KeyPrefix: quickstart-amazon-eks/ - QSS3BucketRegion: us-east-1 # Cluster properties - ProvisionBastionHost: Enabled - AccessCIDR: !Ref AccessCIDR + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 + GetOIDCProvider: + Type: Custom::GetOIDCProvider + Properties: + ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" + AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" + IdField: 'issuer' PreworkStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' Parameters: - ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" - PreworkScriptBucket: "aws-quickstart" - PreworkScriptObject: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" - JobName: "ExampleJob" + ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" + PreworkScriptBucket: !Ref PreworkScriptBucket + PreworkScriptObject: !Ref PreworkScriptObject + JobName: !Ref JobName KubernetesNameSpace: "prework-example" + OIDCProvider: !Sub + - "${OIDCProvider1}/${OIDCProvider2}/${OIDCProvider3}" + - OIDCProvider1: !Select [ 2, !Split [ "/", !Ref GetOIDCProvider ] ] + OIDCProvider2: !Select [ 3, !Split [ "/", !Ref GetOIDCProvider ] ] + OIDCProvider3: !Select [ 4, !Split [ "/", !Ref GetOIDCProvider ] ] +Outputs: + EKSClusterName: + Value: !GetAtt EKSStack.Outputs.EKSClusterName + BastionIP: + Value: !GetAtt EKSStack.Outputs.BastionIP 
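Review bot: `GetOIDCProvider.Properties.AwsCliCommand` substitutes `${ClusterName}`, but this template declares no `ClusterName` parameter or resource (its parameters are `AccessCIDR`, `JobName`, `PreworkScriptBucket` and `PreworkScriptObject`), so CloudFormation is expected to reject it with an unresolved-dependency error; the intended value is `${EKSStack.Outputs.EKSClusterName}`. The nested stack's `ClusterName: !Sub "EKSStack.Outputs.EKSClusterName"` contains no `${…}` and therefore passes that literal string as the cluster name — it should be `ClusterName: !GetAtt EKSStack.Outputs.EKSClusterName`. Referencing `EKSStack` in both places also gives CloudFormation the ordering the hunk currently lacks, since the custom resource's hard-coded `ServiceToken` names an `eks-quickstart-ResourceReader` function that, judging by its name, only exists once the EKS stack has deployed.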
diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml index cfd4e66..aae7057 100644 --- a/samples/eks-cluster-prework/templates/prework.template.yaml +++ b/samples/eks-cluster-prework/templates/prework.template.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: +Description: "Amazon EKS cluster pre/post-work blog sample" Parameters: ClusterName: Type: String @@ -11,15 +11,23 @@ Parameters: Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" JobName: Type: String - Default: ExampleJob + Default: job-example + AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case + alphanumeric characters, '-' or '.', and must start and end with an alphanumeric + character" + OIDCProvider: + Type: String + Description: Amazon EKS cluster OIDC provider, without the protocol (e.g., oidc.eks.us-east-1.amazonaws.com/id/SADFASFFASFXCCVXCVSDFSDF). + Default: "" KubernetesNameSpace: Type: String Default: "prework-example" Resources: - KubernetesPreWorkIAMRole: + PreWorkIAMRole: Type: AWS::IAM::Role Properties: - RoleName: !Sub "pw-role-${JobName}" + RoleName: !Sub "pw-role-${JobName}" AssumeRolePolicyDocument: !Sub - | { @@ -33,14 +41,14 @@ Resources: "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}" + "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}" } } } ] } - NameSpace: !Ref KubernetesNameSpace - ResourceName: "pw-service-account" + ResourceName: !Sub "pw-service-account-${JobName}" Path: "/" Policies: - PolicyName: root 
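Review bot: The new `OIDCProvider` parameter defaults to an empty string and is interpolated into the IAM trust-policy condition key `"${OIDCProvider}:sub"`, so with the default the key becomes `:sub`, which can never match a real token claim; the role then either fails to create or is silently unassumable by the service account instead of surfacing a clear configuration error. Drop the `Default` so the value is required and constrain it, e.g. `AllowedPattern: '^oidc\.eks\.[a-z0-9-]+\.amazonaws\.com(\.cn)?/id/[A-Z0-9]+$'` (pattern inferred from the example in the Description — confirm it against the issuer format you expect). The `JobName` pattern added in the same hunk is a good model for this.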
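Review bot: The trust policy on `PreWorkIAMRole` conditions `sts:AssumeRoleWithWebIdentity` on the `sub` claim only; the usual IRSA guidance is to pin the audience as well, otherwise a token minted for a different audience by the same issuer would satisfy the condition. Add a second key beside the existing one: `"${OIDCProvider}:aud": "sts.amazonaws.com"`. The statement's `Principal` block begins above this hunk and is not visible here, so I cannot confirm it names the matching OIDC provider ARN.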
@@ -50,10 +58,22 @@ Resources: - Effect: Allow Action: - s3:GetObject + - s3:HeadObject Resource: - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" - KubernetesRole: + KubePreWorkNamespace: + Type: "AWSQS::Kubernetes::Resource" + Properties: + ClusterName: !Ref ClusterName + Namespace: default + Manifest: !Sub | + kind: Namespace + apiVersion: v1 + metadata: + name: ${KubernetesNameSpace} + KubePreWorkRole: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -63,8 +83,8 @@ Resources: kind: Role metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" - name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" + name: "${ResourceName}" # Modify for your scripts here rules: - apiGroups: @@ -74,11 +94,12 @@ Resources: verbs: - create - delete - - ResourceName: "pw-role" + - get + - ResourceName: !Sub "pw-role-${JobName}" NameSpace: !Ref "KubernetesNameSpace" - - PreWorkServiceAccount: + KubePreWorkServiceAccount: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace 
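Review bot: `s3:HeadObject`, added to `PreWorkIAMRole`'s inline policy, is not an IAM action; S3 authorizes the HeadObject API with `s3:GetObject`, which the policy already grants, so the new line adds no permission and IAM Access Analyzer will flag it as unknown. Remove it. A short comment on the statement, `# GetObject also covers HeadObject, which the job uses to fetch pw-script.sh`, would stop it from being re-added.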
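Review bot: The `KubePreWorkRole` rule now grants `get` alongside `create` and `delete`, but the `apiGroups`/`resources` those verbs apply to sit above this hunk and are not visible, so the effective scope cannot be checked here. The sample script shipped in this commit only creates and describes one secret, which needs `create` and `get`; unless another prework step removes objects, `delete` should be dropped so the job's service account holds the minimum it needs. A one-line comment next to `rules:`, `# least privilege: only the verbs pw-script.sh actually uses`, would help whoever copies this.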
@@ -88,17 +109,17 @@ Resources: kind: ServiceAccount metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName} - name: "${ResourceName}-${JobName}" + eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName} + name: "${ResourceName}" namespace: ${NameSpace} - - ResourceName: "pw-service-account" + - ResourceName: !Sub "pw-service-account-${JobName}" NameSpace: !Ref KubernetesNameSpace - RoleName: !Ref "PreWorkIAMRole" - - PreWorkClusterRoleBinding: + RoleName: !Ref PreWorkIAMRole + KubePreWorkRoleBinding: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace, KubePreWorkRole, KubePreWorkServiceAccount ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -108,8 +129,8 @@ Resources: kind: RoleBinding metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" - name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" + name: "${ResourceName}" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -118,11 +139,10 @@ Resources: - kind: ServiceAccount name: "pw-service-account-${JobName}" namespace: ${NameSpace} - - ResourceName: "pw-role-binding-${JobName}" + - ResourceName: !Sub "pw-role-binding-${JobName}" NameSpace: !Ref KubernetesNameSpace - - PreWorkJob: - DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ] + KubePreWorkJob: + DependsOn: [ PreWorkIAMRole, KubePreWorkRole, KubePreWorkServiceAccount, KubePreWorkRoleBinding ] Type: AWSQS::Kubernetes::Resource Properties: ClusterName: !Ref ClusterName @@ -132,7 +152,7 @@ Resources: apiVersion: batch/v1 kind: Job metadata: - name: "${ResourceName}-${JobName}" + name: "${ResourceName}" namespace: ${NameSpace} spec: template: 
@@ -157,9 +177,11 @@ Resources: value: ${S3ScriptURL} - name: AWS_REGION value: ${AWS::Region} + - name: KUBE_NAMESPACE + value: ${KubernetesNameSpace} serviceAccountName: "pw-service-account-${JobName}" restartPolicy: Never backoffLimit: 4 - - ResourceName: "pw-job" + - ResourceName: !Sub "pw-job-${JobName}" NameSpace: !Ref "KubernetesNameSpace" - S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" + S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" \ No newline at end of file From 2142bf028b0edf650d0f758dcee5ad64fdefb757 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Tue, 1 Feb 2022 10:18:12 -0800 Subject: [PATCH 16/16] Moved Assets for blog posts to new location --- .../eks-cluster-prework/scripts/pw-script.sh | 23 +-- .../eks-cluster-prework.template.yaml | 44 +++-- .../templates/prework.template.yaml | 74 ++++--- .../eks-cluster-prework/scripts/pw-script.sh | 18 -- .../eks-cluster-prework.template.yaml | 56 ------ .../templates/prework.template.yaml | 187 ------------------ 6 files changed, 85 insertions(+), 317 deletions(-) delete mode 100644 samples/eks-cluster-prework/scripts/pw-script.sh delete mode 100644 samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml delete mode 100644 samples/eks-cluster-prework/templates/prework.template.yaml diff --git a/blog-assets/eks-cluster-prework/scripts/pw-script.sh b/blog-assets/eks-cluster-prework/scripts/pw-script.sh index f75a0af..b264164 100644 --- a/blog-assets/eks-cluster-prework/scripts/pw-script.sh +++ b/blog-assets/eks-cluster-prework/scripts/pw-script.sh 
@@ -1,17 +1,18 @@ #!/bin/bash # Install kubectl -yum install -y unzip -# TODO: Make this generic based on the EKS Version -curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/kubectl -chmod +x ./kubectl +# we are installing the current version if you are on an older cluster you might need to change this. +curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" +# Install kubectl +install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl #============= INSERT YOUR PREWORK STEPS HERE ====================# -# Confirm VNI version (Current is 1.9.0) - we could just assume this since it is a new cluster -kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 > /tmp/foo.txt -# TODO: add to a kubernetes secret we output into the CloudFormation template - -# Set AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG to True -kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true +# We will create a simple script the point of the blog is to show that you CAN run pre-work on the cluster via CloudFormation +# so we are less concerned with the content of this script. -# Add additional steps below +# there are much better ways to manage secrets ;) +kubectl create secret generic db-user-pass \ + --from-literal=username=devuser \ + --from-literal=password='S!B\*d$zDsb=' \ + -- namespace $KUBE_NAMESPACE +kubectl describe secrets/db-user-pass \ No newline at end of file diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index b9c4e8f..db23bd6 100644 --- a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml 
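Review bot: The final flag of the `kubectl create secret` call is `-- namespace $KUBE_NAMESPACE`; `--` ends kubectl's option parsing, so `namespace` and its value become positional arguments and the command should be rejected, which makes the job's only real step fail — change it to `--namespace "$KUBE_NAMESPACE"`. The kubectl download above it is unpinned and unverified and the script has no `set -euo pipefail`, so a failed or tampered download is installed and executed as root without any error; resolve the version once into a variable, fetch the matching `kubectl.sha256` from `dl.k8s.io` and run `sha256sum --check` before `install` (assuming the job image has coreutils, which is not visible here). Since the plaintext password also lives in the S3 object, the comment should say explicitly that it is a throwaway sample value.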
@@ -1,12 +1,12 @@ AWSTemplateFormatVersion: '2010-09-09' Description: "Amazon EKS PreWork pattern Blog" Parameters: - PreworkJobName: + AccessCIDR: + Default: 0.0.0.0/0 Type: String - Default: 'example-job' - PreworkNameSpace: + JobName: Type: String - Default: 'example-job-ns' + Default: 'job-example' PreworkScriptBucket: Type: String Default: 'aws-quickstart' 
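Review bot: This hunk introduces `AccessCIDR` with a default of `0.0.0.0/0`, and the following hunk flips `ProvisionBastionHost` from `Disabled` to `Enabled` and feeds this value to it, so a user who accepts defaults gets an Internet-facing bastion open to every source address. Make the parameter required (no `Default`) and constrain it, e.g. `AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'` with a `ConstraintDescription`, or default to a value the stack is guaranteed to reject. The removed `PreworkNameSpace` parameter is replaced by a hard-coded `"prework-example"` in the nested-stack call; if that loss of configurability is intentional, say so in the `Description`.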
@@ -17,24 +17,40 @@ Resources: EKSStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' Parameters: - # AWS Quick Start properties + # QuickStart properties QSS3BucketName: aws-quickstart QSS3KeyPrefix: quickstart-amazon-eks/ - QSS3BucketRegion: us-east-1 - # Amazon EKS Cluster properties - ProvisionBastionHost: Disabled + # Cluster properties + ProvisionBastionHost: Enabled + AccessCIDR: !Ref AccessCIDR NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 + GetOIDCProvider: + Type: Custom::GetOIDCProvider + Properties: + ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" + AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" + IdField: 'issuer' PreworkStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: 'https://aws-quickstart.s3.us-east-1.amazonaws.com/quickstart-examples/blog-assets/eks-cluster-prework/templates/prework.template.yaml' + TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/blog-assets/eks-cluster-prework/templates/prework.template.yaml' Parameters: ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" - PreworkScriptBucket: "aws-quickstart" - PreworkScriptObject: !Ref "PreworkScriptObject" - JobName: !Ref "PreWorkJobName" - KubernetesNameSpace: !Ref "PreworkNamespace" + PreworkScriptBucket: !Ref PreworkScriptBucket + PreworkScriptObject: !Ref PreworkScriptObject + JobName: !Ref JobName + KubernetesNameSpace: "prework-example" + OIDCProvider: !Sub + - "${OIDCProvider1}/${OIDCProvider2}/${OIDCProvider3}" + - OIDCProvider1: !Select [ 2, !Split [ "/", !Ref GetOIDCProvider ] ] + OIDCProvider2: !Select [ 3, !Split [ "/", !Ref 
GetOIDCProvider ] ] + OIDCProvider3: !Select [ 4, !Split [ "/", !Ref GetOIDCProvider ] ] +Outputs: + EKSClusterName: + Value: !GetAtt EKSStack.Outputs.EKSClusterName + BastionIP: + Value: !GetAtt EKSStack.Outputs.BastionIP diff --git a/blog-assets/eks-cluster-prework/templates/prework.template.yaml b/blog-assets/eks-cluster-prework/templates/prework.template.yaml index 4ad336d..aae7057 100644 --- a/blog-assets/eks-cluster-prework/templates/prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/prework.template.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: "2010-09-09" -Description: +Description: "Amazon EKS cluster pre/post-work blog sample" Parameters: ClusterName: Type: String @@ -8,18 +8,26 @@ Parameters: Default: aws-quickstart PreworkScriptObject: Type: String - Default: "quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh" + Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" JobName: Type: String - Default: ExampleJob + Default: job-example + AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case + alphanumeric characters, '-' or '.', and must start and end with an alphanumeric + character" + OIDCProvider: + Type: String + Description: Amazon EKS cluster OIDC provider, without the protocol (e.g., oidc.eks.us-east-1.amazonaws.com/id/SADFASFFASFXCCVXCVSDFSDF). + Default: "" KubernetesNameSpace: Type: String Default: "prework-example" Resources: - KubernetesPreWorkIAMRole: + PreWorkIAMRole: Type: AWS::IAM::Role Properties: - RoleName: !Sub "pw-role-${JobName}" + RoleName: !Sub "pw-role-${JobName}" AssumeRolePolicyDocument: !Sub - | { 
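Review bot: The `PreworkScriptObject` default is changed from `quickstart-examples/blog-assets/eks-cluster-prework/scripts/pw-script.sh` to `quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh`, yet this same commit deletes everything under `samples/eks-cluster-prework/`, so the default now points at an object that will no longer be published and both the job's `s3://` download and the IAM policy resource derived from it target a missing key. Keep the `blog-assets` path. The new `OIDCProvider` parameter also defaults to `""`, which turns the trust-policy condition key into `:sub`; remove the `Default` so the value is required and constrain it with an `AllowedPattern`, as was done for `JobName` in the same hunk.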
@@ -33,14 +41,14 @@ Resources: "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}-${JobName}" + "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}" } } } ] } - NameSpace: !Ref KubernetesNameSpace - ResourceName: "pw-service-account" + ResourceName: !Sub "pw-service-account-${JobName}" Path: "/" Policies: - PolicyName: root @@ -50,20 +58,22 @@ Resources: - Effect: Allow Action: - s3:GetObject + - s3:HeadObject Resource: - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" - PeworkNameSpace: + KubePreWorkNamespace: Type: "AWSQS::Kubernetes::Resource" Properties: ClusterName: !Ref ClusterName + Namespace: default Manifest: !Sub | kind: Namespace apiVersion: v1 metadata: name: ${KubernetesNameSpace} - Namespace: default - KubernetesRole: + KubePreWorkRole: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -73,8 +83,8 @@ Resources: kind: Role metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" - name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" + name: "${ResourceName}" # Modify for your scripts here rules: - apiGroups: @@ -84,11 +94,12 @@ Resources: verbs: - create - delete - - ResourceName: "pw-role" + - get + - ResourceName: !Sub "pw-role-${JobName}" NameSpace: !Ref "KubernetesNameSpace" - - PreWorkServiceAccount: + KubePreWorkServiceAccount: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace 
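Review bot: The trust policy on `PreWorkIAMRole` conditions `sts:AssumeRoleWithWebIdentity` on the `sub` claim only; IRSA guidance is to pin the audience too, otherwise a token minted for a different audience by the same issuer satisfies the condition. Add `"${OIDCProvider}:aud": "sts.amazonaws.com"` beside the existing `:sub` key. The statement's `Principal` block starts above this hunk and is not visible, so I cannot confirm it names the matching OIDC provider ARN.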
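Review bot: `s3:HeadObject`, added to `PreWorkIAMRole`'s inline policy, is not an IAM action; the HeadObject API is authorized by `s3:GetObject`, already granted on the line above, so the new entry adds no permission and will be flagged as unknown by IAM Access Analyzer. Remove it and note on the statement: `# GetObject also covers HeadObject, which the job uses to fetch pw-script.sh`.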
@@ -98,17 +109,17 @@ Resources: kind: ServiceAccount metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName}-${JobName} - name: "${ResourceName}-${JobName}" + eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName} + name: "${ResourceName}" namespace: ${NameSpace} - - ResourceName: "pw-service-account" + - ResourceName: !Sub "pw-service-account-${JobName}" NameSpace: !Ref KubernetesNameSpace - RoleName: !Ref "PreWorkIAMRole" - - PreWorkClusterRoleBinding: + RoleName: !Ref PreWorkIAMRole + KubePreWorkRoleBinding: Type: AWSQS::Kubernetes::Resource + DependsOn: [ KubePreWorkNamespace, KubePreWorkRole, KubePreWorkServiceAccount ] Properties: ClusterName: !Ref ClusterName Namespace: !Ref KubernetesNameSpace @@ -118,8 +129,8 @@ Resources: kind: RoleBinding metadata: labels: - app.kubernetes.io/name: "${ResourceName}-${JobName}" - name: "${ResourceName}-${JobName}" + app.kubernetes.io/name: "${ResourceName}" + name: "${ResourceName}" roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -128,11 +139,10 @@ Resources: - kind: ServiceAccount name: "pw-service-account-${JobName}" namespace: ${NameSpace} - - ResourceName: "pw-role-binding-${JobName}" + - ResourceName: !Sub "pw-role-binding-${JobName}" NameSpace: !Ref KubernetesNameSpace - - PreWorkJob: - DependsOn: [ PreWorkIAMRole, PreWorkRole, PreWorkServiceAccount, PreWorkRoleBinding ] + KubePreWorkJob: + DependsOn: [ PreWorkIAMRole, KubePreWorkRole, KubePreWorkServiceAccount, KubePreWorkRoleBinding ] Type: AWSQS::Kubernetes::Resource Properties: ClusterName: !Ref ClusterName @@ -142,7 +152,7 @@ Resources: apiVersion: batch/v1 kind: Job metadata: - name: "${ResourceName}-${JobName}" + name: "${ResourceName}" namespace: ${NameSpace} spec: template: 
@@ -167,9 +177,11 @@ Resources: value: ${S3ScriptURL} - name: AWS_REGION value: ${AWS::Region} + - name: KUBE_NAMESPACE + value: ${KubernetesNameSpace} serviceAccountName: "pw-service-account-${JobName}" restartPolicy: Never backoffLimit: 4 - - ResourceName: "pw-job" + - ResourceName: !Sub "pw-job-${JobName}" NameSpace: !Ref "KubernetesNameSpace" - S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" + S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" \ No newline at end of file diff --git a/samples/eks-cluster-prework/scripts/pw-script.sh b/samples/eks-cluster-prework/scripts/pw-script.sh deleted file mode 100644 index b264164..0000000 --- a/samples/eks-cluster-prework/scripts/pw-script.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# Install kubectl - -# we are installing the current version if you are on an older cluster you might need to change this. -curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -# Install kubectl -install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - -#============= INSERT YOUR PREWORK STEPS HERE ====================# -# We will create a simple script the point of the blog is to show that you CAN run pre-work on the cluster via CloudFormation -# so we are less concerned with the content of this script. - -# there are much better ways to manage secrets ;) -kubectl create secret generic db-user-pass \ - --from-literal=username=devuser \ - --from-literal=password='S!B\*d$zDsb=' \ - -- namespace $KUBE_NAMESPACE -kubectl describe secrets/db-user-pass \ No newline at end of file diff --git a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml deleted file mode 100644 index c1ca84f..0000000 --- a/samples/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Description: "Amazon EKS PreWork pattern Blog" -Parameters: - AccessCIDR: - Default: 0.0.0.0/0 - Type: String - JobName: - Type: String - Default: 'job-example' - PreworkScriptBucket: - Type: String - Default: 'aws-quickstart' - PreworkScriptObject: - Type: String - Default: 'quickstart-examples/samples/eks-cluster-prework/script/pw-script.sh' -Resources: - EKSStack: - Type: AWS::CloudFormation::Stack - Properties: - TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-amazon-eks/templates/amazon-eks-entrypoint-new-vpc.template.yaml' - Parameters: - # QuickStart properties - QSS3BucketName: aws-quickstart - QSS3KeyPrefix: quickstart-amazon-eks/ - # Cluster properties - ProvisionBastionHost: Enabled - AccessCIDR: !Ref AccessCIDR - NodeInstanceType: t3.large - NumberOfNodes: 1 - MaxNumberOfNodes: 1 - GetOIDCProvider: - Type: Custom::GetOIDCProvider - Properties: - ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" - AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" - IdField: 'issuer' - PreworkStack: - Type: AWS::CloudFormation::Stack - Properties: - TemplateURL: 'https://aws-quickstart.s3.amazonaws.com/quickstart-examples/samples/eks-cluster-prework/templates/prework.template.yaml' - Parameters: - ClusterName: !Sub "EKSStack.Outputs.EKSClusterName" - PreworkScriptBucket: !Ref PreworkScriptBucket - PreworkScriptObject: !Ref PreworkScriptObject - JobName: !Ref JobName - KubernetesNameSpace: "prework-example" - OIDCProvider: !Sub - - "${OIDCProvider1}/${OIDCProvider2}/${OIDCProvider3}" - - OIDCProvider1: !Select [ 2, !Split [ "/", !Ref GetOIDCProvider ] ] - OIDCProvider2: !Select [ 3, !Split [ "/", !Ref GetOIDCProvider ] ] - OIDCProvider3: !Select [ 4, !Split [ "/", !Ref GetOIDCProvider ] ] -Outputs: - EKSClusterName: - Value: !GetAtt EKSStack.Outputs.EKSClusterName - BastionIP: - 
Value: !GetAtt EKSStack.Outputs.BastionIP diff --git a/samples/eks-cluster-prework/templates/prework.template.yaml b/samples/eks-cluster-prework/templates/prework.template.yaml deleted file mode 100644 index aae7057..0000000 --- a/samples/eks-cluster-prework/templates/prework.template.yaml +++ /dev/null 
@@ -1,187 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Description: "Amazon EKS cluster pre/post-work blog sample" -Parameters: - ClusterName: - Type: String - PreworkScriptBucket: - Type: String - Default: aws-quickstart - PreworkScriptObject: - Type: String - Default: "quickstart-examples/samples/eks-cluster-prework/scripts/pw-script.sh" - JobName: - Type: String - Default: job-example - AllowedPattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' - ConstraintDescription: "a lowercase RFC 1123 subdomain must consist of lower case - alphanumeric characters, '-' or '.', and must start and end with an alphanumeric - character" - OIDCProvider: - Type: String - Description: Amazon EKS cluster OIDC provider, without the protocol (e.g., oidc.eks.us-east-1.amazonaws.com/id/SADFASFFASFXCCVXCVSDFSDF). - Default: "" - KubernetesNameSpace: - Type: String - Default: "prework-example" -Resources: - PreWorkIAMRole: - Type: AWS::IAM::Role - Properties: - RoleName: !Sub "pw-role-${JobName}" - AssumeRolePolicyDocument: !Sub - - | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDCProvider}" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "${OIDCProvider}:sub": "system:serviceaccount:${NameSpace}:${ResourceName}" - } - } - } - ] - } - - NameSpace: !Ref KubernetesNameSpace - ResourceName: !Sub "pw-service-account-${JobName}" - Path: "/" - Policies: - - PolicyName: root - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: - - s3:GetObject - - s3:HeadObject - Resource: - - !Sub "arn:aws:s3:::${PreworkScriptBucket}/${PreworkScriptObject}" - KubePreWorkNamespace: - Type: "AWSQS::Kubernetes::Resource" - Properties: - ClusterName: !Ref ClusterName - Namespace: default - Manifest: !Sub | - kind: Namespace - apiVersion: v1 - metadata: - name: ${KubernetesNameSpace} - KubePreWorkRole: - Type: 
AWSQS::Kubernetes::Resource - DependsOn: [ KubePreWorkNamespace ] - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - labels: - app.kubernetes.io/name: "${ResourceName}" - name: "${ResourceName}" - # Modify for your scripts here - rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - ResourceName: !Sub "pw-role-${JobName}" - NameSpace: !Ref "KubernetesNameSpace" - KubePreWorkServiceAccount: - Type: AWSQS::Kubernetes::Resource - DependsOn: [ KubePreWorkNamespace ] - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/name: "${ResourceName}" - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::${AWS::AccountId}:role/${RoleName} - name: "${ResourceName}" - namespace: ${NameSpace} - - ResourceName: !Sub "pw-service-account-${JobName}" - NameSpace: !Ref KubernetesNameSpace - RoleName: !Ref PreWorkIAMRole - KubePreWorkRoleBinding: - Type: AWSQS::Kubernetes::Resource - DependsOn: [ KubePreWorkNamespace, KubePreWorkRole, KubePreWorkServiceAccount ] - Properties: - ClusterName: !Ref ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - labels: - app.kubernetes.io/name: "${ResourceName}" - name: "${ResourceName}" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "pw-role-${JobName}" - subjects: - - kind: ServiceAccount - name: "pw-service-account-${JobName}" - namespace: ${NameSpace} - - ResourceName: !Sub "pw-role-binding-${JobName}" - NameSpace: !Ref KubernetesNameSpace - KubePreWorkJob: - DependsOn: [ PreWorkIAMRole, KubePreWorkRole, KubePreWorkServiceAccount, KubePreWorkRoleBinding ] - Type: AWSQS::Kubernetes::Resource - Properties: - ClusterName: !Ref 
ClusterName - Namespace: !Ref KubernetesNameSpace - Manifest: !Sub - - | - apiVersion: batch/v1 - kind: Job - metadata: - name: "${ResourceName}" - namespace: ${NameSpace} - spec: - template: - spec: - containers: - - name: ${ResourceName} - image: amazonlinux:2 - command: ["/bin/bash","-c"] - args: - - > - sleep 15; - yum update -y; - yum install -y awscli; - export AWS_REGION=${AWS::Region}; - export NS=${NameSpace}; - aws sts get-caller-identity; - aws s3 cp ${!S3_SCRIPT_URL} ./prework-script.sh && - chmod +x ./prework-script.sh && - ./prework-script.sh - env: - - name: S3_SCRIPT_URL - value: ${S3ScriptURL} - - name: AWS_REGION - value: ${AWS::Region} - - name: KUBE_NAMESPACE - value: ${KubernetesNameSpace} - serviceAccountName: "pw-service-account-${JobName}" - restartPolicy: Never - backoffLimit: 4 - - ResourceName: !Sub "pw-job-${JobName}" - NameSpace: !Ref "KubernetesNameSpace" - S3ScriptURL: !Sub "s3://${PreworkScriptBucket}/${PreworkScriptObject}" \ No newline at end of file