Amazon web services 如何在CloudFormation模板中为Elastic Beanstalk启动配置指定安全组?
我在CloudFormation模板中定义了以下安全组:Amazon web services 如何在CloudFormation模板中为Elastic Beanstalk启动配置指定安全组?,amazon-web-services,amazon-elastic-beanstalk,amazon-cloudformation,aws-security-group,Amazon Web Services,Amazon Elastic Beanstalk,Amazon Cloudformation,Aws Security Group,我在CloudFormation模板中定义了以下安全组: "APIInstanceSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Security Group for Application EC2 Instances, "VpcId": "vpc-10a75377", "Tags": [{ "Key": "Name", "Valu
"APIInstanceSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security Group for Application EC2 Instances,
"VpcId": "vpc-10a75377",
"Tags": [{
"Key": "Name",
"Value": "APIInstanceSG" }
}]
}
}
我还定义了一个弹性Beanstalk环境,其中包含以下内部选项设置:
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": { "Ref": "APIInstanceSG" }
}
当我使用此模板创建堆栈时,会在CloudFormation尝试创建EB环境之前创建安全组,但当它尝试创建EB环境时,会失败,出现以下错误:
配置验证异常:无效选项值:“sg-994fcbe4”(命名空间:“aws:autoscaling:launchconfiguration”,选项名称:“SecurityGroups”):安全组“sg-994fcbe4”不存在
sg-994fcbe4是创建的安全组的ID
Elastic Beanstalk环境配置如下:
"AspectAPIEnv": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": "application-name",
"EnvironmentName": "environment-name",
"SolutionStackName": "64bit Amazon Linux 2016.09 v3.1.0 running Node.js",
"Tier": {
"Name": "WebServer",
"Type": "Standard"
},
"OptionSettings": [
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "EC2KeyName",
"Value": "ec2-key"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": "aws-elasticbeanstalk-ec2-role"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "ImageId",
"Value": "ami-d8356acf"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "InstanceType",
"Value": "t2.micro"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": { "Ref": "APIInstanceSG" }
},
{
"Namespace": "aws:autoscaling:trigger",
"OptionName": "UpperThreshold",
"Value": "6000000"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "MaxBatchSize",
"Value": "1"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "MinInstancesInService",
"Value": "1"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateEnabled",
"Value": "true"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateType",
"Value": "Health"
},
{
"Namespace": "aws:elasticbeanstalk:command",
"OptionName": "BatchSize",
"Value": "30"
},
{
"Namespace": "aws:elasticbeanstalk:container:nodejs",
"OptionName": "NodeVersion",
"Value": "6.2.2"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "ServiceRole",
"Value": "aws-elasticbeanstalk-service-role"
},
{
"Namespace": "aws:elasticbeanstalk:healthreporting:system",
"OptionName": "SystemType",
"Value": "enhanced"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "ManagedActionsEnabled",
"Value": "true"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "PreferredStartTime",
"Value": "SUN:09:02"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
"OptionName": "UpdateLevel",
"Value": "minor"
},
{
"Namespace": "aws:elb:healthcheck",
"OptionName": "Interval",
"Value": "10"
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "CrossZone",
"Value": "true"
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "LoadBalancerHTTPPort",
"Value": "80"
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "SecurityGroups",
"Value": { "Ref": "APILoadBalancerSG" }
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "ManagedSecurityGroup",
"Value": { "Ref": "APILoadBalancerSG" }
},
{
"Namespace": "aws:elb:policies",
"OptionName": "ConnectionDrainingEnabled",
"Value": "true"
}
],
"Tags": [
{
"Key": "Name",
"Value": "AspectAPIEnv"
}
]
},
"DependsOn": "RDSInstance"
}
要克服这一点:
您需要从AWS CLI更改EB安全组,但无法从AWS Web控制台进行更改
考虑到您已经拥有AWS CLI,如果要更改安全组,则需要执行以下命令:
aws elasticbeanstalk update-environment –environment-name –option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=””
您应该在LC定义中设置DependsOn属性,以确保它在堆栈创建期间存在于SG之前。否则,您不能保证引用将起作用
"APIInstanceSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security Group for Application EC2 Instances,
"VpcId": "vpc-10a75377",
"Tags": [{
"Key": "Name",
"Value": "APIInstanceSG" }
}]
},
"DependsOn" : "APIInstanceSG"
}
在模板中,而不是
"DependsOn" : "RDSInstance"
写:
"DependsOn": ["APIInstanceSG", "RDSInstance"]
更多信息:查看您的AWS::ElasticBeanstalk::Environment资源后,我能够重现您遇到的错误。正如Marc Young在对您的问题的评论中所建议的,您并没有为您的环境指定专有网络。由于您的安全组位于专有网络中,因此无法从不在同一专有网络中的资源访问它 要修复此问题,必须将以下配置选项添加到环境中:
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "VPCId",
"Value" : "vpc-10a75377"
},
如果指定VPC,则使用更新的模板创建堆栈将失败,并显示一条错误消息,说明您还需要指定环境子网,因此您必须添加以下选项:
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "Subnets",
"Value" : <insert the subnet for your instances here>
},
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "ELBSubnets",
"Value" : <insert the subnet for your load balancer here>
}
{
“名称空间”:“aws:ec2:vpc”,
“OptionName”:“子网”,
“价值”:
},
{
“名称空间”:“aws:ec2:vpc”,
“OptionName”:“子网”,
“价值”:
}
您可以在中的VPC中检查Beanstalk应用程序的工作示例。您确定启动配置与安全组在同一VPC中?是的,所有实例都在VPCI中。您可以向我们显示Beanstalk环境资源的模板片段吗?当然,现在刚刚添加了它谢谢,我补充了一个答案@MarcYoung的做法是正确的,您的环境资源缺少VPC选项设置。我需要能够将此作为cloudformation模板的一部分