fincd-aws · August 30, 2020 17:40
diff --git a/windows-eks-launchtemplate.cfn.template.yaml b/windows-eks-launchtemplate.cfn.template.yaml
  NodeLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        BlockDeviceMappings:
          - DeviceName: /dev/sda1
            Ebs:
              DeleteOnTermination: true
              VolumeSize: !Ref NodeVolumeSize
              VolumeType: gp2
        IamInstanceProfile:
          Arn: !GetAtt NodeInstanceProfile.Arn
        ImageId: !If 
          - HasNodeImageId
          - Ref: NodeImageId
          - Ref: NodeImageIdSSMParam
        InstanceType: !Ref NodeInstanceType
        KeyName: !Ref KeyName
        SecurityGroupIds: !Ref NodeSecurityGroups
        UserData: !Base64 
          'Fn::Sub': >
            <powershell>

            [string]$EKSBinDir = "$env:ProgramFiles\Amazon\EKS"

            [string]$EKSBootstrapScriptName = 'Start-EKSBootstrap.ps1'

            [string]$EKSBootstrapScriptFile =
            "$EKSBinDir\$EKSBootstrapScriptName"

            [string]$cfn_signal =
            "$env:ProgramFiles\Amazon\cfn-bootstrap\cfn-signal.exe"
            
            ## disable realtime scanning
            # Set-MpPreference -DisableRealtimeMonitoring $true
            ## disable all of Windows Defender
            #reg.exe ADD 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /t REG_DWORD /v DisableAntiSpyware /d 1
            ## remove Windows Defender
            Uninstall-WindowsFeature -Name Windows-Defender

            # enable kube-proxy alpha DSR network mode
            (Get-Content $EKSBootstrapScriptFile).replace('"--proxy-mode=kernelspace",', '"--proxy-mode=kernelspace", "--feature-gates WinDSR=true", "--enable-dsr",') | Set-Content $EKSBootstrapScriptFile

            & $EKSBootstrapScriptFile -EKSClusterName ${ClusterName}
            ${BootstrapArguments} 3>&1 4>&1 5>&1 6>&1

            $LastError = if ($?) { 0 } else { $Error[0].Exception.HResult }

            & $cfn_signal --exit-code=$LastError `
              --stack="${AWS::StackName}" `
              --resource="NodeGroup" `
              --region=${AWS::Region}
            </powershell>
        MetadataOptions:
          HttpPutResponseHopLimit: 2
          HttpEndpoint: enabled
          HttpTokens: !If 
            - IMDSv1Disabled
            - required
            - optional
            ## remove Windows Defender
            Uninstall-WindowsFeature -Name Windows-Defender

            # enable kube-proxy alpha DSR network mode
            (Get-Content $EKSBootstrapScriptFile).replace('"--proxy-mode=kernelspace",', '"--proxy-mode=kernelspace", "--feature-gates WinDSR=true", "--enable-dsr",') | Set-Content $EKSBootstrapScriptFile

            & $EKSBootstrapScriptFile -EKSClusterName ${ClusterName}
            ${BootstrapArguments} 3>&1 4>&1 5>&1 6>&1

            $LastError = if ($?) { 0 } else { $Error[0].Exception.HResult }

            & $cfn_signal --exit-code=$LastError `
              --stack="${AWS::StackName}" `
              --resource="NodeGroup" `
              --region=${AWS::Region}
            </powershell>
	NodeLaunchTemplate:
	Type: 'AWS::EC2::LaunchTemplate'
	Properties:
	LaunchTemplateData:
	BlockDeviceMappings:
	- DeviceName: /dev/sda1
	Ebs:
	DeleteOnTermination: true
	VolumeSize: !Ref NodeVolumeSize
	VolumeType: gp2
	IamInstanceProfile:
	Arn: !GetAtt NodeInstanceProfile.Arn
	ImageId: !If
	- HasNodeImageId
	- Ref: NodeImageId
	- Ref: NodeImageIdSSMParam
	InstanceType: !Ref NodeInstanceType
	KeyName: !Ref KeyName
	SecurityGroupIds: !Ref NodeSecurityGroups
	UserData: !Base64
	'Fn::Sub': >
	<powershell>

	[string]$EKSBinDir = "$env:ProgramFiles\Amazon\EKS"

	[string]$EKSBootstrapScriptName = 'Start-EKSBootstrap.ps1'

	[string]$EKSBootstrapScriptFile =
	"$EKSBinDir\$EKSBootstrapScriptName"

	[string]$cfn_signal =
	"$env:ProgramFiles\Amazon\cfn-bootstrap\cfn-signal.exe"

	## disable realtime scanning
	# Set-MpPreference -DisableRealtimeMonitoring $true
	## disable all of Windows Defender
	#reg.exe ADD 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' /t REG_DWORD /v DisableAntiSpyware /d 1
	## remove Windows Defender
	Uninstall-WindowsFeature -Name Windows-Defender

	# enable kube-proxy alpha DSR network mode
	(Get-Content $EKSBootstrapScriptFile).replace('"--proxy-mode=kernelspace",', '"--proxy-mode=kernelspace", "--feature-gates WinDSR=true", "--enable-dsr",') \| Set-Content $EKSBootstrapScriptFile

	& $EKSBootstrapScriptFile -EKSClusterName ${ClusterName}
	${BootstrapArguments} 3>&1 4>&1 5>&1 6>&1

	$LastError = if ($?) { 0 } else { $Error[0].Exception.HResult }

	& $cfn_signal --exit-code=$LastError `
	--stack="${AWS::StackName}" `
	--resource="NodeGroup" `
	--region=${AWS::Region}
	</powershell>
	MetadataOptions:
	HttpPutResponseHopLimit: 2
	HttpEndpoint: enabled
	HttpTokens: !If
	- IMDSv1Disabled
	- required
	- optional
	## remove Windows Defender
	Uninstall-WindowsFeature -Name Windows-Defender

	# enable kube-proxy alpha DSR network mode
	(Get-Content $EKSBootstrapScriptFile).replace('"--proxy-mode=kernelspace",', '"--proxy-mode=kernelspace", "--feature-gates WinDSR=true", "--enable-dsr",') \| Set-Content $EKSBootstrapScriptFile

	& $EKSBootstrapScriptFile -EKSClusterName ${ClusterName}
	${BootstrapArguments} 3>&1 4>&1 5>&1 6>&1

	$LastError = if ($?) { 0 } else { $Error[0].Exception.HResult }

	& $cfn_signal --exit-code=$LastError `
	--stack="${AWS::StackName}" `
	--resource="NodeGroup" `
	--region=${AWS::Region}
	</powershell>