Cloudformation - 构建堆栈时 Rds 失败

Cloudformation - Rds fails when stack is build

我正在创建一个 cloudformation 模板,它将创建一个具有 2 个子网的 vpc,一个用于 ec2 实例,另一个用于 rds (mysql)。我的 yml 文件在 ec2 实例之前工作正常,但是当我将 rds 的详细信息添加到 yml 文件时,它在构建堆栈时失败了。

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  webserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: webserver
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId: !Ref VPC
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-2a
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      KeyName: (webserver)
      NetworkInterfaces:
        - Description: Primary network interface
          DeviceIndex: 0
          SubnetId: !Ref SubnetA
          GroupSet:
            - Ref: webserver
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: S3FullAccess
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List*
            Resource: "*"
      Roles:
        - Ref: S3FullAccess
  S3FullAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  MyDB:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: webserver
      AllocatedStorage: "5"
      DBInstanceClass: db.m1.small
      Engine: MySQL
      EngineVersion: "5.7.22"
      DBName: db
      MasterUsername: db
      MasterUserPassword: 123a
      MultiAZ: false
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
      FromPort: "3306"
      ToPort: "3306"
      SourceSecurityGroupName:
        Ref: webserver

我已尽力解决错误。 rds模板取自https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-rds.html.

下面是固定模板

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  webserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: webserver
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId: !Ref VPC
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-2a
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      KeyName: (webserver)
      NetworkInterfaces:
        - Description: Primary network interface
          DeviceIndex: 0
          SubnetId: !Ref SubnetA
          GroupSet:
            - Ref: webserver
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: S3FullAccess
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List*
            Resource: "*"
      Roles:
        - Ref: S3FullAccess
  S3FullAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  MyDB:
    Type: AWS::RDS::DBInstance
    DependsOn: myDBSubnetGroup
    Properties:
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroup
      AllocatedStorage: "5"
      DBInstanceClass: db.t2.micro
      Engine: MySQL
      EngineVersion: "5.7.22"
      DBName: db
      MasterUsername: db
      MasterUserPassword: 123a
      MultiAZ: false
      DBSubnetGroupName: MySubnetGroup
  myDBSubnetGroup: 
    Properties:
      DBSubnetGroupName: MySubnetGroup
      DBSubnetGroupDescription: subnet group
      SubnetIds: 
        - !Ref SubnetA
        - !Ref SubnetB
    Type: "AWS::RDS::DBSubnetGroup"
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref VPC
      SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 3306
            ToPort: 3306
            SourceSecurityGroupId: !Ref webserver

模板存在多个问题,以下是一些提示:

  • 使用 YAML 确保语法正确,尤其是在使用列表时确保它们嵌套在正确的属性下。
  • 确保资源是否应位于您指定的特定 VPC 中。
  • RDS 实例需要一个数据库子网组,至少有 2 个子网跨 2 个可用区。
  • 安全组和资源必须存在于同一个VPC中。
  • 对 RDS 实例使用 VPCSecurityGroup 而不是 DBSecurityGroups。