How Do I Specify a Security Group for Elastic Beanstalk Launch Configuration in CloudFormation Template?
I have the following security group defined in my CloudFormation template:
"APIInstanceSG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security Group for Application EC2 Instances",
    "VpcId": "vpc-10a75377",
    "Tags": [{
      "Key": "Name",
      "Value": "APIInstanceSG"
    }]
  }
}
I have also defined an Elastic Beanstalk environment that contains the following in its OptionSettings:
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": { "Ref": "APIInstanceSG" }
}
When I create a stack with this template, the security group is created before CloudFormation tries to create the EB environment, but when it gets to creating the EB environment it fails with the following error:
Configuration validation exception: Invalid option value: 'sg-994fcbe4' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'sg-994fcbe4' does not exist
sg-994fcbe4 is the ID of the security group that was created.
The Elastic Beanstalk environment is configured as follows:
"AspectAPIEnv": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": "application-name",
"EnvironmentName": "environment-name",
"SolutionStackName": "64bit Amazon Linux 2016.09 v3.1.0 running Node.js",
"Tier": {
"Name": "WebServer",
"Type": "Standard"
},
"OptionSettings": [
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "EC2KeyName",
"Value": "ec2-key"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": "aws-elasticbeanstalk-ec2-role"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "ImageId",
"Value": "ami-d8356acf"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "InstanceType",
"Value": "t2.micro"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "SecurityGroups",
"Value": { "Ref": "APIInstanceSG" }
},
{
"Namespace": "aws:autoscaling:trigger",
"OptionName": "UpperThreshold",
"Value": "6000000"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "MaxBatchSize",
"Value": "1"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "MinInstancesInService",
"Value": "1"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateEnabled",
"Value": "true"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateType",
"Value": "Health"
},
{
"Namespace": "aws:elasticbeanstalk:command",
"OptionName": "BatchSize",
"Value": "30"
},
{
"Namespace": "aws:elasticbeanstalk:container:nodejs",
"OptionName": "NodeVersion",
"Value": "6.2.2"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "ServiceRole",
"Value": "aws-elasticbeanstalk-service-role"
},
{
"Namespace": "aws:elasticbeanstalk:healthreporting:system",
"OptionName": "SystemType",
"Value": "enhanced"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "ManagedActionsEnabled",
"Value": "true"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions",
"OptionName": "PreferredStartTime",
"Value": "SUN:09:02"
},
{
"Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
"OptionName": "UpdateLevel",
"Value": "minor"
},
{
"Namespace": "aws:elb:healthcheck",
"OptionName": "Interval",
"Value": "10"
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "CrossZone",
"Value": "true"
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "LoadBalancerHTTPPort",
"Value": "80"
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "SecurityGroups",
"Value": { "Ref": "APILoadBalancerSG" }
},
{
"Namespace": "aws:elb:loadbalancer",
"OptionName": "ManagedSecurityGroup",
"Value": { "Ref": "APILoadBalancerSG" }
},
{
"Namespace": "aws:elb:policies",
"OptionName": "ConnectionDrainingEnabled",
"Value": "true"
}
],
"Tags": [
{
"Key": "Name",
"Value": "AspectAPIEnv"
}
]
},
"DependsOn": "RDSInstance"
}
To overcome this issue:
You need to change the EB security group from the AWS CLI; you cannot do it from the AWS web console.
Assuming you already have the AWS CLI installed, if you want to change the security group you need to run this command:
aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value="<security-group-id>"
You should set the DependsOn attribute in the LC definition to make sure it exists before the SG during stack creation. Otherwise you cannot guarantee that the reference is valid.
"APIInstanceSG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security Group for Application EC2 Instances",
    "VpcId": "vpc-10a75377",
    "Tags": [{
      "Key": "Name",
      "Value": "APIInstanceSG"
    }]
  },
  "DependsOn" : "APIInstanceSG"
}
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html
In your template, instead of
"DependsOn" : "RDSInstance"
write:
"DependsOn": ["APIInstanceSG", "RDSInstance"]
More info: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html
After looking at your AWS::ElasticBeanstalk::Environment resource, I was able to reproduce the error you are getting. As Marc Young suggested in a comment on your question, you did not specify a VPC for your environment. Since your security group is in a VPC, it cannot be reached from a resource that is not in the same VPC.
To fix it, you have to add the following configuration option to your environment:
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "VPCId",
"Value" : "vpc-10a75377"
},
If you specify the VPC, creating a stack with the updated template will fail with an error message saying that you also need to specify the environment subnets, so you have to add the following options as well:
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "Subnets",
"Value" : <insert the subnet for your instances here>
},
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "ELBSubnets",
"Value" : <insert the subnet for your load balancer here>
}
You can see a working example of a Beanstalk application in a VPC in the Elastic Beanstalk CloudFormation sample templates.
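Added example, not code from the question or from any of the answers: a small Python pre-deployment check that covers both the DependsOn answer and the VPC answer above. CloudFormation already derives an implicit creation-order dependency from the Ref, so the security group exists by the time the environment is created, as the question itself observes; the condition that actually produces "The security group ... does not exist" is an environment whose launch configuration references a VPC security group while the environment has no aws:ec2:vpc VPCId, Subnets and ELBSubnets options. The check walks a parsed template, reports that condition (and a VPCId that does not match the group's VpcId), and can return a fixed copy of the template with those options appended. The template embedded below is a constructed, reduced version of the one in the question; the subnet IDs are placeholders, and the ELBSubnets requirement assumes a load-balanced WebServer tier.

```python
"""Lint an Elastic Beanstalk environment in a CloudFormation template for the
VPC / security-group mismatch discussed above, and optionally fix it.
Added example; the template below is constructed from the question, reduced
to what the check needs. Subnet ids used with it are placeholders."""
import copy

EB_ENV = "AWS::ElasticBeanstalk::Environment"
EC2_SG = "AWS::EC2::SecurityGroup"
LC_NS = "aws:autoscaling:launchconfiguration"
VPC_NS = "aws:ec2:vpc"

# Constructed, reduced version of the question's template (VPC id as in the question).
TEMPLATE = {
    "Resources": {
        "APIInstanceSG": {
            "Type": EC2_SG,
            "Properties": {
                "GroupDescription": "Security Group for Application EC2 Instances",
                "VpcId": "vpc-10a75377",
            },
        },
        "AspectAPIEnv": {
            "Type": EB_ENV,
            "Properties": {
                "ApplicationName": "application-name",
                "Tier": {"Name": "WebServer", "Type": "Standard"},
                "OptionSettings": [
                    {"Namespace": LC_NS, "OptionName": "InstanceType", "Value": "t2.micro"},
                    {"Namespace": LC_NS, "OptionName": "SecurityGroups",
                     "Value": {"Ref": "APIInstanceSG"}},
                ],
            },
        },
    }
}


def _option(settings, namespace, name):
    """Return the option-setting dict for (namespace, name), or None."""
    for setting in settings:
        if setting.get("Namespace") == namespace and setting.get("OptionName") == name:
            return setting
    return None


def _refs(value):
    """Logical ids referenced by a Value given as {"Ref": ...} or a list of them."""
    items = value if isinstance(value, list) else [value]
    return [v["Ref"] for v in items if isinstance(v, dict) and "Ref" in v]


def lint_eb_environments(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    resources = template.get("Resources", {})
    for env_id, env in resources.items():
        if env.get("Type") != EB_ENV:
            continue
        props = env.get("Properties", {})
        settings = props.get("OptionSettings", [])
        sg_opt = _option(settings, LC_NS, "SecurityGroups")
        if sg_opt is None:
            continue
        env_vpc = _option(settings, VPC_NS, "VPCId")
        vpc_groups = []  # VpcId of each referenced in-template security group
        for sg_id in _refs(sg_opt["Value"]):
            sg = resources.get(sg_id)
            if sg is None or sg.get("Type") != EC2_SG:
                findings.append(f"{env_id}: SecurityGroups refers to {sg_id}, "
                                f"which is not an {EC2_SG} in this template")
                continue
            sg_vpc = sg.get("Properties", {}).get("VpcId")
            if sg_vpc is None:
                continue  # group without a VpcId: nothing to check here
            vpc_groups.append(sg_vpc)
            if env_vpc is None:
                findings.append(f"{env_id}: references VPC security group {sg_id} "
                                f"({sg_vpc}) but sets no {VPC_NS} VPCId; Beanstalk "
                                f"looks the group up outside the VPC and fails")
            elif env_vpc["Value"] != sg_vpc:
                findings.append(f"{env_id}: {VPC_NS} VPCId {env_vpc['Value']} does "
                                f"not match VpcId {sg_vpc} of {sg_id}")
        if env_vpc is None and not vpc_groups:
            continue  # nothing VPC-related in this environment
        # A VPC environment needs Subnets; a load-balanced WebServer tier also
        # needs ELBSubnets (assumption: single-instance environments are not modelled).
        required = ["Subnets"]
        if props.get("Tier", {}).get("Name") == "WebServer":
            required.append("ELBSubnets")
        for name in required:
            if _option(settings, VPC_NS, name) is None:
                findings.append(f"{env_id}: {VPC_NS} {name} is missing")
    return findings


def add_vpc_settings(template, env_id, vpc_id, subnets, elb_subnets):
    """Return a copy of the template with the aws:ec2:vpc options added to the
    named environment; options already present are kept. Subnet lists are
    joined with commas, the format Beanstalk expects for these options."""
    fixed = copy.deepcopy(template)
    settings = fixed["Resources"][env_id]["Properties"].setdefault("OptionSettings", [])
    wanted = (("VPCId", vpc_id),
              ("Subnets", ",".join(subnets)),
              ("ELBSubnets", ",".join(elb_subnets)))
    for name, value in wanted:
        if _option(settings, VPC_NS, name) is None:
            settings.append({"Namespace": VPC_NS, "OptionName": name, "Value": value})
    return fixed


if __name__ == "__main__":
    for finding in lint_eb_environments(TEMPLATE):
        print("FAIL:", finding)
    # Placeholder subnet ids (assumption): substitute the real subnets of the VPC.
    fixed = add_vpc_settings(TEMPLATE, "AspectAPIEnv", "vpc-10a75377",
                             ["subnet-aaaa1111"], ["subnet-bbbb2222"])
    print("after fix:", lint_eb_environments(fixed) or "clean")
```

Run it against a template parsed with json.load before calling aws cloudformation create-stack; the unfixed template produces three findings (missing VPCId, Subnets and ELBSubnets), and the copy returned by add_vpc_settings produces none. The VpcId comparison also catches the quieter failure where the environment is placed in a VPC other than the one the security group belongs to.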