The product described by this documentation, Anthos Clusters on AWS (previous generation), is now in maintenance mode. All new installs must use the current generation product, Anthos clusters on AWS.

AWSManagementService

The AWSManagementServiceresource contains configuration information for your GKE on AWS management service.

You configure a YAML file named anthos-gke.yaml before creating your management service. The anthos-gke tool uses the configuration when creating your management service.

The contents of your anthos-gke.yaml file depend on if you use anthos-gke to create a dedicated AWS Virtual Private Cloud (VPC) for you, or if you use an existing AWS VPC.

Dedicated VPC

apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: ANTHOS_CLI_VERSION
  region: AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - ADMIN_AWS_IAM_ARN
  kmsKeyARN: KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: KMS_KEY_ARN
  googleCloud:
    projectID: GCP_PROJECT_ID
    serviceAccountKeys:
      managementService: MANAGEMENT_KEY_PATH
      connectAgent: CONNECT_KEY_PATH
      node: NODE_KEY_PATH
  iam:
      permissionsBoundary: IAM_PERMISSIONS_BOUNDARY
      path: IAM_PATH
  dedicatedVPC:
    vpcCIDRBlock: VPC_CIDR_BLOCK
    availabilityZones:
    - ZONE_1
    - ZONE_2
    - ZONE_3
    privateSubnetCIDRBlocks:
    - PRIVATE_CIDR_BLOCK_1
    - PRIVATE_CIDR_BLOCK_2
    - PRIVATE_CIDR_BLOCK_3
    publicSubnetCIDRBlocks:
    - PUBLIC_CIDR_BLOCK_1
    - PUBLIC_CIDR_BLOCK_2
    - PUBLIC_CIDR_BLOCK_3
  # Optional section
  rootVolume:
    volumeType: ROOT_VOLUME_TYPE
    iops: ROOT_VOLUME_IOPS
    kmsKeyARN: ROOT_VOLUME_KEY
  dataVolume:
    volumeType: DATA_VOLUME_TYPE
    iops: DATA_VOLUME_IOPS
    kmsKeyARN: DATA_VOLUME_KEY
  tags:
    tag-name: tag-value
  bastionHost:
    allowedSSHCIDRBlocks:
    - SSH_CIDR_BLOCK
    rootVolume:
      volumeType: ROOT_VOLUME_TYPE
      iops: ROOT_VOLUME_IOPS
      kmsKeyARN: ROOT_VOLUME_KEY
  bootstrapS3Bucket: BOOTSTRAP_S3_BUCKET
  proxy: PROXY_JSON_FILE
  terraform:
    invokeManually: No
    stateGCSBucket: GCS_BUCKET_NAME

Existing VPC

apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: ANTHOS_CLI_VERSION
  region: AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - ADMIN_AWS_IAM_ARN
  kmsKeyARN: KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: KMS_KEY_ARN
  securityGroupIDs:
    - SECURITY_GROUP_IDS
  googleCloud:
    projectID: GCP_PROJECT_ID
    serviceAccountKeys:
      managementService: MANAGEMENT_KEY_PATH
      connectAgent: CONNECT_KEY_PATH
      node: NODE_KEY_PATH
  iam:
      permissionsBoundary: IAM_PERMISSIONS_BOUNDARY
      path: IAM_PATH
  existingVPC:
    subnetID: [MANAGEMENT_SUBNET_ID]
    allowedSSHSecurityGroupIDs: [SSH_SECURITY_GROUPS]
  # Optional fields
  rootVolume:
    volumeType: ROOT_VOLUME_TYPE
    iops: ROOT_VOLUME_IOPS
    kmsKeyARN: ROOT_VOLUME_KEY
  dataVolume:
    volumeType: DATA_VOLUME_TYPE
    iops: DATA_VOLUME_IOPS
    kmsKeyARN: DATA_VOLUME_KEY
  ubuntuRepositoryMirror: 'packages.cloud.google.com'
  bastionHost:
    subnetID: [BASTION_HOST_SUBNET_ID]
    allowedSSHCIDRBlocks:
    - [SSH_CIDR_BLOCK]
    rootVolume:
      volumeType: ROOT_VOLUME_TYPE
      iops: ROOT_VOLUME_IOPS
      kmsKeyARN: ROOT_VOLUME_KEY
  bootstrapS3Bucket: BOOTSTRAP_S3_BUCKET
  tags:
    tag-name: tag-value
  proxy: PROXY_JSON_FILE
  terraform:
    invokeManually: No
    stateGCSBucket: GCS_BUCKET_NAME

The following sections describe these fields.

`spec.version`

The value of spec.version is the version of the management service anthos- gke creates. The version matches the output of anthos-gke version. For example, aws-1.14.1-gke.0.

`spec.region`

The value of spec.region is the AWS region where you want to deploy the management service. For example, us-east-1.

`spec.authentication.awsIAM`

The value of spec.authentication.awsIAM.adminIdentityARNs is a string with the Amazon resource name (ARN) of an AWS IAM user with permissions to create a GKE on AWS management service. For example, arn:aws:iam::123456789:user/someuser.

`spec.kmsKeyARN`

The value of spec.kmsKeyARN is a string with the Amazon resource name (ARN) or alias of the AWS KMS key created in Prerequisites. GKE on AWS uses the key for envelope encryption. For example, arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.

`spec.databaseEncryption`

The value of spec.databaseEncryption.kmsKeyARN is a string with the Amazon resource name (ARN) or key alias of the AWS KMS key that GKE on AWS uses to encrypt application-layer secrets in clusters. For example, arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.

`spec.securityGroupIDs`

The value of spec.securityGroupIDs is a list of additional AWS security group IDs assigned to the management service VM. For example [sg-00123456789abcd, sg-00123456789def1]`.

`spec.dedicatedVPC`

This field represents the desired VPC settings.

Name	Description	Type	Example
vpcCIDRBlock	The CIDR block of your desired AWS VPC. Must be between /16 and /28 bits.	`string`	10.0.0.0/16
availabilityZones	Availability zones to deploy control plane replicas in. Each zone will have its own subnet and needs a separate CIDR block.	`list(string)`	[us-east-1a, us-east-1b]
privateSubnetCIDRBlocks	CIDR block for private subnets within the VPC in each availability zone. Needs to be a subset of `vpcCIDRBlock`. You need to have one subnet per availability zone.	`list(string)`	[10.0.101.0/24, 10.0.102.0/24]
publicSubnetCIDRBlocks	CIDR block for public subnets within the VPC in each availability zone. Needs to be a subset of `vpcCIDRBlock`. You need to have one subnet per availability zone.	`list(string)`	[10.0.1.0/24, 10.0.2.0/24]
bastionAllowedSSHCIDRBlocks	CIDR blocks to allow inbound SSH access from. This field is deprecated in GKE on AWS 1.5. Use `spec.bastionHost` in version 1.5 or higher.	`string`	[104.132.0.0/14]

`spec.existingVPC`

Fields under spec.existingVPC configure GKE on AWS to use an existing AWS VPC.

Name	Description	Type	Example
subnetID	Subnet ID where the management service runs.	`string`	subnet-00123456789ab
allowedSSHSecurityGroupIDs	List of security group IDs allowed SSH access within the VPC.	list(string)	[sg-00123456789abcd, sg-00123456789def1]

`spec.googleCloud`

Fields under spec.googleCloud configure your Google Cloud project and IAM service account keys.

Name	Description	Type	Example
projectID	Google Cloud Google Cloud project.	`string`	`my-gcp-project-id`
serviceAccountKeys	File paths to the service account keys.	serviceAccountKeys

`spec.googleCloud.serviceAccountKeys`

Fields under spec.googleCloud.serviceAccountKeys include local file paths to the GCP service account keys. See Prerequisites for detailed descriptions of each key.

Name	Description	Type	Example
`managementService`	Service account key used by the management cluster	string	`path/to/key/management-sa-key.json`
`connectAgent`	Service account key used by the GKE Hub Connect Agent	string	`path/to/key/hub-sa-key.json`
`node`	Service account key used by the nodes	string	`path/to/key/node-sa-key.json`

`spec.iam`

Fields under spec.iam configure optional AWS IAM parameters for your GKE on AWS environment.

Name	Description	Type	Example
permissionsBoundary	ARN of the Permissions boundaries for IAM roles	`string`	`arn:aws:iam::126285863215:policy/testPolicyBoundary`
path	Path to the IAM role	`string`	`/org_abc/team_abc/member_abc/`

`spec.bastionHost`

The spec.bastionHost section is optional and describes a bastion host.

A bastion host is an EC2 instance placed in a public subnet. It allows inbound SSH access from a specified CIDR block and has outbound SSH access into your GKE on AWS management service and user clusters.

You can create a bastion host for either dedicatedVPC or existingVPC installations. The allowedSSHCIDRBlocks field specifies the inbound range of addresses allowed, and must be non-empty.

If a bastion host does not exist, GKE on AWS creates a new bastion host.

For a dedicatedVPC installation, the GKE on AWS creates a subnet.
For an existingVPC installation, you need to provide a subnet for the bastion host and ensure that this subnet has connectivity into your VPC.

You can modify your bastion host by changing or deleting the spec.bastionHost field and running anthos-gke aws management init, followed by anthos-gke aws management apply.

Name	Description	Type	Example
subnetID	The ID of the subnet where the bastion host runs. For `existingVPC` installations, the subnet must allow ingress from where you will access it on port 22. Also, make sure your VPC allows inbound access from this subnet. For `dedicatedVPC` installations, do not specify this field. GKE on AWS will provision the subnet with the required access.	string	subnet-003bdf7b0f5e21e45
allowedSSHCIDRBlocks	CIDR blocks to allow inbound SSH access from.	`list(string)`	[104.132.0.0/14]
rootVolume	An object describing the bastion host's root volume.	`object`	`{volumeType: gp2}`

spec.rootVolume, spec.dataVolume, and spec.bastionHost.rootVolume

These following table describes common fields for the following objects:

spec.rootVolume, for control plane root disk volumes
spec.dataVolume, for control plane data disk volumes
spec.bastionHost.rootVolume, for bastion host root disk volumes

Name	Description	Type	Example	Required
volumeType	The node's AWS EBS volume type. Can be `gp2` (default) or `gp3`.	`string`	`gp2`	no
iops	The amount of provisioned IO operations per second (IOPS) for volumes. Only valid when `volumeType` is `GP3`. For more information, see General Purpose SSD volumes (gp3).	`integer`	`5000`	no
kmsKeyARN	The ARN of the AWS KMS key used to encrypt the EBS volume. For more information, see Using a customer managed CMK to encrypt volumes.	`string`	`arn:aws:kms:us-west-1:123456789:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`	no

`spec.tags`

Name	Description	Type	Example
tags	Optional key/value metadata assigned to each AWS resource supporting the management service.	`map(string)`	{Environment: Production, Team: Analytics}

`spec.proxy`

The spec.proxy field configures an optional HTTP/HTTPS proxy.

Name	Description	Type	Example
proxy	Path to proxy configuration file.	Relative path from `anthos-gke.yaml`	`proxy.json`

`spec.bootstrapS3Bucket`

The spec.bootstrapS3Bucket field configures an S3 bucket name for GKE on AWS .

Name	Description	Type	Example
bootstrapS3Bucket	Optional field for the AWS S3 bucket name where GKE on AWS stores configuration information. If you want to create multiple GKE on AWS management services in the same AWS region, set this value to a unique bucket name.	`string`	`example-s3-bucket`

`spec.terraform`

The spec.terraform.invokeManually field configures the anthos-gke command to not create a management service.

Name	Description	Type	Example
invokeManually	Optional field that configures the `anthos-gke` command-line tool not to create a management service after building and validating your configuration. If you set `invokeManually` to `Yes`, you can edit and apply the Terraform configuration files manually.	`Yes`, `No`	`Yes`
stateGCSBucket	Optional field that specifies a pre-existing Google Cloud Storage bucket for Terraform to store its configuration data.	`string`	`example-GCS-bucket`