Amazon Web Services CloudFormation and private subnets

Tags: amazon-web-services, amazon-cloudformation, amazon-ecs

I am trying to build an ECS cluster through CloudFormation. The subnet the cluster instances will reside in is private. In addition, I created an image from an EC2 instance I built and verified that the SSM agent, the ECS agent and cloud-init are installed and running. I also added an inbound rule to my security group to allow HTTPS traffic from the private subnet's CIDR and from the endpoints.

I have added the following endpoints to my private subnet:

  • com.amazonaws.us-west-2.ssm
  • com.amazonaws.us-west-2.ssmmessages
  • com.amazonaws.us-west-2.ecs
  • com.amazonaws.us-west-2.ecs-agent
  • com.amazonaws.us-west-2.ecs-telemetry
  • com.amazonaws.us-west-2.cloudformation
Here is my CF template:

Description: >-
  A stack for deploying containerized applications onto a cluster of EC2 hosts
  using Elastic Container Service. This stack runs containers on hosts that are
  in a public VPC subnet, and includes a public facing load balancer to register
  the services in.
Parameters:
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '2'
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Description: AMI ID
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
  SecurityGroup:
    Description: Select the Security Group to use for the ECS cluster hosts
    Type: 'AWS::EC2::SecurityGroup::Id'
  Subnets:
    Description: Choose which subnets this ECS cluster should be deployed to
    Type: 'List<AWS::EC2::Subnet::Id>'
  VPC:
    Description: Choose which VPC this ECS cluster should be deployed to
    Type: 'AWS::EC2::VPC::Id'

Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: change-name
    
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      AvailabilityZones:
        - 'us-west-2a'
#      VPCZoneIdentifier:
#        - '
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT5M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
       WillReplace: 'true'
    
  ContainerInstances:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Properties:
      ImageId: <custom ami>
      SecurityGroups:
        - !Ref SecurityGroup
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      UserData:
        "Fn::Base64":
         !Sub |
          #!/bin/bash -xe
          yum update -y 
          yum install -y aws-cfn-bootstrap
          yum install cloud-init
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
          systemctl enable amazon-ssm-agent
          systemctl start amazon-ssm-agent
          
         
    
  AutoscalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'application-autoscaling:*'
                  - 'cloudwatch:DescribeAlarms'
                  - 'cloudwatch:PutMetricAlarm'
                  - 'ecs:DescribeServices'
                  - 'ecs:UpdateService'
                Resource: '*'
    
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
    
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - 'arn:aws:iam::aws:policy/AmazonECS_FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecs:CreateCluster'
                  - 'ecs:DeregisterContainerInstance'
                  - 'ecs:DiscoverPollEndpoint'
                  - 'ecs:Poll'
                  - 'ecs:RegisterContainerInstance'
                  - 'ecs:StartTelemetrySession'
                  - 'ecs:Submit*'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchGetImage'
                  - 'ecr:GetDownloadUrlForLayer'
                Resource: '*'
    
  ECSRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:AttachNetworkInterface'
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:CreateNetworkInterfacePermission'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DeleteNetworkInterfacePermission'
                  - 'ec2:Describe*'
                  - 'ec2:DetachNetworkInterface'
                  - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
                  - 'elasticloadbalancing:DeregisterTargets'
                  - 'elasticloadbalancing:Describe*'
                  - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
                  - 'elasticloadbalancing:RegisterTargets'
                Resource: '*'
    
Outputs:
  ClusterName:
    Description: The name of the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Join 
        - ':'
        - - !Ref 'AWS::StackName'
          - ClusterName
  ECSRole:
    Description: The ARN of the ECS role
    Value: !GetAtt ECSRole.Arn
    Export:
      Name: !Join 
        - ':'
        - - !Ref 'AWS::StackName'
          - ECSRole

Any help is greatly appreciated, thank you for your time.

A possible cause is the following:

yum install cloud-init

Because -y is missing, yum may be waiting for manual confirmation. That line should be replaced with

yum install -y cloud-init

Also, I am not sure what the following means:

      ImageId: <custom ami>

Thank you for your reply. I will try adding that parameter to the cloud-init command. However, I did create an EC2 image and verified that cloud-init is installed and that both the ECS and SSM agents are running. I referenced the AMI of that image in the CF template, I just did that for the post.

@ShaneGarnetti No problem. So I guess it is working now?

Unfortunately it still fails. I added the "-y" as you suggested and changed the ImageId to "!Ref ECSAMI".

@shanegarneti You need to get onto the instance and check the logs, /var/log/cloud-init-output.log and the other files that are there.

The problem is that the EC2 instance is not even being created. It seems CF cannot talk to my VPC. I noticed that the VPC I am trying to launch into starts with 10.*. I have run this successfully in a lab VPC that starts with 172.*. Even with the endpoints added it still fails, and the EC2 instance is never built.
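As an added example (not code from the question or the answer): in the template above the auto scaling group is given only AvailabilityZones and the Subnets parameter is never used, so nothing places the hosts in the private subnets where the endpoints were created. The fragment below pins the group to those subnets and gives the interface endpoints their own security group that accepts HTTPS only from the cluster hosts' group; EndpointSecurityGroup, EcsAgentEndpoint, S3GatewayEndpoint and PrivateRouteTable are assumed names, and the S3 gateway endpoint goes beyond the question's endpoint list because ECR image layers are fetched from S3.

```yaml
Resources:
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      # Place the hosts in the private subnets; AvailabilityZones alone does not do this
      VPCZoneIdentifier: !Ref Subnets
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity

  # Assumed name. Attached to the interface endpoints: only the cluster hosts' security
  # group (the question's SecurityGroup parameter) may reach them, and only on 443.
  EndpointSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: HTTPS from ECS hosts to VPC interface endpoints
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref SecurityGroup

  # Assumed name; one such resource per service in the question's endpoint list.
  # PrivateDnsEnabled makes the normal service hostname resolve to the endpoint ENIs,
  # so the agents need no configuration change.
  EcsAgentEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecs-agent'
      VpcId: !Ref VPC
      SubnetIds: !Ref Subnets
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true

  # Assumed name. ECR serves image layers from S3, so hosts with no NAT also need this
  # gateway endpoint on the private subnets' route table (PrivateRouteTable is assumed).
  S3GatewayEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcId: !Ref VPC
      RouteTableIds:
        - !Ref PrivateRouteTable
```

If the endpoints reuse the hosts' own security group instead, that group needs an inbound 443 rule from the subnet CIDR, which is what the question describes.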