"Importing" non-importable resources into a CloudFormation stack
Question
With AWS CloudFormation you can import existing resources of supported types into a new or existing stack. Some resources are not supported, such as routes and various associations and attachments. I suspect many of these are not full-fledged "resources" at all and only exist behind the scenes as a component of other resources.
I found that after successfully importing a VPC and Internet Gateway via an IMPORT ChangeSet, I can "fake import" an existing VPCGatewayAttachment simply by adding it to the template and creating and executing an UPDATE ChangeSet. Adding the VPCGatewayAttachment produces no errors, and it also becomes part of the stack. In the demonstration below you may notice that the PhysicalResourceId of the VPCGatewayAttachment in question changed between its original creation and its subsequent removal and re-addition to the stack. (Note: it is initially created via the template only to simplify the example; normally this would be an existing resource that is not in the stack.) I am not sure whether this reflects actual destruction of the existing attachment and recreation of a new one, or whether attachments simply have no real PhysicalResourceId and one is randomly assigned when they are added to the stack.
My questions are:
Is the "fake import" of a VPCGatewayAttachment non-destructive, i.e. non-disruptive, in a production environment?
If it is non-disruptive, what other resources that do not support Import can effectively be brought into a stack non-disruptively with the same technique: just add the equivalent resource to the template, then create and execute an UPDATE ChangeSet? I am mainly thinking of routes and of other associations and attachments.
In case you want to skip running it, I have included the output of a local run as the last file below.
case-XXXXXXXXXX-example.ps1:
echo "---------------------------------------------------------------------------"
echo "---------------------------------------------------------------------------"
echo "- Demonstration for Case XXXXXXXXXX"
echo "---------------------------------------------------------------------------"
echo "---------------------------------------------------------------------------"
echo "-"
echo "---------------------------------------------------------------------------"
echo "Create S3 bucket and upload templates"
echo "---------------------------------------------------------------------------"
aws s3api create-bucket --bucket case-XXXXXXXXXX --no-paginate --no-cli-pager
aws s3 sync . s3://case-XXXXXXXXXX --exclude * --include *.yaml --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- Create stack with VPC, Internet Gateway, and Gateway Attachment"
echo "- (the latter has DeletionPolicy: Retain)"
echo "---------------------------------------------------------------------------"
echo "- Create stack"
aws cloudformation create-stack --stack-name case-XXXXXXXXXX --template-url https://case-XXXXXXXXXX.s3.amazonaws.com/case-XXXXXXXXXX-example-1.yaml --no-paginate --no-cli-pager
echo "- Wait stack create complete"
aws cloudformation wait stack-create-complete --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
echo "- Describe stack and resources"
echo "- Note the PhysicalResourceId of the Gateway Attachment."
aws cloudformation describe-stacks --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
aws cloudformation describe-stack-resources --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- Create and execute a change-set that removes the Gateway Attachment"
echo "- This leaves us in a state simulating having IMPORTed the VPC and"
echo "- Internet Gateway, but the Gateway Attachment is not in the stack."
echo "- This sets up the next part which actually demonstrates a 'fake import'"
echo "- of the Gateway Attachment"
echo "---------------------------------------------------------------------------"
echo "- Create change-set"
aws cloudformation create-change-set --stack-name case-XXXXXXXXXX --change-set-name delete-igw-attach --template-url https://case-XXXXXXXXXX.s3.amazonaws.com/case-XXXXXXXXXX-example-2.yaml --no-paginate --no-cli-pager
echo "- Wait change-set create complete"
aws cloudformation wait change-set-create-complete --stack-name case-XXXXXXXXXX --change-set-name delete-igw-attach --no-paginate --no-cli-pager
echo "- Describe change-set"
aws cloudformation describe-change-set --stack-name case-XXXXXXXXXX --change-set-name delete-igw-attach --no-paginate --no-cli-pager
echo "- Execute change-set"
aws cloudformation execute-change-set --stack-name case-XXXXXXXXXX --change-set-name delete-igw-attach --no-paginate --no-cli-pager
echo "- Wait stack update complete"
aws cloudformation wait stack-update-complete --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- Note the Gateway Attachment is not in the stack, but the Internet Gateway"
echo "- is still attached to the VPC"
echo "---------------------------------------------------------------------------"
aws cloudformation describe-stack-resources --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
aws ec2 describe-internet-gateways --filter "Name=tag:Name,Values=Case-XXXXXXXXXX" --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- THE WHOLE POINT OF THIS DEMONSTRATION IS NEXT"
echo "- 'Fake Import' the Gateway Attachment just by adding it to the template and"
echo "- creating and executing an UPDATE change-set."
echo "---------------------------------------------------------------------------"
echo "- Create change-set"
aws cloudformation create-change-set --stack-name case-XXXXXXXXXX --change-set-name fake-import-igw-attach --template-url https://case-XXXXXXXXXX.s3.amazonaws.com/case-XXXXXXXXXX-example-3.yaml --no-paginate --no-cli-pager
echo "- Wait change-set create complete"
aws cloudformation wait change-set-create-complete --stack-name case-XXXXXXXXXX --change-set-name fake-import-igw-attach --no-paginate --no-cli-pager
echo "- Describe change-set"
aws cloudformation describe-change-set --stack-name case-XXXXXXXXXX --change-set-name fake-import-igw-attach --no-paginate --no-cli-pager
echo "- Execute change-set"
aws cloudformation execute-change-set --stack-name case-XXXXXXXXXX --change-set-name fake-import-igw-attach --no-paginate --no-cli-pager
echo "- Wait stack update complete"
aws cloudformation wait stack-update-complete --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- Note that the Gateway Attachment is now in the stack and the Internet"
echo "- Gateway is still attached, and there weren't any errors."
echo "- The PhysicalResourceId did change, however."
echo "---------------------------------------------------------------------------"
aws cloudformation describe-stack-resources --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
aws ec2 describe-internet-gateways --filter "Name=tag:Name,Values=Case-XXXXXXXXXX" --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- Delete stack"
echo "---------------------------------------------------------------------------"
aws cloudformation delete-stack --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
echo "- Wait stack delete complete"
aws cloudformation wait stack-delete-complete --stack-name case-XXXXXXXXXX --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- Delete S3 bucket with templates"
echo "---------------------------------------------------------------------------"
aws s3 rb s3://case-XXXXXXXXXX --force --no-paginate --no-cli-pager
echo "---------------------------------------------------------------------------"
echo "- DONE"
echo "---------------------------------------------------------------------------"
case-XXXXXXXXXX-example-1.yaml:
Description: >
  Create the VPC, Internet Gateway, and attach the gateway
  to the VPC, with a DeletionPolicy of Retain so that we can
  remove it from the stack without deleting it. Run with
  aws cloudformation create-stack.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.187.32.0/24
      Tags:
        - Key: Name
          Value: Case-XXXXXXXXXX
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Case-XXXXXXXXXX
  IGWassoc:
    Type: AWS::EC2::VPCGatewayAttachment
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref IGW
case-XXXXXXXXXX-example-2.yaml:
Description: >
  Delete the gateway attachment, but it will be retained
  so we can import it next. Run with aws cloudformation
  create-change-set --change-set-type UPDATE
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.187.32.0/24
      Tags:
        - Key: Name
          Value: Case-XXXXXXXXXX
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Case-XXXXXXXXXX
case-XXXXXXXXXX-example-3.yaml:
Description: >
  Create the gateway attachment. It already exists, and is
  not importable but this action succeeds and SEEMS to be
  non-destructive. Run with aws cloudformation
  create-change-set --change-set-type UPDATE
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.187.32.0/24
      Tags:
        - Key: Name
          Value: Case-XXXXXXXXXX
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Case-XXXXXXXXXX
  IGWassoc:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref IGW
output.txt:
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Demonstration for Case XXXXXXXXXX
---------------------------------------------------------------------------
---------------------------------------------------------------------------
-
---------------------------------------------------------------------------
Create S3 bucket and upload templates
---------------------------------------------------------------------------
{
"Location": "/case-XXXXXXXXXX"
}
upload: .case-XXXXXXXXXX-example-2.yaml to s3://case-XXXXXXXXXX/case-XXXXXXXXXX-example-2.yaml
upload: .case-XXXXXXXXXX-example-1.yaml to s3://case-XXXXXXXXXX/case-XXXXXXXXXX-example-1.yaml
upload: .case-XXXXXXXXXX-example-3.yaml to s3://case-XXXXXXXXXX/case-XXXXXXXXXX-example-3.yaml
---------------------------------------------------------------------------
- Create stack with VPC, Internet Gateway, and Gateway Attachment
- (the latter has DeletionPolicy: Retain)
---------------------------------------------------------------------------
- Create stack
{
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829"
}
- Wait stack create complete
- Describe stack and resources
- Note the PhysicalResourceId of the Gateway Attachment.
{
"Stacks": [
{
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"StackName": "case-XXXXXXXXXX",
"Description": "Create the VPC, Internet Gateway, and attach the gateway to the VPC, with a DeletionPolicy of Retain so that we can remove it from the stack without deleting it. Run with aws cloudformation create-stack.
",
"CreationTime": "2021-11-03T15:05:03.251000+00:00",
"RollbackConfiguration": {},
"StackStatus": "CREATE_COMPLETE",
"DisableRollback": false,
"NotificationARNs": [],
"Tags": [],
"EnableTerminationProtection": false,
"DriftInformation": {
"StackDriftStatus": "NOT_CHECKED"
}
}
]
}
{
"StackResources": [
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "IGW",
"PhysicalResourceId": "igw-028cb469265fa34a8",
"ResourceType": "AWS::EC2::InternetGateway",
"Timestamp": "2021-11-03T15:05:49.880000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
},
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "IGWassoc",
"PhysicalResourceId": "case-IGWas-ZHZQ0DZ9KXLS",
"ResourceType": "AWS::EC2::VPCGatewayAttachment",
"Timestamp": "2021-11-03T15:06:08.293000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
},
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "VPC",
"PhysicalResourceId": "vpc-03b26a31ca1bca800",
"ResourceType": "AWS::EC2::VPC",
"Timestamp": "2021-11-03T15:05:28.179000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
}
]
}
---------------------------------------------------------------------------
- Create and execute a change-set that removes the Gateway Attachment
- This leaves us in a state simulating having IMPORTed the VPC and
- Internet Gateway, but the Gateway Attachment is not in the stack.
- This sets up the next part which actually demonstrates a 'fake import'
- of the Gateway Attachment
---------------------------------------------------------------------------
- Create change-set
{
"Id": "arn:aws:cloudformation:us-east-1:606679984871:changeSet/delete-igw-attach/631b12ca-c8f4-407d-b248-b2766a730eba",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829"
}
- Wait change-set create complete
- Describe change-set
{
"ChangeSetName": "delete-igw-attach",
"ChangeSetId": "arn:aws:cloudformation:us-east-1:606679984871:changeSet/delete-igw-attach/631b12ca-c8f4-407d-b248-b2766a730eba",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"StackName": "case-XXXXXXXXXX",
"CreationTime": "2021-11-03T15:06:40.618000+00:00",
"ExecutionStatus": "AVAILABLE",
"Status": "CREATE_COMPLETE",
"NotificationARNs": [],
"RollbackConfiguration": {},
"Capabilities": [],
"Changes": [
{
"Type": "Resource",
"ResourceChange": {
"Action": "Remove",
"LogicalResourceId": "IGWassoc",
"PhysicalResourceId": "case-IGWas-ZHZQ0DZ9KXLS",
"ResourceType": "AWS::EC2::VPCGatewayAttachment",
"Scope": [],
"Details": []
}
}
],
"IncludeNestedStacks": false
}
- Execute change-set
- Wait stack update complete
---------------------------------------------------------------------------
- Note the Gateway Attachment is not in the stack, but the Internet Gateway
- is still attached to the VPC
---------------------------------------------------------------------------
{
"StackResources": [
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "IGW",
"PhysicalResourceId": "igw-028cb469265fa34a8",
"ResourceType": "AWS::EC2::InternetGateway",
"Timestamp": "2021-11-03T15:05:49.880000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
},
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "VPC",
"PhysicalResourceId": "vpc-03b26a31ca1bca800",
"ResourceType": "AWS::EC2::VPC",
"Timestamp": "2021-11-03T15:05:28.179000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
}
]
}
{
"InternetGateways": [
{
"Attachments": [
{
"State": "available",
"VpcId": "vpc-03b26a31ca1bca800"
}
],
"InternetGatewayId": "igw-028cb469265fa34a8",
"OwnerId": "606679984871",
"Tags": [
{
"Key": "aws:cloudformation:logical-id",
"Value": "IGW"
},
{
"Key": "Name",
"Value": "Case-XXXXXXXXXX"
},
{
"Key": "aws:cloudformation:stack-name",
"Value": "case-XXXXXXXXXX"
},
{
"Key": "aws:cloudformation:stack-id",
"Value": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829"
}
]
}
]
}
---------------------------------------------------------------------------
- THE WHOLE POINT OF THIS DEMONSTRATION IS NEXT
- 'Fake Import' the Gateway Attachment just by adding it to the template and
- creating and executing an UPDATE change-set.
---------------------------------------------------------------------------
- Create change-set
{
"Id": "arn:aws:cloudformation:us-east-1:606679984871:changeSet/fake-import-igw-attach/95510e17-3f44-4ba4-be9e-4183cbb143ca",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829"
}
- Wait change-set create complete
- Describe change-set
{
"ChangeSetName": "fake-import-igw-attach",
"ChangeSetId": "arn:aws:cloudformation:us-east-1:606679984871:changeSet/fake-import-igw-attach/95510e17-3f44-4ba4-be9e-4183cbb143ca",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"StackName": "case-XXXXXXXXXX",
"CreationTime": "2021-11-03T15:07:52.172000+00:00",
"ExecutionStatus": "AVAILABLE",
"Status": "CREATE_COMPLETE",
"NotificationARNs": [],
"RollbackConfiguration": {},
"Capabilities": [],
"Changes": [
{
"Type": "Resource",
"ResourceChange": {
"Action": "Add",
"LogicalResourceId": "IGWassoc",
"ResourceType": "AWS::EC2::VPCGatewayAttachment",
"Scope": [],
"Details": []
}
}
],
"IncludeNestedStacks": false
}
- Execute change-set
- Wait stack update complete
---------------------------------------------------------------------------
- Note that the Gateway Attachment is now in the stack and the Internet
- Gateway is still attached, and there weren't any errors.
- The PhysicalResourceId did change, however.
---------------------------------------------------------------------------
{
"StackResources": [
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "IGW",
"PhysicalResourceId": "igw-028cb469265fa34a8",
"ResourceType": "AWS::EC2::InternetGateway",
"Timestamp": "2021-11-03T15:05:49.880000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
},
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "IGWassoc",
"PhysicalResourceId": "case-IGWas-3DBXKEM6SFPL",
"ResourceType": "AWS::EC2::VPCGatewayAttachment",
"Timestamp": "2021-11-03T15:08:48.657000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
},
{
"StackName": "case-XXXXXXXXXX",
"StackId": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829",
"LogicalResourceId": "VPC",
"PhysicalResourceId": "vpc-03b26a31ca1bca800",
"ResourceType": "AWS::EC2::VPC",
"Timestamp": "2021-11-03T15:05:28.179000+00:00",
"ResourceStatus": "CREATE_COMPLETE",
"DriftInformation": {
"StackResourceDriftStatus": "NOT_CHECKED"
}
}
]
}
{
"InternetGateways": [
{
"Attachments": [
{
"State": "available",
"VpcId": "vpc-03b26a31ca1bca800"
}
],
"InternetGatewayId": "igw-028cb469265fa34a8",
"OwnerId": "606679984871",
"Tags": [
{
"Key": "aws:cloudformation:logical-id",
"Value": "IGW"
},
{
"Key": "Name",
"Value": "Case-XXXXXXXXXX"
},
{
"Key": "aws:cloudformation:stack-name",
"Value": "case-XXXXXXXXXX"
},
{
"Key": "aws:cloudformation:stack-id",
"Value": "arn:aws:cloudformation:us-east-1:606679984871:stack/case-XXXXXXXXXX/6bf590e0-3cb7-11ec-b30d-0a5d84963829"
}
]
}
]
}
---------------------------------------------------------------------------
- Delete stack
---------------------------------------------------------------------------
- Wait stack delete complete
---------------------------------------------------------------------------
- Delete S3 bucket with templates
---------------------------------------------------------------------------
delete: s3://case-XXXXXXXXXX/case-XXXXXXXXXX-example-3.yaml
delete: s3://case-XXXXXXXXXX/case-XXXXXXXXXX-example-2.yaml
delete: s3://case-XXXXXXXXXX/case-XXXXXXXXXX-example-1.yaml
remove_bucket: case-XXXXXXXXXX
---------------------------------------------------------------------------
- DONE
---------------------------------------------------------------------------
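The demonstration above only shows that the PhysicalResourceId changed, and for a VPCGatewayAttachment that id is a CloudFormation-generated name rather than an EC2 identifier, so it cannot on its own tell you whether the attachment was torn down. The following script is an added example (not code from the question or answer): it compares the two describe-stack-resources snapshots from the output above and scans CloudTrail records for a DetachInternetGateway call inside the update window, which is the evidence that would show a real break in connectivity. The CloudTrail records are constructed here in the shape of `aws cloudtrail lookup-events` output; the detach event in the second list is invented to show the disruptive case and was not observed in the question.

```python
# Added example: decide whether a CloudFormation "fake import" actually replaced
# the resource, using two describe-stack-resources snapshots plus CloudTrail
# records for the update window. Not code from the question or the answer.
from datetime import datetime

# Snapshots reduced to the fields that matter, taken from the question's output
# before and after the fake-import change-set was executed.
BEFORE = [
    {"LogicalResourceId": "IGW", "PhysicalResourceId": "igw-028cb469265fa34a8"},
    {"LogicalResourceId": "IGWassoc", "PhysicalResourceId": "case-IGWas-ZHZQ0DZ9KXLS"},
    {"LogicalResourceId": "VPC", "PhysicalResourceId": "vpc-03b26a31ca1bca800"},
]
AFTER = [
    {"LogicalResourceId": "IGW", "PhysicalResourceId": "igw-028cb469265fa34a8"},
    {"LogicalResourceId": "IGWassoc", "PhysicalResourceId": "case-IGWas-3DBXKEM6SFPL"},
    {"LogicalResourceId": "VPC", "PhysicalResourceId": "vpc-03b26a31ca1bca800"},
]

# Update window: change-set CreationTime to the attachment's new Timestamp,
# both taken from the question's output.
WINDOW = ("2021-11-03T15:07:52.172000+00:00", "2021-11-03T15:08:48.657000+00:00")

# CONSTRUCTED CloudTrail records (shape of `aws cloudtrail lookup-events`,
# trimmed to EventName/EventTime). The out-of-window detach only exercises the
# time filter; the in-window detach in TRAIL_DISRUPTIVE is invented, not observed.
TRAIL_QUIET = [
    {"EventName": "CreateChangeSet", "EventTime": "2021-11-03T15:07:52+00:00"},
    {"EventName": "ExecuteChangeSet", "EventTime": "2021-11-03T15:08:30+00:00"},
    {"EventName": "DescribeInternetGateways", "EventTime": "2021-11-03T15:08:46+00:00"},
    {"EventName": "DetachInternetGateway", "EventTime": "2021-11-03T15:09:30+00:00"},
]
TRAIL_DISRUPTIVE = TRAIL_QUIET + [
    {"EventName": "DetachInternetGateway", "EventTime": "2021-11-03T15:08:40+00:00"},
    {"EventName": "AttachInternetGateway", "EventTime": "2021-11-03T15:08:47+00:00"},
]

# EC2 API calls that mean the gateway was really taken off the VPC.
DISRUPTIVE_CALLS = {"DetachInternetGateway"}


def replaced_resources(before, after):
    """Return {LogicalResourceId: (old_id, new_id)} for ids that changed."""
    old = {r["LogicalResourceId"]: r["PhysicalResourceId"] for r in before}
    new = {r["LogicalResourceId"]: r["PhysicalResourceId"] for r in after}
    return {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}


def calls_in_window(events, window, names=DISRUPTIVE_CALLS):
    """Names of matching API calls whose EventTime lies inside [start, end]."""
    start, end = (datetime.fromisoformat(t) for t in window)
    return [e["EventName"] for e in events
            if e["EventName"] in names
            and start <= datetime.fromisoformat(e["EventTime"]) <= end]


def assess(before, after, events, window):
    """Combine both signals; only the CloudTrail check can mark it disruptive."""
    return {"replaced": replaced_resources(before, after),
            "disruptive": bool(calls_in_window(events, window))}


if __name__ == "__main__":
    print(assess(BEFORE, AFTER, TRAIL_QUIET, WINDOW))
    print(assess(BEFORE, AFTER, TRAIL_DISRUPTIVE, WINDOW))
```

Against real data, feed it the two describe-stack-resources outputs and the lookup-events records for the stack's update window; a changed id with no DetachInternetGateway in the window points to a renamed stack entry, not a recreated attachment.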
Accepted answer
Tried this with AWS::EC2::Route and it failed with "Route already exists."
So while I may be able to brute-force a VPCGatewayAttachment into a stack, I cannot do it with Routes, and probably not with other resource types either.
Investigating which resources might work is not worth the effort for an undocumented method.
The best way to get resources that do not support Import into a stack is to use a script to delete the existing non-importable resources and then recreate them with a change set. This has to be done during a maintenance window, because in a non-redundant system there will certainly be downtime.