AWS-CreateEKSClusterWithNodegroup
Description
The AWS-CreateEKSClusterWithNodegroup runbook creates an Amazon Elastic Kubernetes Service
(Amazon EKS) cluster using a node group for capacity.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
-
AutomationAssumeRole
Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
-
ClusterName
Type: String
Description: (Required) A unique name for the cluster.
-
ClusterRoleArn
Type: String
Description: (Required) The ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf.
-
NodegroupName
Type: String
Description: (Required) A unique name for the node group.
-
NodegroupRoleArn
Type: String
Description: (Required) The ARN of the IAM role to associate with your node group. The Amazon EKS worker node kubelet daemon makes calls to AWS APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched.
-
SubnetIds
Type: StringList
Description: (Required) The IDs of the subnets you want to use for your Amazon EKS cluster. Amazon EKS creates elastic network interfaces in these subnets for communication between your nodes and the Kubernetes control plane. You must specify at least two subnet IDs.
-
EKSEndpointPrivateAccess
Type: Boolean
Default: True
Description: (Optional) Set this value to
Trueto allow private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests from within your cluster's VPC use the private VPC endpoint. If you disable private access and you have nodes or AWS Fargate pods in the cluster, then ensure thatpublicAccessCidrsinclude the necessary CIDR blocks for communication with the nodes or Fargate pods. -
EKSEndpointPublicAccess
Type: Boolean
Default: False
Description: (Optional) Set this value to
Falseto disable public access to your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the VPC where it was launched. -
PublicAccessCIDRs
Type: StringList
Description: (Optional) The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. If you've disabled private endpoint access and you have nodes or Fargate pods in the cluster, then ensure that you specify the necessary CIDR blocks.
-
SecurityGroupIds
Type: StringList
Description: (Optional) Specify one or more security groups to associate with the elastic network interfaces created in your account by Amazon EKS.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to
use the runbook successfully.
-
ssm:StartAutomationExecution -
ssm:GetAutomationExecution -
ec2:DescribeSubnets -
eks:CreateCluster -
eks:CreateNodegroup -
eks:DescribeCluster -
eks:DescribeNodegroup -
iam:CreateServiceLinkedRole -
iam:GetRole -
iam:ListAttachedRolePolicies -
iam:PassRole
Document Steps
-
CreateEKSCluster (aws:executeAwsApi) - Creates an Amazon EKS cluster.
-
VerifyEKSClusterIsActive (aws:waitForAwsResourceProperty) - Verifies the cluster state is
ACTIVE. -
CreateNodegroup (aws:executeAwsApi) - Creates a node group for the cluster.
-
VerifyNodegroupIsActive (aws:waitForAwsResourceProperty) - Verifies the node group state is
ACTIVE.
Outputs
-
CreateEKSCluster.CreateClusterResponse: Response received from theCreateClusterAPI call. -
CreateNodegroup.CreateNodegroupResponse: Response received from theCreateNodegroupAPI call.
