
Failing to create cluster

Open SairamKummari opened this issue 3 years ago • 3 comments

Dear all,

I am trying to create a cluster and I am using the below CFN template. I have activated the third-party extension "AWSQS::EKS::Cluster" in the CloudFormation Registry. The role with which I create the CloudFormation stack has full permissions.

Below is the template I use:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SubnetIds:
    Type: "List<AWS::EC2::Subnet::Id>"
    Default: subnet-0f450d06e50xxxxxx,subnet-04fe13c86xxxxxxx,subnet-0a2d821c18xxxxxx
  # SecurityGroupIds:
  #   Type: "List<AWS::EC2::SecurityGroup::Id>"
  #   Default: 
Resources:
  SecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: Security group to allow communication between Worker Nodes and ControlPlane
      SecurityGroupEgress:
        - CidrIp: 10.113.112.0/20
          FromPort: 0
          IpProtocol: tcp
          ToPort: 65535
      SecurityGroupIngress:
        - CidrIp: 10.113.112.0/20
          FromPort: 0
          IpProtocol: tcp
          ToPort: 65535
      VpcId: vpc-xxxxxxxxxxx

  # EKS Cluster
  myCluster:
    Type: "AWSQS::EKS::Cluster"
    Properties:
      Name: 'eks-test-cluster'
      LambdaRoleName: 'arn:aws:iam::<accountId>:role/eks-cluster-resource-provider-iam-ro-ExecutionRole-XV9HL6X4P86N'
      RoleArn: !GetAtt serviceRole.Arn
      # KubernetesNetworkConfig:
      #   ServiceIpv4Cidr: "192.168.0.0/16"
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds: [!Ref SecurityGroup]
        EndpointPrivateAccess: True
        EndpointPublicAccess: False
      EnabledClusterLoggingTypes: ["audit"]
      KubernetesApiAccess:
        Roles:
          - Arn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/some_admin_role"
            Username: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/some_admin_role"
            Groups: ["system:masters"]
      Tags:
        - Key: ClusterName
          Value: myCluster
  serviceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: eks.amazonaws.com }
            Action: sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy'
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy'
```

I receive the below error message: `Resource handler returned message: "ValidationException: status code: 400, request id: a5dd50b6-45ed-4df3-899a-3a670684c1dc" (RequestToken: 3bd292a0-5091-1a0c-6d56-e05748dd22b3, HandlerErrorCode: GeneralServiceException)`

Can someone give me some input as to what is wrong here? Does this extension work for others?

SairamKummari avatar Jul 05 '21 10:07 SairamKummari
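The `ValidationException` above carries no message, so the template has to be checked by hand before the stack is submitted. The following is an added example, not code from the issue author or from the resource provider project: a small offline pre-flight lint over the posted template, transcribed into the JSON-style intrinsic form CloudFormation also accepts (`!Ref` becomes `{"Ref": ...}`, `!GetAtt` becomes `{"Fn::GetAtt": [...]}`, `!Sub` becomes `{"Fn::Sub": ...}`); account, VPC and subnet ids are placeholders. It does not claim to identify the cause of the 400. The checks encode assumptions I hold about the `AWSQS::EKS::Cluster` schema: that `LambdaRoleName` is a bare IAM role name (it sits next to `RoleArn`, which is an ARN) and is what the provider's Lambda uses to reach a cluster whose public endpoint is disabled, plus two general-hygiene checks a reviewer would raise anyway (a `system:masters` mapping and security group rules spanning every TCP port).

```python
"""Offline pre-flight checks for an AWSQS::EKS::Cluster CloudFormation template.

Constructed example: the template from the issue rewritten in the JSON-style
intrinsic form. Account, VPC and subnet ids are placeholders, not real resources.
"""
import re

TEMPLATE = {
    "Resources": {
        "SecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "VpcId": "vpc-0123456789abcdef0",  # placeholder
                "SecurityGroupIngress": [
                    {"CidrIp": "10.113.112.0/20", "IpProtocol": "tcp",
                     "FromPort": 0, "ToPort": 65535}],
                "SecurityGroupEgress": [
                    {"CidrIp": "10.113.112.0/20", "IpProtocol": "tcp",
                     "FromPort": 0, "ToPort": 65535}],
            },
        },
        "myCluster": {
            "Type": "AWSQS::EKS::Cluster",
            "Properties": {
                "Name": "eks-test-cluster",
                # Posted value: a full ARN in a property whose name says "Name".
                "LambdaRoleName": "arn:aws:iam::123456789012:role/"
                                  "eks-cluster-resource-provider-iam-ro-ExecutionRole-XV9HL6X4P86N",
                "RoleArn": {"Fn::GetAtt": ["serviceRole", "Arn"]},
                "ResourcesVpcConfig": {
                    "SubnetIds": {"Ref": "SubnetIds"},
                    "SecurityGroupIds": [{"Ref": "SecurityGroup"}],
                    "EndpointPrivateAccess": True,
                    "EndpointPublicAccess": False,
                },
                "EnabledClusterLoggingTypes": ["audit"],
                "KubernetesApiAccess": {"Roles": [{
                    "Arn": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/some_admin_role"},
                    "Username": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/some_admin_role"},
                    "Groups": ["system:masters"],
                }]},
            },
        },
    }
}

IAM_ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/\S+$")
# The five control-plane log types EKS can ship to CloudWatch.
CONTROL_PLANE_LOGS = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def _show(value):
    """Render a property for a message; an intrinsic shows as its function name."""
    if isinstance(value, dict) and len(value) == 1:
        return "<%s>" % next(iter(value))
    return str(value)


def check_cluster(props):
    """Findings for one AWSQS::EKS::Cluster Properties block."""
    findings = []
    vpc = props.get("ResourcesVpcConfig", {})
    public = vpc.get("EndpointPublicAccess", True)
    private = vpc.get("EndpointPrivateAccess", False)
    lambda_role = props.get("LambdaRoleName")
    if not public and not private:
        findings.append("EndpointPublicAccess and EndpointPrivateAccess are both false: API server unreachable")
    if not public and not lambda_role:
        # Assumption: the provider reaches a private-only endpoint via a VPC-attached Lambda.
        findings.append("private-only endpoint but no LambdaRoleName set")
    if isinstance(lambda_role, str) and IAM_ROLE_ARN.match(lambda_role):
        # Assumption: the schema wants a role *name* here, as the property name suggests.
        findings.append("LambdaRoleName is a full ARN (%s); expected a bare role name" % lambda_role)
    role_arn = props.get("RoleArn")
    if isinstance(role_arn, str) and not IAM_ROLE_ARN.match(role_arn):
        findings.append("RoleArn is not an IAM role ARN: %s" % role_arn)
    access = props.get("KubernetesApiAccess", {})
    for entry in access.get("Roles", []) + access.get("Users", []):
        if "system:masters" in entry.get("Groups", []):
            findings.append("%s is mapped to system:masters (full cluster-admin)" % _show(entry.get("Arn")))
    missing = CONTROL_PLANE_LOGS - set(props.get("EnabledClusterLoggingTypes", []))
    if missing:
        findings.append("control-plane log types not enabled: %s" % ", ".join(sorted(missing)))
    return findings


def check_security_group(props):
    """Flag ingress/egress rules that open the whole TCP port range."""
    findings = []
    for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
        for rule in props.get(direction, []):
            if rule.get("FromPort") == 0 and rule.get("ToPort") == 65535:
                findings.append("%s rule for %s opens every TCP port; scope it to the ports the control plane and nodes actually use"
                                % (direction, rule.get("CidrIp")))
    return findings


CHECKS = {"AWSQS::EKS::Cluster": check_cluster,
          "AWS::EC2::SecurityGroup": check_security_group}


def lint(template):
    """Return [(logical id, finding), ...] for every resource of a checked type."""
    results = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            results.extend((logical_id, f) for f in check(resource.get("Properties", {})))
    return results


if __name__ == "__main__":
    for logical_id, finding in lint(TEMPLATE):
        print("%-14s %s" % (logical_id, finding))
```

Run it against the transcribed template and it reports the ARN-shaped `LambdaRoleName`, the `system:masters` mapping, the four control-plane log types not enabled, and the two all-ports security group rules; replacing `LambdaRoleName` with the bare role name clears the first finding. Whether that is what the API rejected is something only the provider's handler logs (or a reply on the issue) can confirm.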