Amazon web services 有没有办法使用加密的AMI创建启动配置？_Amazon Web Services_Terraform_Terraform Provider Aws_Aws Kms_Aws Auto Scaling

Amazon web services 有没有办法使用加密的AMI创建启动配置？

amazon-web-services terraform

Amazon web services 有没有办法使用加密的AMI创建启动配置？,amazon-web-services,terraform,terraform-provider-aws,aws-kms,aws-auto-scaling,Amazon Web Services,Terraform,Terraform Provider Aws,Aws Kms,Aws Auto Scaling,我正在创建一个自动缩放组，但启动配置一直失败，因为我使用的是加密的AMI（为了安全起见，必须这样做），但它在计时器后崩溃，并出现以下错误： Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: { ActivityId: "35c5cb87-fc76-a0bc-e547-xxxx

我正在创建一个自动缩放组，但启动配置一直失败，因为我使用的是加密的AMI（为了安全起见，必须这样做），但它在计时器后崩溃，并出现以下错误：

Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: {
  ActivityId: "35c5cb87-fc76-a0bc-e547-xxxxxx",
  AutoScalingGroupName: "autoscaling group",
  Cause: "At 2020-06-23T16:24:50Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1.",
  Description: "Launching a new EC2 instance: i-xxxxx.  Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch",
  Details: "{\"Subnet ID\":\"subnet-xxxxxxx\",\"Availability Zone\":\"us-east-2b\"}",
  EndTime: 2020-06-23 16:25:23 +0000 UTC,
  Progress: 100,
  StartTime: 2020-06-23 16:24:52.392 +0000 UTC,
  StatusCode: "Cancelled",
  StatusMessage: "Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch"
}

政策是这样的

resource "aws_iam_policy" "kms_policy" {
  name        = "KMS_grant"
  path        = "/"
  description = "A policy to allow the autoscaling group to use KMS"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:DescribeKey"
      ],
      "Effect": "Allow",
      "Resource": "*"
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.us-west-2.amazonaws.com",
            "rds.us-west-2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
EOF
}

对不起，如果不是很详细，任何帮助将不胜感激。

我也在使用这个

您已经获取了EC2和RDS访问权限。对于启动配置，yoy还需要向用于加密卷的KMS CMK授予自动缩放服务访问权

您已获取EC2和RDS访问权限。对于启动配置，yoy还需要向用于加密卷的KMS CMK授予自动缩放服务访问权

[方案][1]

下面是amazon提供的解决方案 [1] ：

[解决方案][1]

下面是amazon提供的解决方案

[1] ：

你可以分享你是如何创建AMI的，也可以分享创建ASG的地形代码吗？我没有创建AMI，我会将模块添加到问题中。如果你没有创建AMI，那么你可以添加aws ec2描述图像的输出吗？图像ID AMI xxxx（用你正在使用的AMI替换

AMI xxx

）请您可以对其进行审查，但查看EBS卷上的加密配置很有用。为什么您认为这是因为加密的AMI而发生的？@ydaetskcoR我没有创建它我的公司did您可以分享您创建AMI的方式以及创建ASG的地形代码吗？我没有创建AMI，我将把模块添加到问题中如果您没有创建AMI，那么您可以添加

aws ec2描述图像的输出吗？图像ID AMI xxxx

（用您正在使用的AMI替换

AMI xxx

）请？您可以对其进行审查，但查看EBS卷上的加密配置非常有用。您认为这是因为加密的AMI造成的吗？@ydaetskcoR我没有创建它，是我的公司创建的

{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2020-06-15T19:01:08.000Z",
            "ImageId": "ami-xxxxxxx",
            "ImageLocation": "8xxxxxxx/amazon-linux-ami-2-x",
            "ImageType": "machine",
            "Public": false,
            "OwnerId": "8xxxxxxx",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "SnapshotId": "snap-xxxxxx",
                        "VolumeSize": 8,
                        "VolumeType": "gp2",
                        "Encrypted": true
                    }
                }
            ],
            "EnaSupport": true,
            "Hypervisor": "xen",
            "Name": "amazon-linux-ami-2-x",
            "RootDeviceName": "/dev/xvda",
            "RootDe

module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 3.0"

  name = "service"

  # Launch configuration
  lc_name = "launch-config"

  image_id                    = "ami-xxxx"
  instance_type               = "t2.micro"
  associate_public_ip_address = true
  recreate_asg_when_lc_changes = true
  iam_instance_profile        = "${aws_iam_instance_profile.kms_instance.name}"
  security_groups             = [module.network.autoscale_security_group]

  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]

  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
      delete_on_termination = true
    },
  ]

  # Auto scaling group
  asg_name                  = "asg_name"
  vpc_zone_identifier       = ["subnet-xxxxx", "subnet-xxxx"]
  health_check_type         = "EC2"
  min_size                  = 1
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = "5m"
  force_delete              = true

  tags = ommitted
}

{
   "Sid": "Allow service-linked role use of the CMK",
   "Effect": "Allow",
   "Principal": {
       "AWS": [
           "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
       ]
   },
   "Action": [
       "kms:Encrypt",
       "kms:Decrypt",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
   ],
   "Resource": "*"
}

{
   "Sid": "Allow attachment of persistent resources",
   "Effect": "Allow",
   "Principal": {
       "AWS": [
           "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
       ]
   },
   "Action": [
       "kms:CreateGrant"
   ],
   "Resource": "*",
   "Condition": {
       "Bool": {
           "kms:GrantIsForAWSResource": true
       }
    }
}