AWS Cloudformation 上的 UserData 未部署在 EC2 实例上

Posted 2023-03-04

【中文标题】AWS Cloudformation 上的 UserData 未部署在 EC2 实例上

【英文标题】：UserData on AWS Cloudformation not getting deployed on EC2 instance

【发布时间】：2021-12-26 05:04:17

【问题描述】：

我正在尝试使用 kubectl 和 nodejs 等工具引导 EC2。但是，我无法执行 UserData。有人可以帮我解决下面的脚本吗：

AWSTemplateFormatVersion: 2010-09-09
Description: Part 1 - Build a webapp stack with CloudFormation

Resources:
  WebAppInstance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-2a
      ImageId: ami-074cce78125f09d61
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebAppSecurityGroup
      UserData: 
        Fn::Base64: |
          !Sub |
            #!/bin/bash -xe
            yum install nodejs -y
            curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/kubectl

  WebAppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Join ["-", [webapp-security-group, dev]]
      GroupDescription: "Allow HTTP/HTTPS and SSH inbound and outbound traffic"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  WebAppEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref WebAppInstance
      Tags:
        - Key: Name
          Value: !Join ["-", [webapp-eip, dev]]

  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"

  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole

  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole

  candidateUser:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: candidate # give a name to this user
      LoginProfile: # specify a password for this user
        Password: DTelek0m
        PasswordResetRequired: false # make this user to set a new password on next sign-in
      Path: '/'
      ManagedPolicyArns: # list of ARNs of IAM managed policies that you want to attach to the user
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - arn:aws:iam::aws:policy/EC2InstanceConnect

Outputs:
  WebsiteURL:
    Value: !Sub http://$WebAppEIP
    Description: WebApp URL

EC2 没有任何问题，但我无法在此基础上安装软件包。到目前为止，我尝试部署 nodejs、nginx、kubectl。

【问题讨论】：

查看this answer 的系统日志和 cloud-init 日志。

@jarmod 没有关于 UserData 的日志。

您的UserData 没有安装任何kubectl 和tomcat。所以不清楚到底是什么问题。

通过系统日志，我指的是监控和故障排除 > 从 EC2 控制台中获取系统日志。它将显示启动时间日志。如果需要，将 echo 语句添加到您的用户数据并重新启动。

@Marcin 已更新脚本以使其更加清晰。我正在尝试安装 kubectl 和 nodejs。

【参考方案1】：

工作解决方案：

发现的问题是缺少 curl 安装。

AWSTemplateFormatVersion: 2010-09-09
Description: Part 1 - Build a webapp stack with CloudFormation

Resources:
  WebAppInstance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-2a
      ImageId: ami-074cce78125f09d61
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref WebAppSecurityGroup
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash -xe
            sudo yum install curl
            curl -o kubectl https://amazon-eks.s3.us-west-2.amazonaws.com/1.21.2/2021-07-05/bin/linux/amd64/kubectl
            sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

  WebAppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Join ["-", [webapp-security-group, dev]]
      GroupDescription: "Allow HTTP/HTTPS and SSH inbound and outbound traffic"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  WebAppEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref WebAppInstance
      Tags:
        - Key: Name
          Value: !Join ["-", [webapp-eip, dev]]

  RootRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"

  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: root
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: "*"
            Resource: "*"
      Roles:
        - !Ref RootRole

  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref RootRole

  candidateUser:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: candidate # give a name to this user
      LoginProfile: # specify a password for this user
        Password: DTelek0m
        PasswordResetRequired: false # make this user to set a new password on next sign-in
      Path: '/'
      ManagedPolicyArns: # list of ARNs of IAM managed policies that you want to attach to the user
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - arn:aws:iam::aws:policy/EC2InstanceConnect

Outputs:
  WebsiteURL:
    Value: !Sub http://$WebAppEIP
    Description: WebApp URL