如何在 CloudFormation 模板中为 Elastic Beanstalk 启动配置指定安全组?
Posted
技术标签:
【中文标题】如何在 CloudFormation 模板中为 Elastic Beanstalk 启动配置指定安全组?【英文标题】:How Do I Specify a Security Group for Elastic Beanstalk Launch Configuration in CloudFormation Template? 【发布时间】:2017-04-01 22:46:23 【问题描述】:我在 CloudFormation 模板中定义了以下安全组:
"APIInstanceSG":
"Type": "AWS::EC2::SecurityGroup",
"Properties":
"GroupDescription": "Security Group for Application EC2 Instances,
"VpcId": "vpc-10a75377",
"Tags": [
"Key": "Name",
"Value": "APIInstanceSG"
]
我还定义了一个 Elastic Beanstalk 环境,其中包含以下选项设置:
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": "Ref": "APIInstanceSG"
当我使用此模板创建堆栈时,会在 CloudFormation 尝试创建 EB 环境之前创建安全组,但是当它尝试创建 EB 环境时,它会失败并出现以下错误:
配置验证异常:无效选项值:“sg-994fcbe4”(命名空间:“aws:autoscaling:launchconfiguration”,选项名称:“SecurityGroups”):安全组“sg-994fcbe4”不存在
sg-994fcbe4 是创建的安全组的 ID
Elastic Beanstalk 环境配置如下:
"AspectAPIEnv":
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties":
"ApplicationName": "application-name",
"EnvironmentName": "environment-name",
"SolutionStackName": "64bit Amazon Linux 2016.09 v3.1.0 running Node.js",
"Tier":
"Name": "WebServer",
"Type": "Standard"
,
"OptionSettings": [
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "EC2KeyName",
"Value": "ec2-key"
,
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": "aws-elasticbeanstalk-ec2-role"
,
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "ImageId",
"Value": "ami-d8356acf"
,
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "InstanceType",
"Value": "t2.micro"
,
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": "Ref": "APIInstanceSG"
,
"Namespace": "aws:autoscaling:trigger",
"OptionName": "UpperThreshold",
"Value": "6000000"
,
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "MaxBatchSize",
"Value": "1"
,
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "MinInstancesInService",
"Value": "1"
,
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateEnabled",
"Value": "true"
,
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateType",
"Value": "Health"
,
"Namespace": "aws:elasticbeanstalk:command",
"OptionName": "BatchSize",
"Value": "30"
,
"Namespace": "aws:elasticbeanstalk:container:nodejs",
"OptionName": "NodeVersion",
"Value": "6.2.2"
,
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "ServiceRole",
"Value": "aws-elasticbeanstalk-service-role"
,
"Namespace": "aws:elasticbeanstalk:healthreporting:system",
"OptionName": "SystemType",
"Value": "enhanced"
,
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "ManagedActionsEnabled",
"Value": "true"
,
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "PreferredStartTime",
"Value": "SUN:09:02"
,
"Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
"OptionName": "UpdateLevel",
"Value": "minor"
,
"Namespace": "aws:elb:healthcheck",
"OptionName": "Interval",
"Value": "10"
,
"Namespace": "aws:elb:loadbalancer",
"OptionName": "CrossZone",
"Value": "true"
,
"Namespace": "aws:elb:loadbalancer",
"OptionName": "LoadBalancerHTTPPort",
"Value": "80"
,
"Namespace": "aws:elb:loadbalancer",
"OptionName": "SecurityGroups",
"Value": "Ref": "APILoadBalancerSG"
,
"Namespace": "aws:elb:loadbalancer",
"OptionName": "ManagedSecurityGroup",
"Value": "Ref": "APILoadBalancerSG"
,
"Namespace": "aws:elb:policies",
"OptionName": "ConnectionDrainingEnabled",
"Value": "true"
],
"Tags": [
"Key": "Name",
"Value": "AspectAPIEnv"
]
,
"DependsOn": "RDSInstance"
【问题讨论】:
您确定启动配置与安全组位于同一 VPC 中? 是的,所有实例都在 VPC 内 您可以向我们展示您的 Beanstalk 环境资源的模板 sn-p 吗? 好的,现在刚刚添加 谢谢,我已经添加了答案。 @MarcYoung 在正确的轨道上,您的环境资源缺少 VPC 选项设置。 【参考方案1】:查看您的 AWS::ElasticBeanstalk::Environment 资源后,我能够重现您遇到的错误。正如 Marc Young 在对您的问题的评论中所建议的那样,您没有为您的环境指定 VPC。由于您的安全组位于 VPC 中,因此无法从不在同一 VPC 中的资源访问它。
要修复它,您必须将以下配置选项添加到您的环境中:
"Namespace" : "aws:ec2:vpc",
"OptionName" : "VPCId",
"Value" : "vpc-10a75377"
,
如果您指定 VPC,使用更新的模板创建堆栈将失败,并显示一条错误消息,指出您还需要指定环境子网,因此您必须添加以下选项:
"Namespace" : "aws:ec2:vpc",
"OptionName" : "Subnets",
"Value" : <insert the subnet for your instances here>
,
"Namespace" : "aws:ec2:vpc",
"OptionName" : "ELBSubnets",
"Value" : <insert the subnet for your load balancer here>
您可以在Elastic Beanstalk CloudFormation sample templates 中查看 VPC 中 Beanstalk 应用程序的工作示例。
【讨论】:
【参考方案2】:要克服这个问题:
您需要从 AWS CLI 更改 EB 安全组,您无法从 AWS Web 控制台执行此操作。
考虑到您已经拥有 AWS CLI installed,如果您想更改安全组,则需要执行此命令:
aws elasticbeanstalk update-environment –environment-name –option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=””
Source
【讨论】:
我需要能够作为 cloudformation 模板的一部分来执行此操作 那么设置value="" 应该清除分配给Env 的所有安全组吗?如果是这样,那对我不起作用。我只想删除 Beanstalk 自动生成的那个。【参考方案3】:
您应该在 LC 定义中设置 DependsOn 属性,以确保在堆栈创建期间它存在于 SG 之前。否则你不能保证引用会起作用。
"APIInstanceSG":
"Type": "AWS::EC2::SecurityGroup",
"Properties":
"GroupDescription": "Security Group for Application EC2 Instances,
"VpcId": "vpc-10a75377",
"Tags": [
"Key": "Name",
"Value": "APIInstanceSG"
]
,
"DependsOn" : "APIInstanceSG"
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html
【讨论】:
【参考方案4】:在您的模板中,而不是
"DependsOn" : "RDSInstance"
写:
"DependsOn": ["APIInstanceSG", "RDSInstance"]
更多信息:http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html
【讨论】:
以上是关于如何在 CloudFormation 模板中为 Elastic Beanstalk 启动配置指定安全组?的主要内容,如果未能解决你的问题,请参考以下文章
在 Cloudformation 模板中为 AWS API Gateway 使用 IAM 角色
在 Cloudformation 模板中为 API 网关启用 CORS DEFAULT 4XX/5XX
如何在cloudformation中为我的beantalk定义nodejs的版本