使用云形成模板的 AWS Systems Manager

AWS Systems Manager using cloud formation template

我开始为 AWS Systems Manager 写一些东西来:

  1. 创建自定义 Windows 和 Linux 图片以及
  2. 如何将 Windows 和 Linux 更新应用于有用的 AMI...

我正在关注 this example,但是当我 运行 时无法获得结果。

这是我收到的错误:

Template format error: At least one Resources member must be defined.

请让我知道我在这里做错了什么,我已经查看了代码但无法找到我做错了什么。

#description: Create a Golden AMI with Linux distribution packages(ClamAV) and Amazon
#software(SSM & Inspector). For details,see https://github.com/miztiik/AWS-Demos/tree/master/How-To/setup-ami-lifecycle-management-using-ssm
Resources:
 Ec2Instance:
   Type: 'AWS::EC2::Instance'  
assumeRole: "{{AutomationAssumeRole}}"
parameters:
  SourceAmiId:
    type: String
    description: "(Required) The source Amazon Machine Image ID."
    default: ami-0d2692b6acea72ee6
  InstanceIamRole:
    type: String
    description: "(Required) The name of the role that enables Systems Manager (SSM)
      to manage the instance."
    default: ManagedInstanceRole
  AutomationAssumeRole:
    type: String
    description: "(Required) The ARN of the role that allows Automation to perform
      the actions on your behalf."
    default: arn:aws:iam::{{global:ACCOUNT_ID}}:role/AutomationServiceRole
  SubnetId:
    type: String
    description: "(Required) The subnet that the created instance will be placed into."
    default: subnet-0a72519be8028a56c
  TargetAmiName:
    type: String
    description: "(Optional) The name of the new AMI that will be created. Default
      is a system-generated string including the source AMI id, and the creation time
      and date."
    default: GoldenAMI-RH-7_on_{{global:DATE_TIME}}
  InstanceType:
    type: String
    description: "(Optional) Type of instance to launch as the workspace host. Instance
      types vary by region. Default is t2.micro."
    default: t2.micro
  PreUpdateScript:
    type: String
    description: (Optional) URL of a script to run before updates are applied. Default
      ("none") is to not run a script.
    default: none
  PostUpdateScript:
    type: String
    description: (Optional) URL of a script to run after package updates are applied.
      Default ("none") is to not run a script.
    default: none
  IncludePackages:
    type: String
    description: (Optional) Only update these named packages. By default ("all"),
      all available updates are applied.
    default: all
  ExcludePackages:
    type: String
    description: (Optional) Names of packages to hold back from updates, under all
      conditions. By default ("none"), no package is excluded.
    default: none
  lambdaFunctionName:
    type: String
    description: "(Required) The name of the lambda function. Default ('none') is
      to not run a script."
    default: Automation-UpdateSsmParam
mainSteps:
- name: launchInstance
  action: aws:runInstances
  maxAttempts: 5
  timeoutSeconds: 1200
  onFailure: Abort
  inputs:
    ImageId: "{{SourceAmiId}}"
    InstanceType: "{{InstanceType}}"
    SubnetId: "{{ SubnetId }}"
    UserData: IyEvYmluL2Jhc2gNCg0KZnVuY3Rpb24gZ2V0X2NvbnRlbnRzKCkgew0KICAgIGlmIFsgLXggIiQod2hpY2ggY3VybCkiIF07IHRoZW4NCiAgICAgICAgY3VybCAtcyAtZiAiJDEiDQogICAgZWxpZiBbIC14ICIkKHdoaWNoIHdnZXQpIiBdOyB0aGVuDQogICAgICAgIHdnZXQgIiQxIiAtTyAtDQogICAgZWxzZQ0KICAgICAgICBkaWUgIk5vIGRvd25sb2FkIHV0aWxpdHkgKGN1cmwsIHdnZXQpIg0KICAgIGZpDQp9DQoNCnJlYWRvbmx5IElERU5USVRZX1VSTD0iaHR0cDovLzE2OS4yNTQuMTY5LjI1NC8yMDE2LTA2LTMwL2R5bmFtaWMvaW5zdGFuY2UtaWRlbnRpdHkvZG9jdW1lbnQvIg0KcmVhZG9ubHkgVFJVRV9SRUdJT049JChnZXRfY29udGVudHMgIiRJREVOVElUWV9VUkwiIHwgYXdrIC1GXCIgJy9yZWdpb24vIHsgcHJpbnQgJDQgfScpDQpyZWFkb25seSBERUZBVUxUX1JFR0lPTj0idXMtZWFzdC0xIg0KcmVhZG9ubHkgUkVHSU9OPSIke1RSVUVfUkVHSU9OOi0kREVGQVVMVF9SRUdJT059Ig0KDQpyZWFkb25seSBTQ1JJUFRfTkFNRT0iYXdzLWluc3RhbGwtc3NtLWFnZW50Ig0KIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5hbWF6b25hd3MuY29tL3NjcmlwdHMvJFNDUklQVF9OQU1FIg0KDQppZiBbICIkUkVHSU9OIiA9ICJjbi1ub3J0aC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5jbi1ub3J0aC0xLmFtYXpvbmF3cy5jb20uY24vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQppZiBbICIkUkVHSU9OIiA9ICJ1cy1nb3Ytd2VzdC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy11cy1nb3Ytd2VzdC0xLmFtYXpvbmF3cy5jb20vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQpjZCAvdG1wDQpGSUxFX1NJWkU9MA0KTUFYX1JFVFJZX0NPVU5UPTMNClJFVFJZX0NPVU5UPTANCg0Kd2hpbGUgWyAkUkVUUllfQ09VTlQgLWx0ICRNQVhfUkVUUllfQ09VTlQgXSA7IGRvDQogIGVjaG8gQVdTLVVwZGF0ZUxpbnV4QW1pOiBEb3dubG9hZGluZyBzY3JpcHQgZnJvbSAkU0NSSVBUX1VSTA0KICBnZXRfY29udGVudHMgIiRTQ1JJUFRfVVJMIiA+ICIkU0NSSVBUX05BTUUiDQogIEZJTEVfU0laRT0kKGR1IC1rIC90bXAvJFNDUklQVF9OQU1FIHwgY3V0IC1mMSkNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbmlzaGVkIGRvd25sb2FkaW5nIHNjcmlwdCwgc2l6ZTogJEZJTEVfU0laRQ0KICBpZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICAgIGJyZWFrDQogIGVsc2UNCiAgICBpZiBbWyAkUkVUUllfQ09VTlQgLWx0IE1BWF9SRVRSWV9DT1VOVCBdXTsgdGhlbg0KICAgICAgUkVUUllfQ09VTlQ9JCgoUkVUUllfQ09VTlQrMSkpOw0KICAgICAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbGVTaXplIGlzIDAsIHJldHJ5Q291bnQ6ICRSRVRSWV9DT1VOVA0KICAgIGZpDQogIGZpIA0KZG9uZQ0KDQppZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICBjaG1vZCAreCAiJFNDUklQVF9OQU1FIg0KICBlY2hvIEFXUy1VcGRhdGVMaW51eEFtaTogUnVubmluZyBVcGRhdGVTU01BZ2VudCBzY3JpcHQgbm93IC4uLi4NCiAgLi8iJFNDUklQVF9OQU1FIiAtLXJlZ2lvbiAiJFJFR0lPTiINCmVsc2UNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IFVuYWJsZSB0byBkb3dubG9hZCBzY3JpcHQsIHF1aXR0aW5nIC4uLi4NCmZp
    MinInstanceCount: 1
    MaxInstanceCount: 3
    IamInstanceProfileName: "{{InstanceIamRole}}"
- name: updateOSSoftware
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 3600
  onFailure: Abort
  inputs:
    DocumentName: AWS-RunShellScript
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      commands:
      - set -e
      - '[ -x "$(which wget)" ] && get_contents=''wget  -O -'''
      - '[ -x "$(which curl)" ] && get_contents=''curl -s -f '''
      - eval $get_contents https://aws-ssm-downloads-{{global:REGION}}.s3.amazonaws.com/scripts/aws-update-linux-instance
        > /tmp/aws-update-linux-instance
      - chmod +x /tmp/aws-update-linux-instance
      - "/tmp/aws-update-linux-instance --pre-update-script '{{PreUpdateScript}}'
        --post-update-script '{{PostUpdateScript}}' --include-packages '{{IncludePackages}}'
        --exclude-packages '{{ExcludePackages}}' 2>&1 | tee /tmp/aws-update-linux-instance.log"
- name: installCustomizations
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 600
  onFailure: Abort
  inputs:
    DocumentName: AWS-RunShellScript
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      commands:
      - curl -O http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      - rpm -ivh epel-release-latest-7.noarch.rpm
      - yum -y install httpd
      - systemctl enable httpd
      - systemctl restart httpd
      - sudo yum --enablerepo=epel install -y clamav
      - yum-config-manager --disable epel
      - cat /etc/motd >> /var/www/html/index.html
      - echo 'Welcome' >> /var/www/html/index.html
      - cat > /etc/motd <<- EOF
      - "           __  __ _                 _                        _   _             "
      - "     /\   |  \/  (_)     /\        | |                      | | (_)            "
      - "    /  \  | \  / |_     /  \  _   _| |_ ___  _ __ ___   __ _| |_ _  ___
        \ _ __  "
      - "   / /\ \ | |\/| | |   / /\ \| | | | __/ _ \| '_ ` _ \ / _` | __|
        |/ _ \| '_ \ "
      - "  / ____ \| |  | | |  / ____ \ |_| | || (_) | | | | | | (_| | |_| | (_)
        | | | |"
      - " /_/    \_\_|  |_|_| /_/    \_\__,_|\__\___/|_| |_| |_|\__,_|\__|_|\___/|_|
        |_|"
      - "   "
      - "   "
      - EOF
- name: installInspectorAgent
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 600
  onFailure: Abort
  inputs:
    DocumentName: AmazonInspector-ManageAWSAgent
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      Operation: Install
- name: installUnifiedCloudWatchAgent
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 600
  onFailure: Abort
  inputs:
    DocumentName: AWS-ConfigureAWSPackage
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      name: AmazonCloudWatchAgent
      action: Install
- name: stopInstance
  action: aws:changeInstanceState
  maxAttempts: 3
  timeoutSeconds: 1200
  onFailure: Abort
  inputs:
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    DesiredState: stopped
- name: createImage
  action: aws:createImage
  maxAttempts: 3
  onFailure: Abort
  inputs:
    InstanceId: "{{launchInstance.InstanceIds}}"
    ImageName: "{{TargetAmiName}}"
    NoReboot: true
    ImageDescription: AMI Generated by EC2 Automation on {{global:DATE_TIME}} from
      {{SourceAmiId}}
- name: createEncryptedCopy
  action: aws:copyImage
  maxAttempts: 3
  onFailure: Abort
  inputs:
    SourceImageId: "{{createImage.ImageId}}"
    SourceRegion: "{{global:REGION}}"
    ImageName: Encrypted-{{TargetAmiName}}
    ImageDescription: Encrypted GoldenAMI by SSM Automation on {{global:DATE_TIME}}
      from source AMI {{createImage.ImageId}}
    Encrypted: true
- name: createTagsForEncryptedImage
  action: aws:createTags
  maxAttempts: 1
  onFailure: Continue
  inputs:
    ResourceType: EC2
    ResourceIds:
    - "{{createEncryptedCopy.ImageId}}"
    Tags:
    - Key: Automation-Id
      Value: "{{automation:EXECUTION_ID}}"
    - Key: Owner
      Value: Mystique
    - Key: SourceAMI
      Value: "{{SourceAmiId}}"
    - Key: Amazon-Inspector
      Value: 'true'
    - Key: Amazon-SSM
      Value: 'true'
    - Key: Encrypted
      Value: 'true'
- name: updateSsmParam
  action: aws:invokeLambdaFunction
  timeoutSeconds: 1200
  maxAttempts: 1
  onFailure: Abort
  inputs:
    FunctionName: Automation-UpdateSsmParam
    Payload: '{"parameterName":"/GoldenAMI/Linux/RedHat-7/latest", "parameterValue":"{{createEncryptedCopy.ImageId}}"}'
- name: terminateInstance
  action: aws:changeInstanceState
  maxAttempts: 3
  onFailure: Continue
  inputs:
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    DesiredState: terminated
- name: deleteUnEcryptedImage
  action: aws:deleteImage
  maxAttempts: 3
  timeoutSeconds: 180
  onFailure: Abort
  inputs:
    ImageId: "{{createImage.ImageId}}"
outputs:
- createImage.ImageId

我希望它 运行 并在 AWS SSM 中创建参数存储和文档。

您上面粘贴的代码是 Systems Manager (SSM) document 而不是 CloudFormation 模板。这就是 CF 抱怨模板格式错误的原因。

与 CloudFormation 模板类似,SSM 文档支持 JSON 和 YAML 格式。

正如您在同一个 GitHub 存储库中的 README description 中看到的那样,JSON 文件用于创建 SSM 文档。