-
Notifications
You must be signed in to change notification settings - Fork 3
/
ebs-snapshot-instance.yaml
133 lines (126 loc) · 4.09 KB
/
ebs-snapshot-instance.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: 2010-09-09
Description: Bottlerocket instance to snapshot data volume with configurable network settings.
Parameters:
AmiID:
Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
Description: "The ID of the AMI."
Default: /aws/service/bottlerocket/aws-k8s-1.27/x86_64/latest/image_id
InstanceType:
Type: String
Description: "EC2 instance type to launch"
Default: m5.large
InstanceRole:
Type: String
Description: "Name of IAM Role used in instance"
Default: NONE
Encrypt:
Type: String
Description: "Encrypt the AMI"
Default: NONE
KMSId:
Type: String
Description: "Id of the KMS Key used for the snapshot"
Default: NONE
SnapshotSize:
Type: Number
Description: "Size of the target snapshot"
Default: 50
SecurityGroupId:
Type: String
Description: "Optional Security Group ID. If not provided, the default VPC security group will be used."
Default: NONE
SubnetId:
Type: String
Description: "Optional Subnet ID. If not provided, a subnet from the default VPC will be used."
Default: NONE
AssociatePublicIpAddress:
Type: String
Description: "Whether to associate a public IP address to the instance"
Default: "true"
AllowedValues:
- "true"
- "false"
Conditions:
CreateNewIAMRole: !Equals [!Ref InstanceRole, NONE]
UseCustomKMSId: !Not [!Equals [!Ref KMSId, NONE]]
Encrypt: !Not [!Equals [!Ref Encrypt, NONE]]
UseCustomSecurityGroup: !Not [!Equals [!Ref SecurityGroupId, NONE]]
UseCustomSubnet: !Not [!Equals [!Ref SubnetId, NONE]]
Resources:
BottlerocketNodeRole:
Type: "AWS::IAM::Role"
Condition: CreateNewIAMRole
Properties:
Path: /
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
!Sub "ec2.${AWS::URLSuffix}"
Action:
- "sts:AssumeRole"
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
BottlerocketNodeInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
- !If [CreateNewIAMRole, !Ref BottlerocketNodeRole, !Ref InstanceRole]
BottlerocketLaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateData:
ImageId: !Ref AmiID
InstanceType: !Ref InstanceType
IamInstanceProfile:
Name: !Ref BottlerocketNodeInstanceProfile
UserData:
Fn::Base64: |
[settings.host-containers.admin]
enabled = true
BlockDeviceMappings:
- DeviceName: /dev/xvda
Ebs:
VolumeSize: 10
VolumeType: gp3
DeleteOnTermination: true
- DeviceName: /dev/xvdb
Ebs:
VolumeSize: !Ref SnapshotSize
VolumeType: gp3
Encrypted:
Fn::If:
- Encrypt
- true
- false
KmsKeyId:
Fn::If:
- UseCustomKMSId
- !Ref KMSId
- !Ref AWS::NoValue
Throughput: 1000
Iops: 4000
DeleteOnTermination: true
NetworkInterfaces:
- AssociatePublicIpAddress: !Ref AssociatePublicIpAddress
DeviceIndex: "0"
Groups:
- !If [UseCustomSecurityGroup, !Ref SecurityGroupId, !Ref 'AWS::NoValue']
SubnetId: !If [UseCustomSubnet, !Ref SubnetId, !Ref 'AWS::NoValue']
BottlerocketInstance:
Type: AWS::EC2::Instance
Properties:
LaunchTemplate:
LaunchTemplateId: !Ref BottlerocketLaunchTemplate
Version: !GetAtt BottlerocketLaunchTemplate.LatestVersionNumber
Outputs:
InstanceId:
Value: !Ref BottlerocketInstance
Description: Instance Id