
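AWSTemplateFormatVersion: '2010-09-09'
Description: 'Creates the Systems Manager resources required for EKS Hybrid Nodes and the EKS Hybrid Nodes IAM role'
# Purpose: a single IAM role that EKS Hybrid Nodes obtain through an SSM hybrid
# activation. Trust is limited to the SSM service acting for this account and
# region (confused-deputy guards on the trust policy); permissions are two AWS
# managed policies plus two small inline statements.
#
# Changes versus the plain example worth knowing about:
#   - ARNs are built with ${AWS::Partition} so the stack also deploys unchanged
#     in aws-us-gov / aws-cn; in the commercial partition this resolves to the
#     same 'arn:aws:' prefix as before.
#   - Parameter constraints reject empty values and the two characters ('"' and
#     '\') that would corrupt the JSON inline policy the tag key/value are
#     substituted into.
#   - RoleName and the two Export names are fixed per account/region, so a second
#     stack from this template needs a different RoleName and will still collide
#     on the export names.
Metadata:
  Version:
    Number: "v0.0.5"
Parameters:
  RoleName:
    Type: String
    Description: The role name for the EKS Hybrid Nodes IAM role
    Default: 'AmazonEKSHybridNodesRole'
    # IAM role-name character set and 64-character limit; fail at validation
    # time rather than at CreateRole.
    AllowedPattern: '^[\w+=,.@-]{1,64}$'
    ConstraintDescription: 'Must be 1-64 characters from [A-Za-z0-9_+=,.@-]'
  SSMDeregisterConditionTagKey:
    Type: String
    Description: The resource tag Key to use in the condition for the ssm:DeregisterManagedInstance action
    Default: 'EKSClusterARN'
    # Must be non-empty and free of '"' and '\', which would break the JSON policy
    # document this key is substituted into below.
    AllowedPattern: '^[^"\\]{1,128}$'
    ConstraintDescription: 'Must be 1-128 characters and must not contain double quotes or backslashes'
  SSMDeregisterConditionTagValue:
    Type: String
    Description: The resource tag Value to use in the condition for the ssm:DeregisterManagedInstance action (typically the EKS cluster ARN).
    # No Default on purpose: the value scopes which managed instances this role
    # may deregister. An empty string would not scope the condition as intended,
    # so require a non-empty, JSON-safe value.
    AllowedPattern: '^[^"\\]{1,256}$'
    ConstraintDescription: 'Must be 1-256 characters and must not contain double quotes or backslashes'
Resources:
  EKSHybridNodesRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      # Trust policy: only the SSM service may assume this role, and only when it
      # is acting for this account (aws:SourceAccount) and for an SSM resource in
      # this region/account (aws:SourceArn). Together these block the cross-account
      # confused-deputy path through ssm.amazonaws.com.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'aws:SourceAccount': !Sub '${AWS::AccountId}'
              ArnEquals:
                'aws:SourceArn': !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:*'
      Policies:
        # Written as a JSON string under !Sub because the tag *key* has to appear
        # inside a condition-key name ("ssm:resourceTag/<key>"), which cannot be
        # built with !Sub on a native YAML map key.
        #   - ssm:DescribeInstanceInformation stays on "*"; the Describe API does
        #     not appear to support resource-level scoping (confirm against the
        #     SSM service authorization reference).
        #   - ssm:DeregisterManagedInstance is limited to managed instances in this
        #     region/account that carry the configured tag key/value, so a node
        #     cannot deregister instances belonging to another cluster.
        - PolicyName: EKSHybridSSMPolicy
          PolicyDocument: !Sub
            - |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Effect": "Allow",
                    "Action": "ssm:DescribeInstanceInformation",
                    "Resource": "*"
                  },
                  {
                    "Effect": "Allow",
                    "Action": "ssm:DeregisterManagedInstance",
                    "Resource": "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:managed-instance/*",
                    "Condition": {
                      "StringEquals": {
                        "ssm:resourceTag/${SSMDeregisterConditionTagKey}": "${SSMDeregisterConditionTagValue}"
                      }
                    }
                  }
                ]
              }
            - SSMDeregisterConditionTagKey: !Ref SSMDeregisterConditionTagKey
              SSMDeregisterConditionTagValue: !Ref SSMDeregisterConditionTagValue
        # eks:DescribeCluster on "*" lets a node look up the cluster it joins.
        # When the tag value is the cluster ARN (as the default key name suggests)
        # this could be narrowed to that ARN; left broad here because the key and
        # value are operator-chosen and may not be an ARN.
        - PolicyName: EKSDescribeClusterPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: 'eks:DescribeCluster'
                Resource: '*'
      ManagedPolicyArns:
        # AmazonSSMManagedInstanceCore: agent-side permissions for a hybrid managed
        # instance. NOTE(review): this managed policy is understood to grant
        # ssm:GetParameter/GetParameters on all resources, so any node holding this
        # role can read Parameter Store values in the account; keep secrets out of
        # Parameter Store or protect them with a KMS key this role cannot use, and
        # verify against the current policy document.
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
        # Pull-only ECR access for container images; no push or repository admin.
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly'
Outputs:
  # Export names are fixed strings, so they are unique per account/region.
  EKSHybridNodesRoleName:
    Description: Name of the EKS Hybrid Nodes IAM role
    Value: !Ref EKSHybridNodesRole
    Export:
      Name: EKSHybridNodesRoleSSM
  EKSHybridNodesRoleARN:
    Description: ARN of the EKS Hybrid Nodes IAM role
    Value: !GetAtt EKSHybridNodesRole.Arn
    Export:
      Name: EKSHybridNodesRoleARNSSM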