diff --git a/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml b/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml index 21a28d7f2..05eeb02c2 100644 --- a/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml +++ b/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml @@ -1,23 +1,39 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: CloudFormation template to create a ROSA Quickstart default VPC +Description: CloudFormation template to create a ROSA Quickstart default VPC. Parameters: + AvailabilityZoneCount: + Type: Number + Description: "Number of Availability Zones to use" + MinValue: 1 + MaxValue: 3 + Region: + Type: String + Description: "AWS Region" + Default: "us-west-2" Name: Type: String - Description: Prefix for naming resources + Description: "Name prefix for resources" VpcCidr: Type: String Description: CIDR block for the VPC Default: '10.0.0.0/16' - AvailabilityZonesCount: - Type: Number - Description: Number of availability zones - Default: 2 - MinValue: 2 - Region: - Type: String - Description: AWS region to deploy resources in - Default: 'us-west-2' + +Conditions: + HasAZ1: !Equals [!Ref AvailabilityZoneCount, 1] + HasAZ2: !Equals [!Ref AvailabilityZoneCount, 2] + HasAZ3: !Equals [!Ref AvailabilityZoneCount, 3] + + One: + Fn::Or: + - Condition: HasAZ1 + - Condition: HasAZ2 + - Condition: HasAZ3 + + Two: + Fn::Or: + - Condition: HasAZ3 + - Condition: HasAZ2 Resources: VPC: @@ -46,12 +62,9 @@ Resources: - !Ref PublicRouteTable - !Ref PrivateRouteTable - PublicSubnet: - Type: 'AWS::EC2::Subnet' + InternetGateway: + Type: AWS::EC2::InternetGateway Properties: - VpcId: !Ref VPC - CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, !Ref AvailabilityZonesCount, 8]] - AvailabilityZone: !Select [0, !GetAZs ''] Tags: - Key: Name Value: !Ref Name 
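Review bot: `One` is true for every value the parameter admits (MinValue 1, MaxValue 3), so the three-way `Fn::Or` is a tautology and the names `One`/`Two` do not say what they gate; the clearer shape is a pair named for their meaning, `HasAtLeastTwoAZs: !Or [!Condition HasAZ2, !Condition HasAZ3]` and `HasThreeAZs: !Equals [!Ref AvailabilityZoneCount, 3]`, with no Condition attribute on the AZ-1 resources at all. AvailabilityZoneCount also lost the `Default: 2` that the removed AvailabilityZonesCount had, so every caller must now supply it; whether the code that renders this template does is outside this diff. `Region` keeps a default but no resource in the visible hunks references it — if nothing does, drop it, since `AWS::Region` is already available as a pseudo parameter.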
@@ -59,35 +72,44 @@ Resources: Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - - Key: 'kubernetes.io/role/elb' - Value: '1' - Key: 'service' Value: 'ROSA' - PrivateSubnet: - Type: 'AWS::EC2::Subnet' + AttachGateway: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + + PublicRouteTable: + Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC - CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, !Ref AvailabilityZonesCount, 8]] - AvailabilityZone: !Select [0, !GetAZs ''] Tags: - Key: Name - Value: !Sub "${Name}-private" + Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - - Key: 'kubernetes.io/role/internal-elb' - Value: '1' - Key: 'service' Value: 'ROSA' - InternetGateway: - Type: AWS::EC2::InternetGateway + PublicRoute: + Type: AWS::EC2::Route + DependsOn: AttachGateway + Properties: + RouteTableId: !Ref PublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + + PrivateRouteTable: + Type: AWS::EC2::RouteTable Properties: + VpcId: !Ref VPC Tags: - Key: Name - Value: !Ref Name + Value: !Sub "${Name}-Private-Route-Table" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' 
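Review bot: PublicRouteTable's Name tag is the bare `!Ref Name`, the same value the VPC, InternetGateway and the EIPs use, whereas PrivateRouteTable in the same hunk gets `!Sub "${Name}-Private-Route-Table"`; several resources sharing one Name cannot be told apart in the console or by any tag-based lookup. Use `Value: !Sub "${Name}-Public-Route-Table"` here and a suffixed name on InternetGateway (previous hunk) for the same reason. `DestinationCidrBlock: 0.0.0.0/0` was quoted in the removed PublicRoute and is plain in the new one; CloudFormation reads it as a string either way, but quoting keeps the convention the VpcCidr default uses.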
@@ -95,11 +117,132 @@ Resources: - Key: 'service' Value: 'ROSA' - AttachGateway: - Type: AWS::EC2::VPCGatewayAttachment + PrivateRoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PrivateRouteTable + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !If + - One + - !Ref NATGateway1 + - !If + - Two + - !Ref NATGateway2 + - !If + - HasAZ3 + - !Ref NATGateway3 + - !Ref "AWS::NoValue" + + SubnetPublic1: + Condition: One + Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC - InternetGatewayId: !Ref InternetGateway + CidrBlock: 10.0.1.0/24 + AvailabilityZone: !Select [0, !GetAZs ''] + MapPublicIpOnLaunch: true + Tags: + - Key: Name + Value: !Sub "${Name}-Public-Subnet-1" + + SubnetPrivate1: + Condition: One + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.2.0/24 + AvailabilityZone: !Select [0, !GetAZs ''] + Tags: + - Key: Name + Value: !Sub "${Name}-Private-Subnet-1" + + SubnetPublic2: + Condition: Two + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.3.0/24 + AvailabilityZone: !Select [1, !GetAZs ''] + MapPublicIpOnLaunch: true + Tags: + - Key: Name + Value: !Sub "${Name}-Public-Subnet-2" + + SubnetPrivate2: + Condition: Two + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.4.0/24 + AvailabilityZone: !Select [1, !GetAZs ''] + Tags: + - Key: Name + Value: !Sub "${Name}-Private-Subnet-2" + + SubnetPublic3: + Condition: HasAZ3 + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.5.0/24 + AvailabilityZone: !Select [2, !GetAZs ''] + MapPublicIpOnLaunch: true + Tags: + - Key: Name + Value: !Sub "${Name}-Public-Subnet-3" + + SubnetPrivate3: + Condition: HasAZ3 + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.6.0/24 + AvailabilityZone: !Select [2, !GetAZs ''] + Tags: + - Key: Name + Value: !Sub "${Name}-Private-Subnet-3" + + PublicSubnetRouteTableAssociation1: + Condition: One + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + 
SubnetId: !Ref SubnetPublic1 + RouteTableId: !Ref PublicRouteTable + + PublicSubnetRouteTableAssociation2: + Condition: Two + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref SubnetPublic2 + RouteTableId: !Ref PublicRouteTable + + PublicSubnetRouteTableAssociation3: + Condition: HasAZ3 + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref SubnetPublic3 + RouteTableId: !Ref PublicRouteTable + + PrivateSubnetRouteTableAssociation1: + Condition: One + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref SubnetPrivate1 + RouteTableId: !Ref PrivateRouteTable + + PrivateSubnetRouteTableAssociation2: + Condition: Two + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref SubnetPrivate2 + RouteTableId: !Ref PrivateRouteTable + + PrivateSubnetRouteTableAssociation3: + Condition: HasAZ3 + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref SubnetPrivate3 + RouteTableId: !Ref PrivateRouteTable ElasticIP1: Type: AWS::EC2::EIP @@ -129,11 +272,11 @@ Resources: - Key: 'service' Value: 'ROSA' - NATGateway: - Type: 'AWS::EC2::NatGateway' + ElasticIP3: + Condition: HasAZ3 + Type: AWS::EC2::EIP Properties: - AllocationId: !GetAtt ElasticIP1.AllocationId - SubnetId: !Ref PublicSubnet + Domain: vpc Tags: - Key: Name Value: !Ref Name @@ -144,13 +287,15 @@ Resources: - Key: 'service' Value: 'ROSA' - PublicRouteTable: - Type: 'AWS::EC2::RouteTable' + NATGateway1: + Condition: One + Type: 'AWS::EC2::NatGateway' Properties: - VpcId: !Ref VPC + AllocationId: !GetAtt ElasticIP1.AllocationId + SubnetId: !Ref SubnetPublic1 Tags: - Key: Name - Value: !Ref Name + Value: !Sub "${Name}-NAT-1" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' 
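Review bot: The six new subnets hard-code `10.0.1.0/24` through `10.0.6.0/24` while VpcCidr is still a parameter defaulting to `10.0.0.0/16`, so any caller passing a different CIDR gets a stack failure because the subnet blocks fall outside the VPC — the removed subnets derived their blocks with `!Cidr`. Derive them again, `CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, 8]]` for SubnetPublic1 and indices 1 to 5 for the remaining subnets in order. The new subnets also carry only a Name tag: the removed PublicSubnet/PrivateSubnet had `kubernetes.io/role/elb` and `kubernetes.io/role/internal-elb` (dropped in the @@ -59 hunk), which the in-cluster AWS cloud provider uses for load-balancer subnet discovery, plus the rosa_managed_policies/rosa_hcp_policies/service tags every other resource in this template keeps; restore both sets on each subnet.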
@@ -158,26 +303,15 @@ Resources: - Key: 'service' Value: 'ROSA' - PublicRoute: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref PublicRouteTable - DestinationCidrBlock: '0.0.0.0/0' - GatewayId: !Ref InternetGateway - - PublicRouteTableAssociation: - Type: 'AWS::EC2::SubnetRouteTableAssociation' - Properties: - SubnetId: !Ref PublicSubnet - RouteTableId: !Ref PublicRouteTable - - PrivateRouteTable: - Type: 'AWS::EC2::RouteTable' + NATGateway2: + Condition: Two + Type: 'AWS::EC2::NatGateway' Properties: - VpcId: !Ref VPC + AllocationId: !GetAtt ElasticIP2.AllocationId + SubnetId: !Ref SubnetPublic2 Tags: - Key: Name - Value: !Ref Name + Value: !Sub "${Name}-NAT-2" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' @@ -185,19 +319,22 @@ Resources: - Key: 'service' Value: 'ROSA' - PrivateRoutes: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref PrivateRouteTable - DestinationCidrBlock: '0.0.0.0/0' - NatGatewayId: !Ref NATGateway - - PrivateRouteTableAssociation: - Type: 'AWS::EC2::SubnetRouteTableAssociation' + NATGateway3: + Condition: HasAZ3 + Type: 'AWS::EC2::NatGateway' Properties: - SubnetId: !Ref PrivateSubnet - RouteTableId: !Ref PrivateRouteTable - + AllocationId: !GetAtt ElasticIP3.AllocationId + SubnetId: !Ref SubnetPublic3 + Tags: + - Key: Name + Value: !Sub "${Name}-NAT-3" + - Key: 'rosa_managed_policies' + Value: 'true' + - Key: 'rosa_hcp_policies' + Value: 'true' + - Key: 'service' + Value: 'ROSA' + SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: @@ -222,6 +359,10 @@ Resources: Value: !Ref Name - Key: 'service' Value: 'ROSA' + - Key: 'rosa_managed_policies' + Value: 'true' + - Key: 'rosa_hcp_policies' + Value: 'true' EC2VPCEndpoint: Type: AWS::EC2::VPCEndpoint 
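Review bot: NATGateway2 (this hunk) and NATGateway3 (next hunk) are created but nothing routes through them: the template has a single PrivateRouteTable whose PrivateRoute (hunk @@ -95) resolves `NatGatewayId` with `!If [One, !Ref NATGateway1, …]`, and `One` holds for every allowed AvailabilityZoneCount, so in a 2- or 3-AZ stack all private subnets egress through the AZ-1 NAT gateway — a single point of failure plus cross-AZ data transfer — while the extra gateways and their EIPs sit idle. The usual fix is one private route table per AZ, each with its own default route to that AZ's NAT gateway and the matching subnet association, as sketched below for AZ 2; the PrivateRouteTableId output would then need to become a joined list like the NAT gateway output.
```yaml
  # … unchanged: PrivateRouteTable / PrivateRoute for AZ 1 (NATGateway1) …

  PrivateRouteTable2:
    Condition: Two
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${Name}-Private-Route-Table-2"
        # … unchanged: rosa_managed_policies / rosa_hcp_policies / service tags …

  PrivateRoute2:
    Condition: Two
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGateway2

  PrivateSubnetRouteTableAssociation2:
    Condition: Two
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetPrivate2
      RouteTableId: !Ref PrivateRouteTable2
  # … same shape for AZ 3 under Condition HasAZ3 with NATGateway3 …
```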
@@ -231,7 +372,9 @@ Resources: PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - - !Ref PrivateSubnet + - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] + - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] + - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup @@ -243,7 +386,9 @@ Resources: PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - - !Ref PrivateSubnet + - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] + - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] + - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup @@ -255,7 +400,9 @@ Resources: PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - - !Ref PrivateSubnet + - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] + - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] + - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup @@ -267,7 +414,9 @@ Resources: PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - - !Ref PrivateSubnet + - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] + - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] + - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup 
@@ -279,46 +428,36 @@ Resources: PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - - !Ref PrivateSubnet + - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] + - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] + - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup Outputs: VPCId: - Description: The ID of the VPC + Description: "VPC Id" Value: !Ref VPC Export: Name: !Sub "${Name}-VPCId" - InternetGatewayId: - Description: The ID of the Internet Gateway - Value: !Ref InternetGateway - Export: - Name: !Sub "${Name}-InternetGatewayId" - - PublicRouteTableId: - Description: The ID of the public route table - Value: !Ref PublicRouteTable - Export: - Name: !Sub "${Name}-PublicRouteTableId" - VPCEndpointId: Description: The ID of the VPC Endpoint Value: !Ref S3VPCEndpoint Export: Name: !Sub "${Name}-VPCEndpointId" - PublicSubnet: - Description: The ID of the public subnet - Value: !Ref PublicSubnet + PublicSubnets: + Description: "Public Subnet Ids" + Value: !Join [",", [!If [One, !Ref SubnetPublic1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPublic2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref SubnetPublic3, !Ref "AWS::NoValue"]]] Export: - Name: !Sub "${Name}-PublicSubnet" + Name: !Sub "${Name}-PublicSubnets" - PrivateSubnet: - Description: The ID of the private subnet - Value: !Ref PrivateSubnet + PrivateSubnets: + Description: "Private Subnet Ids" + Value: !Join [",", [!If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]]] Export: - Name: !Sub "${Name}-PrivateSubnet" + Name: !Sub "${Name}-PrivateSubnets" EIP1AllocationId: Description: Allocation ID for ElasticIP1 
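Review bot: Renaming the exports from `${Name}-PublicSubnet`/`${Name}-PrivateSubnet` to the plural forms is a breaking change for any stack that imports the old names — CloudFormation refuses to update a stack while another stack still imports one of its exports, so updating an existing network stack would fail if there are consumers; either keep the old export names or call the break out in the commit message. The two `!Join` values are roughly 180 columns of nested flow syntax; writing them in block style with one `!If` per line reads far better and diffs cleanly when an AZ is added. The VPCEndpointId output keeps the description "The ID of the VPC Endpoint" although the template now creates six endpoints; `Description: The ID of the S3 VPC Endpoint` says which one it is.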
@@ -332,15 +471,64 @@ Outputs: Export: Name: !Sub "${Name}-EIP2-AllocationId" - NatGatewayIds: - Description: The NAT Gateway ID - Value: !Ref NATGateway + EIP3AllocationId: + Condition: HasAZ3 + Description: Allocation ID for ElasticIP3 + Value: !GetAtt ElasticIP3.AllocationId + Export: + Name: !Sub "${Name}-EIP3-AllocationId" + + NatGatewayId: + Description: The NAT Gateway IDs + Value: !Join [",", [!If [One, !Ref NATGateway1, !Ref "AWS::NoValue"], !If [Two, !Ref NATGateway2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref NATGateway3, !Ref "AWS::NoValue"]]] + Export: + Name: !Sub "${Name}-NatGatewayId" + + InternetGatewayId: + Description: The ID of the Internet Gateway + Value: !Ref InternetGateway + Export: + Name: !Sub "${Name}-InternetGatewayId" + + PublicRouteTableId: + Description: The ID of the public route table + Value: !Ref PublicRouteTable + Export: + Name: !Sub "${Name}-PublicRouteTableId" PrivateRouteTableId: - Description: The Private Route Table IDs + Description: The ID of the private route table Value: !Ref PrivateRouteTable + Export: + Name: !Sub "${Name}-PrivateRouteTableId" + + EC2VPCEndpointId: + Description: The ID of the EC2 VPC Endpoint + Value: !Ref EC2VPCEndpoint + Export: + Name: !Sub "${Name}-EC2VPCEndpointId" + + KMSVPCEndpointId: + Description: The ID of the KMS VPC Endpoint + Value: !Ref KMSVPCEndpoint + Export: + Name: !Sub "${Name}-KMSVPCEndpointId" - PrivateRouteIDs: - Description: IDs of the created private routes - Value: !Ref PrivateRoutes - \ No newline at end of file + STSVPCEndpointId: + Description: The ID of the STS VPC Endpoint + Value: !Ref STSVPCEndpoint + Export: + Name: !Sub "${Name}-STSVPCEndpointId" + + EcrApiVPCEndpointId: + Description: The ID of the ECR API VPC Endpoint + Value: !Ref EcrApiVPCEndpoint + Export: + Name: !Sub "${Name}-EcrApiVPCEndpointId" + + EcrDkrVPCEndpointId: + Description: The ID of the ECR DKR VPC Endpoint + Value: !Ref EcrDkrVPCEndpoint + Export: + Name: !Sub "${Name}-EcrDkrVPCEndpointId" + \ No 
newline at end of file
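Review bot: The output renamed from `NatGatewayIds` to `NatGatewayId` now holds a comma-joined list (its own description says "The NAT Gateway IDs"), so the singular name and the export `${Name}-NatGatewayId` are misleading, and like the subnet exports a renamed export breaks existing importers; keep `NatGatewayIds:` with `Name: !Sub "${Name}-NatGatewayIds"`. EIP2AllocationId (context just above) has no Condition while the new EIP3AllocationId carries `Condition: HasAZ3`; ElasticIP2 is outside this diff, so if it is gated on `Two` a one-AZ stack will fail on that output's unresolved reference — confirm and add `Condition: Two` if so. The new side still ends with `\ No newline at end of file`, and the `+ ` before the marker suggests a whitespace-only last line; end the file on the last Export line with a trailing newline.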