Best practice to create a file in AWS EC2 instance using cloud formation
There are many ways to do this, but I don't know which one is best. I first tried doing it as follows:
```yaml
ServiceInstance:
  Type: "AWS::EC2::Instance"
  Properties:
    ImageId: !Ref AmiId, !Ref LatestOnescoutAmi ]   # line truncated in the original post
    InstanceType: !Ref InstanceType
    SubnetId: !ImportValue vpc-stack-PublicASubnet
    SecurityGroupIds:
      - !Ref ServiceSecurityGroup
    KeyName: !Ref KeyName
    UserData:
      'Fn::Base64': !Sub |
        #cloud-config
        write_files:
          - path: /etc/sysconfig/cloudformation
            permissions: 0644
            owner: root
            content: |
              STACK_NAME=${AWS::StackName}
              AWS_REGION=${AWS::Region}
          - path: /etc/datadog-agent/conf.d/mysql.d/conf.yaml
            permissions: 0644
            owner: dd-agent
            content: |
              init_config:
              instances:
                - server: some-db-host
                  user: some-admin
                  pass: some-password
                  port: 3306
                  tags:
                    - dbinstanceidentifier:someide
        runcmd:
          ## enable datadog agent
          - systemctl start datadog-agent
          - systemctl start application.service
```
But then my /etc/datadog-agent/conf.d/mysql.d/conf.yaml grew; I have about 13 blocks, and hard-coding them into the template is not good. It would be better to keep the template generic and pass the configuration file in as a parameter.

However, according to this, it is not possible to pass a file or file contents to CloudFormation.

Of the other two options I can think of, the method above is the simplest one I have seen:

- Store the configuration in SSM and fetch it back when the EC2 instance starts.
- Create an Auto Scaling group and launch configuration that accepts a file path, but it is more complex than I need:
```yaml
LaunchConfig:
  Type: AWS::AutoScaling::LaunchConfiguration
  Metadata:
    AWS::CloudFormation::Init:
      configSets:
        service_configuration:
          - datadog_setup
      datadog_setup:
        files:
          /etc/datadog-agent/conf.d/mysql.d/conf.yaml:
            content: "@file://./config/conf-${Env}.yaml"
            mode: "000644"
            owner: "root"
            group: "root"
        commands:
          start_datadog:
            command: service datadog-agent start
```
Any idea how to do this in a simple, generic and secure way? An example would be greatly appreciated. Thanks in advance.
How I did it another way: I created an S3 bucket, then created a role for my EC2 instance that can access this S3 bucket and download files, and then in my runcmd section I download the file.
```yaml
ServiceInstance:
  Type: "AWS::EC2::Instance"
  Properties:
    InstanceType: !Ref InstanceType
    IamInstanceProfile: !Ref InstanceProfile
    UserData:
      'Fn::Base64': !Sub |
        #cloud-config
        write_files:
          - path: /etc/sysconfig/cloudformation
            permissions: 0644
            owner: root
            content: |
              STACK_NAME=${AWS::StackName}
              AWS_REGION=${AWS::Region}
        runcmd:
          - aws s3 cp s3://${ArtifactsBucketName}/dd-get-secrets.py /home/ec2-user/dd-get-secrets.py

InstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    Path: /
    Roles: [!Ref IAMRole]

IAMRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ec2.amazonaws.com]
          Action: ['sts:AssumeRole']
    Path: /
    Policies:
      - PolicyName: allow-downloading-dd-templates
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:ListBucket
              # s3:ListBucket is evaluated against the bucket ARN itself,
              # s3:GetObject against object ARNs, so both forms are needed
              Resource:
                - !Sub "arn:aws:s3:::${ArtifactsBucketName}"
                - !Sub "arn:aws:s3:::${ArtifactsBucketName}/*"
```
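As an added example (not the question's or the answer's own code), this is what the downloaded `dd-get-secrets.py` could look like if it takes the SSM route the question mentions: the 13 check blocks are assembled at boot from SSM Parameter Store SecureStrings, so the database credentials never sit in the template or in user-data (user-data is readable by every process on the instance through the metadata service and by anyone with `ec2:DescribeInstanceAttribute`). The parameter layout under `/<STACK_NAME>/datadog/mysql/`, the `PARAM_ROOT` constant and the `dd-agent` file ownership are assumptions of this example; the instance role would need `ssm:GetParameter` on that path and `kms:Decrypt` on the key used for the SecureStrings instead of, or in addition to, the S3 permissions above.

```python
"""Build /etc/datadog-agent/conf.d/mysql.d/conf.yaml from SSM Parameter Store
at boot. Example code, not the original poster's script.

Parameter layout assumed here (constructed for the example):
  /<STACK_NAME>/datadog/mysql/instances                 StringList of DB identifiers
  /<STACK_NAME>/datadog/mysql/<id>/{host,user,pass,port} SecureStrings per database
"""
import json
import os
from typing import Callable, Dict, List

PARAM_ROOT = "/datadog/mysql"                       # assumed path fragment
CONF_PATH = "/etc/datadog-agent/conf.d/mysql.d/conf.yaml"
SYSCONFIG_PATH = "/etc/sysconfig/cloudformation"    # written by the cloud-config above

Fetch = Callable[[str], str]   # parameter name -> decrypted value


def read_sysconfig(path: str = SYSCONFIG_PATH) -> Dict[str, str]:
    """Parse the KEY=VALUE file cloud-init wrote (STACK_NAME, AWS_REGION)."""
    env: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                env[key.strip()] = value.strip()
    return env


def ssm_fetcher(region: str) -> Fetch:
    """Return a fetch function backed by SSM GetParameter with decryption.
    boto3 is imported lazily so the rest of the module works without it."""
    import boto3  # only needed on the instance itself
    client = boto3.client("ssm", region_name=region)

    def fetch(name: str) -> str:
        return client.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]

    return fetch


def build_instances(fetch: Fetch, prefix: str) -> List[Dict]:
    """Fetch one check block per DB identifier listed in <prefix>/instances."""
    ids = [i.strip() for i in fetch(f"{prefix}/instances").split(",") if i.strip()]
    blocks = []
    for db_id in ids:
        base = f"{prefix}/{db_id}"
        blocks.append({
            "server": fetch(f"{base}/host"),
            "user": fetch(f"{base}/user"),
            "pass": fetch(f"{base}/pass"),
            "port": int(fetch(f"{base}/port")),
            "tags": [f"dbinstanceidentifier:{db_id}"],
        })
    return blocks


def render_conf(instances: List[Dict]) -> str:
    """Emit the check config as YAML. JSON string literals are valid YAML
    double-quoted scalars, so json.dumps() safely quotes values containing
    ':' or '#' and avoids a PyYAML dependency on the instance."""
    lines = ["init_config:", "instances:"]
    for inst in instances:
        lines.append(f"  - server: {json.dumps(inst['server'])}")
        lines.append(f"    user: {json.dumps(inst['user'])}")
        lines.append(f"    pass: {json.dumps(inst['pass'])}")
        lines.append(f"    port: {inst['port']}")
        lines.append("    tags:")
        lines.extend(f"      - {json.dumps(tag)}" for tag in inst["tags"])
    return "\n".join(lines) + "\n"


def write_conf(path: str, text: str, uid: int, gid: int) -> int:
    """Create the file with mode 0640 from the start (no world-readable window,
    unlike write_files with permissions 0644), then hand it to the agent user.
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, 0o640)   # a pre-existing file or the umask may have changed the mode
    os.chown(path, uid, gid)
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    import pwd
    env = read_sysconfig()
    fetch = ssm_fetcher(env["AWS_REGION"])
    conf = render_conf(build_instances(fetch, f"/{env['STACK_NAME']}{PARAM_ROOT}"))
    agent = pwd.getpwnam("dd-agent")   # assumed agent account, as in the question
    write_conf(CONF_PATH, conf, agent.pw_uid, agent.pw_gid)
```

Run it from `runcmd` after the `aws s3 cp` line, for example `python3 /home/ec2-user/dd-get-secrets.py && systemctl restart datadog-agent`, so the agent only starts once the file exists. The template then stays generic: adding a 14th database means adding parameters, not editing the stack.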