Updates to access, maintenance, and support policy for official packages:On January 31, 2025 Upbound is updating the access policy for Official Providers
Learn More
upbound/platform-ref-aws@v1.2.0
xeks.aws.platformref.upbound.io

xeks.aws.platformref.upbound.io

xeks.aws.platformref.upbound.io
upbound/platform-ref-aws@v1.2.0xeks.aws.platformref.upbound.io
Type

Composition

Referenced XRD

XEKS

Source Codegithub.com/upbound/platform-ref-aws
Resources (11)

The following resources are composed to implement the referenced Composite Resource Definition (XRD).

Kind
Group
Version

Role

iam.aws.upbound.io
v1beta1

RolePolicyAttachment

iam.aws.upbound.io
v1beta1

Cluster

eks.aws.upbound.io
v1beta1

ClusterAuth

eks.aws.upbound.io
v1beta1

Role

iam.aws.upbound.io
v1beta1

RolePolicyAttachment

iam.aws.upbound.io
v1beta1

RolePolicyAttachment

iam.aws.upbound.io
v1beta1

RolePolicyAttachment

iam.aws.upbound.io
v1beta1

NodeGroup

eks.aws.upbound.io
v1beta1

OpenIDConnectProvider

iam.aws.upbound.io
v1beta1

ProviderConfig

helm.crossplane.io
v1beta1
YAML
kind: Composition
apiVersion: apiextensions.crossplane.io/v1
metadata:
  name: xeks.aws.platformref.upbound.io
  creationTimestamp: null
  labels:
    provider: aws
spec:
  compositeTypeRef:
    apiVersion: aws.platformref.upbound.io/v1alpha1
    kind: XEKS
  resources:
    - name: controlplaneRole
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: Role
        metadata:
          labels:
            role: controlplane
        spec:
          forProvider:
            assumeRolePolicy: |
              {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "eks.amazonaws.com"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRole"
                        ]
                    }
                ]
              }
    - name: clusterRolePolicyAttachment
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: RolePolicyAttachment
        spec:
          forProvider:
            policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
            roleSelector:
              matchControllerRef: true
              matchLabels:
                role: controlplane
    - name: kubernetesCluster
      base:
        apiVersion: eks.aws.upbound.io/v1beta1
        kind: Cluster
        spec:
          forProvider:
            region: us-west-2
            roleArnSelector:
              matchControllerRef: true
              matchLabels:
                role: controlplane
            version: "1.23"
            vpcConfig:
              - endpointPrivateAccess: true
                endpointPublicAccess: true
      patches:
        - fromFieldPath: spec.parameters.securityGroupIds
          toFieldPath: spec.forProvider.vpcConfig[0].securityGroupIds
        - fromFieldPath: spec.parameters.subnetIds
          toFieldPath: spec.forProvider.vpcConfig[0].subnetIds
        - type: ToCompositeFieldPath
          fromFieldPath: status.atProvider.identity[0].oidc[0].issuer
          toFieldPath: status.eks.oidc
          policy:
            fromFieldPath: Optional
    - name: kubernetesClusterAuth
      base:
        apiVersion: eks.aws.upbound.io/v1beta1
        kind: ClusterAuth
        spec:
          forProvider:
            clusterNameSelector:
              matchControllerRef: true
            region: us-west-2
      patches:
        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.writeConnectionSecretToRef.namespace
        - fromFieldPath: metadata.uid
          toFieldPath: spec.writeConnectionSecretToRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-ekscluster"
      connectionDetails:
        - fromConnectionSecretKey: kubeconfig
    - name: nodegroupRole
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: Role
        metadata:
          labels:
            role: nodegroup
        spec:
          forProvider:
            assumeRolePolicy: |
              {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "ec2.amazonaws.com"
                            ]
                        },
                        "Action": [
                            "sts:AssumeRole"
                        ]
                    }
                ]
              }
    - name: workerNodeRolePolicyAttachment
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: RolePolicyAttachment
        spec:
          forProvider:
            policyArn: arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
            roleSelector:
              matchControllerRef: true
              matchLabels:
                role: nodegroup
    - name: cniRolePolicyAttachment
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: RolePolicyAttachment
        spec:
          forProvider:
            policyArn: arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
            roleSelector:
              matchControllerRef: true
              matchLabels:
                role: nodegroup
    - name: containerRegistryRolePolicyAttachment
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: RolePolicyAttachment
        spec:
          forProvider:
            policyArn: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
            roleSelector:
              matchControllerRef: true
              matchLabels:
                role: nodegroup
    - name: nodeGroupPublic
      base:
        apiVersion: eks.aws.upbound.io/v1beta1
        kind: NodeGroup
        spec:
          forProvider:
            clusterNameSelector:
              matchControllerRef: true
            instanceTypes:
              - t3.medium
            nodeRoleArnSelector:
              matchControllerRef: true
              matchLabels:
                role: nodegroup
            region: us-west-2
            scalingConfig:
              - desiredSize: 1
                maxSize: 100
                minSize: 1
            subnetIdSelector:
              matchLabels:
                access: public
      patches:
        - fromFieldPath: spec.parameters.nodes.count
          toFieldPath: spec.forProvider.scalingConfig[0].desiredSize
        - fromFieldPath: spec.parameters.nodes.size
          toFieldPath: spec.forProvider.instanceTypes[0]
          transforms:
            - type: map
              map:
                large: t3.large
                medium: t3.medium
                small: t3.small
        - fromFieldPath: spec.id
          toFieldPath: spec.forProvider.subnetIdSelector.matchLabels[networks.aws.platformref.upbound.io/network-id]
    - name: oidcProvider
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: OpenIDConnectProvider
        spec:
          forProvider:
            clientIdList:
              - sts.amazonaws.com
            thumbprintList:
              - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
      patches:
        - fromFieldPath: status.eks.oidc
          toFieldPath: spec.forProvider.url
          policy:
            fromFieldPath: Required
    - name: providerConfig
      base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: ProviderConfig
        spec:
          credentials:
            secretRef:
              key: kubeconfig
            source: Secret
      patches:
        - fromFieldPath: spec.id
          toFieldPath: metadata.name
        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
          toFieldPath: spec.credentials.secretRef.namespace
        - fromFieldPath: metadata.uid
          toFieldPath: spec.credentials.secretRef.name
          transforms:
            - type: string
              string:
                fmt: "%s-ekscluster"
      readinessChecks:
        - type: None
  writeConnectionSecretsToNamespace: upbound-system
Discover the building blocks for your internal cloud platform.
© 2024 Upbound, Inc.
Solutions