# Source: sigs.k8s.io/cluster-api-provider-aws@v1.5.5/cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_disable.yaml
#
# CloudFormation template declaring the IAM bootstrap resources for Cluster API
# Provider AWS: three instance profiles, three managed policies and three roles
# (control-plane, controllers, nodes). No eks:* action appears anywhere in the
# template, which matches the "with_eks_disable" file name.
# NOTE(review): the file sits under fixtures/, so it is presumably compared
# against generated output by a test; confirm before editing by hand, and
# change the generator instead if the policy itself needs tightening.
#
# Every IAM resource carries a fixed name (RoleName, InstanceProfileName,
# ManagedPolicyName) instead of a CloudFormation-generated one.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Instance profiles: each wraps exactly one of the roles defined at the end
  # of this template so that EC2 instances can be launched with that role.
  AWSIAMInstanceProfileControlPlane:
    Properties:
      InstanceProfileName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileControllers:
    Properties:
      InstanceProfileName: controllers.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControllers
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileNodes:
    Properties:
      InstanceProfileName: nodes.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::InstanceProfile
  # Managed policy for the Kubernetes cloud provider on control-plane instances.
  # It is a single Allow statement over Resource '*' with no Condition block,
  # and it mixes read-only Describe* calls with mutating EC2 and ELB actions
  # (security groups, routes, volumes, load balancers).
  # NOTE(review): none of the mutating actions is narrowed by resource ARN or
  # by a tag condition here; anything running with the control-plane role can
  # apply them to any matching resource in the account.
  AWSIAMManagedPolicyCloudProviderControlPlane:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS Control Plane
      ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeLaunchConfigurations
          - autoscaling:DescribeTags
          - ec2:DescribeInstances
          - ec2:DescribeImages
          - ec2:DescribeRegions
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVolumes
          - ec2:CreateSecurityGroup
          - ec2:CreateTags
          - ec2:CreateVolume
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyVolume
          - ec2:AttachVolume
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateRoute
          - ec2:DeleteRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteVolume
          - ec2:DetachVolume
          - ec2:RevokeSecurityGroupIngress
          - ec2:DescribeVpcs
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:AttachLoadBalancerToSubnets
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:CreateLoadBalancerPolicy
          - elasticloadbalancing:CreateLoadBalancerListeners
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteLoadBalancerListeners
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:DetachLoadBalancerFromSubnets
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
          - elasticloadbalancing:CreateListener
          - elasticloadbalancing:CreateTargetGroup
          - elasticloadbalancing:DeleteListener
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeListeners
          - elasticloadbalancing:DescribeLoadBalancerPolicies
          - elasticloadbalancing:DescribeTargetGroups
          - elasticloadbalancing:DescribeTargetHealth
          - elasticloadbalancing:ModifyListener
          - elasticloadbalancing:ModifyTargetGroup
          - elasticloadbalancing:RegisterTargets
          - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
          # NOTE(review): unlike the controllers policy in this template, this
          # grant has no iam:AWSServiceName condition and no role ARN scope.
          - iam:CreateServiceLinkedRole
          - kms:DescribeKey
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Managed policy for worker nodes. The Roles list attaches it to the
  # control-plane role as well as the nodes role.
  AWSIAMManagedPolicyCloudProviderNodes:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS nodes
      ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # Statement 1: instance/region lookups and read-only ECR access
        # (auth token, layer and image reads) on every resource.
        - Action:
          - ec2:DescribeInstances
          - ec2:DescribeRegions
          - ecr:GetAuthorizationToken
          - ecr:BatchCheckLayerAvailability
          - ecr:GetDownloadUrlForLayer
          - ecr:GetRepositoryPolicy
          - ecr:DescribeRepositories
          - ecr:ListImages
          - ecr:BatchGetImage
          Effect: Allow
          Resource:
          - '*'
        # Statement 2: read and delete Secrets Manager secrets whose name starts
        # with "aws.cluster.x-k8s.io/". Partition, region and account are
        # wildcards and the pattern carries no per-cluster or per-machine
        # component.
        # NOTE(review): every instance holding this role can therefore read or
        # delete any secret under that prefix, not only its own; worth checking
        # how long such secrets live and what they hold.
        - Action:
          - secretsmanager:DeleteSecret
          - secretsmanager:GetSecretValue
          Effect: Allow
          Resource:
          - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        # Statement 3: SSM agent registration and Session Manager channels,
        # plus s3:GetEncryptionConfiguration, on every resource.
        - Action:
          - ssm:UpdateInstanceInformation
          - ssmmessages:CreateControlChannel
          - ssmmessages:CreateDataChannel
          - ssmmessages:OpenControlChannel
          - ssmmessages:OpenDataChannel
          - s3:GetEncryptionConfiguration
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::ManagedPolicy
  # Managed policy for the Cluster API Provider AWS controllers. The Roles list
  # attaches it to the control-plane role as well as the controllers role, so
  # control-plane instances hold these permissions too.
  AWSIAMManagedPolicyControllers:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        # Statement 1: VPC/network lifecycle, instance launch and termination,
        # classic ELB management and launch templates, all on Resource '*'
        # with no Condition block.
        - Action:
          - ec2:AllocateAddress
          - ec2:AssociateRouteTable
          - ec2:AttachInternetGateway
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateInternetGateway
          - ec2:CreateNatGateway
          - ec2:CreateRoute
          - ec2:CreateRouteTable
          - ec2:CreateSecurityGroup
          - ec2:CreateSubnet
          - ec2:CreateTags
          - ec2:CreateVpc
          - ec2:ModifyVpcAttribute
          - ec2:DeleteInternetGateway
          - ec2:DeleteNatGateway
          - ec2:DeleteRouteTable
          - ec2:ReplaceRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteSubnet
          - ec2:DeleteTags
          - ec2:DeleteVpc
          - ec2:DescribeAccountAttributes
          - ec2:DescribeAddresses
          - ec2:DescribeAvailabilityZones
          - ec2:DescribeInstances
          - ec2:DescribeInternetGateways
          - ec2:DescribeImages
          - ec2:DescribeNatGateways
          - ec2:DescribeNetworkInterfaces
          - ec2:DescribeNetworkInterfaceAttribute
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVpcs
          - ec2:DescribeVpcAttribute
          - ec2:DescribeVolumes
          - ec2:DetachInternetGateway
          - ec2:DisassociateRouteTable
          - ec2:DisassociateAddress
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyNetworkInterfaceAttribute
          - ec2:ModifySubnetAttribute
          - ec2:ReleaseAddress
          - ec2:RevokeSecurityGroupIngress
          - ec2:RunInstances
          - ec2:TerminateInstances
          - tag:GetResources
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:DescribeTags
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:RemoveTags
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeInstanceRefreshes
          - ec2:CreateLaunchTemplate
          - ec2:CreateLaunchTemplateVersion
          - ec2:DescribeLaunchTemplates
          - ec2:DescribeLaunchTemplateVersions
          - ec2:DeleteLaunchTemplate
          - ec2:DeleteLaunchTemplateVersions
          - ec2:DescribeKeyPairs
          Effect: Allow
          Resource:
          - '*'
        # Statement 2: mutating Auto Scaling actions, limited to Auto Scaling
        # group ARNs (any partition, region, account and group name).
        - Action:
          - autoscaling:CreateAutoScalingGroup
          - autoscaling:UpdateAutoScalingGroup
          - autoscaling:CreateOrUpdateTags
          - autoscaling:StartInstanceRefresh
          - autoscaling:DeleteAutoScalingGroup
          - autoscaling:DeleteTags
          Effect: Allow
          Resource:
          - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
        # Statements 3-5: service-linked role creation, each pinned twice: the
        # iam:AWSServiceName condition names one service and the Resource names
        # that service's role ARN. The StringLike values contain no wildcard.
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: autoscaling.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: elasticloadbalancing.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: spot.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
        # Statement 6: iam:PassRole for any role whose name ends in
        # ".cluster-api-provider-aws.sigs.k8s.io". That suffix covers all three
        # roles defined in this template, including the controllers role itself.
        # NOTE(review): there is no iam:PassedToService condition, and the
        # match is by name suffix only, so any other role created with that
        # suffix becomes passable as well. Together with ec2:RunInstances in
        # statement 1, role naming is what bounds the permissions of launched
        # instances; restrict who may create roles with this suffix.
        - Action:
          - iam:PassRole
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
        # Statement 7: create, tag and delete Secrets Manager secrets under the
        # "aws.cluster.x-k8s.io/" name prefix, the same prefix the nodes policy
        # is allowed to read.
        - Action:
          - secretsmanager:CreateSecret
          - secretsmanager:DeleteSecret
          - secretsmanager:TagResource
          Effect: Allow
          Resource:
          - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # Roles: all three share the same trust policy, which lets the EC2 service
  # (ec2.amazonaws.com) assume the role. None declares inline policies; their
  # permissions come only from the managed policies above that list them under
  # Roles. The control-plane role is listed by all three managed policies.
  AWSIAMRoleControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: control-plane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleControllers:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleNodes:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: nodes.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role