CloudFormation Samples
from navio.aws import AWSCloudFormation, AWSLogs, AWSACM
from navio.builder import task, nsh, sh
def _param(key, value):
    """Return one stack parameter in the shape CloudFormation expects."""
    return {'ParameterKey': key, 'ParameterValue': value}


# Stacks this script deploys (aws_stack) versus stacks it only reads
# outputs from (aws_stack_ro). The Vpc stack is owned by a separate script.
aws_stack = {}
aws_stack_ro = {}

aws_stack_ro['vpc.dev'] = AWSCloudFormation(
    profile_name='company.dev',
    stack_name='Vpc',
)

_vpc_dev = aws_stack_ro['vpc.dev']
_eks_log_group = '/aws/eks/apps/cluster'
# Subnet outputs handed to the cluster, in this order. SubnetEId is not in
# the list -- presumably intentional; confirm against the Vpc stack.
_eks_subnet_outputs = ('SubnetAId', 'SubnetBId', 'SubnetCId', 'SubnetDId', 'SubnetFId')

# EKS infra stack: the main template plus the nested templates listed in
# `includes`, all uploaded to `s3_uri` before deployment. Every output()
# call below hits the live Vpc stack at import time.
aws_stack['infra.dev'] = AWSCloudFormation(
    profile_name='company.dev',
    stack_name='EksInfra',
    template='eks-infra.yaml',
    on_failure='DELETE',
    includes=['securitygroups.yaml', 'logs.yaml'],
    s3_uri='s3://company.aws-distribs/infrastructure/eks-infra/',
    parameters=[
        _param('pEnvironment', 'dev'),
        _param('pVpcCidr', _vpc_dev.output('VpcCidr')),
        _param('pVpcId', _vpc_dev.output('VpcId')),
        # The template declares pSubnetsIds as a CommaDelimitedList.
        _param('pSubnetsIds', ','.join(_vpc_dev.output(name) for name in _eks_subnet_outputs)),
        _param('pClusterName', 'apps'),
        _param('pEksInfraLogGroupName', _eks_log_group),
        # 'true' only when the group does not exist yet, so the Logs nested
        # stack creates it; otherwise the existing group is reused as-is.
        _param(
            'pCreateEksInfraLogGroup',
            'false' if AWSLogs(profile_name='company.dev').group_exists(group_name=_eks_log_group) else 'true',
        ),
    ],
)
from navio.builder import task
from navio.aws import AWSCloudFormation
# Parameters for the dev VPC, in the order the template lists them.
# pRegionAZ1Name is not passed, so the template default applies; all of
# AZ2..AZ6 are set, so the template creates six /24 subnets. With
# pSubnetsHasPublicIp 'true' every subnet hands out public IPs on launch.
_VPC_DEV_PARAMETERS = (
    ('pEnvironment', 'dev'),
    ('pVpcName', 'dev'),
    ('pVpcCidr', '10.50.0.0/16'),
    ('pSubnetsHasPublicIp', 'true'),
    ('pUseIpv6', 'false'),
    ('pRegionAZ2Name', 'us-east-1b'),
    ('pRegionAZ3Name', 'us-east-1c'),
    ('pRegionAZ4Name', 'us-east-1d'),
    ('pRegionAZ5Name', 'us-east-1e'),
    ('pRegionAZ6Name', 'us-east-1f'),
)

# One Vpc stack per environment name; the tasks below look stacks up by `env`.
aws_stack_vpc = {}
aws_stack_vpc['dev'] = AWSCloudFormation(
    profile_name='company.dev',
    stack_name='Vpc',
    template='vpc.yaml',
    on_failure='DELETE',
    s3_uri='s3://company.aws-distribs/infrastructure/vpc/',
    parameters=[
        {'ParameterKey': key, 'ParameterValue': value}
        for key, value in _VPC_DEV_PARAMETERS
    ],
)
@task()
def validate():
    """Validate the template of every configured Vpc stack."""
    for stack in aws_stack_vpc.values():
        stack.validate()
@task(validate)
def create(env='dev'):
    """Create the Vpc stack for ``env``; ``validate`` runs first as a task dependency."""
    stack = aws_stack_vpc[env]
    stack.create()
@task(validate)
def update(env='dev'):
    """Update the Vpc stack for ``env``; ``validate`` runs first as a task dependency."""
    stack = aws_stack_vpc[env]
    stack.update()
@task()
def delete(env='dev'):
    """Delete the Vpc stack for ``env`` (no validation dependency)."""
    stack = aws_stack_vpc[env]
    stack.delete()
@task()
def outputs(env='dev'):
    """Print the stack outputs of the Vpc stack for ``env``."""
    stack = aws_stack_vpc[env]
    stack.print_outputs()
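---
# eks-infra.yaml: EKS control plane, its service role and two nested stacks
# (security groups, CloudWatch log group). VPC/subnet inputs come from the
# Vpc stack outputs; nested templates are fetched from the fixed S3 URLs below.
# Date-like values are quoted so generic YAML loaders keep them as strings.
AWSTemplateFormatVersion: "2010-09-09"
Description: EKS Cluster Control Panel + Roles/SecurityGroups
Parameters:
  pEnvironment:
    Description: An environment name that will be prefixed to resource names
    Type: String
  pClusterName:
    Description: EKS Cluster name
    Type: String
  pSubnetsIds:
    Description: EKS nodes subnets to place in
    Type: CommaDelimitedList
  pVpcId:
    Description: Vpc Id
    Type: String
  pVpcCidr:
    Description: Vpc Cidr block
    Type: String
  pCreateEksInfraLogGroup:
    Description: Should we create EKS control-plane logs group?
    Type: String
    # Quoted: the parameter is a String and logs.yaml compares it against the
    # string "true"; unquoted true/false would be loaded as YAML booleans.
    AllowedValues:
      - "true"
      - "false"
  pEksInfraLogGroupName:
    Description: EKS control-plane logs group
    Type: String
Resources:
  rEksCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Ref pClusterName
      # Pinned control-plane version; quoted so 1.14 is not read as a float.
      Version: "1.14"
      RoleArn: !GetAtt rClusterRole.Arn
      # NOTE(review): EndpointPublicAccess / EndpointPrivateAccess and the
      # cluster Logging property are not set here, so service defaults apply.
      # The group created by the Logs stack only receives data once
      # control-plane logging is enabled on the cluster.
      ResourcesVpcConfig:
        SecurityGroupIds:
          - !GetAtt SecurityGroups.Outputs.ControlPlaneSecurityGroupId
        SubnetIds: !Ref pSubnetsIds
  # Allows EKS to manage clusters on your behalf. (Kept as a comment: a
  # resource-level Description key is not a CloudFormation resource attribute.)
  rClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        # Statement written as a list, matching the policy documents in vpc.yaml.
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
        - arn:aws:iam::aws:policy/AmazonEKSServicePolicy
  SecurityGroups:
    Type: AWS::CloudFormation::Stack
    Properties:
      # Must match the s3_uri the deploy script uploads the includes to.
      TemplateURL: https://s3.amazonaws.com/company.aws-distribs/infrastructure/eks-infra/securitygroups.yaml
      TimeoutInMinutes: 20
      Parameters:
        pEnvironment: !Ref pEnvironment
        pClusterName: !Ref pClusterName
        pVpcId: !Ref pVpcId
        pVpcCidr: !Ref pVpcCidr
  Logs:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/company.aws-distribs/infrastructure/eks-infra/logs.yaml
      TimeoutInMinutes: 20
      Parameters:
        pEnvironment: !Ref pEnvironment
        pCreateLogGroup: !Ref pCreateEksInfraLogGroup
        pLogGroupName: !Ref pEksInfraLogGroupName
        pRetentionInDays: 30
Outputs:
  AccountId:
    Value: !Ref "AWS::AccountId"
  ClusterName:
    Value: !Ref rEksCluster
  ClusterArn:
    Value: !GetAtt rEksCluster.Arn
  ClusterCAData:
    Value: !GetAtt rEksCluster.CertificateAuthorityData
  ClusterEndpoint:
    Value: !GetAtt rEksCluster.Endpoint
  ClusterRoleArn:
    Value: !GetAtt rClusterRole.Arn
  # Surfaced from the nested stack so worker-node templates can reference them.
  NodesSecurityGroupId:
    Value: !GetAtt SecurityGroups.Outputs.NodesSecurityGroupId
  ControlPlaneSecurityGroupId:
    Value: !GetAtt SecurityGroups.Outputs.ControlPlaneSecurityGroupId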
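---
# logs.yaml: optionally creates one CloudWatch Logs group. Nested under
# eks-infra.yaml, which passes pCreateLogGroup as "true" only when the group
# does not exist yet.
AWSTemplateFormatVersion: "2010-09-09"
Description: Logs groups
Parameters:
  # Not referenced by any resource below; kept because eks-infra.yaml passes it.
  pEnvironment:
    Description: An environment name
    Type: String
  # NOTE(review): CloudWatch Logs accepts only a fixed set of retention
  # values; an unsupported number fails at resource creation rather than at
  # template validation. An AllowedValues list would catch that earlier.
  pRetentionInDays:
    Type: Number
  pCreateLogGroup:
    Description: Should we create logs group?
    Type: String
    # Quoted: cCreateLogsGroup compares the String parameter against "true".
    AllowedValues:
      - "true"
      - "false"
  pLogGroupName:
    Description: Logs group name
    Type: String
Conditions:
  cCreateLogsGroup: !Equals [!Ref pCreateLogGroup, "true"]
Resources:
  rCloudWatchLogsEksGroup:
    Type: AWS::Logs::LogGroup
    Condition: cCreateLogsGroup
    # Keep the group and its history when the stack is deleted.
    DeletionPolicy: Retain
    Properties:
      LogGroupName: !Ref pLogGroupName
      RetentionInDays: !Ref pRetentionInDays
Outputs:
  # Both values derive from the parameter, so they are valid whether the
  # group was created by this stack or already existed.
  Name:
    Value: !Ref pLogGroupName
  Arn:
    Value: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${pLogGroupName}:*"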
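---
# vpc.yaml: VPC with one to six subnets (one per configured AZ), optional
# Amazon-provided IPv6, one Internet Gateway and one shared route table.
# Every subnet is associated with the IGW route table, so all subnets created
# here are public; there is no NAT gateway / private tier and no flow log.
# Fixes against the previous revision: route-table associations for subnets
# E and F, the cCreate2ZonesIpv6 condition on SubnetBCidrIpv6, the
# rSubnetFIpv6 logical ID, and quoting of boolean-/date-like strings.
AWSTemplateFormatVersion: "2010-09-09"
Description: Generic VPC configuration with Ipv6 support
Parameters:
  pEnvironment:
    Description: Environment name
    Type: String
  pVpcName:
    Description: VPC name
    Type: String
  pVpcCidr:
    Description: VPC CIDR block
    Type: String
  pSubnetsHasPublicIp:
    Description: Does subnets need to have public ip
    Type: String
    # Quoted: String parameter; unquoted true/false load as YAML booleans.
    AllowedValues:
      - "true"
      - "false"
  pUseIpv6:
    Description: Do we need Ipv6 support (true/false)
    Type: String
    # Compared against the string 'true' in cCreateIpv6.
    Default: "false"
  pCreatePeeringRole:
    Description: IAM Role for peering setup
    Type: String
    Default: "false"
  pPeeringAccountId:
    Description: Peering account id
    Type: String
    # "None" is a plain-string sentinel (not YAML null); only read when
    # cCreatePeeringRole is true.
    Default: None
  pRegionAZ1Name:
    Description: AZ 1 Name in Region
    Type: AWS::EC2::AvailabilityZone::Name
    Default: us-east-1a
  # AZ2..AZ6 use "None" to mean "do not create this zone"; see Conditions.
  pRegionAZ2Name:
    Description: AZ 2 Name in Region
    Type: String
    Default: None
  pRegionAZ3Name:
    Description: AZ 3 Name in Region
    Type: String
    Default: None
  pRegionAZ4Name:
    Description: AZ 4 Name in Region
    Type: String
    Default: None
  pRegionAZ5Name:
    Description: AZ 5 Name in Region
    Type: String
    Default: None
  pRegionAZ6Name:
    Description: AZ 6 Name in Region
    Type: String
    Default: None
Conditions:
  cCreatePeeringRole: !Equals [!Ref pCreatePeeringRole, 'true']
  # Zones are cumulative: zone N is created only when zones 2..N-1 are set too.
  cCreate2Zones: !Not [!Equals [!Ref pRegionAZ2Name, 'None']]
  cCreate3Zones:
    Fn::And:
      - Condition: cCreate2Zones
      - !Not [!Equals [!Ref pRegionAZ3Name, 'None']]
  cCreate4Zones:
    Fn::And:
      - Condition: cCreate3Zones
      - !Not [!Equals [!Ref pRegionAZ4Name, 'None']]
  cCreate5Zones:
    Fn::And:
      - Condition: cCreate4Zones
      - !Not [!Equals [!Ref pRegionAZ5Name, 'None']]
  cCreate6Zones:
    Fn::And:
      - Condition: cCreate5Zones
      - !Not [!Equals [!Ref pRegionAZ6Name, 'None']]
  cCreateIpv6: !Equals [!Ref pUseIpv6, 'true']
  # Per-zone IPv6 conditions guard resources that reference subnets B..F.
  cCreate2ZonesIpv6: !And [!Condition cCreateIpv6, !Condition cCreate2Zones]
  cCreate3ZonesIpv6: !And [!Condition cCreateIpv6, !Condition cCreate3Zones]
  cCreate4ZonesIpv6: !And [!Condition cCreateIpv6, !Condition cCreate4Zones]
  cCreate5ZonesIpv6: !And [!Condition cCreateIpv6, !Condition cCreate5Zones]
  cCreate6ZonesIpv6: !And [!Condition cCreateIpv6, !Condition cCreate6Zones]
Resources:
  rVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref pVpcCidr
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Ref pVpcName
        - Key: Environment
          Value: !Ref pEnvironment
  rVpcIpv6:
    Type: AWS::EC2::VPCCidrBlock
    Condition: cCreateIpv6
    Properties:
      AmazonProvidedIpv6CidrBlock: true
      VpcId: !Ref rVpc
  # Subnet addressing: the VPC block is cut into six /24 pieces (cidrBits 8)
  # and subnet N takes piece N-1; IPv6 subnets take /64 pieces (cidrBits 64)
  # of the first Amazon-provided block. The Outputs section repeats these
  # expressions and must stay in sync with them.
  rSubnetA:
    Type: AWS::EC2::Subnet
    DependsOn:
      - rVpc
    Properties:
      CidrBlock: !Select [0, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
      AvailabilityZone: !Ref pRegionAZ1Name
      MapPublicIpOnLaunch: !Ref pSubnetsHasPublicIp
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-subnet-a
        - Key: Environment
          Value: !Ref pEnvironment
  rSubnetAIpv6:
    Type: AWS::EC2::SubnetCidrBlock
    Condition: cCreateIpv6
    DependsOn:
      - rVpc
      - rVpcIpv6
    Properties:
      SubnetId: !Ref rSubnetA
      Ipv6CidrBlock: !Select [0, !Cidr [!Select [0, !GetAtt rVpc.Ipv6CidrBlocks], 6, 64]]
  rSubnetB:
    Type: AWS::EC2::Subnet
    Condition: cCreate2Zones
    DependsOn:
      - rVpc
    Properties:
      CidrBlock: !Select [1, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
      AvailabilityZone: !Ref pRegionAZ2Name
      MapPublicIpOnLaunch: !Ref pSubnetsHasPublicIp
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-subnet-b
        - Key: Environment
          Value: !Ref pEnvironment
  rSubnetBIpv6:
    Type: AWS::EC2::SubnetCidrBlock
    Condition: cCreate2ZonesIpv6
    DependsOn:
      - rVpc
      - rVpcIpv6
    Properties:
      SubnetId: !Ref rSubnetB
      Ipv6CidrBlock: !Select [1, !Cidr [!Select [0, !GetAtt rVpc.Ipv6CidrBlocks], 6, 64]]
  rSubnetC:
    Type: AWS::EC2::Subnet
    Condition: cCreate3Zones
    DependsOn:
      - rVpc
    Properties:
      CidrBlock: !Select [2, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
      AvailabilityZone: !Ref pRegionAZ3Name
      MapPublicIpOnLaunch: !Ref pSubnetsHasPublicIp
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-subnet-c
        - Key: Environment
          Value: !Ref pEnvironment
  rSubnetCIpv6:
    Type: AWS::EC2::SubnetCidrBlock
    Condition: cCreate3ZonesIpv6
    DependsOn:
      - rVpc
      - rVpcIpv6
    Properties:
      SubnetId: !Ref rSubnetC
      Ipv6CidrBlock: !Select [2, !Cidr [!Select [0, !GetAtt rVpc.Ipv6CidrBlocks], 6, 64]]
  rSubnetD:
    Type: AWS::EC2::Subnet
    Condition: cCreate4Zones
    DependsOn:
      - rVpc
    Properties:
      CidrBlock: !Select [3, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
      AvailabilityZone: !Ref pRegionAZ4Name
      MapPublicIpOnLaunch: !Ref pSubnetsHasPublicIp
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-subnet-d
        - Key: Environment
          Value: !Ref pEnvironment
  rSubnetDIpv6:
    Type: AWS::EC2::SubnetCidrBlock
    Condition: cCreate4ZonesIpv6
    DependsOn:
      - rVpc
      - rVpcIpv6
    Properties:
      SubnetId: !Ref rSubnetD
      Ipv6CidrBlock: !Select [3, !Cidr [!Select [0, !GetAtt rVpc.Ipv6CidrBlocks], 6, 64]]
  rSubnetE:
    Type: AWS::EC2::Subnet
    Condition: cCreate5Zones
    DependsOn:
      - rVpc
    Properties:
      CidrBlock: !Select [4, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
      AvailabilityZone: !Ref pRegionAZ5Name
      MapPublicIpOnLaunch: !Ref pSubnetsHasPublicIp
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-subnet-e
        - Key: Environment
          Value: !Ref pEnvironment
  rSubnetEIpv6:
    Type: AWS::EC2::SubnetCidrBlock
    Condition: cCreate5ZonesIpv6
    DependsOn:
      - rVpc
      - rVpcIpv6
    Properties:
      SubnetId: !Ref rSubnetE
      Ipv6CidrBlock: !Select [4, !Cidr [!Select [0, !GetAtt rVpc.Ipv6CidrBlocks], 6, 64]]
  rSubnetF:
    Type: AWS::EC2::Subnet
    Condition: cCreate6Zones
    DependsOn:
      - rVpc
    Properties:
      CidrBlock: !Select [5, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
      AvailabilityZone: !Ref pRegionAZ6Name
      MapPublicIpOnLaunch: !Ref pSubnetsHasPublicIp
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-subnet-f
        - Key: Environment
          Value: !Ref pEnvironment
  # Logical ID corrected from rSubneFDIpv6. On an already-deployed stack
  # CloudFormation treats the new ID as a new resource and removes the old
  # association; plan the update accordingly.
  rSubnetFIpv6:
    Type: AWS::EC2::SubnetCidrBlock
    Condition: cCreate6ZonesIpv6
    DependsOn:
      - rVpc
      - rVpcIpv6
    Properties:
      SubnetId: !Ref rSubnetF
      Ipv6CidrBlock: !Select [5, !Cidr [!Select [0, !GetAtt rVpc.Ipv6CidrBlocks], 6, 64]]
  rIgw:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-igw
        - Key: Environment
          Value: !Ref pEnvironment
  rGwAttachmentIgw:
    Type: AWS::EC2::VPCGatewayAttachment
    DependsOn: rIgw
    Properties:
      VpcId: !Ref rVpc
      InternetGatewayId: !Ref rIgw
  # Single route table shared by every subnet; it carries the default routes
  # to the IGW, which is what makes all subnets public.
  rRouteTableMain:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref rVpc
      Tags:
        - Key: Name
          Value: !Sub ${pVpcName}-route-tbl
        - Key: Environment
          Value: !Ref pEnvironment
  rRouteIgw:
    Type: AWS::EC2::Route
    DependsOn:
      - rGwAttachmentIgw
      - rIgw
    Properties:
      RouteTableId: !Ref rRouteTableMain
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref rIgw
  rRouteIgwIpv6:
    Type: AWS::EC2::Route
    Condition: cCreateIpv6
    DependsOn:
      - rGwAttachmentIgw
      - rIgw
    Properties:
      RouteTableId: !Ref rRouteTableMain
      # Quoted: a plain scalar starting with ':' is parser-dependent.
      DestinationIpv6CidrBlock: "::/0"
      GatewayId: !Ref rIgw
  rRouteAssocA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref rRouteTableMain
      SubnetId: !Ref rSubnetA
  rRouteAssocB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: cCreate2Zones
    Properties:
      RouteTableId: !Ref rRouteTableMain
      SubnetId: !Ref rSubnetB
  rRouteAssocC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: cCreate3Zones
    Properties:
      RouteTableId: !Ref rRouteTableMain
      SubnetId: !Ref rSubnetC
  rRouteAssocD:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: cCreate4Zones
    Properties:
      RouteTableId: !Ref rRouteTableMain
      SubnetId: !Ref rSubnetD
  # Associations for E and F were missing: without them those subnets fall
  # back to the VPC's implicit main route table, which has no IGW route.
  rRouteAssocE:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: cCreate5Zones
    Properties:
      RouteTableId: !Ref rRouteTableMain
      SubnetId: !Ref rSubnetE
  rRouteAssocF:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: cCreate6Zones
    Properties:
      RouteTableId: !Ref rRouteTableMain
      SubnetId: !Ref rSubnetF
  # NOTE(review): the trust policy admits the whole peer account (any
  # principal there permitted to call sts:AssumeRole) with no ExternalId
  # condition, and the inline policy uses Resource: '*'. Both can be narrowed
  # to a specific peer role and the peering-connection resource once known.
  rVpcPeeringRole:
    Type: AWS::IAM::Role
    Condition: cCreatePeeringRole
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        # Version added for consistency with the inline policy below.
        Version: "2012-10-17"
        Statement:
          - Principal:
              AWS:
                - !Ref pPeeringAccountId
            Action:
              - sts:AssumeRole
            Effect: Allow
      Policies:
        - PolicyName: accept-vpc-peering-connection-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ec2:AcceptVpcPeeringConnection
                Resource: '*'
Outputs:
  AccountId:
    Value: !Ref "AWS::AccountId"
  PeeringRoleArn:
    Condition: cCreatePeeringRole
    Value: !GetAtt rVpcPeeringRole.Arn
  VpcId:
    Value: !Ref rVpc
  VpcDefaultSecurityGroupId:
    Value: !GetAtt rVpc.DefaultSecurityGroup
  VpcCidr:
    Value: !Ref pVpcCidr
  VpcCidrIpv6:
    Condition: cCreateIpv6
    Value: !Join [', ', !GetAtt rVpc.Ipv6CidrBlocks]
  SubnetAId:
    Value: !Ref rSubnetA
  SubnetBId:
    Condition: cCreate2Zones
    Value: !Ref rSubnetB
  SubnetCId:
    Condition: cCreate3Zones
    Value: !Ref rSubnetC
  SubnetDId:
    Condition: cCreate4Zones
    Value: !Ref rSubnetD
  SubnetEId:
    Condition: cCreate5Zones
    Value: !Ref rSubnetE
  SubnetFId:
    Condition: cCreate6Zones
    Value: !Ref rSubnetF
  SubnetAAZ:
    Value: !GetAtt rSubnetA.AvailabilityZone
  SubnetBAZ:
    Condition: cCreate2Zones
    Value: !GetAtt rSubnetB.AvailabilityZone
  SubnetCAZ:
    Condition: cCreate3Zones
    Value: !GetAtt rSubnetC.AvailabilityZone
  SubnetDAZ:
    Condition: cCreate4Zones
    Value: !GetAtt rSubnetD.AvailabilityZone
  SubnetEAZ:
    Condition: cCreate5Zones
    Value: !GetAtt rSubnetE.AvailabilityZone
  SubnetFAZ:
    Condition: cCreate6Zones
    Value: !GetAtt rSubnetF.AvailabilityZone
  # IPv4 CIDRs recompute the same !Cidr split used by the subnet resources.
  SubnetACidrIpv4:
    Value: !Select [0, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
  SubnetACidrIpv6:
    Condition: cCreateIpv6
    Value: !Join [', ', !GetAtt rSubnetA.Ipv6CidrBlocks]
  SubnetBCidrIpv4:
    Condition: cCreate2Zones
    Value: !Select [1, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
  SubnetBCidrIpv6:
    # Was cCreateIpv6, which references rSubnetB even when zone 2 is not created.
    Condition: cCreate2ZonesIpv6
    Value: !Join [', ', !GetAtt rSubnetB.Ipv6CidrBlocks]
  SubnetCCidrIpv4:
    Condition: cCreate3Zones
    Value: !Select [2, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
  SubnetCCidrIpv6:
    Condition: cCreate3ZonesIpv6
    Value: !Join [', ', !GetAtt rSubnetC.Ipv6CidrBlocks]
  SubnetDCidrIpv4:
    Condition: cCreate4Zones
    Value: !Select [3, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
  SubnetDCidrIpv6:
    Condition: cCreate4ZonesIpv6
    Value: !Join [', ', !GetAtt rSubnetD.Ipv6CidrBlocks]
  SubnetECidrIpv4:
    Condition: cCreate5Zones
    Value: !Select [4, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
  SubnetECidrIpv6:
    Condition: cCreate5ZonesIpv6
    Value: !Join [', ', !GetAtt rSubnetE.Ipv6CidrBlocks]
  SubnetFCidrIpv4:
    Condition: cCreate6Zones
    Value: !Select [5, !Cidr [!GetAtt rVpc.CidrBlock, 6, 8]]
  SubnetFCidrIpv6:
    Condition: cCreate6ZonesIpv6
    Value: !Join [', ', !GetAtt rSubnetF.Ipv6CidrBlocks]
  RouteTableMainId:
    Value: !Ref rRouteTableMain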