def create_conditions(self):
self.template.add_condition(
"UseSSL", Not(Equals(Ref("ControllerELBCertName"), "")))
self.template.add_condition("UseDNS",
Not(Equals(Ref("ExternalDomain"), "")))
self.template.add_condition("EnableStreamingLogs",
Equals(Ref("DisableStreamingLogs"), ""))
def create_conditions(self):
t = self.template
ssl_condition = Not(Equals(Ref("ELBCertName"), ""))
t.add_condition("UseHTTPS", ssl_condition)
t.add_condition("UseHTTP", Not(ssl_condition))
self.template.add_condition(
"UseIAMCert",
Not(Equals(Ref("ELBCertType"), "acm")))
t.add_condition(
"EnableSNSEvents",
Equals(Ref("EventsBackend"), "sns"))
t.add_condition(
"CreateSNSTopic",
And(Equals(Ref("EventsSNSTopicName"), ""),
Condition("EnableSNSEvents")))
t.add_condition(
"EnableCloudwatchLogs",
Equals(Ref("RunLogsBackend"), "cloudwatch"))
t.add_condition(
"CreateRunLogsGroup",
And(Equals(Ref("RunLogsCloudwatchGroup"), ""),
Condition("EnableCloudwatchLogs")))
t.add_condition(
"EnableAppEventStream",
Equals(Ref("LogsStreamer"), "kinesis"))
t.add_condition(
"RequireCommitMessages",
Equals(Ref("RequireCommitMessages"), "true"))
def condition_bucket_name_provided(self) -> str:
"""Condition BucketNameProvided."""
return self.template.add_condition(
"BucketNameProvided",
And(
Not(Equals(self.variables["BucketName"].ref, "undefined")),
Not(Equals(self.variables["BucketName"].ref, "")),
),
)
def add_conditions(self):
""" Create Conditions """
template = self.template
variables = self.get_variables()
template.add_condition('UseCidrIp',
Not(Equals(variables['CidrIp'].ref, '')))
template.add_condition(
'UseSourceSecurityGroupId',
Not(Equals(variables['SourceSecurityGroupId'].ref, '')))
def add_conditions(self):
"""Add conditions to template."""
template = self.template
variables = self.get_variables()
template.add_condition('CidrDefined',
Not(Equals(variables['FromCidr'].ref, '')))
template.add_condition('SrcSgDefined',
Not(Equals(variables['FromSgId'].ref, '')))
def create_conditions(self):
self.template.add_condition("HasInternalDomain",
Not(Equals(Ref("InternalDomain"), "")))
self.template.add_condition("HasExternalDomain",
Not(Equals(Ref("BaseDomain"), "")))
self.template.add_condition(
"HasHostedZones",
Or(Condition("HasInternalDomain"), Condition("HasExternalDomain")))
self.template.add_condition("NoHostedZones",
Not(Condition("HasHostedZones")))
def create_conditions(self):
self.template.add_condition("HasInternalZone",
Not(Equals(Ref("InternalZoneId"), "")))
self.template.add_condition("HasInternalZoneName",
Not(Equals(Ref("InternalZoneName"), "")))
self.template.add_condition("HasInternalHostname",
Not(Equals(Ref("InternalHostname"), "")))
self.template.add_condition(
"CreateInternalHostname",
And(Condition("HasInternalZone"), Condition("HasInternalZoneName"),
Condition("HasInternalHostname")))
def create_conditions(self):
self.template.add_condition("CreateELB",
Not(Equals(Ref("ELBHostName"), "")))
self.template.add_condition("SetupDNS",
Not(Equals(Ref("BaseDomain"), "")))
self.template.add_condition("UseSSL",
Not(Equals(Ref("ELBCertName"), "")))
self.template.add_condition(
"CreateSSLELB", And(Condition("CreateELB"), Condition("UseSSL")))
self.template.add_condition(
"SetupELBDNS", And(Condition("CreateELB"), Condition("SetupDNS")))
def create_policy(self):
ns = self.context.namespace
name_prefix = "%s-%s" % (ns, self.name)
t = self.template
t.add_condition(
'ExternalRoles',
Not(Equals(Join(",", Ref('RoleNames')), '')),
)
t.add_condition(
'ExternalGroups',
Not(Equals(Join(",", Ref('GroupNames')), '')),
)
t.add_condition(
'ExternalUsers',
Not(Equals(Join(",", Ref('UserNames')), '')),
)
t.add_condition(
'CreatePolicy',
Or(
TropoCondition("ExternalRoles"),
TropoCondition("ExternalGroups"),
TropoCondition("ExternalUsers"),
))
t.add_resource(
iam.PolicyType(
FIREHOSE_WRITE_POLICY,
PolicyName='{}-firehose'.format(name_prefix),
PolicyDocument=firehose_write_policy(),
Roles=If("ExternalRoles", Ref("RoleNames"),
Ref("AWS::NoValue")),
Groups=If("ExternalGroups", Ref("GroupNames"),
Ref("AWS::NoValue")),
Users=If("ExternalUsers", Ref("UserNames"),
Ref("AWS::NoValue")),
Condition='CreatePolicy',
), )
t.add_resource(
iam.PolicyType(
LOGS_POLICY,
PolicyName='{}-logs'.format(name_prefix),
PolicyDocument=logs_policy(),
Roles=If("ExternalRoles", Ref("RoleNames"),
Ref("AWS::NoValue")),
Groups=If("ExternalGroups", Ref("GroupNames"),
Ref("AWS::NoValue")),
Users=If("ExternalUsers", Ref("UserNames"),
Ref("AWS::NoValue")),
Condition='CreatePolicy',
), )
def create_conditions(self):
self.template.add_condition("HasInternalDomain",
Not(Equals(Ref("InternalDomain"), "")))
self.template.add_condition("HasExternalDomain",
Not(Equals(Ref("BaseDomain"), "")))
self.template.add_condition(
"HasHostedZones",
Or(Condition("HasInternalDomain"), Condition("HasExternalDomain")))
self.template.add_condition("NoHostedZones",
Not(Condition("HasHostedZones")))
self.template.add_condition("UseNatGateway",
Equals(Ref("UseNatGateway"), "true"))
self.template.add_condition("UseNatInstances",
Not(Condition("UseNatGateway")))
def create_conditions(self):
t = self.template
t.add_condition("DefinedNotificationArn",
Not(Equals(Ref("NotificationTopicArn"), "")))
t.add_condition("DefinedPort", Not(Equals(Ref("Port"), "0")))
t.add_condition(
"DefinedAvailabilityZones",
Not(Equals(Join(",", Ref("PreferredCacheClusterAZs")), "")))
t.add_condition("DefinedSnapshotArns",
Not(Equals(Join(",", Ref("SnapshotArns")), "")))
t.add_condition("DefinedSnapshotWindow",
Not(Equals(Ref("SnapshotWindow"), "")))
# DNS Conditions
t.add_condition("HasInternalZone",
Not(Equals(Ref("InternalZoneId"), "")))
t.add_condition("HasInternalZoneName",
Not(Equals(Ref("InternalZoneName"), "")))
t.add_condition("HasInternalHostname",
Not(Equals(Ref("InternalHostname"), "")))
t.add_condition(
"CreateInternalHostname",
And(Condition("HasInternalZone"), Condition("HasInternalZoneName"),
Condition("HasInternalHostname")))
def add_conditions(self):
"""Set up AZ conditions."""
template = self.template
for i in range(AZS):
template.add_condition(
'PublicAZ%i' % (i + 1),
Not(Equals(Ref('PublicSubnet%i' % (i + 1)), '')))
template.add_condition(
'PrivateAZ%i' % (i + 1),
Not(Equals(Ref('PrivateSubnet%i' % (i + 1)), '')))
template.add_condition(
'CreateNATGateway%i' % (i + 1),
And(Condition('PublicAZ%i' % (i + 1)),
Condition('PrivateAZ%i' % (i + 1))))
def create_log_group_template():
template = Template(
Description="Child stack to maintain Lambda@Edge log groups")
log_group_name = template.add_parameter(
Parameter("LogGroupName", Type="String"))
log_retention_days = template.add_parameter(
Parameter(
"LogRetentionDays",
Type="Number",
Description=
"Days to keep Lambda@Edge logs. 0 means indefinite retention.",
AllowedValues=[0] + CLOUDWATCH_LOGS_RETENTION_OPTIONS,
))
retention_defined = add_condition(template, "RetentionDefined",
Not(Equals(Ref(log_retention_days), 0)))
template.add_resource(
LogGroup(
"EdgeLambdaLogGroup",
LogGroupName=Ref(log_group_name),
RetentionInDays=If(retention_defined, Ref(log_retention_days),
NoValue),
))
return template
def create_conditions(self):
t = self.template
t.add_condition(
'HasInternalZone',
Not(Equals(Ref('InternalZoneId'), '')))
t.add_condition(
'HasInternalZoneName',
Not(Equals(Ref('InternalZoneName'), '')))
t.add_condition(
'HasInternalHostname',
Not(Equals(Ref('InternalHostname'), '')))
t.add_condition(
'CreateInternalHostname',
And(Condition('HasInternalZone'),
Condition('HasInternalZoneName'),
Condition('HasInternalHostname')))
def create_kms_key(self):
t = self.template
t.add_condition("EncryptS3Bucket",
Not(Equals(Ref("EncryptS3Bucket"), "false")))
key_description = Join(
"",
["S3 Bucket kms encryption key for stack ",
Ref("AWS::StackName")])
key_use_arns = self.local_parameters["KeyUseArns"]
# auto add the created IAM Role
key_use_arns.append(GetAtt(IAM_ROLE, "Arn"))
key_admin_arns = self.local_parameters["KeyAdminArns"]
t.add_resource(
kms.Key(KMS_KEY,
Description=key_description,
Enabled=True,
EnableKeyRotation=Ref("EnableKeyRotation"),
KeyPolicy=kms_key_policy(key_use_arns, key_admin_arns),
Condition="EncryptS3Bucket"))
key_arn = Join("", [
"arn:aws:kms:",
Ref("AWS::Region"), ":",
Ref("AWS::AccountId"), ":key/",
Ref(KMS_KEY)
])
t.add_output(Output("KmsKeyArn", Value=key_arn))
def main(argv):
# Set up a blank template
t = Template()
# Add description
t.add_description("RDS Database")
# Add all defined input parameters to template
for p in parameters.values():
t.add_parameter(p)
t.add_condition("InstallPostgis", Not(Equals(Ref("ProvisionStackName"),
"")))
t.add_resource(gen_postgis_provisioner())
# Create instance and security group add to template
t.add_resource(gen_sg())
for resource in gen_rds_db(service_name):
t.add_resource(resource)
t.add_output(
Output("ConnectionString",
Description="Connection string for database",
Value=Join("", [GetAtt("DB", "Endpoint.Address"),
Ref("DB")])))
# Convert template to json
template = (t.to_json())
# Print template to console (for debugging) and write to file
print(template)
write_to_file(template)
def add_conditions(self):
"""Set up template conditions."""
template = self.template
variables = self.get_variables()
template.add_condition(
'SSHKeySpecified',
And(Not(Equals(variables['KeyName'].ref, '')),
Not(Equals(variables['KeyName'].ref, 'undefined'))))
template.add_condition(
'MissingVPNAMI',
Or(Equals(variables['VPNAMI'].ref, ''),
Equals(variables['VPNAMI'].ref, 'undefined')))
template.add_condition(
'RHELUserData', Not(Equals(variables['VPNOS'].ref,
'ubuntu-16.04')))
template.add_condition(
'ChefRunListSpecified',
And(Not(Equals(variables['ChefRunList'].ref, '')),
Not(Equals(variables['ChefRunList'].ref, 'undefined'))))
template.add_condition(
'PublicRouteTableSpecified',
And(Not(Equals(variables['PublicRouteTable'].ref, '')),
Not(Equals(variables['PublicRouteTable'].ref, 'undefined'))))
template.add_condition(
'PublicSubnetsOmitted',
Equals(Join('', variables['PublicSubnets'].ref), ''))
for i in range(AZS):
template.add_condition(
'%iPrivateSubnetsCreated' % (i + 1),
Equals(variables['PrivateSubnetCount'].ref, str(i + 1)))
template.add_condition(
'PrivateSubnetCountOmitted',
Equals(variables['PrivateSubnetCount'].ref, '0'))
def add_double_sided_condition(template, condition_name_base, conditional):
template.add_condition(
f"{condition_name_base}True",
conditional,
)
template.add_condition(f"{condition_name_base}False", Not(conditional))
return f"{condition_name_base}True", f"{condition_name_base}False"
def create_conditions(self):
self.template.add_condition(
"UseSSL",
Not(Equals(Ref("ControllerELBCertName"), "")))
self.template.add_condition(
"UseDNS",
Not(Equals(Ref("ExternalDomain"), "")))
self.template.add_condition(
"EnableStreamingLogs",
Equals(Ref("DisableStreamingLogs"), ""))
self.template.add_condition(
"HasGithubWebhooksSecret",
Not(Equals(Ref("EmpireGithubWebhooksSecret"), "")))
self.template.add_condition(
"HasGithubDeploymentEnvironment",
Not(Equals(Ref("EmpireGithubDeploymentsEnvironment"), "")))
self.template.add_condition(
"EnableSNSEvents",
Not(Equals(Ref("EnableSNSEvents"), "false")))
def add_conditions(self):
"""Add conditions to template."""
template = self.template
variables = self.get_variables()
template.add_condition('KmsKeyEnabled',
Not(Equals(variables['KmsKey'].ref, '')))
template.add_condition(
'CustomParameterGroup',
Not(Equals(variables['ParameterGroupName'].ref, '')))
template.add_condition(
'VpnAccessEnabled',
Not(Equals(variables['VPNSecurityGroup'].ref, '')))
template.add_condition(
'SnsTopicSpecified',
Not(Equals(Join('', variables['SNSTopic'].ref), '')))
template.add_condition(
'IdentifierSpecified',
Not(
Or(Equals(variables['RdsInstanceIdentifier'].ref, 'undefined'),
Equals(variables['RdsInstanceIdentifier'].ref, ''))))
template.add_condition(
'SnapshotSpecified',
Not(
Or(Equals(variables['RdsSnapshotIdentifier'].ref, 'undefined'),
Equals(variables['RdsSnapshotIdentifier'].ref, ''))))
def create_conditions(self):
t = self.template
t.add_condition(
"HasInternalZone",
Not(Equals(Ref("InternalZoneId"), "")))
t.add_condition(
"HasInternalZoneName",
Not(Equals(Ref("InternalZoneName"), "")))
t.add_condition(
"HasInternalHostname",
Not(Equals(Ref("InternalHostname"), "")))
t.add_condition(
"CreateInternalHostname",
And(Condition("HasInternalZone"),
Condition("HasInternalZoneName"),
Condition("HasInternalHostname")))
t.add_condition(
"HasProvisionedIOPS",
Not(Equals(Ref("IOPS"), "0")))
t.add_condition(
"HasStorageType",
Not(Equals(Ref("StorageType"), "default")))
t.add_condition(
"HasDBSnapshotIdentifier",
Not(Equals(Ref("DBSnapshotIdentifier"), "")))
def build_tags_list(t):
has_conditions = []
tags_list = []
for x in range(1, 11):
name = t.add_parameter(
Parameter(
"Tag%sName" % x,
Type="String",
Default="-NONE-",
))
value = t.add_parameter(
Parameter(
"Tag%sValue" % x,
Type="String",
Default="-NONE-",
))
t.add_condition(
"HasTag%s" % x,
Not(
Or(
Equals(Ref(name), "-NONE-"),
Equals(Ref(value), "-NONE-"),
), ),
)
has_conditions.append({"Fn::Condition": "HasTag%s" % x})
tags_list.append(
If(
"HasTag%s" % x,
{
"Key": Ref(name),
"Value": Ref(value),
},
NoValue,
), )
t.add_condition(
"HasTags",
Or(*has_conditions),
)
return If(
"HasTags",
TagsList(*tags_list),
NoValue,
)
def add_conditions(self):
"""Set up template conditions."""
template = self.template
variables = self.get_variables()
template.add_condition(
'AlarmDescriptionSpecified',
Not(Equals(variables['AlarmDescription'].ref, ''))
)
template.add_condition(
'AlarmNameSpecified',
Not(Equals(variables['AlarmName'].ref, ''))
)
template.add_condition(
'MetricDimensionSpecified',
Not(Equals(variables['DimensionName'].ref, ''))
)
template.add_condition(
'TreatMissingDataSpecified',
Not(Equals(variables['TreatMissingData'].ref, ''))
)
def __init__(
self,
vpc_configuration: VPCConfig,
existing_vpc: bool = False,
availability_zone: str = None,
description="Network build by NetworkTemplateBuilder",
):
self.__template = Template()
self.__template.set_version("2010-09-09")
self.__template.set_description(description)
self.__availability_zone = self.__get_availability_zone(availability_zone)
self.__vpc_config = vpc_configuration
self.__vpc, self.__additional_vpc_cidr_blocks = self.__get_vpc(existing_vpc)
self.__vpc_subnets = vpc_configuration.subnets
self.__gateway_id = self.__get_gateway_id()
self.__create_ig = self.__template.add_condition("CreateInternetGateway", Equals(self.__gateway_id, ""))
self.__existing_ig = self.__template.add_condition( # can't negate above condition with Not()
"ExistingInternetGateway", Not(Equals(self.__gateway_id, ""))
)
#
# Parameters
#
param_bucket_name = t.add_parameter(
Parameter(
'BucketName',
Description='Bucket name',
Default='',
Type='String',
AllowedPattern=r'[-\.a-z0-9]*',
))
#
# Condition
#
t.add_condition('HasBucketName', Not(Equals(Ref(param_bucket_name), '')))
#
# Resource
#
bucket = t.add_resource(
s3.Bucket(
'Bucket',
BucketName=If('HasBucketName', Ref(param_bucket_name),
Ref(AWS_NO_VALUE)),
LifecycleConfiguration=s3.LifecycleConfiguration(Rules=[
# Add a rule to
s3.LifecycleRule(
# Rule attributes
Id='S3BucketRule1',
Prefix='',
'Three',
Type='String',
),
Parameter(
'Four',
Type='String',
),
Parameter(
'SshKeyName',
Type='String',
)
])
t.add_condition('OneEqualsFoo', Equals(Ref('One'), 'Foo'))
t.add_condition('NotOneEqualsFoo', Not(Condition('OneEqualsFoo')))
t.add_condition('BarEqualsTwo', Equals('Bar', Ref('Two')))
t.add_condition('ThreeEqualsFour', Equals(Ref('Three'), Ref('Four')))
t.add_condition('OneEqualsFooOrBarEqualsTwo',
Or(Condition('OneEqualsFoo'), Condition('BarEqualsTwo')))
t.add_condition('OneEqualsFooAndNotBarEqualsTwo',
And(Condition('OneEqualsFoo'), Not(Condition('BarEqualsTwo'))))
t.add_condition(
'OneEqualsFooAndBarEqualsTwoAndThreeEqualsPft',
And(Condition('OneEqualsFoo'), Condition('BarEqualsTwo'),
Equals(Ref('Three'), 'Pft')))
def create_template(self) -> None:
"""Create template (main function called by Stacker)."""
template = self.template
template.add_version("2010-09-09")
template.add_description(
"Kubernetes workers via EKS - V1.0.0 "
"- compatible with amazon-eks-node-v23+"
)
# Metadata
template.add_metadata(
{
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "EKS Cluster"},
"Parameters": [
self.variables[i].name
for i in [
"ClusterName",
"ClusterControlPlaneSecurityGroup",
]
],
},
{
"Label": {"default": "Worker Node Configuration"},
"Parameters": [
self.variables[i].name
for i in [
"NodeGroupName",
"NodeAutoScalingGroupMinSize",
"NodeAutoScalingGroupMaxSize",
"UseDesiredInstanceCount",
"NodeInstanceType",
"NodeInstanceProfile",
"NodeImageId",
"NodeVolumeSize",
"KeyName",
"UseSpotInstances",
"SpotBidPrice",
"BootstrapArguments",
]
],
},
{
"Label": {"default": "Worker Network Configuration"},
"Parameters": [
self.variables[i].name for i in ["VpcId", "Subnets"]
],
},
]
}
}
)
# Conditions
template.add_condition(
"SetSpotPrice", Equals(self.variables["UseSpotInstances"].ref, "yes")
)
template.add_condition(
"DesiredInstanceCountSpecified",
Equals(self.variables["UseDesiredInstanceCount"].ref, "true"),
)
template.add_condition(
"KeyNameSpecified", Not(Equals(self.variables["KeyName"].ref, ""))
)
# Resources
nodesecuritygroup = template.add_resource(
ec2.SecurityGroup(
"NodeSecurityGroup",
GroupDescription="Security group for all nodes in the cluster",
Tags=[
{
"Key": Sub("kubernetes.io/cluster/${ClusterName}"),
"Value": "owned",
},
],
VpcId=self.variables["VpcId"].ref,
)
)
template.add_output(
Output(
"NodeSecurityGroup",
Description="Security group for all nodes in the cluster",
Value=nodesecuritygroup.ref(),
)
)
template.add_resource(
ec2.SecurityGroupIngress(
"NodeSecurityGroupIngress",
Description="Allow node to communicate with each other",
GroupId=nodesecuritygroup.ref(),
SourceSecurityGroupId=nodesecuritygroup.ref(),
IpProtocol="-1",
FromPort=0,
ToPort=65535,
)
)
template.add_resource(
ec2.SecurityGroupIngress(
"NodeSecurityGroupFromControlPlaneIngress",
Description="Allow worker Kubelets and pods to receive "
"communication from the cluster control plane",
GroupId=nodesecuritygroup.ref(),
SourceSecurityGroupId=self.variables[
"ClusterControlPlaneSecurityGroup"
].ref, # noqa
IpProtocol="tcp",
FromPort=1025,
ToPort=65535,
)
)
template.add_resource(
ec2.SecurityGroupEgress(
"ControlPlaneEgressToNodeSecurityGroup",
Description="Allow the cluster control plane to communicate "
"with worker Kubelet and pods",
GroupId=self.variables["ClusterControlPlaneSecurityGroup"].ref,
DestinationSecurityGroupId=nodesecuritygroup.ref(),
IpProtocol="tcp",
FromPort=1025,
ToPort=65535,
)
)
template.add_resource(
ec2.SecurityGroupIngress(
"NodeSecurityGroupFromControlPlaneOn443Ingress",
Description="Allow pods running extension API servers on port "
"443 to receive communication from cluster "
"control plane",
GroupId=nodesecuritygroup.ref(),
SourceSecurityGroupId=self.variables[
"ClusterControlPlaneSecurityGroup"
].ref, # noqa
IpProtocol="tcp",
FromPort=443,
ToPort=443,
)
)
template.add_resource(
ec2.SecurityGroupEgress(
"ControlPlaneEgressToNodeSecurityGroupOn443",
Description="Allow the cluster control plane to communicate "
"with pods running extension API servers on port "
"443",
GroupId=self.variables["ClusterControlPlaneSecurityGroup"].ref,
DestinationSecurityGroupId=nodesecuritygroup.ref(),
IpProtocol="tcp",
FromPort=443,
ToPort=443,
)
)
template.add_resource(
ec2.SecurityGroupIngress(
"ClusterControlPlaneSecurityGroupIngress",
Description="Allow pods to communicate with the cluster API " "Server",
GroupId=self.variables["ClusterControlPlaneSecurityGroup"].ref,
SourceSecurityGroupId=nodesecuritygroup.ref(),
IpProtocol="tcp",
FromPort=443,
ToPort=443,
)
)
nodelaunchconfig = template.add_resource(
autoscaling.LaunchConfiguration(
"NodeLaunchConfig",
AssociatePublicIpAddress=True,
IamInstanceProfile=self.variables["NodeInstanceProfile"].ref,
ImageId=self.variables["NodeImageId"].ref,
InstanceType=self.variables["NodeInstanceType"].ref,
KeyName=If("KeyNameSpecified", self.variables["KeyName"].ref, NoValue),
SecurityGroups=[nodesecuritygroup.ref()],
SpotPrice=If(
"SetSpotPrice", self.variables["SpotBidPrice"].ref, NoValue
),
BlockDeviceMappings=[
autoscaling.BlockDeviceMapping(
DeviceName="/dev/xvda",
Ebs=autoscaling.EBSBlockDevice(
VolumeSize=self.variables["NodeVolumeSize"].ref,
VolumeType="gp2",
DeleteOnTermination=True,
),
)
],
UserData=Base64(
Sub(
"\n".join(
[
"#!/bin/bash",
"set -o xtrace",
"/etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments}",
"/opt/aws/bin/cfn-signal --exit-code $? \\",
"--stack ${AWS::StackName} \\",
"--resource NodeGroup \\",
"--region ${AWS::Region}",
]
)
)
),
)
)
template.add_resource(
autoscaling.AutoScalingGroup(
"NodeGroup",
DesiredCapacity=If(
"DesiredInstanceCountSpecified",
self.variables["NodeAutoScalingGroupMaxSize"].ref,
NoValue,
),
LaunchConfigurationName=nodelaunchconfig.ref(),
MinSize=self.variables["NodeAutoScalingGroupMinSize"].ref,
MaxSize=self.variables["NodeAutoScalingGroupMaxSize"].ref,
VPCZoneIdentifier=self.variables["Subnets"].ref,
Tags=[
autoscaling.Tag(
"Name", Sub("${ClusterName}-${NodeGroupName}-Node"), True
),
autoscaling.Tag(
Sub("kubernetes.io/cluster/${ClusterName}"), "owned", True
),
],
UpdatePolicy=UpdatePolicy(
AutoScalingRollingUpdate=AutoScalingRollingUpdate(
MinInstancesInService="1", MaxBatchSize="1"
)
),
)
)
Default="redis",
Description="Cache engine (redis or memcached)",
Type="String",
AllowedValues=[
'redis',
'memcached',
],
ConstraintDescription="must select a valid cache engine.",
),
group="Cache",
label="Engine",
)
cache_condition = "CacheCondition"
template.add_condition(cache_condition,
Not(Equals(Ref(cache_node_type), dont_create_value)))
using_redis_condition = "UsingRedis"
template.add_condition(
using_redis_condition,
Equals(Ref(cache_engine), "redis"),
)
cache_security_group = ec2.SecurityGroup(
'CacheSecurityGroup',
template=template,
GroupDescription="Cache security group.",
Condition=cache_condition,
VpcId=Ref(vpc),
SecurityGroupIngress=[
# Redis in from web clusters
Parameter(
"BastionKeyName",
Description="Name of an existing EC2 KeyPair to enable SSH access to "
"the Bastion instance. This parameter is required even if "
"no Bastion AMI is specified (but will be unused).",
Type="AWS::EC2::KeyPair::KeyName",
ConstraintDescription="must be the name of an existing EC2 KeyPair.",
Default=dont_create_value,
),
group="Bastion Server",
label="SSH Key Name",
)
bastion_type_set = "BastionTypeSet"
template.add_condition(bastion_type_set,
Not(Equals(dont_create_value, Ref(bastion_type))))
bastion_type_is_openvpn_set = "BastionTypeIsOpenVPNSet"
template.add_condition(bastion_type_is_openvpn_set,
Equals("OpenVPN", Ref(bastion_type)))
bastion_type_is_ssh_set = "BastionTypeIsSSHSet"
template.add_condition(bastion_type_is_ssh_set, Equals("SSH",
Ref(bastion_type)))
bastion_ami_set = "BastionAMISet"
template.add_condition(bastion_ami_set, Not(Equals("", Ref(bastion_ami))))
bastion_type_and_ami_set = "BastionTypeAndAMISet"
template.add_condition(
bastion_type_and_ami_set,
))
use_aes256_encryption = Ref(template.add_parameter(
Parameter(
"UseAES256Encryption",
Description="Whether or not to use server side encryption for S3, EBS, and RDS. "
"When true, encryption is enabled for all resources.",
Type="String",
AllowedValues=["true", "false"],
Default="false",
),
group="Global",
label="Enable Encryption",
))
use_aes256_encryption_cond = "UseAES256EncryptionCond"
template.add_condition(use_aes256_encryption_cond, Equals(use_aes256_encryption, "true"))
cmk_arn = template.add_parameter(
Parameter(
"CustomerManagedCmkArn",
Description="KMS CMK ARN to encrypt stack resources (except for public buckets).",
Type="String",
Default="",
),
group="Global",
label="Customer managed key ARN",
)
use_cmk_arn = "CmkArnCondition"
template.add_condition(use_cmk_arn, Not(Equals(Ref(cmk_arn), "")))
