# Fixture: cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml
# (sigs.k8s.io/cluster-api-provider-aws v1.5.5)
#
# CloudFormation template describing the IAM instance profiles, managed policies
# and roles that `clusterawsadm` bootstraps into an AWS account. Judging by the
# path this is the expected output for a bootstrap configuration with the SSM
# secret backend enabled — confirm against the test that loads it. Presumably a
# golden file compared verbatim, so the comments below are review annotations
# and would not survive without regenerating the fixture.
#
# Layout conventions observed in this file: keys are emitted in alphabetical
# order (Properties before Type, Statement before Version), policy `Version`
# and `AWSTemplateFormatVersion` are unquoted dates, and every resource name
# ends in `.cluster-api-provider-aws.sigs.k8s.io`.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # --- Instance profiles ------------------------------------------------------
  # One profile per role; each profile name equals the RoleName of the role it
  # wraps (control-plane / controllers / nodes).
  AWSIAMInstanceProfileControlPlane:
    Properties:
      InstanceProfileName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileControllers:
    Properties:
      InstanceProfileName: controllers.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleControllers
    Type: AWS::IAM::InstanceProfile
  AWSIAMInstanceProfileNodes:
    Properties:
      InstanceProfileName: nodes.cluster-api-provider-aws.sigs.k8s.io
      Roles:
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::InstanceProfile
  # --- Cloud-provider policy: control plane -----------------------------------
  # Single Allow statement on Resource '*' covering autoscaling/ec2/elb
  # describe-and-mutate actions plus iam:CreateServiceLinkedRole and
  # kms:DescribeKey. Attached to the control-plane role only.
  # NOTE(review): nothing here is resource- or condition-scoped, so the
  # control-plane instances can act on any EC2/ELB object in the account.
  AWSIAMManagedPolicyCloudProviderControlPlane:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS Control Plane
      ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeLaunchConfigurations
          - autoscaling:DescribeTags
          - ec2:DescribeInstances
          - ec2:DescribeImages
          - ec2:DescribeRegions
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVolumes
          - ec2:CreateSecurityGroup
          - ec2:CreateTags
          - ec2:CreateVolume
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyVolume
          - ec2:AttachVolume
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateRoute
          - ec2:DeleteRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteVolume
          - ec2:DetachVolume
          - ec2:RevokeSecurityGroupIngress
          - ec2:DescribeVpcs
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:AttachLoadBalancerToSubnets
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:CreateLoadBalancerPolicy
          - elasticloadbalancing:CreateLoadBalancerListeners
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteLoadBalancerListeners
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:DetachLoadBalancerFromSubnets
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
          - elasticloadbalancing:CreateListener
          - elasticloadbalancing:CreateTargetGroup
          - elasticloadbalancing:DeleteListener
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeListeners
          - elasticloadbalancing:DescribeLoadBalancerPolicies
          - elasticloadbalancing:DescribeTargetGroups
          - elasticloadbalancing:DescribeTargetHealth
          - elasticloadbalancing:ModifyListener
          - elasticloadbalancing:ModifyTargetGroup
          - elasticloadbalancing:RegisterTargets
          - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
          - iam:CreateServiceLinkedRole
          - kms:DescribeKey
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # --- Cloud-provider policy: nodes -------------------------------------------
  # Attached to BOTH the control-plane and the nodes role (see Roles below).
  # Three statements:
  #   1. ec2 describe + ecr read on '*'  (image pulls from private registries)
  #   2. ssm:GetParameter / ssm:DeleteParameter, scoped to the
  #      `parameter/cluster.x-k8s.io/*` prefix — this is the SSM secret-backend
  #      read side; the scoping means instances cannot read parameters outside
  #      that prefix, and DeleteParameter lets them remove the entry once read
  #      (the deletion-after-read behaviour is inferred from the actions, not
  #      shown here — confirm in the bootstrap code).
  #   3. ssm:UpdateInstanceInformation + ssmmessages:* channel actions and
  #      s3:GetEncryptionConfiguration on '*'.
  AWSIAMManagedPolicyCloudProviderNodes:
    Properties:
      Description: For the Kubernetes Cloud Provider AWS nodes
      ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - ec2:DescribeInstances
          - ec2:DescribeRegions
          - ecr:GetAuthorizationToken
          - ecr:BatchCheckLayerAvailability
          - ecr:GetDownloadUrlForLayer
          - ecr:GetRepositoryPolicy
          - ecr:DescribeRepositories
          - ecr:ListImages
          - ecr:BatchGetImage
          Effect: Allow
          Resource:
          - '*'
        - Action:
          - ssm:DeleteParameter
          - ssm:GetParameter
          Effect: Allow
          Resource:
          # Partition, region and account are wildcarded; only the parameter
          # name prefix is fixed.
          - arn:*:ssm:*:*:parameter/cluster.x-k8s.io/*
        - Action:
          - ssm:UpdateInstanceInformation
          - ssmmessages:CreateControlChannel
          - ssmmessages:CreateDataChannel
          - ssmmessages:OpenControlChannel
          - ssmmessages:OpenDataChannel
          - s3:GetEncryptionConfiguration
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControlPlane
      - Ref: AWSIAMRoleNodes
    Type: AWS::IAM::ManagedPolicy
  # --- Controllers policy (non-EKS) -------------------------------------------
  # Attached to the controllers role AND the control-plane role, so
  # control-plane instances hold the full infrastructure-management set.
  # Statement summary:
  #   1. VPC/subnet/gateway/route/SG/ELB/launch-template lifecycle, plus
  #      ec2:RunInstances and ec2:TerminateInstances, on Resource '*'.
  #   2. Auto Scaling group lifecycle, scoped to autoScalingGroup ARNs.
  #   3-5. iam:CreateServiceLinkedRole for autoscaling / elasticloadbalancing /
  #      spot, each limited by a StringLike on iam:AWSServiceName and to the
  #      matching aws-service-role ARN.
  #   6. iam:PassRole limited to roles named `*.cluster-api-provider-aws.sigs.k8s.io`
  #      (i.e. the roles this template creates).
  #   7. ssm:PutParameter / DeleteParameter / AddTagsToResource on the
  #      `parameter/cluster.x-k8s.io/*` prefix — the SSM secret-backend write
  #      side that pairs with the nodes policy's read side above.
  # NOTE(review): statement 1 grants RunInstances/TerminateInstances on '*'
  # with no tag or resource condition; that is as wide as the account.
  AWSIAMManagedPolicyControllers:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - ec2:AllocateAddress
          - ec2:AssociateRouteTable
          - ec2:AttachInternetGateway
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:CreateInternetGateway
          - ec2:CreateNatGateway
          - ec2:CreateRoute
          - ec2:CreateRouteTable
          - ec2:CreateSecurityGroup
          - ec2:CreateSubnet
          - ec2:CreateTags
          - ec2:CreateVpc
          - ec2:ModifyVpcAttribute
          - ec2:DeleteInternetGateway
          - ec2:DeleteNatGateway
          - ec2:DeleteRouteTable
          - ec2:ReplaceRoute
          - ec2:DeleteSecurityGroup
          - ec2:DeleteSubnet
          - ec2:DeleteTags
          - ec2:DeleteVpc
          - ec2:DescribeAccountAttributes
          - ec2:DescribeAddresses
          - ec2:DescribeAvailabilityZones
          - ec2:DescribeInstances
          - ec2:DescribeInternetGateways
          - ec2:DescribeImages
          - ec2:DescribeNatGateways
          - ec2:DescribeNetworkInterfaces
          - ec2:DescribeNetworkInterfaceAttribute
          - ec2:DescribeRouteTables
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets
          - ec2:DescribeVpcs
          - ec2:DescribeVpcAttribute
          - ec2:DescribeVolumes
          - ec2:DetachInternetGateway
          - ec2:DisassociateRouteTable
          - ec2:DisassociateAddress
          - ec2:ModifyInstanceAttribute
          - ec2:ModifyNetworkInterfaceAttribute
          - ec2:ModifySubnetAttribute
          - ec2:ReleaseAddress
          - ec2:RevokeSecurityGroupIngress
          - ec2:RunInstances
          - ec2:TerminateInstances
          - tag:GetResources
          - elasticloadbalancing:AddTags
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:ConfigureHealthCheck
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:DescribeLoadBalancers
          - elasticloadbalancing:DescribeLoadBalancerAttributes
          - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
          - elasticloadbalancing:DescribeTags
          - elasticloadbalancing:ModifyLoadBalancerAttributes
          - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
          - elasticloadbalancing:RemoveTags
          - autoscaling:DescribeAutoScalingGroups
          - autoscaling:DescribeInstanceRefreshes
          - ec2:CreateLaunchTemplate
          - ec2:CreateLaunchTemplateVersion
          - ec2:DescribeLaunchTemplates
          - ec2:DescribeLaunchTemplateVersions
          - ec2:DeleteLaunchTemplate
          - ec2:DeleteLaunchTemplateVersions
          - ec2:DescribeKeyPairs
          Effect: Allow
          Resource:
          - '*'
        - Action:
          - autoscaling:CreateAutoScalingGroup
          - autoscaling:UpdateAutoScalingGroup
          - autoscaling:CreateOrUpdateTags
          - autoscaling:StartInstanceRefresh
          - autoscaling:DeleteAutoScalingGroup
          - autoscaling:DeleteTags
          Effect: Allow
          Resource:
          - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: autoscaling.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: elasticloadbalancing.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: spot.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
        - Action:
          - iam:PassRole
          Effect: Allow
          Resource:
          # Only roles with this name suffix can be passed to EC2 instances;
          # keeps the controllers from attaching arbitrary roles to machines.
          - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
        - Action:
          - ssm:PutParameter
          - ssm:DeleteParameter
          - ssm:AddTagsToResource
          Effect: Allow
          Resource:
          - arn:*:ssm:*:*:parameter/cluster.x-k8s.io/*
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # --- Controllers policy (EKS) -----------------------------------------------
  # Also attached to both the controllers and control-plane roles.
  # Statement summary:
  #   1. ssm:GetParameter scoped to the public
  #      `parameter/aws/service/eks/optimized-ami/*` prefix (AMI lookup).
  #   2-4. iam:CreateServiceLinkedRole for eks / eks-nodegroup / eks-fargate,
  #      each limited by StringLike on iam:AWSServiceName.
  #   5. iam:GetRole + iam:ListAttachedRolePolicies on every role (`role/*`).
  #   6. iam:GetPolicy on the AmazonEKSClusterPolicy managed policy.
  #   7. EKS cluster/nodegroup lifecycle scoped to cluster/* and
  #      nodegroup/*/*/* ARNs.
  #   8. EKS add-on / Fargate-profile lifecycle and VPC CIDR association on '*'.
  #   9. iam:PassRole on '*', but restricted by StringEquals
  #      iam:PassedToService = eks.amazonaws.com, so only the EKS service can be
  #      the recipient.
  #  10. kms:CreateGrant / kms:DescribeKey on '*', restricted by
  #      ForAnyValue:StringLike on kms:ResourceAliases to keys aliased
  #      `alias/cluster-api-provider-aws-*`.
  # NOTE(review): the eks-fargate statement differs from its siblings in two
  # ways — the condition names `eks-fargate.amazonaws.com` while the role path
  # is `eks-fargate-pods.amazonaws.com`, and the partition is hard-coded to
  # `arn:aws:` rather than `arn:*:`. Whether that matches the actual
  # service-linked role and is intended for non-`aws` partitions is not
  # verifiable from this file — confirm.
  AWSIAMManagedPolicyControllersEKS:
    Properties:
      Description: For the Kubernetes Cluster API Provider AWS Controllers
      ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io
      PolicyDocument:
        Statement:
        - Action:
          - ssm:GetParameter
          Effect: Allow
          Resource:
          - arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks-nodegroup.amazonaws.com
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
        - Action:
          - iam:CreateServiceLinkedRole
          Condition:
            StringLike:
              iam:AWSServiceName: eks-fargate.amazonaws.com
          Effect: Allow
          Resource:
          - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
        - Action:
          - iam:GetRole
          - iam:ListAttachedRolePolicies
          Effect: Allow
          Resource:
          - arn:*:iam::*:role/*
        - Action:
          - iam:GetPolicy
          Effect: Allow
          Resource:
          # Partition hard-coded to `aws` here and in ManagedPolicyArns below,
          # unlike the `arn:*:` resources elsewhere in this template.
          - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        - Action:
          - eks:DescribeCluster
          - eks:ListClusters
          - eks:CreateCluster
          - eks:TagResource
          - eks:UpdateClusterVersion
          - eks:DeleteCluster
          - eks:UpdateClusterConfig
          - eks:UntagResource
          - eks:UpdateNodegroupVersion
          - eks:DescribeNodegroup
          - eks:DeleteNodegroup
          - eks:UpdateNodegroupConfig
          - eks:CreateNodegroup
          - eks:AssociateEncryptionConfig
          - eks:ListIdentityProviderConfigs
          - eks:AssociateIdentityProviderConfig
          - eks:DescribeIdentityProviderConfig
          - eks:DisassociateIdentityProviderConfig
          Effect: Allow
          Resource:
          - arn:*:eks:*:*:cluster/*
          - arn:*:eks:*:*:nodegroup/*/*/*
        - Action:
          - ec2:AssociateVpcCidrBlock
          - ec2:DisassociateVpcCidrBlock
          - eks:ListAddons
          - eks:CreateAddon
          - eks:DescribeAddonVersions
          - eks:DescribeAddon
          - eks:DeleteAddon
          - eks:UpdateAddon
          - eks:TagResource
          - eks:DescribeFargateProfile
          - eks:CreateFargateProfile
          - eks:DeleteFargateProfile
          Effect: Allow
          Resource:
          - '*'
        - Action:
          - iam:PassRole
          Condition:
            StringEquals:
              iam:PassedToService: eks.amazonaws.com
          Effect: Allow
          Resource:
          - '*'
        - Action:
          - kms:CreateGrant
          - kms:DescribeKey
          Condition:
            ForAnyValue:StringLike:
              kms:ResourceAliases: alias/cluster-api-provider-aws-*
          Effect: Allow
          Resource:
          - '*'
        Version: 2012-10-17
      Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
    Type: AWS::IAM::ManagedPolicy
  # --- Roles ------------------------------------------------------------------
  # The three instance roles trust only ec2.amazonaws.com; the EKS control-plane
  # role trusts only eks.amazonaws.com. No cross-account principals appear.
  AWSIAMRoleControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: control-plane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  AWSIAMRoleControllers:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Role handed to the EKS service for managed control planes; it is the
  # target of the iam:PassRole statement conditioned on eks.amazonaws.com in
  # AWSIAMManagedPolicyControllersEKS.
  AWSIAMRoleEKSControlPlane:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - eks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      RoleName: eks-controlplane.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role
  # Worker-node role: the customer-managed nodes policy above plus the AWS
  # managed EKS worker and CNI policies.
  AWSIAMRoleNodes:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - ec2.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
      - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
      RoleName: nodes.cluster-api-provider-aws.sigs.k8s.io
    Type: AWS::IAM::Role