Amazon Web Services CloudFormation and private subnets

Tags: amazon-web-services, amazon-cloudformation, amazon-ecs

I am trying to build an ECS cluster via CloudFormation. The subnet the cluster instances will live in is private. I have also created an image from an EC2 instance I built and verified that the SSM agent, the ECS agent and cloud-init are installed and running. I have also added an inbound rule to my security group that allows HTTPS traffic from the private subnet's CIDR and from the endpoints. I have added the following endpoints to my private subnet:
- com.amazonaws.us-west-2.ssm
- com.amazonaws.us-west-2.ssmmessages
- com.amazonaws.us-west-2.ecs
- com.amazonaws.us-west-2.ecs-agent
- com.amazonaws.us-west-2.ecs-telemetry
- com.amazonaws.us-west-2.cloudformation
```yaml
Description: >-
  A stack for deploying containerized applications onto a cluster of EC2 hosts
  using Elastic Container Service. This stack runs containers on hosts that are
  in a public VPC subnet, and includes a public facing load balancer to register
  the services in.
Parameters:
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '2'
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Description: AMI ID
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
  SecurityGroup:
    Description: Select the Security Group to use for the ECS cluster hosts
    Type: 'AWS::EC2::SecurityGroup::Id'
  Subnets:
    Description: Choose which subnets this ECS cluster should be deployed to
    Type: 'List<AWS::EC2::Subnet::Id>'
  VPC:
    Description: Choose which VPC this ECS cluster should be deployed to
    Type: 'AWS::EC2::VPC::Id'
Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: change-name   # the property is ClusterName; "Clustername" is rejected by CloudFormation
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      AvailabilityZones:
        - 'us-west-2a'
      # VPCZoneIdentifier:
      #   - '
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT5M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: 'true'
  ContainerInstances:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Properties:
      ImageId: <custom ami>
      SecurityGroups:
        - !Ref SecurityGroup
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      UserData:
        "Fn::Base64":
          !Sub |
            #!/bin/bash -xe
            yum update -y
            yum install -y aws-cfn-bootstrap
            yum install cloud-init
            echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
            /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
            systemctl enable amazon-ssm-agent
            systemctl start amazon-ssm-agent
  AutoscalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'application-autoscaling:*'
                  - 'cloudwatch:DescribeAlarms'
                  - 'cloudwatch:PutMetricAlarm'
                  - 'ecs:DescribeServices'
                  - 'ecs:UpdateService'
                Resource: '*'
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - 'arn:aws:iam::aws:policy/AmazonECS_FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecs:CreateCluster'
                  - 'ecs:DeregisterContainerInstance'
                  - 'ecs:DiscoverPollEndpoint'
                  - 'ecs:Poll'
                  - 'ecs:RegisterContainerInstance'
                  - 'ecs:StartTelemetrySession'
                  - 'ecs:Submit*'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchGetImage'
                  - 'ecr:GetDownloadUrlForLayer'
                Resource: '*'
  ECSRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:AttachNetworkInterface'
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:CreateNetworkInterfacePermission'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DeleteNetworkInterfacePermission'
                  - 'ec2:Describe*'
                  - 'ec2:DetachNetworkInterface'
                  - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
                  - 'elasticloadbalancing:DeregisterTargets'
                  - 'elasticloadbalancing:Describe*'
                  - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
                  - 'elasticloadbalancing:RegisterTargets'
                Resource: '*'
Outputs:
  ClusterName:
    Description: The name of the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Join
        - ':'
        - - !Ref 'AWS::StackName'
          - ClusterName
  ECSRole:
    Description: The ARN of the ECS role
    Value: !GetAtt ECSRole.Arn
    Export:
      Name: !Join
        - ':'
        - - !Ref 'AWS::StackName'
          - ECSRole
```
Thank you very much for your help, and thank you for your time.

A possible cause is the following:

yum install cloud-init

Since -y is missing, yum may be waiting for manual confirmation. That line should be replaced with

yum install -y cloud-init

Also, I am not sure what the following is supposed to mean:

ImageId: <custom ami>
Thanks for your reply. I will try adding that parameter to the cloud-init command. However, I did create an EC2 image and verified that cloud-init is installed and that both the ECS and SSM agents are running. I reference that image's AMI in the CF template; I only did that for the post.

@ShaneGarnetti No problem. So I guess it works now?

Unfortunately it still fails. I added "-y" as you suggested and changed the ImageId from

ImageId: <custom ami>

to

ImageId: !Ref ECSAMI

@shanegarneti You have to log in to the instance and check the logs, /var/log/cloud-init-output.log and the other files that are there.

The problem is that the EC2 instance is not even being created. It seems CF cannot talk to my VPC. I noticed that the VPC I am trying to launch into starts with 10.*. I have run it successfully in a lab VPC that starts with 172.*. Even with the endpoints added it still fails, and the EC2 instance is never built.
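Added example (editor's fragment, not the asker's template or any reply in the thread): the parts a reviewer would change so the auto scaling group actually uses the Subnets parameter instead of the default VPC, the host role is scoped to what the ECS and SSM agents need, and one interface endpoint is declared with private DNS enabled. Parameter and resource names are the template's own; the endpoint resource name EcsAgentEndpoint is an assumption, and CreationPolicy/UpdatePolicy are left as in the question.

```yaml
Resources:
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      # Without VPCZoneIdentifier the ASG ignores Subnets and launches into the default VPC;
      # the AZs are derived from the subnets, so AvailabilityZones is not needed.
      VPCZoneIdentifier: !Ref Subnets
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
    # CreationPolicy and UpdatePolicy unchanged from the question
  ContainerInstances:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Properties:
      ImageId: !Ref ECSAMI   # resolved from the SSM public parameter, no hard-coded AMI
      SecurityGroups:
        - !Ref SecurityGroup
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          yum install -y aws-cfn-bootstrap
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
          systemctl enable --now amazon-ssm-agent
          # reached only if everything above succeeded (bash -e), so the signal reports success
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      # Least privilege for the hosts: the ECS agent policy plus SSM core, not *FullAccess.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role'
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ec2.amazonaws.com]
            Action: ['sts:AssumeRole']
  # Interface endpoints need PrivateDnsEnabled so the agents' default hostnames resolve to them.
  EcsAgentEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-agent'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref Subnets
      SecurityGroupIds: [!Ref SecurityGroup]
```

Hosts that pull images from ECR additionally need the ecr.api and ecr.dkr interface endpoints plus an S3 gateway endpoint, and the awslogs driver needs the logs endpoint; each interface endpoint must accept 443 from the host security group.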