Create launch templates using Amazon CloudFormation
This section provides examples of creating Amazon EC2 launch templates with Amazon CloudFormation. A launch template lets you define, once, the configuration used to provision Amazon EC2 instances: it stores the launch parameters so that you do not have to specify them every time you launch an instance. For more examples, see the Examples section of the AWS::EC2::LaunchTemplate resource.
For more information about launch templates, see Launch an instance from a launch template.
For information about creating launch templates for use with Auto Scaling groups, see Launch templates in the Amazon EC2 Auto Scaling User Guide.
Create a launch template that specifies security groups, tags, user data, and an IAM role
This snippet shows an AWS::EC2::LaunchTemplate resource that contains the configuration information for launching an instance. You specify values for the ImageId, InstanceType, SecurityGroups, UserData, and TagSpecifications properties. The SecurityGroups property specifies one existing EC2 security group and one new security group. The Ref function gets the ID of the AWS::EC2::SecurityGroup resource myNewEC2SecurityGroup, which is declared elsewhere in the stack template.
The launch template includes a section for custom user data. In this section you can pass in configuration tasks and scripts that run when the instance launches. In this example, the user data installs the Amazon Systems Manager Agent and starts it.
The launch template also includes an IAM role, which allows applications running on the instance to perform actions on your behalf. This example shows the AWS::IAM::Role resource for the launch template; the launch template uses the IamInstanceProfile property to specify the IAM role. The Ref function gets the name of the AWS::IAM::InstanceProfile resource myInstanceProfile. To configure the permissions of the IAM role, specify a value for the ManagedPolicyArns property.
JSON
{
  "Resources": {
    "myLaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateName": { "Fn::Sub": "${AWS::StackName}-launch-template" },
        "LaunchTemplateData": {
          "ImageId": "ami-02354e95b3example",
          "InstanceType": "t3.micro",
          "IamInstanceProfile": { "Name": { "Ref": "myInstanceProfile" } },
          "SecurityGroupIds": [
            { "Ref": "myNewEC2SecurityGroup" },
            "sg-083cd3bfb8example"
          ],
          "UserData": {
            "Fn::Base64": {
              "Fn::Join": [ "", [
                "#!/bin/bash\n",
                "cd /tmp\n",
                "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
                "systemctl enable amazon-ssm-agent\n",
                "systemctl start amazon-ssm-agent\n"
              ] ]
            }
          },
          "TagSpecifications": [
            { "ResourceType": "instance", "Tags": [ { "Key": "environment", "Value": "development" } ] },
            { "ResourceType": "volume", "Tags": [ { "Key": "environment", "Value": "development" } ] }
          ]
        }
      }
    },
    "myInstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "InstanceRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Principal": { "Service": [ "ec2.amazonaws.com" ] },
            "Action": [ "sts:AssumeRole" ]
          } ]
        },
        "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/myCustomerManagedPolicy" ]
      }
    },
    "myInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "myInstanceRole" } ]
      }
    }
  }
}
YAML
---
Resources:
  myLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
      LaunchTemplateData:
        ImageId: ami-02354e95b3example
        InstanceType: t3.micro
        IamInstanceProfile:
          Name: !Ref myInstanceProfile
        SecurityGroupIds:
          - !Ref myNewEC2SecurityGroup
          - sg-083cd3bfb8example
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            cd /tmp
            yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
            systemctl enable amazon-ssm-agent
            systemctl start amazon-ssm-agent
        TagSpecifications:
          - ResourceType: instance
            Tags:
              - Key: environment
                Value: development
          - ResourceType: volume
            Tags:
              - Key: environment
                Value: development
  myInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: InstanceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'ec2.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy'
  myInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: '/'
      Roles:
        - !Ref myInstanceRole
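As an added example (not part of the AWS documentation), the following Python script reviews a template shaped like the JSON above before it is deployed: it follows the IamInstanceProfile Ref chain to the role and reports which service principals may assume it and which managed policies it carries, separates hard-coded security group IDs from Ref-declared ones, and flattens the Fn::Base64/Fn::Join user data back into script lines. The TEMPLATE dict is a constructed, abbreviated copy of the page's example; the function names are this example's own.

```python
# Constructed, abbreviated template in the shape of the page's JSON example (not AWS's code).
TEMPLATE = {"Resources": {
    "myLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {
            "IamInstanceProfile": {"Name": {"Ref": "myInstanceProfile"}},
            "SecurityGroupIds": [{"Ref": "myNewEC2SecurityGroup"}, "sg-083cd3bfb8example"],
            "UserData": {"Fn::Base64": {"Fn::Join": ["", [
                "#!/bin/bash\n", "cd /tmp\n", "systemctl start amazon-ssm-agent\n"]]}}}}},
    "myInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                          "Properties": {"Roles": [{"Ref": "myInstanceRole"}]}},
    "myInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/myCustomerManagedPolicy"]}}}}


def render_user_data(value):
    """Flatten the Fn::Base64 / Fn::Join / plain-string forms used on the page to script text."""
    if isinstance(value, str):
        return value
    if "Fn::Base64" in value:
        return render_user_data(value["Fn::Base64"])
    if "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(render_user_data(p) for p in parts)
    raise ValueError(f"unsupported UserData form: {value}")


def review_launch_template(template, name):
    """Report who may assume the role, its policies, hard-coded security groups, boot script."""
    res = template["Resources"]
    data = res[name]["Properties"]["LaunchTemplateData"]
    # Follow the same Ref chain the page describes: IamInstanceProfile -> InstanceProfile -> Role.
    profile = res[data["IamInstanceProfile"]["Name"]["Ref"]]
    roles = [res[r["Ref"]] for r in profile["Properties"]["Roles"]]
    trusted = set()
    for role in roles:
        for stmt in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            svc = stmt.get("Principal", {}).get("Service", [])
            trusted.update([svc] if isinstance(svc, str) else svc)
    sgs = data.get("SecurityGroupIds", [])
    return {
        "trusted_services": sorted(trusted),
        "managed_policies": [p for r in roles for p in r["Properties"].get("ManagedPolicyArns", [])],
        "literal_sg_ids": [s for s in sgs if isinstance(s, str)],
        "referenced_sgs": [s["Ref"] for s in sgs if isinstance(s, dict) and "Ref" in s],
        "user_data_lines": render_user_data(data["UserData"]).splitlines(),
    }
```

Anything other than ec2.amazonaws.com in trusted_services, or a literal security group ID that is not expected, is worth a second look before the stack is created.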