AWS CloudFormation: The security group 'sg-' does not exist in default VPC 'vpc'
Posted: 2021-06-28 14:54:31

Question: I have this template code that I am trying to use in my Elastic Beanstalk application, but it references my default VPC, and I cannot find how to reference my own VPC instead of the default one. Here is my YAML code (I only need to know how to reference my VpcID).
I tried adding some lines I found in the AWS resources, but they do not work (I used each line on its own, not all of them together):
Type: 'AWS::EC2::VPC::Id'

VpcId: String

Vpc:
  Default: "vpc-"
  Type: String

VpcCidr:
  Default: "10.0.0.0/16"
  Type: String
Here is my original code:
Resources:
  MyCacheSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: "Lock cache down to webserver access only"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort:
            Fn::GetOptionSetting:
              OptionName: CachePort
              DefaultValue: 11211
          ToPort:
            Fn::GetOptionSetting:
              OptionName: CachePort
              DefaultValue: 11211
          SourceSecurityGroupName:
            Ref: AWSEBSecurityGroup
  MyElastiCache:
    Type: 'AWS::ElastiCache::CacheCluster'
    Properties:
      CacheNodeType:
        Fn::GetOptionSetting:
          OptionName: CacheNodeType
          DefaultValue: cache.t2.micro
      NumCacheNodes:
        Fn::GetOptionSetting:
          OptionName: NumCacheNodes
          DefaultValue: 1
      Engine:
        Fn::GetOptionSetting:
          OptionName: Engine
          DefaultValue: redis
      VpcSecurityGroupIds:
        -
          Fn::GetAtt:
            - MyCacheSecurityGroup
            - GroupId
  AWSEBAutoScalingGroup:
    Metadata:
      ElastiCacheConfig:
        CacheName:
          Ref: MyElastiCache
        CacheSize:
          Fn::GetOptionSetting:
            OptionName: NumCacheNodes
            DefaultValue: 1
  WebServerUser:
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      Policies:
        -
          PolicyName: root
          PolicyDocument:
            Statement:
              -
                Effect: Allow
                Action:
                  - cloudformation:DescribeStackResource
                  - cloudformation:ListStackResources
                  - elasticache:DescribeCacheClusters
                Resource: "*"
  WebServerKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: WebServerUser
Outputs:
  WebsiteURL:
    Description: sample output only here to show inline string function parsing
    Value: |
      http://awseb-AWSEB-1U7AK1W53691K-1263338585.ca-central-1.elb.amazonaws.com
  MyElastiCacheName:
    Description: Name of the elasticache
    Value:
      Ref: MyElastiCache
  NumCacheNodes:
    Description: Number of cache nodes in MyElastiCache
    Value:
      Fn::GetOptionSetting:
        OptionName: NumCacheNodes
        DefaultValue: 1
files:
  "/etc/cfn/cfn-credentials":
    content: |
      AWSAccessKeyId=`{ "Ref" : "WebServerKeys" }`
      AWSSecretKey=`{ "Fn::GetAtt" : ["WebServerKeys", "SecretAccessKey"] }`
    mode: "000400"
    owner: root
    group: root
  "/etc/cfn/get-cache-nodes":
    content: |
      # Define environment variables for command line tools
      export AWS_ELASTICACHE_HOME="/home/ec2-user/elasticache/$(ls /home/ec2-user/elasticache/)"
      export AWS_CLOUDFORMATION_HOME=/opt/aws/apitools/cfn
      export PATH=$AWS_CLOUDFORMATION_HOME/bin:$AWS_ELASTICACHE_HOME/bin:$PATH
      export AWS_CREDENTIAL_FILE=/etc/cfn/cfn-credentials
      export JAVA_HOME=/usr/lib/jvm/jre
      # Grab the Cache node names and configure the php page
      aws cloudformation list-stack-resources --stack `{ "Ref" : "AWS::StackName" }` --region `{ "Ref" : "AWS::Region" }` --output text | grep MyElastiCache | awk '{print $4}' | xargs -I {} aws elasticache describe-cache-clusters --cache-cluster-id {} --region `{ "Ref" : "AWS::Region" }` --show-cache-node-info --output text | grep '^ENDPOINT' | awk '{print $2 ":" $3}' > `{ "Fn::GetOptionSetting" : { "OptionName" : "NodeListPath", "DefaultValue" : "/var/www/html/nodelist" } }`
    mode: "000500"
    owner: root
    group: root
  "/etc/cfn/hooks.d/cfn-cache-change.conf":
    "content": |
      [cfn-cache-size-change]
      triggers=post.update
      path=Resources.AWSEBAutoScalingGroup.Metadata.ElastiCacheConfig
      action=/etc/cfn/get-cache-nodes
      runas=root
sources:
  "/home/ec2-user/elasticache": "https://s3.amazonaws.com/elasticache-downloads/AmazonElastiCacheCli-latest.zip"
commands:
  make-elasticache-executable:
    command: chmod -R ugo+x /home/ec2-user/elasticache/*/bin/*
packages:
  "yum":
    "aws-apitools-cfn": []
container_commands:
  initial_cache_nodes:
    command: /etc/cfn/get-cache-nodes
Answer 1: You have to place your security group in your VPC with the VpcId property:
MyCacheSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupDescription: "Lock cache down to webserver access only"
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort:
          Fn::GetOptionSetting:
            OptionName: CachePort
            DefaultValue: 11211
        ToPort:
          Fn::GetOptionSetting:
            OptionName: CachePort
            DefaultValue: 11211
        SourceSecurityGroupName:
          Ref: AWSEBSecurityGroup
Comments:
It does not work; it returns this error right away: The configuration file .ebextensions/elasticache-iam-with-script.config in application version sample Application-24 contains invalid YAML or JSON. YAML exception: Invalid Yaml: could not determine a constructor for the tag !Ref in "

I just rewrote the whole thing, using this in one file:
Resources:
  MyElastiCache:
    Type: "AWS::ElastiCache::CacheCluster"
    Properties:
      CacheNodeType:
        Fn::GetOptionSetting:
          OptionName: "CacheNodeType"
          DefaultValue: "cache.t2.micro"
      NumCacheNodes:
        Fn::GetOptionSetting:
          OptionName: "NumCacheNodes"
          DefaultValue: "1"
      Engine:
        Fn::GetOptionSetting:
          OptionName: "Engine"
          DefaultValue: "memcached"
      CacheSubnetGroupName:
        Ref: "MyCacheSubnets"
      VpcSecurityGroupIds:
        - Ref: "MemcachedSecurityGroup"
  MemcachedSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "Lock cache down to webserver access only"
      VpcId:
        Fn::GetOptionSetting:
          OptionName: "VpcId"
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort:
            Fn::GetOptionSetting:
              OptionName: "CachePort"
              DefaultValue: "11211"
          ToPort:
            Fn::GetOptionSetting:
              OptionName: "CachePort"
              DefaultValue: "11211"
          SourceSecurityGroupId:
            Ref: "AWSEBSecurityGroup"
  MyCacheSubnets:
    Type: "AWS::ElastiCache::SubnetGroup"
    Properties:
      Description: "Subnets for ElastiCache"
      SubnetIds:
        Fn::GetOptionSetting:
          OptionName: "CacheSubnets"
Outputs:
  ElastiCache:
    Description: "ID of ElastiCache Cache Cluster with Memcached"
    Value:
      Ref: "MyElastiCache"
and this in another .config file:
option_settings:
  "aws:elasticbeanstalk:customoption":
    CacheNodeType: cache.t2.micro
    NumCacheNodes: 1
    Engine: memcached
    CachePort: 11211
    CacheSubnets:
      - subnet-
      - subnet-
      - subnet-
    VpcId: vpc-
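As an added illustration (not code from the question or the answer), the following Python checker encodes what this thread runs into: a security group with no VpcId is created in the default VPC, SourceSecurityGroupName is only valid for groups in the default VPC (which is why the working version switches to SourceSecurityGroupId), and .ebextensions rejects the short-form !Ref tag, accepting only the long form. The three resource dicts are constructed to mirror the security groups shown above.

```python
import re

# Constructed dicts mirroring the security groups on this page, written with
# long-form intrinsic functions (the only form .ebextensions accepts).
ANSWER_SG = {  # answer 1: VpcId added, but still SourceSecurityGroupName
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Lock cache down to webserver access only",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupIngress": [{
            "IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
            "SourceSecurityGroupName": {"Ref": "AWSEBSecurityGroup"}}],
    },
}
# The asker's original group: same rule, no VpcId at all.
ORIGINAL_SG = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    k: v for k, v in ANSWER_SG["Properties"].items() if k != "VpcId"}}
# The asker's working version: VpcId from option_settings, SourceSecurityGroupId.
FINAL_SG = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Lock cache down to webserver access only",
        "VpcId": {"Fn::GetOptionSetting": {"OptionName": "VpcId"}},
        "SecurityGroupIngress": [{
            "IpProtocol": "tcp", "FromPort": 11211, "ToPort": 11211,
            "SourceSecurityGroupId": {"Ref": "AWSEBSecurityGroup"}}],
    },
}

SHORT_TAG = re.compile(r"!(Ref|GetAtt|Sub|Join|Select|Split|FindInMap|If|Base64|GetAZs)\b")

def find_short_form_tags(config_text):
    """(line number, tag) for each YAML short-form intrinsic function; these are
    what produce the 'could not determine a constructor for the tag !Ref' error."""
    return [(n, m.group(0)) for n, line in enumerate(config_text.splitlines(), 1)
            for m in SHORT_TAG.finditer(line)]

def check_security_groups(resources):
    """Return (logical id, problem) pairs for every AWS::EC2::SecurityGroup."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        in_vpc = "VpcId" in props
        if not in_vpc:
            findings.append((name, "no VpcId: group is created in the default VPC"))
        for rule in props.get("SecurityGroupIngress", []):
            if in_vpc and "SourceSecurityGroupName" in rule:
                findings.append((name, "SourceSecurityGroupName is default-VPC only; use SourceSecurityGroupId"))
    return findings
```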