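AWSTemplateFormatVersion: "2010-09-09"
# IAM for a Logiq deployment on EKS: one role (used as both the EKS cluster
# role and the worker-node role) plus two customer-managed policies, one for
# the EBS CSI driver and one for the Helm S3 bucket.
#
# The template was produced by former2 and hand-edited.  The single top-level
# Metadata mapping below merges the generator tag and the console parameter
# interface; the key must not appear twice in a YAML mapping (parsers either
# reject the document or silently keep only one of the two).
Description: ""
Metadata:
  Generator: "former2"
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: IAM role for Logiq-EKS
        Parameters:
          - logiqEBSRole
      - Label:
          default: Logiq S3 bucket for Helm
        Parameters:
          - logiqS3name
    ParameterLabels:
      logiqEBSRole:
        default: Please enter IAM role name for Logiq-EKS
      logiqS3name:
        default: Logiq S3 bucket name

Parameters:
  logiqEBSRole:
    Type: String
    Description: IAM role for Logiq-EKS
    # The value becomes the suffix of the role name "eks-cluster-<value>" and
    # of both managed-policy names.  IAM role names are limited to 64
    # characters from [\w+=,.@-]; 64 minus len("eks-cluster-") leaves 52, so
    # an over-long or malformed value fails at parameter validation rather
    # than at role creation.
    MinLength: 1
    MaxLength: 52
    AllowedPattern: '^[\w+=,.@-]+$'
    ConstraintDescription: "1-52 characters from the set [A-Za-z0-9_+=,.@-]"
  logiqS3name:
    Type: String
    Description: Logiq S3 bucket name
    # Must be a valid bucket name: the value is spliced into the bucket and
    # object ARNs of IAMManagedbucketpolicy and into that policy's name.
    MinLength: 3
    MaxLength: 63
    AllowedPattern: '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
    ConstraintDescription: "3-63 lowercase letters, digits, dots or hyphens, starting and ending with a letter or digit"

Resources:
  # Logical ID kept as-is (note the single "M") so existing stacks update the
  # policy in place instead of replacing it.
  IAManagedLogiqEBSPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Join ["-", ["Amazon_EBS_CSI_Driver_logiq", !Ref logiqEBSRole]]
      Path: "/"
      # Permissions for the EBS CSI driver.  The attach/describe statement
      # uses Resource "*" (most EC2 Describe* actions do not support
      # resource-level ARNs); the CreateVolume / DeleteVolume / DeleteSnapshot
      # statements are also "*" but are narrowed by tag conditions, so the
      # driver can only create volumes it tags as its own and only delete
      # volumes or snapshots that carry those tags.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "ec2:CreateSnapshot"
              - "ec2:AttachVolume"
              - "ec2:DetachVolume"
              - "ec2:ModifyVolume"
              - "ec2:DescribeAvailabilityZones"
              - "ec2:DescribeInstances"
              - "ec2:DescribeSnapshots"
              - "ec2:DescribeTags"
              - "ec2:DescribeVolumes"
              - "ec2:DescribeVolumesModifications"
            Resource: "*"
          # Tagging is only allowed as part of the create call itself, so the
          # driver cannot re-tag arbitrary existing volumes or snapshots.
          - Effect: Allow
            Action:
              - "ec2:CreateTags"
            Resource:
              - "arn:aws:ec2:*:*:volume/*"
              - "arn:aws:ec2:*:*:snapshot/*"
            Condition:
              StringEquals:
                "ec2:CreateAction":
                  - CreateVolume
                  - CreateSnapshot
          - Effect: Allow
            Action:
              - "ec2:DeleteTags"
            Resource:
              - "arn:aws:ec2:*:*:volume/*"
              - "arn:aws:ec2:*:*:snapshot/*"
          # CreateVolume: the request must carry one of the driver's tags.
          - Effect: Allow
            Action:
              - "ec2:CreateVolume"
            Resource: "*"
            Condition:
              StringLike:
                "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
          - Effect: Allow
            Action:
              - "ec2:CreateVolume"
            Resource: "*"
            Condition:
              StringLike:
                "aws:RequestTag/CSIVolumeName": "*"
          - Effect: Allow
            Action:
              - "ec2:CreateVolume"
            Resource: "*"
            Condition:
              StringLike:
                "aws:RequestTag/kubernetes.io/cluster/*": "owned"
          # DeleteVolume: the existing volume must carry one of those tags.
          - Effect: Allow
            Action:
              - "ec2:DeleteVolume"
            Resource: "*"
            Condition:
              StringLike:
                "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
          - Effect: Allow
            Action:
              - "ec2:DeleteVolume"
            Resource: "*"
            Condition:
              StringLike:
                "ec2:ResourceTag/CSIVolumeName": "*"
          - Effect: Allow
            Action:
              - "ec2:DeleteVolume"
            Resource: "*"
            Condition:
              StringLike:
                "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
          # DeleteSnapshot: same tag scoping for snapshots.
          - Effect: Allow
            Action:
              - "ec2:DeleteSnapshot"
            Resource: "*"
            Condition:
              StringLike:
                "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
          - Effect: Allow
            Action:
              - "ec2:DeleteSnapshot"
            Resource: "*"
            Condition:
              StringLike:
                "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"

  IAMManagedbucketpolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Join ["-", [!Ref logiqS3name, !Ref logiqEBSRole]]
      Path: "/"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only bucket/account metadata; not scoped to one bucket, so
          # the holder can read ACL/location/public-access status of every
          # bucket in the account (the Sid suggests this is for console use).
          - Sid: ConsoleAccess
            Effect: Allow
            Action:
              - "s3:GetAccountPublicAccessBlock"
              - "s3:GetBucketAcl"
              - "s3:GetBucketLocation"
              - "s3:GetBucketPolicyStatus"
              - "s3:GetBucketPublicAccessBlock"
            Resource: "*"
          - Sid: ListObjectsInBucket
            Effect: Allow
            Action: "s3:ListBucket"
            Resource:
              - !Sub "arn:aws:s3:::${logiqS3name}"
          # "s3:*Object" expands to every object-level action (Get, Put,
          # Delete, Restore, ...) on objects in the Helm bucket.
          - Sid: AllObjectActions
            Effect: Allow
            Action: "s3:*Object"
            Resource:
              - !Sub "arn:aws:s3:::${logiqS3name}/*"

  # One role serves as both the EKS cluster role (eks.amazonaws.com) and the
  # worker-node instance role (ec2.amazonaws.com), so every node that assumes
  # it also holds the cluster-management policies plus the EBS CSI and S3
  # bucket permissions.  Least-privilege follow-up: split this into a cluster
  # role and a node role, and grant the CSI/S3 policies to the workloads that
  # need them (e.g. IAM roles for service accounts) rather than to every node.
  IAMRoleLogiqEKS:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: !Join ["-", ["eks-cluster", !Ref logiqEBSRole]]
      # Trust policy written as YAML (equivalent to the previous JSON string)
      # so the two trusted service principals are visible at a glance.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: "ec2.amazonaws.com"
            Action: "sts:AssumeRole"
          - Effect: Allow
            Principal:
              Service: "eks.amazonaws.com"
            Action: "sts:AssumeRole"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
        - "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - !Ref IAMManagedbucketpolicy
        - !Ref IAManagedLogiqEBSPolicy

Outputs:
  LogiqS3Bucket:
    Value: !Ref logiqS3name
    Description: S3 bucket to be used with Logiq
  LogiqEKSClusterRole:
    Value: !GetAtt IAMRoleLogiqEKS.Arn
    Description: Logiq EKS role ARN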