pcs-iip-minimal.yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Minimal IAM instance profile for AWS PCS compute node groups.
  This template creates an IAM instance profile with a role that has the minimum permissions
  required for AWS PCS compute node group instances (pcs:RegisterComputeNodeGroupInstance).
  Optionally, the role can also grant PCS-managed instances access to AWS Systems Manager,
  read-only access to Amazon S3, and the permissions used by the Amazon CloudWatch agent.
  Check the Outputs tab of this stack for useful details about the resources created by this template.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: IAM Instance Profile Settings
        Parameters:
          - RoleName
          - EnableSsm
          - EnableS3ReadOnly
          - EnableCloudwatchAgent
Parameters:
  RoleName:
    Type: String
    Default: MinimalRole
    Description: Name of the AWS PCS IAM role. Must be unique in your account (IAM role names are global, not per-Region). The role is created as "AWSPCS-<RoleName>-role" and the instance profile as "AWSPCS-<RoleName>".
  EnableSsm:
    Type: String
    Default: "True"
    Description: "Enable AWS Systems Manager on instances (attaches AmazonSSMManagedInstanceCore)"
    AllowedValues:
      - "True"
      - "False"
  EnableS3ReadOnly:
    Type: String
    Default: "True"
    Description: "Grant instances read-only access to Amazon S3 (attaches AmazonS3ReadOnlyAccess, which covers every bucket in the account)"
    AllowedValues:
      - "True"
      - "False"
  EnableCloudwatchAgent:
    Type: String
    Default: "False"
    Description: "Grant instances permissions to use the Amazon CloudWatch agent (attaches CloudWatchAgentServerPolicy)"
    AllowedValues:
      - "True"
      - "False"
Conditions:
  EnableSsmCondition: !Equals [!Ref EnableSsm, "True"]
  EnableS3ReadOnlyCondition: !Equals [!Ref EnableS3ReadOnly, "True"]
  EnableCloudwatchAgentCondition: !Equals [!Ref EnableCloudwatchAgent, "True"]
Resources:
  PcsInstanceIamRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "AWSPCS-${RoleName}-role"
      Description: "AWS IAM role for PCS node group instances"
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - !If
          - EnableSsmCondition
          - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
          - !Ref AWS::NoValue
        - !If
          - EnableS3ReadOnlyCondition
          - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
          - !Ref AWS::NoValue
        - !If
          - EnableCloudwatchAgentCondition
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
          - !Ref AWS::NoValue
      Policies:
        - PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  - pcs:RegisterComputeNodeGroupInstance
                Effect: Allow
                Resource: "*"
          PolicyName: PcsRegisterInstancePolicy
  PcsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref PcsInstanceIamRole
      InstanceProfileName: !Sub "AWSPCS-${RoleName}"
Outputs:
  InstanceProfile:
    Value: !Ref PcsInstanceProfile
  InstanceProfileArn:
    Value: !GetAtt PcsInstanceProfile.Arn
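The three `!If ... !Ref AWS::NoValue` entries are the whole mechanism of this template: CloudFormation evaluates each Condition against the parameter values and drops list entries that resolve to `AWS::NoValue`, so the attached managed policies depend entirely on which flags are `"True"`. The script below is an added example (not part of this template or of AWS PCS) that transcribes the role's properties into CloudFormation's JSON form (`Fn::If`, `Fn::Equals`, `Ref`, `Fn::Sub` instead of the YAML tags), resolves them offline for a given parameter set, and reports exactly which policy ARNs and role name a deployment would produce. It also builds a bucket-scoped read policy as a least-privilege alternative to `AmazonS3ReadOnlyAccess`, which grants read access to every bucket in the account; the bucket name and prefix are caller-supplied placeholders, not values from the template.

```python
"""Resolve what pcs-iip-minimal.yaml actually attaches for a parameter set.

Added example, not the template's or AWS PCS's own code. Only the intrinsic
functions this template uses are implemented (Ref, Fn::Equals, Fn::If,
Fn::Sub with ${Param}); AWS::NoValue entries are pruned from lists the
way CloudFormation prunes them.
"""
import json
import re

NO_VALUE = object()  # sentinel standing in for !Ref AWS::NoValue

# Transcribed from the template's Parameters defaults and Conditions.
PARAM_DEFAULTS = {
    "RoleName": "MinimalRole",
    "EnableSsm": "True",
    "EnableS3ReadOnly": "True",
    "EnableCloudwatchAgent": "False",
}
CONDITIONS = {
    "EnableSsmCondition": {"Fn::Equals": [{"Ref": "EnableSsm"}, "True"]},
    "EnableS3ReadOnlyCondition": {"Fn::Equals": [{"Ref": "EnableS3ReadOnly"}, "True"]},
    "EnableCloudwatchAgentCondition": {"Fn::Equals": [{"Ref": "EnableCloudwatchAgent"}, "True"]},
}
# Transcribed from Resources.PcsInstanceIamRole.Properties (JSON form).
ROLE_PROPERTIES = {
    "RoleName": {"Fn::Sub": "AWSPCS-${RoleName}-role"},
    "ManagedPolicyArns": [
        {"Fn::If": ["EnableSsmCondition",
                    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                    {"Ref": "AWS::NoValue"}]},
        {"Fn::If": ["EnableS3ReadOnlyCondition",
                    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                    {"Ref": "AWS::NoValue"}]},
        {"Fn::If": ["EnableCloudwatchAgentCondition",
                    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                    {"Ref": "AWS::NoValue"}]},
    ],
    "Policies": [{
        "PolicyName": "PcsRegisterInstancePolicy",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["pcs:RegisterComputeNodeGroupInstance"],
                           "Resource": "*"}],
        },
    }],
}


def resolve(node, params, conditions):
    """Recursively evaluate the intrinsic functions in `node`."""
    if isinstance(node, list):
        resolved = [resolve(item, params, conditions) for item in node]
        return [v for v in resolved if v is not NO_VALUE]  # prune AWS::NoValue
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        return NO_VALUE if node["Ref"] == "AWS::NoValue" else params[node["Ref"]]
    if "Fn::Equals" in node:
        left, right = [resolve(x, params, conditions) for x in node["Fn::Equals"]]
        return left == right
    if "Fn::If" in node:
        cond_name, if_true, if_false = node["Fn::If"]
        chosen = if_true if resolve(conditions[cond_name], params, conditions) else if_false
        return resolve(chosen, params, conditions)
    if "Fn::Sub" in node:
        return re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), node["Fn::Sub"])
    return {key: resolve(value, params, conditions) for key, value in node.items()}


def effective_role(overrides=None):
    """Role properties as CloudFormation would resolve them for defaults + overrides."""
    params = {**PARAM_DEFAULTS, **(overrides or {})}
    for name, value in params.items():  # mirror the template's AllowedValues
        if name != "RoleName" and value not in ("True", "False"):
            raise ValueError(f"{name} must be 'True' or 'False', got {value!r}")
    return resolve(ROLE_PROPERTIES, params, CONDITIONS)


def managed_policies(overrides=None):
    """Managed policy ARNs that would actually be attached."""
    return effective_role(overrides)["ManagedPolicyArns"]


def scoped_s3_read_policy(bucket, prefix=""):
    """Least-privilege alternative to AmazonS3ReadOnlyAccess for one bucket/prefix.
    `bucket` and `prefix` are placeholders chosen by the caller (assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


if __name__ == "__main__":
    for label, overrides in [("defaults", {}), ("no S3", {"EnableS3ReadOnly": "False"})]:
        role = effective_role(overrides)
        print(f"{label}: {role['RoleName']} -> {role['ManagedPolicyArns']}")
    # constructed placeholder bucket name, not one from the template
    print(json.dumps(scoped_s3_read_policy("example-pcs-input", "jobs/"), indent=2))
```

With the defaults the role gets `AmazonSSMManagedInstanceCore` and `AmazonS3ReadOnlyAccess`; setting `EnableS3ReadOnly=False` and adding the scoped policy under `Policies` keeps nodes limited to the data they need. Because the template sets `RoleName` and `InstanceProfileName` explicitly, deploying it requires `CAPABILITY_NAMED_IAM` rather than plain `CAPABILITY_IAM`.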