Amazon web services 有没有办法使用加密的AMI创建启动配置?
我正在创建一个自动缩放组,但启动配置一直失败,因为我使用的是加密的AMI(为了安全起见,必须这样做),但它在计时器后崩溃,并出现以下错误:Amazon web services 有没有办法使用加密的AMI创建启动配置?,amazon-web-services,terraform,terraform-provider-aws,aws-kms,aws-auto-scaling,Amazon Web Services,Terraform,Terraform Provider Aws,Aws Kms,Aws Auto Scaling,我正在创建一个自动缩放组,但启动配置一直失败,因为我使用的是加密的AMI(为了安全起见,必须这样做),但它在计时器后崩溃,并出现以下错误: Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: { ActivityId: "35c5cb87-fc76-a0bc-e547-xxxx
Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: {
ActivityId: "35c5cb87-fc76-a0bc-e547-xxxxxx",
AutoScalingGroupName: "autoscaling group",
Cause: "At 2020-06-23T16:24:50Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1.",
Description: "Launching a new EC2 instance: i-xxxxx. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch",
Details: "{\"Subnet ID\":\"subnet-xxxxxxx\",\"Availability Zone\":\"us-east-2b\"}",
EndTime: 2020-06-23 16:25:23 +0000 UTC,
Progress: 100,
StartTime: 2020-06-23 16:24:52.392 +0000 UTC,
StatusCode: "Cancelled",
StatusMessage: "Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch"
}
政策是这样的
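resource "aws_iam_policy" "kms_policy" {
  name        = "KMS_grant"
  path        = "/"
  description = "A policy to allow the autoscaling group to use KMS"

  # Identity policy attached (via aws_iam_instance_profile.kms_instance) to the
  # role the instances assume once they are running.
  #
  # Fixes vs. the original:
  #  - a comma was missing after "Resource": "*", so the document was not valid
  #    JSON and the policy could not be created at all;
  #  - kms:ViaService pointed at us-west-2, but the ASG launches into us-east-2b
  #    (see the scaling activity error above) and an EBS CMK must live in the
  #    same region as the volume it encrypts, so the condition could never
  #    match. Adjust the region if the CMK/ASG live elsewhere.
  #
  # NOTE(review): this policy only governs KMS calls made by the *instance*
  # role. The EBS volumes of an Auto Scaling instance are decrypted at launch by
  # the AutoScaling service-linked role (AWSServiceRoleForAutoScaling); that
  # role must be allowed in the CMK's *key policy* (see the key-policy
  # statements quoted at the end of the page) -- an identity policy cannot
  # grant it. Also prefer scoping "Resource" to the CMK ARN instead of "*", and
  # consider the kms:GrantIsForAWSResource condition on kms:CreateGrant as the
  # key-policy example does.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKmsUseViaEc2AndRds",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.us-east-2.amazonaws.com",
            "rds.us-east-2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
EOF
}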
对不起,如果不是很详细,任何帮助将不胜感激。
我也在使用这个模块。您已经获取了 EC2 和 RDS 的访问权限。对于启动配置,您还需要在用于加密卷的 KMS CMK 的密钥策略(key policy)中,向 Auto Scaling 的服务关联角色(AWSServiceRoleForAutoScaling)授予访问权限;附加在实例角色上的身份策略无法替代这一授权。
您已获取 EC2 和 RDS 访问权限。对于启动配置,您还需要在用于加密卷的 KMS CMK 的密钥策略中向 Auto Scaling 服务关联角色授予访问权限(启动时解密 EBS 卷的是该服务关联角色,而不是实例配置文件中的角色)。[方案][1] 下面是 Amazon 提供的解决方案(密钥策略语句摘录见文末) [1] :[解决方案][1] 下面是 Amazon 提供的解决方案
[1] :你可以分享你是如何创建 AMI 的,也可以分享创建 ASG 的 Terraform 代码吗?我没有创建 AMI,我会将模块添加到问题中。如果你没有创建 AMI,那么你可以添加 `aws ec2 describe-images --image-ids ami-xxxx`(用你正在使用的 AMI ID 替换
AMI xxx
)请?您可以对其进行审查,但查看 EBS 卷上的加密配置很有用。为什么您认为这是因为加密的 AMI 而发生的?@ydaetskcoR 我没有创建它,是我的公司创建的。您可以分享您创建 AMI 的方式以及创建 ASG 的 Terraform 代码吗?我没有创建 AMI,我将把模块添加到问题中。如果您没有创建 AMI,那么您可以添加 `aws ec2 describe-images --image-ids ami-xxxx` 的输出吗
(用您正在使用的AMI替换AMI xxx
)请?您可以对其进行审查,但查看EBS卷上的加密配置非常有用。您认为这是因为加密的AMI造成的吗?@ydaetskcoR我没有创建它,是我的公司创建的
{
"Images": [
{
"Architecture": "x86_64",
"CreationDate": "2020-06-15T19:01:08.000Z",
"ImageId": "ami-xxxxxxx",
"ImageLocation": "8xxxxxxx/amazon-linux-ami-2-x",
"ImageType": "machine",
"Public": false,
"OwnerId": "8xxxxxxx",
"PlatformDetails": "Linux/UNIX",
"UsageOperation": "RunInstances",
"State": "available",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"DeleteOnTermination": true,
"SnapshotId": "snap-xxxxxx",
"VolumeSize": 8,
"VolumeType": "gp2",
"Encrypted": true
}
}
],
"EnaSupport": true,
"Hypervisor": "xen",
"Name": "amazon-linux-ami-2-x",
"RootDeviceName": "/dev/xvda",
"RootDe
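module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 3.0"

  name = "service"

  # Launch configuration
  lc_name       = "launch-config"
  image_id      = "ami-xxxx" # encrypted AMI: the describe-images output above shows the root snapshot with "Encrypted": true
  instance_type = "t2.micro"

  # NOTE(review): every instance receives a public IP. Confirm the subnets in
  # vpc_zone_identifier and module.network.autoscale_security_group are meant
  # to be Internet-facing; if not, drop this and reach the instances via a
  # private path.
  associate_public_ip_address  = true
  recreate_asg_when_lc_changes = true

  # The instance profile only matters for KMS calls made from *inside* the
  # running instance. Decrypting the EBS volumes at launch is done by the
  # AutoScaling service-linked role (AWSServiceRoleForAutoScaling), which must
  # be allowed in the CMK's key policy -- that is what the "Client.InternalError:
  # Client error on launch" above points at, not at this role.
  # (0.12-style reference, consistent with security_groups below.)
  iam_instance_profile = aws_iam_instance_profile.kms_instance.name
  security_groups      = [module.network.autoscale_security_group]

  # Extra data volume. It is NOT covered by the AMI's encryption: without
  # encrypted = true it is created in plaintext unless EBS encryption-by-default
  # is enabled for the account/region. A launch configuration cannot name a
  # kms_key_id, so this uses the region's default EBS key (switch to a launch
  # template if the volume must use the same CMK as the AMI).
  # NOTE(review): assumes module v3 passes "encrypted" through to
  # aws_launch_configuration.ebs_block_device -- verify against the module.
  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = 50
      delete_on_termination = true
      encrypted             = true
    },
  ]

  # Root volume is restored from the AMI's encrypted snapshot and therefore
  # stays encrypted with the AMI's CMK; nothing to set here for encryption.
  root_block_device = [
    {
      volume_size           = 50
      volume_type           = "gp2"
      delete_on_termination = true
    },
  ]

  # Auto scaling group
  asg_name                  = "asg_name"
  vpc_zone_identifier       = ["subnet-xxxxx", "subnet-xxxx"]
  health_check_type         = "EC2"
  min_size                  = 1
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = "5m"
  force_delete              = true
  tags                      = ommitted # placeholder left by the question author; real tags omitted
}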
{
"Sid": "Allow service-linked role use of the CMK",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
},
"Action": [
"kms:CreateGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}