mirror of
https://github.com/openshift/installer.git
synced 2026-02-05 15:47:14 +01:00
39a926a918
Moved the encrypted-AMI section from "Create Cluster" to "Running Cluster", because it has more value there folks inspecting their account and what has happened after the fact. Since we call out the running instances (by count with a picture) they may wonder "where did this unique AMI come from it is running"? It goes along with some of the other explanations we chase with as well. The Create Cluster section just has the whole IPI output, but no explanation of all wizardry under the covers, calling this particular wrinkle out there seemed a bit awkward to me.
438 lines
11 KiB
YAML
438 lines
11 KiB
YAML
AWSTemplateFormatVersion: 2010-09-09
|
|
Description: Template for Best Practice VPC with 1-3 AZs
|
|
|
|
Parameters:
|
|
VpcCidr:
|
|
AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-4]))$
|
|
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-24
|
|
Default: 10.0.0.0/16
|
|
Description: CIDR block for VPC
|
|
Type: String
|
|
AvailabilityZoneCount:
|
|
ConstraintDescription: "The number of availability zones (Min: 1, Max: 3)"
|
|
MinValue: 1
|
|
MaxValue: 3
|
|
Default: 1
|
|
Description: "How many AZs to create VPC subnets for (Min: 1, Max: 3)"
|
|
Type: Number
|
|
SubnetBits:
|
|
ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19-27
|
|
MinValue: 5
|
|
MaxValue: 13
|
|
Default: 12
|
|
Description: "Size of each subnet to create within the availability zones. (Min: 5 = /27, Max: 13 = /19)"
|
|
Type: Number
|
|
|
|
Metadata:
|
|
AWS::CloudFormation::Interface:
|
|
ParameterGroups:
|
|
- Label:
|
|
default: "Network Configuration"
|
|
Parameters:
|
|
- VpcCidr
|
|
- SubnetBits
|
|
- Label:
|
|
default: "Availability Zones"
|
|
Parameters:
|
|
- AvailabilityZoneCount
|
|
ParameterLabels:
|
|
AvailabilityZoneCount:
|
|
default: "Availability Zone Count"
|
|
VpcCidr:
|
|
default: "VPC CIDR"
|
|
SubnetBits:
|
|
default: "Bits Per Subnet"
|
|
|
|
Conditions:
|
|
DoAz3: !Equals [3, !Ref AvailabilityZoneCount]
|
|
DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3]
|
|
|
|
Resources:
|
|
VPC:
|
|
Type: "AWS::EC2::VPC"
|
|
Properties:
|
|
EnableDnsSupport: "true"
|
|
EnableDnsHostnames: "true"
|
|
CidrBlock: !Ref VpcCidr
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
- Key: Name
|
|
Value: !Ref "AWS::StackName"
|
|
PublicSubnet:
|
|
Type: "AWS::EC2::Subnet"
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
|
|
AvailabilityZone: !Select
|
|
- 0
|
|
- Fn::GetAZs: !Ref "AWS::Region"
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
PublicSubnet2:
|
|
Type: "AWS::EC2::Subnet"
|
|
Condition: DoAz2
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
|
|
AvailabilityZone: !Select
|
|
- 1
|
|
- Fn::GetAZs: !Ref "AWS::Region"
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
PublicSubnet3:
|
|
Type: "AWS::EC2::Subnet"
|
|
Condition: DoAz3
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
|
|
AvailabilityZone: !Select
|
|
- 2
|
|
- Fn::GetAZs: !Ref "AWS::Region"
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
InternetGateway:
|
|
Type: "AWS::EC2::InternetGateway"
|
|
Properties:
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
GatewayToInternet:
|
|
Type: "AWS::EC2::VPCGatewayAttachment"
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
InternetGatewayId: !Ref InternetGateway
|
|
PublicRouteTable:
|
|
Type: "AWS::EC2::RouteTable"
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
PublicRoute:
|
|
Type: "AWS::EC2::Route"
|
|
DependsOn: GatewayToInternet
|
|
Properties:
|
|
RouteTableId: !Ref PublicRouteTable
|
|
DestinationCidrBlock: 0.0.0.0/0
|
|
GatewayId: !Ref InternetGateway
|
|
PublicSubnetRouteTableAssociation:
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnet
|
|
RouteTableId: !Ref PublicRouteTable
|
|
PublicSubnetRouteTableAssociation2:
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
Condition: DoAz2
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnet2
|
|
RouteTableId: !Ref PublicRouteTable
|
|
PublicSubnetRouteTableAssociation3:
|
|
Condition: DoAz3
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnet3
|
|
RouteTableId: !Ref PublicRouteTable
|
|
PublicNetworkAcl:
|
|
Type: "AWS::EC2::NetworkAcl"
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Public
|
|
InboundHTTPPublicNetworkAclEntry:
|
|
Type: "AWS::EC2::NetworkAclEntry"
|
|
Properties:
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
RuleNumber: "100"
|
|
Protocol: "6"
|
|
RuleAction: allow
|
|
Egress: "false"
|
|
CidrBlock: 0.0.0.0/0
|
|
PortRange:
|
|
From: "80"
|
|
To: "80"
|
|
InboundHTTPSPublicNetworkAclEntry:
|
|
Type: "AWS::EC2::NetworkAclEntry"
|
|
Properties:
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
RuleNumber: "101"
|
|
Protocol: "6"
|
|
RuleAction: allow
|
|
Egress: "false"
|
|
CidrBlock: 0.0.0.0/0
|
|
PortRange:
|
|
From: "443"
|
|
To: "443"
|
|
InboundSSHPublicNetworkAclEntry:
|
|
Type: "AWS::EC2::NetworkAclEntry"
|
|
Properties:
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
RuleNumber: "102"
|
|
Protocol: "6"
|
|
RuleAction: allow
|
|
Egress: "false"
|
|
CidrBlock: 0.0.0.0/0
|
|
PortRange:
|
|
From: "22"
|
|
To: "22"
|
|
InboundEphemeralPublicNetworkAclEntry:
|
|
Type: "AWS::EC2::NetworkAclEntry"
|
|
Properties:
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
RuleNumber: "103"
|
|
Protocol: "6"
|
|
RuleAction: allow
|
|
Egress: "false"
|
|
CidrBlock: 0.0.0.0/0
|
|
PortRange:
|
|
From: "1024"
|
|
To: "65535"
|
|
OutboundPublicNetworkAclEntry:
|
|
Type: "AWS::EC2::NetworkAclEntry"
|
|
Properties:
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
RuleNumber: "100"
|
|
Protocol: "6"
|
|
RuleAction: allow
|
|
Egress: "true"
|
|
CidrBlock: 0.0.0.0/0
|
|
PortRange:
|
|
From: "0"
|
|
To: "65535"
|
|
PublicSubnetNetworkAclAssociation:
|
|
Type: "AWS::EC2::SubnetNetworkAclAssociation"
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnet
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
PublicSubnetNetworkAclAssociation2:
|
|
Type: "AWS::EC2::SubnetNetworkAclAssociation"
|
|
Condition: DoAz2
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnet2
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
PublicSubnetNetworkAclAssociation3:
|
|
Type: "AWS::EC2::SubnetNetworkAclAssociation"
|
|
Condition: DoAz3
|
|
Properties:
|
|
SubnetId: !Ref PublicSubnet3
|
|
NetworkAclId: !Ref PublicNetworkAcl
|
|
PrivateSubnet:
|
|
Type: "AWS::EC2::Subnet"
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
|
|
AvailabilityZone: !Select
|
|
- 0
|
|
- Fn::GetAZs: !Ref "AWS::Region"
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Private
|
|
PrivateRouteTable:
|
|
Type: "AWS::EC2::RouteTable"
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Private
|
|
PrivateSubnetRouteTableAssociation:
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
Properties:
|
|
SubnetId: !Ref PrivateSubnet
|
|
RouteTableId: !Ref PrivateRouteTable
|
|
NAT:
|
|
DependsOn:
|
|
- GatewayToInternet
|
|
Type: "AWS::EC2::NatGateway"
|
|
Properties:
|
|
AllocationId:
|
|
"Fn::GetAtt":
|
|
- EIP
|
|
- AllocationId
|
|
SubnetId: !Ref PublicSubnet
|
|
EIP:
|
|
Type: "AWS::EC2::EIP"
|
|
Properties:
|
|
Domain: vpc
|
|
Route:
|
|
Type: "AWS::EC2::Route"
|
|
Properties:
|
|
RouteTableId:
|
|
Ref: PrivateRouteTable
|
|
DestinationCidrBlock: 0.0.0.0/0
|
|
NatGatewayId:
|
|
Ref: NAT
|
|
PrivateSubnet2:
|
|
Type: "AWS::EC2::Subnet"
|
|
Condition: DoAz2
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
|
|
AvailabilityZone: !Select
|
|
- 1
|
|
- Fn::GetAZs: !Ref "AWS::Region"
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Private
|
|
PrivateRouteTable2:
|
|
Type: "AWS::EC2::RouteTable"
|
|
Condition: DoAz2
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Private
|
|
PrivateSubnetRouteTableAssociation2:
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
Condition: DoAz2
|
|
Properties:
|
|
SubnetId: !Ref PrivateSubnet2
|
|
RouteTableId: !Ref PrivateRouteTable2
|
|
NAT2:
|
|
DependsOn:
|
|
- GatewayToInternet
|
|
Type: "AWS::EC2::NatGateway"
|
|
Condition: DoAz2
|
|
Properties:
|
|
AllocationId:
|
|
"Fn::GetAtt":
|
|
- EIP2
|
|
- AllocationId
|
|
SubnetId: !Ref PublicSubnet2
|
|
EIP2:
|
|
Type: "AWS::EC2::EIP"
|
|
Condition: DoAz2
|
|
Properties:
|
|
Domain: vpc
|
|
Route2:
|
|
Type: "AWS::EC2::Route"
|
|
Condition: DoAz2
|
|
Properties:
|
|
RouteTableId:
|
|
Ref: PrivateRouteTable2
|
|
DestinationCidrBlock: 0.0.0.0/0
|
|
NatGatewayId:
|
|
Ref: NAT2
|
|
PrivateSubnet3:
|
|
Type: "AWS::EC2::Subnet"
|
|
Condition: DoAz3
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
|
|
AvailabilityZone: !Select
|
|
- 2
|
|
- Fn::GetAZs: !Ref "AWS::Region"
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Private
|
|
PrivateRouteTable3:
|
|
Type: "AWS::EC2::RouteTable"
|
|
Condition: DoAz3
|
|
Properties:
|
|
VpcId: !Ref VPC
|
|
Tags:
|
|
- Key: Application
|
|
Value: !Ref "AWS::StackName"
|
|
- Key: Network
|
|
Value: Private
|
|
PrivateSubnetRouteTableAssociation3:
|
|
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
|
Condition: DoAz3
|
|
Properties:
|
|
SubnetId: !Ref PrivateSubnet3
|
|
RouteTableId: !Ref PrivateRouteTable3
|
|
NAT3:
|
|
DependsOn:
|
|
- GatewayToInternet
|
|
Type: "AWS::EC2::NatGateway"
|
|
Condition: DoAz3
|
|
Properties:
|
|
AllocationId:
|
|
"Fn::GetAtt":
|
|
- EIP3
|
|
- AllocationId
|
|
SubnetId: !Ref PublicSubnet3
|
|
EIP3:
|
|
Type: "AWS::EC2::EIP"
|
|
Condition: DoAz3
|
|
Properties:
|
|
Domain: vpc
|
|
Route3:
|
|
Type: "AWS::EC2::Route"
|
|
Condition: DoAz3
|
|
Properties:
|
|
RouteTableId:
|
|
Ref: PrivateRouteTable3
|
|
DestinationCidrBlock: 0.0.0.0/0
|
|
NatGatewayId:
|
|
Ref: NAT3
|
|
S3Endpoint:
|
|
Type: AWS::EC2::VPCEndpoint
|
|
Properties:
|
|
PolicyDocument:
|
|
Version: 2012-10-17
|
|
Statement:
|
|
- Effect: Allow
|
|
Principal: '*'
|
|
Action:
|
|
- '*'
|
|
Resource:
|
|
- '*'
|
|
RouteTableIds:
|
|
- !Ref PublicRouteTable
|
|
- !Ref PrivateRouteTable
|
|
- !If [DoAz2, !Ref PrivateRouteTable2, !Ref "AWS::NoValue"]
|
|
- !If [DoAz3, !Ref PrivateRouteTable3, !Ref "AWS::NoValue"]
|
|
ServiceName: !Join
|
|
- ''
|
|
- - com.amazonaws.
|
|
- !Ref 'AWS::Region'
|
|
- .s3
|
|
VpcId: !Ref VPC
|
|
|
|
Outputs:
|
|
VpcId:
|
|
Description: ID of the newly created VPC
|
|
Value: !Ref VPC
|
|
PublicSubnetIds:
|
|
Description: Subnet IDs of the public subnets
|
|
Value:
|
|
!Join [
|
|
",",
|
|
[!Ref PublicSubnet, !If [DoAz2, !Ref PublicSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PublicSubnet3, !Ref "AWS::NoValue"]]
|
|
]
|
|
PrivateSubnetIds:
|
|
Description: Subnet IDs of the private subnets
|
|
Value:
|
|
!Join [
|
|
",",
|
|
[!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]]
|
|
]
|