Amazon web services: Configuring a CloudFormation security group from a list

Tags: amazon-web-services, amazon-cloudformation, aws-security-group

I am defining a CloudFormation stack in which the security group should allow inbound traffic from specified IP addresses. I have defined these IP addresses as a mapping, and they will keep growing in future as we onboard new customers onto the platform. My current CloudFormation stack looks like:

AWSTemplateFormatVersion: '2010-09-09'  
Description: Security group.

Parameters:
  VPCStackName:
    Type: String
    Description: The name of VPC stack

Mappings:
  # Security group configuration for different environments
  SecurityGroupConfiguration:
    PROD: 
      IPAddress: "149.250.241.202/32 149.250.241.202/32"
    NON-PROD: 
      IPAddress: "149.250.241.202/32, 149.250.241.204/32, 149.250.241.205/32"

Resources:

  # Add security groups and their ingress
  PublicSubnetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Test security group
      VpcId: 
        Fn::ImportValue:
          !Sub "${VPCStackName}-vpcid"
      SecurityGroupIngress:
        - CidrIp: !FindInMap ['SecurityGroupConfiguration', 'PROD', 'IPAddress']
          IpProtocol: -1
This does not allow the SG to be created, regardless of whether I separate them with "," or ";".

The second approach I wanted to try was to define these mappings as a list and iterate over it dynamically based on the number of configured elements. The list will have a different number of IP addresses for PROD and NON-PROD, so I cannot define the index. For example, production will have 4 IP addresses whereas non-production may have only 2. If I define an index for it with !Select, the same CFN template will not work for both environments.

AWSTemplateFormatVersion: '2010-09-09'  
Description: Security group.

Parameters:
  VPCStackName:
    Type: String
    Description: The name of VPC stack

Mappings:
  # Security group configuration for different environments

  SecurityGroupConfiguration:
    PROD: 
      IPAddress: 
        - 149.250.241.202/32
        - 149.250.241.203/32
    NON-PROD: 
      IPAddress: 
        - 149.250.241.202/32
        - 149.250.241.204/32
        - 149.250.241.205/32

Resources:

  # Add security groups and their ingress
  PublicSubnetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Test security group
      VpcId: 
        Fn::ImportValue:
          !Sub "${VPCStackName}-vpcid"
      SecurityGroupIngress:
        # Desired behaviour (not valid CloudFormation): iterate over the list
        # and emit one ingress entry per address, whatever the list length.
        # for (i in SecurityGroupConfiguration[PROD][IPAddress]):
        - CidrIp: !Select [0, !FindInMap ['SecurityGroupConfiguration', 'PROD', 'IPAddress']]
          IpProtocol: -1
Is there a way to solve this?

Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs any time you create, update or delete stacks.

You can use a custom resource. When you associate a Lambda function with a custom resource, the function is invoked whenever the custom resource is created, updated or deleted. AWS CloudFormation calls the Lambda API to invoke the function and passes all request data (such as the request type and the resource properties) to the function.

With the power and customizability of Lambda functions combined with AWS CloudFormation, you can update security groups in whatever custom way you need.

There are some open-source projects that can help you write them quickly.
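The following Lambda handler is an added example of the custom-resource approach described in the answer; it is not code from the original post or from any of the projects it alludes to. The custom resource property names (GroupId, CidrList, IpProtocol, FromPort, ToPort) are assumptions chosen for this example. Because a mapping value can itself be a list, the template can hand the whole list to the custom resource unchanged (CidrList: !FindInMap [SecurityGroupConfiguration, PROD, IPAddress]) and the loop the question asks for happens in the function rather than in the template.

```python
"""Lambda-backed CloudFormation custom resource that turns a list of CIDRs into
security-group ingress rules.

Added example, not code from the original post. Assumed (illustrative) custom
resource properties: GroupId, CidrList, IpProtocol, FromPort, ToPort.
"""
import ipaddress
import json
import urllib.request


def build_ip_permissions(cidr_list, ip_protocol="tcp", from_port=443, to_port=443):
    """Validate and deduplicate CIDRs and return the IpPermissions structure that
    EC2 AuthorizeSecurityGroupIngress / RevokeSecurityGroupIngress expect.

    Accepts a real list or, for robustness, one string delimited by commas,
    semicolons or spaces (the shape the failing template in the question
    produced). Custom resource properties arrive as strings, so protocol and
    ports are normalised here too.
    """
    if isinstance(cidr_list, str):
        raw = cidr_list.replace(";", ",").replace(" ", ",").split(",")
    else:
        raw = list(cidr_list)
    cidrs = []
    for item in raw:
        item = item.strip()
        if not item:
            continue
        # strict=True rejects host bits set (10.0.0.1/24), which EC2 refuses as well
        net = ipaddress.ip_network(item, strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 CIDRs are handled here: {item}")
        if str(net) not in cidrs:
            cidrs.append(str(net))
    if not cidrs:
        raise ValueError("CidrList contained no usable CIDR")
    permission = {
        "IpProtocol": str(ip_protocol),
        "IpRanges": [{"CidrIp": c, "Description": "managed by custom resource"} for c in cidrs],
    }
    # "-1" means every protocol and takes no port range; anything else is scoped
    # to an explicit port range rather than opening every port.
    if str(ip_protocol) != "-1":
        permission["FromPort"] = int(from_port)
        permission["ToPort"] = int(to_port)
    return [permission]


def build_response_body(event, status, physical_id, data, reason=None):
    """Body CloudFormation expects to be PUT to the pre-signed ResponseURL."""
    return {
        "Status": status,
        "Reason": reason or "See CloudWatch Logs for details",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data,
    }


def send_response(event, status, physical_id, data, reason=None):
    body = json.dumps(build_response_body(event, status, physical_id, data, reason)).encode()
    # The pre-signed S3 URL rejects a real Content-Type, hence the empty value.
    req = urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(body))},
    )
    urllib.request.urlopen(req)


def permissions_from_props(props):
    return build_ip_permissions(
        props["CidrList"], props.get("IpProtocol", "tcp"),
        props.get("FromPort", 443), props.get("ToPort", 443),
    )


def revoke_ignoring_missing(ec2, group_id, perms):
    """Revoke rules; a rule that is already gone must not fail a Delete."""
    from botocore.exceptions import ClientError
    try:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "InvalidPermission.NotFound":
            raise


def handler(event, context):
    """Create/Update authorise the rules, Delete revokes them. CloudFormation is
    always answered, even on failure, so the stack never hangs until timeout."""
    import boto3  # imported here so the pure logic above is testable without boto3
    props = event["ResourceProperties"]
    physical_id = f"{props['GroupId']}-managed-ingress"
    try:
        ec2 = boto3.client("ec2")
        perms = permissions_from_props(props)
        if event["RequestType"] == "Delete":
            revoke_ignoring_missing(ec2, props["GroupId"], perms)
        else:
            if event["RequestType"] == "Update":
                old = event["OldResourceProperties"]
                revoke_ignoring_missing(ec2, old["GroupId"], permissions_from_props(old))
            ec2.authorize_security_group_ingress(GroupId=props["GroupId"], IpPermissions=perms)
        send_response(event, "SUCCESS", physical_id, {"RuleCount": len(perms[0]["IpRanges"])})
    except Exception as exc:  # report to CloudFormation, then re-raise so the logs show it
        send_response(event, "FAILED", physical_id, {}, reason=str(exc))
        raise
```

Two points worth checking before adopting this pattern. First, the function's execution role needs only ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress, ideally restricted to the target group's ARN; it does not need anything wider. Second, the question's template uses IpProtocol: -1, which admits every port and protocol from the listed addresses; the defaults above scope the rule to a single TCP port instead, and -1 has to be asked for explicitly.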


Comments:

Have you considered using a template library to generate the CloudFormation templates?

What kind of template library, @nicholas.hauschild? Can I execute them from Jenkins or any other CI/CD tool?

For Python, a quick Google search just turned up this one: Mako

@nicholas.hauschild Is there any other way to achieve this within CFN itself? Templating adds extra overhead. Thanks for the link.
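The comments suggest generating the template rather than looping inside it. The script below is an added example of that approach and is not code from the page, the commenters, or Mako; it deliberately uses only the standard library, so the "loop" is ordinary Python and the output is plain JSON that can be passed to the CloudFormation CLI from a CI job. The environment-to-CIDR map is constructed sample data using the addresses from the question.

```python
"""Generate a CloudFormation template (JSON) with one ingress rule per CIDR.

Added example for the templating suggestion in the comments; not code from
the original post. No third-party library is required.
"""
import ipaddress
import json
import sys

# Constructed sample data (the addresses from the question). In practice this
# would be loaded from a reviewed configuration file under version control.
ALLOWED_CIDRS = {
    "PROD": ["149.250.241.202/32", "149.250.241.203/32"],
    "NON-PROD": ["149.250.241.202/32", "149.250.241.204/32", "149.250.241.205/32"],
}


def ingress_rules(cidrs, port=443):
    """One SecurityGroupIngress entry per unique, valid CIDR, scoped to a port."""
    rules = []
    for cidr in dict.fromkeys(cidrs):  # keeps order, drops duplicates
        net = ipaddress.ip_network(cidr, strict=True)  # fails fast on malformed input
        rules.append({
            "CidrIp": str(net),
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "Description": f"allow-list {net} on {port}/tcp",
        })
    return rules


def render_template(environment, cidr_map=ALLOWED_CIDRS, port=443):
    """Build the same stack as the question, with the list expanded at generation time."""
    if environment not in cidr_map:
        raise KeyError(f"unknown environment {environment!r}")
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"Security group ({environment}).",
        "Parameters": {
            "VPCStackName": {"Type": "String", "Description": "The name of VPC stack"},
        },
        "Resources": {
            "PublicSubnetSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": f"Inbound from allow-listed addresses ({environment})",
                    "VpcId": {"Fn::ImportValue": {"Fn::Sub": "${VPCStackName}-vpcid"}},
                    "SecurityGroupIngress": ingress_rules(cidr_map[environment], port),
                },
            }
        },
    }


if __name__ == "__main__":
    env = sys.argv[1] if len(sys.argv) > 1 else "PROD"
    print(json.dumps(render_template(env), indent=2))
```

Run it as `python gen_sg.py NON-PROD > sg.json` and deploy with `aws cloudformation deploy --template-file sg.json ...`; the generated file is what gets reviewed, so an unexpected address shows up as a diff in the pull request rather than only in the console.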