How Do I Specify a Security Group for Elastic Beanstalk Launch Configuration in CloudFormation Template?


Problem description

I have the following security group defined in my CloudFormation template:

"APIInstanceSG": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security Group for Application EC2 Instances",
    "VpcId": "vpc-10a75377",
    "Tags": [{
      "Key": "Name",
      "Value": "APIInstanceSG"
    }]
  }
}

I also have an Elastic Beanstalk environment defined containing the following inside OptionSettings:

{
  "Namespace": "aws:autoscaling:launchconfiguration",
  "OptionName": "SecurityGroups",
  "Value": { "Ref": "APIInstanceSG" }
}

When I create a stack using this template, the security group is created before CloudFormation attempts to create the EB environment, but when it tries to create the EB environment it fails with the following error:

Configuration validation exception: Invalid option value: 'sg-994fcbe4' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'sg-994fcbe4' does not exist

sg-994fcbe4 is the ID of the security group that was created.

The Elastic Beanstalk Environment config is as follows:

"AspectAPIEnv": {
  "Type": "AWS::ElasticBeanstalk::Environment",
  "Properties": {
    "ApplicationName": "application-name",
    "EnvironmentName": "environment-name",
    "SolutionStackName": "64bit Amazon Linux 2016.09 v3.1.0 running Node.js",
    "Tier": {
      "Name": "WebServer",
      "Type": "Standard"
    },
    "OptionSettings": [
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "EC2KeyName",
        "Value": "ec2-key"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "IamInstanceProfile",
        "Value": "aws-elasticbeanstalk-ec2-role"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "ImageId",
        "Value": "ami-d8356acf"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "InstanceType",
        "Value": "t2.micro"
      },
      {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "SecurityGroups",
        "Value": { "Ref": "APIInstanceSG" }
      },
      {
        "Namespace": "aws:autoscaling:trigger",
        "OptionName": "UpperThreshold",
        "Value": "6000000"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "MaxBatchSize",
        "Value": "1"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "MinInstancesInService",
        "Value": "1"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "RollingUpdateEnabled",
        "Value": "true"
      },
      {
        "Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
        "OptionName": "RollingUpdateType",
        "Value": "Health"
      },
      {
        "Namespace": "aws:elasticbeanstalk:command",
        "OptionName": "BatchSize",
        "Value": "30"
      },
      {
        "Namespace": "aws:elasticbeanstalk:container:nodejs",
        "OptionName": "NodeVersion",
        "Value": "6.2.2"
      },
      {
        "Namespace": "aws:elasticbeanstalk:environment",
        "OptionName": "ServiceRole",
        "Value": "aws-elasticbeanstalk-service-role"
      },
      {
        "Namespace": "aws:elasticbeanstalk:healthreporting:system",
        "OptionName": "SystemType",
        "Value": "enhanced"
      },
      {
        "Namespace": "aws:elasticbeanstalk:managedactions",
        "OptionName": "ManagedActionsEnabled",
        "Value": "true"
      },
      {
        "Namespace": "aws:elasticbeanstalk:managedactions",
        "OptionName": "PreferredStartTime",
        "Value": "SUN:09:02"
      },
      {
        "Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
        "OptionName": "UpdateLevel",
        "Value": "minor"
      },
      {
        "Namespace": "aws:elb:healthcheck",
        "OptionName": "Interval",
        "Value": "10"
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "CrossZone",
        "Value": "true"
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "LoadBalancerHTTPPort",
        "Value": "80"
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "SecurityGroups",
        "Value": { "Ref": "APILoadBalancerSG" }
      },
      {
        "Namespace": "aws:elb:loadbalancer",
        "OptionName": "ManagedSecurityGroup",
        "Value": { "Ref": "APILoadBalancerSG" }
      },
      {
        "Namespace": "aws:elb:policies",
        "OptionName": "ConnectionDrainingEnabled",
        "Value": "true"
      }
    ],
    "Tags": [
      {
        "Key": "Name",
        "Value": "AspectAPIEnv"
      }
    ]
  },
  "DependsOn": "RDSInstance"
}


Answer

After looking at your AWS::ElasticBeanstalk::Environment resource, I was able to reproduce the error you are experiencing. As Marc Young suggested in a comment to your question, you are not specifying a VPC for your environment. Because your security group is in a VPC, it's not accessible from resources that are not also in the same VPC.

To fix it, you must add the following configuration option to your environment:

{
  "Namespace" : "aws:ec2:vpc",
  "OptionName" : "VPCId",
  "Value" : "vpc-10a75377"
},

If you specify a VPC, creating a stack with the updated template will fail with an error message saying that you also need to specify the environment subnets, so you will have to add the following options:

{
  "Namespace" : "aws:ec2:vpc",
  "OptionName" : "Subnets",
  "Value" : <insert the subnet for your instances here>
},
{
  "Namespace" : "aws:ec2:vpc",
  "OptionName" : "ELBSubnets",
  "Value" : <insert the subnet for your load balancer here>
}

You can see a complete example in the Elastic Beanstalk in VPC CloudFormation sample template: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-east-1.html#d0e189981
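The mismatch the answer describes (a VPC security group referenced from aws:autoscaling:launchconfiguration/SecurityGroups by an environment that declares no aws:ec2:vpc options) can be caught before the stack is created. The following is an added example, not code from the question or the answer: a small Python check that walks a CloudFormation template, finds Elastic Beanstalk environments whose SecurityGroups option refers to a security group resource with a VpcId, and reports when the environment sets no aws:ec2:vpc/VPCId, sets a different one, or names a VPC without the Subnets/ELBSubnets options the answer says are also required. The sample template is a constructed, trimmed version of the one in the question, and the subnet IDs used to exercise the fix are placeholders.

```python
"""Static check for the failure in the question: a Beanstalk environment that
references a VPC security group but is itself created outside that VPC."""
import json

VPC_NS = "aws:ec2:vpc"
LC_NS = "aws:autoscaling:launchconfiguration"
ENV_NS = "aws:elasticbeanstalk:environment"

# Constructed sample modelled on the question's template, trimmed to the
# parts that matter; not the asker's full template.
BROKEN_TEMPLATE = {
    "Resources": {
        "APIInstanceSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Security Group for Application EC2 Instances",
                "VpcId": "vpc-10a75377",
            },
        },
        "AspectAPIEnv": {
            "Type": "AWS::ElasticBeanstalk::Environment",
            "Properties": {
                "ApplicationName": "application-name",
                "OptionSettings": [
                    {"Namespace": LC_NS, "OptionName": "SecurityGroups",
                     "Value": {"Ref": "APIInstanceSG"}},
                ],
            },
        },
    }
}


def option(settings, namespace, name):
    """Value of the first option setting matching namespace/name, else None."""
    for s in settings:
        if s.get("Namespace") == namespace and s.get("OptionName") == name:
            return s.get("Value")
    return None


def referenced_ids(value):
    """Flatten a SecurityGroups option value into tokens (logical IDs or sg- IDs).
    Accepts a comma-separated string, {"Ref": id} or {"Fn::Join": [",", [...]]}."""
    if isinstance(value, str):
        return [t.strip() for t in value.split(",") if t.strip()]
    if isinstance(value, dict):
        if "Ref" in value:
            return [value["Ref"]]
        if "Fn::Join" in value:
            return [t for part in value["Fn::Join"][1] for t in referenced_ids(part)]
    return []


def lint_environment_vpc(template):
    """Return a list of problems; empty when the template is consistent."""
    resources = template.get("Resources", {})
    problems = []
    for env_id, env in resources.items():
        if env.get("Type") != "AWS::ElasticBeanstalk::Environment":
            continue
        settings = env.get("Properties", {}).get("OptionSettings", [])
        env_vpc = option(settings, VPC_NS, "VPCId")
        for token in referenced_ids(option(settings, LC_NS, "SecurityGroups")):
            sg = resources.get(token)
            if not sg or sg.get("Type") != "AWS::EC2::SecurityGroup":
                continue  # hard-coded sg-id or non-SG ref: not checkable statically
            sg_vpc = sg.get("Properties", {}).get("VpcId")
            if sg_vpc is None:
                continue  # group without a VpcId: the question's case does not arise
            if env_vpc is None:
                problems.append(f"{env_id}: references VPC security group {token} "
                                f"but sets no {VPC_NS}/VPCId")
            elif env_vpc != sg_vpc:
                problems.append(f"{env_id}: {VPC_NS}/VPCId {env_vpc!r} differs from "
                                f"VpcId {sg_vpc!r} of {token}")
        if env_vpc is not None:
            # Naming a VPC also requires subnets for the instances and, unless the
            # environment is single-instance, for the load balancer.
            needed = ["Subnets"]
            if option(settings, ENV_NS, "EnvironmentType") != "SingleInstance":
                needed.append("ELBSubnets")
            for name in needed:
                if option(settings, VPC_NS, name) is None:
                    problems.append(f"{env_id}: {VPC_NS}/VPCId is set but {name} is missing")
    return problems


def with_vpc_options(template, vpc_id, subnets=None, elb_subnets=None):
    """Deep-copy the template and add the aws:ec2:vpc options from the answer to
    every Beanstalk environment; options passed as None are left out so a
    partial fix can be inspected."""
    fixed = json.loads(json.dumps(template))
    wanted = [("VPCId", vpc_id), ("Subnets", subnets), ("ELBSubnets", elb_subnets)]
    for res in fixed.get("Resources", {}).values():
        if res.get("Type") != "AWS::ElasticBeanstalk::Environment":
            continue
        settings = res.setdefault("Properties", {}).setdefault("OptionSettings", [])
        for name, value in wanted:
            if value is not None and option(settings, VPC_NS, name) is None:
                settings.append({"Namespace": VPC_NS, "OptionName": name, "Value": value})
    return fixed


if __name__ == "__main__":
    for problem in lint_environment_vpc(BROKEN_TEMPLATE):
        print("BROKEN:", problem)
    # placeholder subnet IDs, not values from the question
    fixed = with_vpc_options(BROKEN_TEMPLATE, "vpc-10a75377", "subnet-aaaa1111", "subnet-bbbb2222")
    print("FIXED:", lint_environment_vpc(fixed) or "no problems")
```

Run it against a real template with `json.load` in place of the constructed BROKEN_TEMPLATE. Adding only VPCId, as the answer notes, is still reported, because Subnets and ELBSubnets are then missing; adding all three against the same VPC as the security group clears every finding.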
