Initial commit from kro/examples/aws/eks-cluster-mgmt

charts/kro/resource-groups/eks/rg-eks-basic.yaml

@@ -0,0 +1,342 @@
+# yamllint disable rule:line-length
+---
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+  name: eksclusterbasic.kro.run
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: EksClusterBasic
+    spec:
+      name: string
+      tenant: string
+      environment: string
+      region: string
+      accountId: string
+      managementAccountId: string
+      k8sVersion: string
+      adminRoleName: string
+      fleetSecretManagerSecretNameSuffix: string
+      domainName: string
+      aws_partition: string | default="aws"
+      aws_dns_suffix: string | default="amazonaws.com"
+      network:
+        vpcID: string
+        subnets:
+          controlplane:
+            subnet1ID: string
+            subnet2ID: string
+          workers:
+            subnet1ID: string
+            subnet2ID: string
+      workloads: string # Define if we want to deploy workloads application
+      gitops:
+        addonsRepoBasePath: string
+        addonsRepoPath: string
+        addonsRepoRevision: string
+        addonsRepoUrl: string
+        fleetRepoBasePath: string
+        fleetRepoPath: string
+        fleetRepoRevision: string
+        fleetRepoUrl: string
+      addons:
+        enable_external_secrets: string
+        external_secrets_namespace: string
+        external_secrets_service_account: string
+    status:
+      clusterARN: ${ekscluster.status.ackResourceMetadata.arn}
+      cdata: ${ekscluster.status.certificateAuthority.data}
+      endpoint: ${ekscluster.status.endpoint}
+      clusterState: ${ekscluster.status.status}
+
+
+  resources:
+
+    ###########################################################
+    # EKS Cluster
+    ###########################################################
+    - id: clusterRole
+      template:
+        apiVersion: iam.services.k8s.aws/v1alpha1
+        kind: Role
+        metadata:
+          namespace: "${schema.spec.name}"
+          name: "${schema.spec.name}-cluster-role"
+          annotations:
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          name: "${schema.spec.name}-cluster-role"
+          policies:
+            - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+            - arn:aws:iam::aws:policy/AmazonEKSComputePolicy
+            - arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy
+            - arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy
+            - arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy
+          assumeRolePolicyDocument: |
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Principal": {
+                    "Service": "eks.amazonaws.com"
+                  },
+                  "Action": [
+                    "sts:AssumeRole",
+                    "sts:TagSession"
+                  ]
+                }
+              ]
+            }
+    - id: nodeRole
+      template:
+        apiVersion: iam.services.k8s.aws/v1alpha1
+        kind: Role
+        metadata:
+          namespace: "${schema.spec.name}"
+          name: "${schema.spec.name}-cluster-node-role"
+          annotations:
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          name: "${schema.spec.name}-cluster-node-role"
+          policies:
+            - arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy
+            - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
+            - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
+            - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
+          assumeRolePolicyDocument: |
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Principal": {
+                    "Service": "ec2.amazonaws.com"
+                  },
+                  "Action": [
+                    "sts:AssumeRole",
+                    "sts:TagSession"
+                  ]
+                }
+              ]
+            }
+    # https://aws-controllers-k8s.github.io/community/reference/eks/v1alpha1/cluster/
+    - id: ekscluster
+      readyWhen:
+        - ${ekscluster.status.status == "ACTIVE"}
+      template:
+        apiVersion: eks.services.k8s.aws/v1alpha1
+        kind: Cluster
+        metadata:
+          namespace: "${schema.spec.name}"
+          name: "${schema.spec.name}"
+          # implicit dependencies with roles
+          annotations:
+            clusterRoleArn: "${clusterRole.status.ackResourceMetadata.arn}"
+            nodeRoleArn: "${nodeRole.status.ackResourceMetadata.arn}"
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          name: "${schema.spec.name}"
+          roleARN: "${clusterRole.status.ackResourceMetadata.arn}"
+          version: "${schema.spec.k8sVersion}"
+          accessConfig:
+            authenticationMode: "API_AND_CONFIG_MAP"
+            bootstrapClusterCreatorAdminPermissions: true
+          computeConfig:
+            enabled: true
+            nodeRoleARN: ${nodeRole.status.ackResourceMetadata.arn}
+            nodePools:
+              - system
+              - general-purpose
+          kubernetesNetworkConfig:
+            ipFamily: ipv4
+            elasticLoadBalancing:
+              enabled: true
+          logging: 
+            clusterLogging:
+            - enabled: true
+              types:
+              - api
+              - audit
+              - authenticator
+              - controllerManager
+              - scheduler
+          storageConfig:
+            blockStorage:
+              enabled: true
+          resourcesVPCConfig:
+            endpointPrivateAccess: true
+            endpointPublicAccess: true
+            subnetIDs:
+              - ${schema.spec.network.subnets.controlplane.subnet1ID}
+              - ${schema.spec.network.subnets.controlplane.subnet2ID}
+          zonalShiftConfig: 
+            enabled: true
+          tags: 
+            kro-management: ${schema.spec.name}
+            tenant: ${schema.spec.tenant}
+            environment: ${schema.spec.environment}
+
+    - id: podIdentityAddon
+      template:
+        apiVersion: eks.services.k8s.aws/v1alpha1
+        kind: Addon
+        metadata:
+          name: eks-pod-identity-agent
+          namespace: "${schema.spec.name}"
+          annotations:
+            clusterArn: "${ekscluster.status.ackResourceMetadata.arn}"
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          name: eks-pod-identity-agent
+          addonVersion: v1.3.4-eksbuild.1
+          clusterName: "${schema.spec.name}"
+
+    ###########################################################
+    # ArgoCD Integration
+    ###########################################################
+    - id: argocdSecret
+      template:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: "${schema.spec.name}"
+          namespace: argocd
+          labels:
+            argocd.argoproj.io/secret-type: cluster
+            # Compatible fleet-management
+            fleet_member: spoke
+            tenant: "${schema.spec.tenant}"
+            environment: "${schema.spec.environment}"
+            aws_cluster_name: "${schema.spec.name}"
+            workloads: "${schema.spec.workloads}"
+            #using : useSelector: true for centralized mode
+
+            enable_external_secrets: "${schema.spec.addons.enable_external_secrets}"
+
+          annotations:
+            # GitOps Bridge
+            accountId: "${schema.spec.accountId}"
+            aws_account_id: "${schema.spec.accountId}"
+            region: "${schema.spec.region}"
+            aws_region: "${schema.spec.region}"
+            aws_central_region: "${schema.spec.region}"   # used in fleet-management gitops
+            oidcProvider: "${ekscluster.status.identity.oidc.issuer}"
+            aws_cluster_name: "${schema.spec.name}"
+            aws_vpc_id: "${schema.spec.network.vpcID}"
+            # GitOps Configuration
+            addons_repo_basepath: "${schema.spec.gitops.addonsRepoBasePath}"
+            addons_repo_path: "${schema.spec.gitops.addonsRepoPath}"
+            addons_repo_revision: "${schema.spec.gitops.addonsRepoRevision}"
+            addons_repo_url: "${schema.spec.gitops.addonsRepoUrl}"
+            fleet_repo_basepath: "${schema.spec.gitops.fleetRepoBasePath}"
+            fleet_repo_path: "${schema.spec.gitops.fleetRepoPath}"
+            fleet_repo_revision: "${schema.spec.gitops.fleetRepoRevision}"
+            fleet_repo_url: "${schema.spec.gitops.fleetRepoUrl}"
+            # Generic
+            external_secrets_namespace: "${schema.spec.addons.external_secrets_namespace}"
+            external_secrets_service_account: "${schema.spec.addons.external_secrets_service_account}"
+
+            access_entry_arn: "${accessEntry.status.ackResourceMetadata.arn}"
+        type: Opaque
+        # TODO bug in KRO, it always see some drifts..
+        stringData:
+          name: "${schema.spec.name}"
+          server: "${ekscluster.status.ackResourceMetadata.arn}"
+          project: "default"
+    - id: accessEntry
+      readyWhen:
+      - ${accessEntry.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")} #check on ACK condition
+      template:
+        apiVersion: eks.services.k8s.aws/v1alpha1
+        kind: AccessEntry
+        metadata:
+          namespace: "${schema.spec.name}"
+          name: "${schema.spec.name}-access-entry"
+          annotations:
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          clusterName: "${schema.spec.name}"
+          accessPolicies:
+            - accessScope:
+                type: "cluster"
+              policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          principalARN: "arn:aws:iam::${schema.spec.managementAccountId}:role/hub-cluster-argocd-controller"          
+          type: STANDARD
+
+    - id: accessEntryAdmin
+      template:
+        apiVersion: eks.services.k8s.aws/v1alpha1
+        kind: AccessEntry
+        metadata:
+          namespace: "${schema.spec.name}"
+          name: "${schema.spec.name}-access-entry-admin"
+          annotations:
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          clusterName: "${schema.spec.name}"
+          accessPolicies:
+            - accessScope:
+                type: "cluster"
+              policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          principalARN: "arn:aws:iam::${schema.spec.accountId}:role/${schema.spec.adminRoleName}"
+          type: STANDARD
+
+
+    ###########################################################
+    # External Secrets AddOn Pod Identity
+    ###########################################################
+    - id: externalSecretsRole
+      template:
+        apiVersion: iam.services.k8s.aws/v1alpha1
+        kind: Role
+        metadata:
+          namespace: "${schema.spec.name}"
+          name: "${schema.spec.name}-external-secrets-role"
+          annotations:
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          name: "${schema.spec.name}-external-secrets-role"
+          policies:
+            - arn:aws:iam::aws:policy/SecretsManagerReadWrite
+          assumeRolePolicyDocument: |
+            {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Principal": {
+                    "Service": "pods.eks.amazonaws.com"
+                  },
+                  "Action": [
+                    "sts:AssumeRole",
+                    "sts:TagSession"
+                  ]
+                }
+              ]
+            }
+    - id: externalSecretsPodIdentityAssociation
+      readyWhen:
+      - ${externalSecretsPodIdentityAssociation.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")} #check on ACK condition
+      template:
+        apiVersion: eks.services.k8s.aws/v1alpha1
+        kind: PodIdentityAssociation
+        metadata:
+          name: "${schema.spec.name}-external-secrets"
+          namespace: "${schema.spec.name}"
+          annotations:
+            services.k8s.aws/region: ${schema.spec.region}
+        spec:
+          clusterName: "${schema.spec.name}"
+          namespace: argocd
+          roleARN: "${externalSecretsRole.status.ackResourceMetadata.arn}"
+          serviceAccount: external-secrets-sa
+          tags:
+            environment: "${schema.spec.environment}"
+            managedBy: ACK
+            application: external-secrets
+

charts/kro/resource-groups/eks/rg-eks.yaml

@@ -0,0 +1,175 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+  name: ekscluster.kro.run
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: EksCluster
+    spec:
+      name: string
+      tenant: string | default="auto1"
+      environment: string | default="staging"
+      region: string | default="us-west-2"
+      k8sVersion: string | default="1.34"
+      accountId: string
+      managementAccountId: string
+      adminRoleName: string | default="Admin"
+      fleetSecretManagerSecretNameSuffix: string | default="argocd-secret"
+      domainName: string | default="cluster.example.com"
+      vpc:
+        create: boolean | default=true
+        vpcCidr: string | default="10.0.0.0/16"
+        publicSubnet1Cidr: string | default="10.0.1.0/24"
+        publicSubnet2Cidr: string | default="10.0.2.0/24"
+        privateSubnet1Cidr: string | default="10.0.11.0/24"
+        privateSubnet2Cidr: string | default="10.0.12.0/24"
+        vpcId: string | default=""
+        publicSubnet1Id: string | default=""
+        publicSubnet2Id: string | default=""
+        privateSubnet1Id: string | default=""
+        privateSubnet2Id: string | default=""
+      workloads: string | default="false" # Define if we want to deploy workloads application
+      gitops:
+        addonsRepoBasePath: string | default="addons/"
+        addonsRepoPath: string | default="bootstrap"
+        addonsRepoRevision: string | default="main"
+        addonsRepoUrl: string | default="https://github.com/allamand/eks-cluster-mgmt"
+
+        fleetRepoBasePath: string | default="fleet/"
+        fleetRepoPath: string | default="bootstrap"
+        fleetRepoRevision: string | default="main"
+        fleetRepoUrl: string | default="https://github.com/allamand/eks-cluster-mgmt"
+
+      addons:
+
+        enable_external_secrets: string | default="true"
+        external_secrets_namespace: string | default="external-secrets"
+        external_secrets_service_account: string | default="external-secrets-sa"
+
+  resources:
+  - id: vpc
+    includeWhen:
+      - ${schema.spec.vpc.create}
+    readyWhen:
+    - ${vpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions
+    template:
+      apiVersion: kro.run/v1alpha1
+      kind: Vpc
+      metadata:
+        name: ${schema.spec.name}
+        namespace: ${schema.spec.name}
+        labels:
+          app.kubernetes.io/instance: ${schema.spec.name}
+        annotations:
+          argocd.argoproj.io/tracking-id: clusters:kro.run/Vpc:${schema.spec.name}/${schema.spec.name}
+      spec:
+        name: ${schema.spec.name}
+        region: ${schema.spec.region}
+        cidr:
+          vpcCidr: ${schema.spec.vpc.vpcCidr}
+          publicSubnet1Cidr: ${schema.spec.vpc.publicSubnet1Cidr}
+          publicSubnet2Cidr: ${schema.spec.vpc.publicSubnet2Cidr}
+          privateSubnet1Cidr: ${schema.spec.vpc.privateSubnet1Cidr}
+          privateSubnet2Cidr: ${schema.spec.vpc.privateSubnet2Cidr}
+  - id: eksWithVpc
+    includeWhen:
+      - ${schema.spec.vpc.create}
+    readyWhen:
+      - ${eksWithVpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions
+    template:
+      apiVersion: kro.run/v1alpha1
+      kind: EksClusterBasic
+      metadata:
+        name: ${schema.spec.name}
+        namespace: ${schema.spec.name}
+        labels:
+          app.kubernetes.io/instance: ${schema.spec.name}
+        annotations:
+          argocd.argoproj.io/tracking-id: clusters:kro.run/EksCluster:${schema.spec.name}/${schema.spec.name}
+      spec:
+        name: ${schema.spec.name}
+        tenant: ${schema.spec.tenant}
+        environment: ${schema.spec.environment}
+        region: ${schema.spec.region}
+        accountId: ${schema.spec.accountId}
+        managementAccountId: ${schema.spec.managementAccountId}
+        k8sVersion: ${schema.spec.k8sVersion}
+        adminRoleName: ${schema.spec.adminRoleName}
+        fleetSecretManagerSecretNameSuffix: ${schema.spec.fleetSecretManagerSecretNameSuffix}
+        domainName: ${schema.spec.domainName}
+        network:
+          vpcID: "${vpc.status.vpcID}"
+          subnets:
+            controlplane:
+              subnet1ID: "${vpc.status.privateSubnet1ID}"
+              subnet2ID: "${vpc.status.privateSubnet2ID}"
+            workers:
+              subnet1ID: "${vpc.status.privateSubnet1ID}"
+              subnet2ID: "${vpc.status.privateSubnet2ID}"
+        workloads: ${schema.spec.workloads}
+        gitops:
+          addonsRepoBasePath: ${schema.spec.gitops.addonsRepoBasePath}
+          addonsRepoPath: ${schema.spec.gitops.addonsRepoPath}
+          addonsRepoRevision: ${schema.spec.gitops.addonsRepoRevision}
+          addonsRepoUrl: ${schema.spec.gitops.addonsRepoUrl}
+          fleetRepoBasePath: ${schema.spec.gitops.fleetRepoBasePath}
+          fleetRepoPath: ${schema.spec.gitops.fleetRepoPath}
+          fleetRepoRevision: ${schema.spec.gitops.fleetRepoRevision}
+          fleetRepoUrl: ${schema.spec.gitops.fleetRepoUrl}
+        addons:
+          enable_external_secrets: ${schema.spec.addons.enable_external_secrets}
+          external_secrets_namespace: ${schema.spec.addons.external_secrets_namespace}
+          external_secrets_service_account: ${schema.spec.addons.external_secrets_service_account}
+  - id: eksExistingVpc
+    includeWhen:
+      - ${!schema.spec.vpc.create}
+    readyWhen:
+      - ${eksExistingVpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions
+    template:
+      apiVersion: kro.run/v1alpha1
+      kind: EksClusterBasic
+      metadata:
+        name: ${schema.spec.name}
+        namespace: ${schema.spec.name}
+        labels:
+          app.kubernetes.io/instance: ${schema.spec.name}
+        annotations:
+          argocd.argoproj.io/tracking-id: clusters:kro.run/EksCluster:${schema.spec.name}/${schema.spec.name}
+      spec:
+        name: ${schema.spec.name}
+        tenant: ${schema.spec.tenant}
+        environment: ${schema.spec.environment}
+        region: ${schema.spec.region}
+        accountId: ${schema.spec.accountId}
+        managementAccountId: ${schema.spec.managementAccountId}
+        k8sVersion: ${schema.spec.k8sVersion}
+        adminRoleName: ${schema.spec.adminRoleName}
+        fleetSecretManagerSecretNameSuffix: ${schema.spec.fleetSecretManagerSecretNameSuffix}
+        domainName: ${schema.spec.domainName}
+        network:
+          vpcID: "${schema.spec.vpc.vpcId}"
+          subnets:
+            controlplane:
+              subnet1ID: "${schema.spec.vpc.privateSubnet1Id}"
+              subnet2ID: "${schema.spec.vpc.privateSubnet2Id}"
+            workers:
+              subnet1ID: "${schema.spec.vpc.privateSubnet1Id}"
+              subnet2ID: "${schema.spec.vpc.privateSubnet2Id}"
+        workloads: ${schema.spec.workloads}
+        gitops:
+          addonsRepoBasePath: ${schema.spec.gitops.addonsRepoBasePath}
+          addonsRepoPath: ${schema.spec.gitops.addonsRepoPath}
+          addonsRepoRevision: ${schema.spec.gitops.addonsRepoRevision}
+          addonsRepoUrl: ${schema.spec.gitops.addonsRepoUrl}
+          fleetRepoBasePath: ${schema.spec.gitops.fleetRepoBasePath}
+          fleetRepoPath: ${schema.spec.gitops.fleetRepoPath}
+          fleetRepoRevision: ${schema.spec.gitops.fleetRepoRevision}
+          fleetRepoUrl: ${schema.spec.gitops.fleetRepoUrl}
+        addons:
+          enable_external_secrets: ${schema.spec.addons.enable_external_secrets}
+          external_secrets_namespace: ${schema.spec.addons.external_secrets_namespace}
+          external_secrets_service_account: ${schema.spec.addons.external_secrets_service_account}

charts/kro/resource-groups/eks/rg-vpc.yaml

@@ -0,0 +1,247 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+  name: vpc.kro.run
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: Vpc
+    spec:
+      name: string
+      region: string
+      cidr:
+        vpcCidr: string | default="10.0.0.0/16"
+        publicSubnet1Cidr: string | default="10.0.1.0/24"
+        publicSubnet2Cidr: string | default="10.0.2.0/24"
+        privateSubnet1Cidr: string | default="10.0.11.0/24"
+        privateSubnet2Cidr: string | default="10.0.12.0/24"
+    status:
+      vpcID: ${vpc.status.vpcID}
+      publicSubnet1ID: ${publicSubnet1.status.subnetID}
+      publicSubnet2ID: ${publicSubnet2.status.subnetID}
+      privateSubnet1ID: ${privateSubnet1.status.subnetID}
+      privateSubnet2ID: ${privateSubnet2.status.subnetID}
+  resources: # how to publish a field in the RG claim e.g. vpcID
+  - id: vpc
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: VPC
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-vpc
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        cidrBlocks: 
+        - ${schema.spec.cidr.vpcCidr}
+        enableDNSSupport: true
+        enableDNSHostnames: true
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-vpc
+  - id: internetGateway
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: InternetGateway
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-igw
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        vpc: ${vpc.status.vpcID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-igw
+  - id: natGateway1
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: NATGateway
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-nat-gateway1
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        subnetID: ${publicSubnet1.status.subnetID}
+        allocationID: ${eip1.status.allocationID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-nat-gateway1
+  - id: natGateway2
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: NATGateway
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-nat-gateway2
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        subnetID: ${publicSubnet2.status.subnetID}
+        allocationID: ${eip2.status.allocationID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-nat-gateway2
+  - id: eip1
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: ElasticIPAddress
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-eip1
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-eip1
+  - id: eip2
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: ElasticIPAddress
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-eip2
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-eip2
+  - id: publicRoutetable
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: RouteTable
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-public-routetable
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        vpcID: ${vpc.status.vpcID}
+        routes:
+        - destinationCIDRBlock: 0.0.0.0/0
+          gatewayID: ${internetGateway.status.internetGatewayID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-public-routetable
+  - id: privateRoutetable1
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: RouteTable
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-private-routetable1
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        vpcID: ${vpc.status.vpcID}
+        routes:
+        - destinationCIDRBlock: 0.0.0.0/0
+          natGatewayID: ${natGateway1.status.natGatewayID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-private-routetable1
+  - id: privateRoutetable2
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: RouteTable
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-private-routetable2
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        vpcID: ${vpc.status.vpcID}
+        routes:
+        - destinationCIDRBlock: 0.0.0.0/0
+          natGatewayID: ${natGateway2.status.natGatewayID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-private-routetable2
+  - id: publicSubnet1
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: Subnet
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-public-subnet1
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        availabilityZone: ${schema.spec.region}a
+        cidrBlock: ${schema.spec.cidr.publicSubnet1Cidr}
+        mapPublicIPOnLaunch: true
+        vpcID: ${vpc.status.vpcID}
+        routeTables:
+        - ${publicRoutetable.status.routeTableID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-public-subnet1
+          - key: kubernetes.io/role/elb
+            value: '1'
+  - id: publicSubnet2
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: Subnet
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-public-subnet2
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        availabilityZone: ${schema.spec.region}b
+        cidrBlock: ${schema.spec.cidr.publicSubnet2Cidr}
+        mapPublicIPOnLaunch: true
+        vpcID: ${vpc.status.vpcID}
+        routeTables:
+        - ${publicRoutetable.status.routeTableID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-public-subnet2
+          - key: kubernetes.io/role/elb
+            value: '1'
+  - id: privateSubnet1
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: Subnet
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-private-subnet1
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        availabilityZone: ${schema.spec.region}a
+        cidrBlock: ${schema.spec.cidr.privateSubnet1Cidr}
+        vpcID: ${vpc.status.vpcID}
+        routeTables:
+        - ${privateRoutetable1.status.routeTableID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-private-subnet1
+          - key: kubernetes.io/role/internal-elb
+            value: '1'
+  - id: privateSubnet2
+    template:
+      apiVersion: ec2.services.k8s.aws/v1alpha1
+      kind: Subnet
+      metadata:
+        namespace: ${schema.spec.name}
+        name: ${schema.spec.name}-private-subnet2
+        annotations:
+          services.k8s.aws/region: ${schema.spec.region}
+      spec:
+        availabilityZone: ${schema.spec.region}b
+        cidrBlock: ${schema.spec.cidr.privateSubnet2Cidr}
+        vpcID: ${vpc.status.vpcID}
+        routeTables:
+        - ${privateRoutetable2.status.routeTableID}
+        tags:
+          - key: "Name"
+            value: ${schema.spec.name}-private-subnet2
+          - key: kubernetes.io/role/internal-elb
+            value: '1'