AWS CloudFormation: The security group 'sg-' does not exist in default VPC 'vpc'


Posted: 2021-06-28 14:54:31

Question:

I have this template code that I am trying to use in my Elastic Beanstalk application, but it references my default VPC, and I cannot find out how to reference my own VPC instead of the default one. Here is my YAML code (I only need to know how to reference my VpcID).

I tried adding some lines I found in the AWS resource documentation, but they do not work (each line was used on its own, not all together):

```yaml
Type: 'AWS::EC2::VPC::Id'
```

```yaml
VpcId: String
```

```yaml
Vpc:
  Default: "vpc-"
  Type: String
VpcCidr:
  Default: "10.0.0.0/16"
  Type: String
```

Here is my original code:

```yaml
Resources:
  MyCacheSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: "Lock cache down to webserver access only"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort:
            Fn::GetOptionSetting:
              OptionName: CachePort
              DefaultValue: 11211
          ToPort:
            Fn::GetOptionSetting:
              OptionName: CachePort
              DefaultValue: 11211
          SourceSecurityGroupName:
            Ref: AWSEBSecurityGroup
  MyElastiCache:
    Type: 'AWS::ElastiCache::CacheCluster'
    Properties:
      CacheNodeType:
        Fn::GetOptionSetting:
          OptionName: CacheNodeType
          DefaultValue: cache.t2.micro
      NumCacheNodes:
        Fn::GetOptionSetting:
          OptionName: NumCacheNodes
          DefaultValue: 1
      Engine:
        Fn::GetOptionSetting:
          OptionName: Engine
          DefaultValue: redis
      VpcSecurityGroupIds:
        -
          Fn::GetAtt:
            - MyCacheSecurityGroup
            - GroupId
  AWSEBAutoScalingGroup :
    Metadata :
      ElastiCacheConfig :
        CacheName :
          Ref : MyElastiCache
        CacheSize :
           Fn::GetOptionSetting:
             OptionName : NumCacheNodes
             DefaultValue: 1
  WebServerUser :
    Type : AWS::IAM::User
    Properties :
      Path : "/"
      Policies:
        -
          PolicyName: root
          PolicyDocument :
            Statement :
              -
                Effect : Allow
                Action :
                  - cloudformation:DescribeStackResource
                  - cloudformation:ListStackResources
                  - elasticache:DescribeCacheClusters
                Resource : "*"
  WebServerKeys :
    Type : AWS::IAM::AccessKey
    Properties :
      UserName :
        Ref: WebServerUser

Outputs:
  WebsiteURL:
    Description: sample output only here to show inline string function parsing
    Value: |
      http://awseb-AWSEB-1U7AK1W53691K-1263338585.ca-central-1.elb.amazonaws.com
  MyElastiCacheName:
    Description: Name of the elasticache
    Value:
      Ref : MyElastiCache
  NumCacheNodes:
    Description: Number of cache nodes in MyElastiCache
    Value:
      Fn::GetOptionSetting:
        OptionName : NumCacheNodes
        DefaultValue: 1

files:
  "/etc/cfn/cfn-credentials" :
    content : |
      AWSAccessKeyId=`{ "Ref" : "WebServerKeys" }`
      AWSSecretKey=`{ "Fn::GetAtt" : ["WebServerKeys", "SecretAccessKey"] }`
    mode : "000400"
    owner : root
    group : root

  "/etc/cfn/get-cache-nodes" :
    content : |
      # Define environment variables for command line tools
      export AWS_ELASTICACHE_HOME="/home/ec2-user/elasticache/$(ls /home/ec2-user/elasticache/)"
      export AWS_CLOUDFORMATION_HOME=/opt/aws/apitools/cfn
      export PATH=$AWS_CLOUDFORMATION_HOME/bin:$AWS_ELASTICACHE_HOME/bin:$PATH
      export AWS_CREDENTIAL_FILE=/etc/cfn/cfn-credentials
      export JAVA_HOME=/usr/lib/jvm/jre

      # Grab the Cache node names and configure the php page
      aws cloudformation list-stack-resources --stack `{ "Ref" : "AWS::StackName" }` --region `{ "Ref" : "AWS::Region" }` --output text | grep MyElastiCache | awk '{print $4}' | xargs -I {} aws elasticache describe-cache-clusters --cache-cluster-id {} --region `{ "Ref" : "AWS::Region" }` --show-cache-node-info --output text | grep '^ENDPOINT' | awk '{print $2 ":" $3}' > `{ "Fn::GetOptionSetting" : { "OptionName" : "NodeListPath", "DefaultValue" : "/var/www/html/nodelist" } }`
    mode : "000500"
    owner : root
    group : root

  "/etc/cfn/hooks.d/cfn-cache-change.conf" :
    "content": |
      [cfn-cache-size-change]
      triggers=post.update
      path=Resources.AWSEBAutoScalingGroup.Metadata.ElastiCacheConfig
      action=/etc/cfn/get-cache-nodes
      runas=root

sources :
  "/home/ec2-user/elasticache" : "https://s3.amazonaws.com/elasticache-downloads/AmazonElastiCacheCli-latest.zip"

commands:
  make-elasticache-executable:
    command: chmod -R ugo+x /home/ec2-user/elasticache/*/bin/*

packages :
  "yum" :
    "aws-apitools-cfn"  : []

container_commands:
  initial_cache_nodes:
    command: /etc/cfn/get-cache-nodes
```


Answer 1:

You have to put your security group into your VPC using the VpcId property:

```yaml
  MyCacheSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: "Lock cache down to webserver access only"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort:
            Fn::GetOptionSetting:
              OptionName: CachePort
              DefaultValue: 11211
          ToPort:
            Fn::GetOptionSetting:
              OptionName: CachePort
              DefaultValue: 11211
          SourceSecurityGroupName:
            Ref: AWSEBSecurityGroup
```

Comments:

It does not work, it directly returns this error: The configuration file .ebextensions/elasticache-iam-with-script.config in application version Sample Application-24 contains invalid YAML or JSON. YAML exception: Invalid Yaml: could not determine a constructor for the tag !Ref in "", line 7, column 14: VpcId: !Ref VpcId ^, JSON exception: Invalid JSON: Unexpected character (R) at position 0.. Update the configuration file.

Answer 2:

I just rewrote the whole thing, using this in one file:

```yaml
Resources:
  MyElastiCache:
    Type: "AWS::ElastiCache::CacheCluster"
    Properties:
      CacheNodeType:
        Fn::GetOptionSetting:
          OptionName : "CacheNodeType"
          DefaultValue : "cache.t2.micro"
      NumCacheNodes:
        Fn::GetOptionSetting:
          OptionName : "NumCacheNodes"
          DefaultValue : "1"
      Engine:
        Fn::GetOptionSetting:
          OptionName : "Engine"
          DefaultValue : "memcached"
      CacheSubnetGroupName:
        Ref: "MyCacheSubnets"
      VpcSecurityGroupIds:
        - Ref: "MemcachedSecurityGroup"
  MemcachedSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Lock cache down to webserver access only"
      VpcId:
        Fn::GetOptionSetting:
          OptionName : "VpcId"
      SecurityGroupIngress :
        - IpProtocol : "tcp"
          FromPort :
            Fn::GetOptionSetting:
              OptionName : "CachePort"
              DefaultValue: "11211"
          ToPort :
            Fn::GetOptionSetting:
              OptionName : "CachePort"
              DefaultValue: "11211"
          SourceSecurityGroupId:
            Ref: "AWSEBSecurityGroup"
  MyCacheSubnets:
    Type: "AWS::ElastiCache::SubnetGroup"
    Properties:
      Description: "Subnets for ElastiCache"
      SubnetIds:
        Fn::GetOptionSetting:
          OptionName : "CacheSubnets"
Outputs:
  ElastiCache:
    Description : "ID of ElastiCache Cache Cluster with Memcached"
    Value :
      Ref : "MyElastiCache"
```

and this in another .config file:

```yaml
option_settings:
  "aws:elasticbeanstalk:customoption":
    CacheNodeType : cache.t2.micro
    NumCacheNodes : 1
    Engine : memcached
    CachePort : 11211
    CacheSubnets:
      - subnet-
      - subnet-
      - subnet-
    VpcId: vpc-
```

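As an added example (it is not part of the question or of either answer, and not AWS code), here is a small Python linter for the pitfalls this thread runs into: an AWS::EC2::SecurityGroup without VpcId, or an AWS::ElastiCache::CacheCluster without CacheSubnetGroupName, is silently created in the account's default VPC; SourceSecurityGroupName is only resolved in the default VPC, so a non-default VPC needs SourceSecurityGroupId (the change the second answer makes); and Elastic Beanstalk's .ebextensions parser rejects short-form tags such as `!Ref`, which is the "could not determine a constructor for the tag" error in the comment on the first answer. The checker works on the already-parsed configuration (a dict, as json.load or yaml.safe_load would return), so it needs no YAML library; the raw-text tag check is a regular expression. It also flags 0.0.0.0/0 and ::/0 ingress rules, which goes beyond this thread. The two resource sets and the snippet below are constructed to mirror the question's template and the second answer's rewrite; the resource names are the thread's own, the function names are mine.

```python
"""Lint an Elastic Beanstalk .ebextensions config for default-VPC pitfalls (added example)."""
import re
from typing import Any

# Short-form CloudFormation intrinsic tags; the .ebextensions parser only accepts
# the long form (Ref: / Fn::GetAtt:), so these are reported with their line number.
SHORT_FORM_TAG = re.compile(
    r"!(Ref|GetAtt|Sub|Join|Select|Split|If|Equals|FindInMap|Base64|ImportValue)\b"
)


def find_short_form_tags(config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, tag) for every short-form intrinsic tag in the raw text."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        hits.extend((lineno, m.group(0)) for m in SHORT_FORM_TAG.finditer(line))
    return hits


def _referenced_groups(values: list) -> list[str]:
    """Logical names of security groups referenced via Ref or Fn::GetAtt."""
    names = []
    for v in values:
        if isinstance(v, dict) and "Ref" in v:
            names.append(v["Ref"])
        elif isinstance(v, dict) and "Fn::GetAtt" in v:
            names.append(v["Fn::GetAtt"][0])
    return names


def lint_vpc_placement(resources: dict[str, Any]) -> list[str]:
    """Flag resources that would land in the default VPC or cannot reference a
    group there, plus world-open ingress rules. Returns human-readable findings."""
    findings = []
    for name, res in resources.items():
        rtype = res.get("Type")
        props = res.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            if "VpcId" not in props:
                findings.append(f"{name}: no VpcId, so the group is created in the default VPC")
            for rule in props.get("SecurityGroupIngress") or []:
                if "SourceSecurityGroupName" in rule:
                    findings.append(f"{name}: SourceSecurityGroupName only resolves in the "
                                    f"default VPC; use SourceSecurityGroupId")
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(f"{name}: ingress open to the world on port {rule.get('FromPort')}")
        elif rtype == "AWS::ElastiCache::CacheCluster":
            if "CacheSubnetGroupName" not in props:
                findings.append(f"{name}: no CacheSubnetGroupName, so the cluster is placed "
                                f"in the default VPC")
            for sg in _referenced_groups(props.get("VpcSecurityGroupIds") or []):
                sg_props = (resources.get(sg) or {}).get("Properties") or {}
                if sg in resources and "VpcId" not in sg_props:
                    findings.append(f"{name}: VpcSecurityGroupIds references {sg}, which has no VpcId")
    return findings


# Constructed sample: the shape of the question's template (no VpcId, name-based source).
QUESTION_RESOURCES = {
    "MyCacheSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "Lock cache down to webserver access only",
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
                                      "SourceSecurityGroupName": {"Ref": "AWSEBSecurityGroup"}}],
        },
    },
    "MyElastiCache": {
        "Type": "AWS::ElastiCache::CacheCluster",
        "Properties": {"VpcSecurityGroupIds": [{"Fn::GetAtt": ["MyCacheSecurityGroup", "GroupId"]}]},
    },
}

# Constructed sample: the shape of the second answer's rewrite.
FIXED_RESOURCES = {
    "MemcachedSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "Lock cache down to webserver access only",
            "VpcId": {"Fn::GetOptionSetting": {"OptionName": "VpcId"}},
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": "11211", "ToPort": "11211",
                                      "SourceSecurityGroupId": {"Ref": "AWSEBSecurityGroup"}}],
        },
    },
    "MyElastiCache": {
        "Type": "AWS::ElastiCache::CacheCluster",
        "Properties": {"CacheSubnetGroupName": {"Ref": "MyCacheSubnets"},
                       "VpcSecurityGroupIds": [{"Ref": "MemcachedSecurityGroup"}]},
    },
}

# Constructed raw text with the first answer's short-form tag on line 6.
ANSWER1_SNIPPET = """\
Resources:
  MyCacheSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: "Lock cache down to webserver access only"
      VpcId: !Ref VpcId
"""

if __name__ == "__main__":
    for f in lint_vpc_placement(QUESTION_RESOURCES):
        print("question:", f)
    print("fixed:", lint_vpc_placement(FIXED_RESOURCES) or "no findings")
    print("short-form tags:", find_short_form_tags(ANSWER1_SNIPPET))
```

Run it as a pre-deploy check over each parsed `.ebextensions/*.config`; the question's shape yields four findings (the group has no VpcId and uses SourceSecurityGroupName, the cluster has no subnet group and references that group), the second answer's shape yields none, and the raw-text pass reports the `!Ref` on line 6 before Elastic Beanstalk rejects the file.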
