Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t3.micro
AllowedValues:
- t3.nano
- t3.micro
- t3.small
- t3.medium
- t3a.nano
- t3a.micro
- t3a.small
- t3a.medium
- m5.large
- m5.xlarge
- m5.2xlarge
- m5a.large
- m5a.xlarge
- m5a.2xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
ConstraintDescription: must be a valid EC2 instance type.
Resources:
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
SecurityGroupIds:
- !Ref WebServerSecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
# Get the latest CloudFormation package
yum update -y aws-cfn-bootstrap
# Run cfn-init
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region} || error_exit 'Failed to run cfn-init'
# Start up the cfn-hup daemon to listen for changes to the EC2 instance metadata
/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'
# Signal success or failure
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
Metadata:
AWS::CloudFormation::Init:
config:
packages:
yum:
httpd: []
php: []
files:
/var/www/html/index.php:
content: |
Hello World!";
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
# The interval used to check for changes to the resource metadata in minutes. Default is 15
interval=2
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerInstance --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: true
ensureRunning: true
cfn-hup:
enabled: true
ensureRunning: true
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
CreationPolicy:
ResourceSignal:
Timeout: PT5M
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Outputs:
WebsiteURL:
Value: !Sub 'http://${WebServerInstance.PublicDnsName}'
Description: URL of the web application
```
**要使用此模板启动堆栈**
1. 复制该模板并将其作为文本文件本地保存到您的系统中。注意保存位置,因为您需要在后续步骤中使用此文件。
1. 登录到 Amazon Web Services 管理控制台 并打开 Amazon CloudFormation 控制台 [https://console.aws.amazon.com/cloudformation](https://console.amazonaws.cn/cloudformation/)。
1. 依次选择**创建堆栈、使用新资源(标准)**。
1. 选择**选择现有模板**。
1. 在**指定模板**下,选择**上传模板文件**,浏览到您在第一步中创建的文件,然后选择**下一步**。
1. 在**指定堆栈详细信息**页面上,输入 **UpdateTutorial** 作为堆栈名称。
1. 在**参数**下,保持所有参数不变,然后选择两次**下一步**。
1. 在**审核并创建**屏幕上,选择**提交**。
当您的堆栈状态变成 `CREATE_COMPLETE` 后,**输出**选项卡会显示网站的 URL。如果您选择 `WebsiteURL` 的输出值,您将看到新 PHP 应用程序在工作。
## 第 2 步:更新应用程序
现在您已部署好堆栈,接下来更新应用程序吧。我们将对应用程序所打印出的文本进行简单更改。要执行此操作,我们将添加回显命令至 index.php 文件,如此模板代码段所示:
```
files:
/var/www/html/index.php:
content: |
Hello World!";
echo "This is an updated version of our application.
";
?>
mode: '000644'
owner: apache
group: apache
```
使用文本编辑器手动编辑您保存在本地的模板文件。
现在,更新堆栈。
**要使用更新后的模板更新堆栈**
1. 在 CloudFormation 控制台中,选择您的 **UpdateTutorial** 堆栈。
1. 选择**更新、直接更新**。
1. 选择**替换现有模板**。
1. 在**指定模板**下,选择**上传模板文件**,上传修改的模板文件模板,然后选择**下一步**。
1. 在**指定堆栈详细信息**页面上,保持所有参数相同,然后选择两次**下一步**。
1. 在**审核**页面上,审核您的更改。在**更改**下,您应该会看到 CloudFormation 将更新 `WebServerInstance` 资源。
1. 选择**提交**。
当您的堆栈处于 `UPDATE_COMPLETE` 状态时,您可以再次选择 `WebsiteURL` 输出值以验证应用程序的更改已生效。`cfn-hup` 进程守护程序每 2 分钟运行一次,因此最多能花 2 分钟在堆栈更新后更改应用程序。
要查看已更新资源集,请转至 CloudFormation 控制台。在**事件**选项卡上,查看堆栈事件。在此特别示例中,Amazon EC2 实例 `WebServerInstance` 的元数据已更新,这导致 CloudFormation 也会重新评估其他资源(`WebServerSecurityGroup`)以确保没有其他更改。其他堆栈资源都未修改。CloudFormation 将只更新堆栈中受堆栈的任何更改影响的资源。此类更改可直接进行,如属性或元数据更改,也可由依赖项或 `Ref`、`GetAtt` 中的数据流或其他内部模板函数导致。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
这一简单更新对此过程进行了阐述。但是,您可以对您的 Amazon EC2 实例中所部署文件和软件包进行更复杂的更改。例如,您可能会确定需要将 MySQL 与 MySQL 的 PHP 支持一起添加到实例中。要执行此操作,只需要将附加软件包和文件与任何附加服务一起添加到配置中,然后更新堆栈以部署更改。
```
packages:
yum:
httpd: []
php: []
mysql: []
php-mysql: []
mysql-server: []
mysql-libs: []
...
services:
systemd:
httpd:
enabled: true
ensureRunning: true
cfn-hup:
enabled: true
ensureRunning: true
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
mysqld:
enabled: true
ensureRunning: true
```
您可以更新 CloudFormation 元数据,将应用程序所使用的软件包更新到新版本。前述示例中,每个软件包的版本属性都为空,这表示 `cfn-init` 应安装最新版的软件包。
```
packages:
yum:
httpd: []
php: []
```
您可以视需要指定软件包的版本字符串。如果您在后续更新堆栈调用中更改版本字符串,则会部署新版软件包。此处显示 RubyGems 软件包版本号的使用示例。支持版本化的任何软件包都可以有特定版本。
```
packages:
rubygems:
mysql: []
rubygems-update:
- "1.6.2"
rake:
- "0.8.7"
rails:
- "2.3.11"
```
## 第 3 步:添加使用密钥对的 SSH 访问权限
您还可以更新模板中的资源,以添加原先未在模板中指定的属性。为了阐明上述操作,我们将会添加 Amazon EC2 密钥对到现有 EC2 实例中,然后在 Amazon EC2 安全组中打开端口 22,从而使您可以使用 Secure Shell(SSH)访问实例。
**向现有 Amazon EC2 实例添加 SSH 访问权限**
1. 向模板额外添加两个参数,从而以现有 Amazon EC2 密钥对和 SSH 位置的名称进行传递。
```
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address that can be used to SSH to the EC2 instances in CIDR format (e.g. 203.0.113.1/32)
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
```
1. 将 `KeyName` 属性添加到 Amazon EC2 实例。
```
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
SecurityGroupIds:
- !Ref WebServerSecurityGroup
```
1. 将端口 22 和 SSH 位置添加到 Amazon EC2 安全组的入口规则。
```
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
```
1. 使用与 [第 2 步:更新应用程序](#update-stack-update-application) 中所述的相同步骤更新堆栈。
## 第 4 步:更新实例类型
现在,让我们演示一下如何通过更改实例类型来更新底层基础设施。
我们到目前为止所建立的堆栈使用 t3.micro Amazon EC2 实例。假设您新建的网站获取的流量比 t3.micro 实例能处理的流量多,且您现在想移动到 m5.large Amazon EC2 实例类型中。如果实例类型的架构发生变化,则必须使用不同的 AMI 创建实例。但是,t3.micro 和 m5.large 都使用相同的 CPU 架构并运行 Amazon Linux 2(x86\$164)AMI。有关更多信息,请参阅《Amazon EC2 用户指南》**中的[更改实例类型的兼容性](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/resize-limitations.html)。
让我们使用在上一步中进行修改的模板更改实例类型。由于 `InstanceType` 是模板的输入参数,我们不需要修改模板;我们能在**指定堆栈详细信息**页面上更改参数值。
**要使用新的参数值更新堆栈**
1. 在 CloudFormation 控制台中,选择您的 **UpdateTutorial** 堆栈。
1. 选择**更新、直接更新**。
1. 选择**使用当前模板**,然后选择**下一步**。
1. 在**指定堆栈详细信息**页面上,将文本框中 **InstanceType** 的值从 `t3.micro` 更改为 `m5.large`。然后,选择两次**下一步**。
1. 在**审核**页面上,审核您的更改。在**更改**下,您应该会看到 CloudFormation 将更新 `WebServerInstance` 资源。
1. 选择**提交**。
对于 EBS 支持的 Amazon EC2 实例,可以通过启动和停止实例来动态更改实例类型。CloudFormation 会尝试通过更新实例类型并重启实例来优化更改,因此实例 ID 不会更改。但是,实例重启时,实例的公用 IP 地址会更改。为了确保在更改后正确绑定弹性 IP 地址,CloudFormation 还会更新弹性 IP 地址。您可以在**事件**选项卡上的 CloudFormation 控制台中看到更改。
要通过 Amazon Web Services 管理控制台 检查实例类型,请打开 Amazon EC2 控制台并在其中查找您的实例。
## 第 5 步:更新 AMI
现在,让我们更新堆栈以使用下一代 Amazon Linux,即 Amazon Linux 2023。
更新 AMI 是一项重大更改,需要更换实例。我们不能只通过启动和停止实例来修改 AMI;CloudFormation 会将此视为对资源不可变属性的更改。要更改不可变属性进,CloudFormation 必须启动替代资源,在此例中是运行新 AMI 的新 Amazon EC2 实例。
让我们来看看如何更新堆栈模板以使用 Amazon Linux 2023。关键更改包括更新 AMI 参数和从 `yum` 更改为 `dnf` 程序包管理器。
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
LatestAmiId:
Description: The latest Amazon Linux 2023 AMI from the Parameter Store
Type: AWS::SSM::Parameter::Value
Default: '/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64'
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t3.micro
AllowedValues:
- t3.nano
- t3.micro
- t3.small
- t3.medium
- t3a.nano
- t3a.micro
- t3a.small
- t3a.medium
- m5.large
- m5.xlarge
- m5.2xlarge
- m5a.large
- m5a.xlarge
- m5a.2xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address that can be used to SSH to the EC2 instances in CIDR format (e.g. 203.0.113.1/32)
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Resources:
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
SecurityGroupIds:
- !Ref WebServerSecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
# Get the latest CloudFormation package
dnf update -y aws-cfn-bootstrap
# Run cfn-init
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region} || error_exit 'Failed to run cfn-init'
# Start up the cfn-hup daemon to listen for changes to the EC2 instance metadata
/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'
# Signal success or failure
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
Metadata:
AWS::CloudFormation::Init:
config:
packages:
dnf:
httpd: []
php: []
files:
/var/www/html/index.php:
content: |
Hello World!";
echo "This is an updated version of our application.
";
echo "Running on Amazon Linux 2023!
";
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
# The interval used to check for changes to the resource metadata in minutes. Default is 15
interval=2
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerInstance --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: true
ensureRunning: true
cfn-hup:
enabled: true
ensureRunning: true
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
CreationPolicy:
ResourceSignal:
Timeout: PT5M
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
Outputs:
WebsiteURL:
Value: !Sub 'http://${WebServerInstance.PublicDnsName}'
Description: URL of the web application
```
使用与 [第 2 步:更新应用程序](#update-stack-update-application) 中所述的相同步骤更新堆栈。
在新实例运行之后,CloudFormation 将更新堆栈中的其他资源以指向新资源。创建所有新资源并删除旧资源的过程称为 `UPDATE_CLEANUP`。此时,您将注意到堆栈中实例的实例 ID 和应用程序 URL 已随着更新而更改。**事件**表中的事件包含描述“Requested update has a change to an immutable property and hence creating a new physical resource”,以指示资源已被替代。
或者:如果您已将应用程序代码写入您想更新的 AMI 中,您可以使用同一堆栈更新机制更新 AMI 以加载您的新应用程序。
**要使用自定义应用程序代码更新 AMI**
1. 创建含有应用程序或操作系统更改的新 AMI。有关更多信息,请参阅《Amazon EC2 用户指南》**中的[创建 Amazon EBS-backed AMI](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)。
1. 更新您的模板以合并新 AMI ID。
1. 使用与 [第 2 步:更新应用程序](#update-stack-update-application) 中所述的相同步骤更新堆栈。
在您更新堆栈时,CloudFormation 检测到 AMI ID 已更改,然后用我们启动前一个更新所使用的方法触发堆栈更新。
## 可用性和影响注意事项
不同的属性会对堆栈中的资源造成不同的影响。您可以使用 CloudFormation 更新任何属性,但是您应该在进行任何更改之前考虑以下问题:
1. 更新会如何影响资源本身? 例如,更新警报阈值会使警报在更新期间处于非活动状态。正如我们所见,更改实例类型时需要停止并重启实例。CloudFormation 使用底层资源的更新或修改操作来对资源进行更改。要了解更改的影响,您应该查看特定资源的文档。
1. 更改可变还是不可变? 对资源属性的某些更改,如更改 Amazon EC2 实例上的 AMI,不受基础服务的支持。如果更改可变,CloudFormation 将使用适用于基础资源的“Update”或“Modify”类型 API。对于不可变的属性更改,CloudFormation 将用更新后的属性创建新资源,然后再删除旧资源之前将此资源链接至堆栈。虽然 CloudFormation 尝试减少堆栈资源的停机时间,但替代资源是一个多步骤过程,需要时间。重新配置堆栈期间,您的应用程序不能全面运行。例如,它可能不能为请求提供服务或访问数据库。
## 相关资源
有关使用 CloudFormation 启动应用程序的更多信息以及集成其他配置与 Puppet 和 Opscode Chef 等部署服务的更多信息,请参阅以下白皮书:
+ [通过 CloudFormation 启动应用程序](https://s3.amazonaws.com/cloudformation-examples/BoostrappingApplicationsWithAWSCloudFormation.pdf)
+ [将 CloudFormation 与 Opscode Chef 集成](https://s3.amazonaws.com/cloudformation-examples/IntegratingAWSCloudFormationWithOpscodeChef.pdf)
+ [将 CloudFormation 与 Puppet 集成](https://s3.amazonaws.com/cloudformation-examples/IntegratingAWSCloudFormationWithPuppet.pdf)
# 创建已扩展且负载均衡的应用程序
在本演练中,您将创建一个堆栈,该堆栈可帮助您设置已扩展且负载平衡的应用程序。此演练为您提供将用于创建堆栈的示例模板。此示例模板预置了自动扩缩组、应用程序负载均衡器、控制负载均衡器和自动扩缩组流量的安全组,以及用于发布有关扩展活动的通知的 Amazon SNS 通知配置。
本模板将创建一个或多个 Amazon EC2 实例和一个应用程序负载均衡器。如果您通过本模板创建堆栈,则需为使用的 Amazon 资源支付相应费用。
## 完整堆栈模板
我们从使用模板开始。
**YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
InstanceType:
Description: The EC2 instance type
Type: String
Default: t3.micro
AllowedValues:
- t3.micro
- t3.small
- t3.medium
KeyName:
Description: Name of an existing EC2 key pair to allow SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
LatestAmiId:
Description: The latest Amazon Linux 2 AMI from the Parameter Store
Type: AWS::SSM::Parameter::Value
Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
OperatorEmail:
Description: The email address to notify when there are any scaling activities
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Subnets:
Type: 'List'
Description: At least two public subnets in different Availability Zones in the selected VPC
VPC:
Type: AWS::EC2::VPC::Id
Description: A virtual private cloud (VPC) that enables resources in public subnets to connect to the internet
Resources:
ELBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB Security Group
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
EC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EC2 Security Group
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId:
Fn::GetAtt:
- ELBSecurityGroup
- GroupId
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
EC2TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 15
HealthyThresholdCount: 5
Matcher:
HttpCode: '200'
Name: EC2TargetGroup
Port: 80
Protocol: HTTP
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: '20'
UnhealthyThresholdCount: 3
VpcId: !Ref VPC
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref EC2TargetGroup
LoadBalancerArn: !Ref ApplicationLoadBalancer
Port: 80
Protocol: HTTP
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
Subnets: !Ref Subnets
SecurityGroups:
- !GetAtt ELBSecurityGroup.GroupId
LaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
LaunchTemplateData:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
SecurityGroupIds:
- !Ref EC2SecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "Hello World!
" > /var/www/html/index.html
NotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
WebServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
LaunchTemplate:
LaunchTemplateId: !Ref LaunchTemplate
Version: !GetAtt LaunchTemplate.LatestVersionNumber
MaxSize: '3'
MinSize: '1'
NotificationConfigurations:
- TopicARN: !Ref NotificationTopic
NotificationTypes: ['autoscaling:EC2_INSTANCE_LAUNCH', 'autoscaling:EC2_INSTANCE_LAUNCH_ERROR', 'autoscaling:EC2_INSTANCE_TERMINATE', 'autoscaling:EC2_INSTANCE_TERMINATE_ERROR']
TargetGroupARNs:
- !Ref EC2TargetGroup
VPCZoneIdentifier: !Ref Subnets
```
**JSON**
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Parameters":{
"InstanceType":{
"Description":"The EC2 instance type",
"Type":"String",
"Default":"t3.micro",
"AllowedValues":[
"t3.micro",
"t3.small",
"t3.medium"
]
},
"KeyName":{
"Description":"Name of an existing EC2 key pair to allow SSH access to the instances",
"Type":"AWS::EC2::KeyPair::KeyName"
},
"LatestAmiId":{
"Description":"The latest Amazon Linux 2 AMI from the Parameter Store",
"Type":"AWS::SSM::Parameter::Value",
"Default":"/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
},
"OperatorEmail":{
"Description":"The email address to notify when there are any scaling activities",
"Type":"String"
},
"SSHLocation":{
"Description":"The IP address range that can be used to SSH to the EC2 instances",
"Type":"String",
"MinLength":9,
"MaxLength":18,
"Default":"0.0.0.0/0",
"ConstraintDescription":"Must be a valid IP CIDR range of the form x.x.x.x/x."
},
"Subnets":{
"Type":"List",
"Description":"At least two public subnets in different Availability Zones in the selected VPC"
},
"VPC":{
"Type":"AWS::EC2::VPC::Id",
"Description":"A virtual private cloud (VPC) that enables resources in public subnets to connect to the internet"
}
},
"Resources":{
"ELBSecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"ELB Security Group",
"VpcId":{
"Ref":"VPC"
},
"SecurityGroupIngress":[
{
"IpProtocol":"tcp",
"FromPort":80,
"ToPort":80,
"CidrIp":"0.0.0.0/0"
}
]
}
},
"EC2SecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"EC2 Security Group",
"VpcId":{
"Ref":"VPC"
},
"SecurityGroupIngress":[
{
"IpProtocol":"tcp",
"FromPort":80,
"ToPort":80,
"SourceSecurityGroupId":{
"Fn::GetAtt":[
"ELBSecurityGroup",
"GroupId"
]
}
},
{
"IpProtocol":"tcp",
"FromPort":22,
"ToPort":22,
"CidrIp":{
"Ref":"SSHLocation"
}
}
]
}
},
"EC2TargetGroup":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties":{
"HealthCheckIntervalSeconds":30,
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":15,
"HealthyThresholdCount":5,
"Matcher":{
"HttpCode":"200"
},
"Name":"EC2TargetGroup",
"Port":80,
"Protocol":"HTTP",
"TargetGroupAttributes":[
{
"Key":"deregistration_delay.timeout_seconds",
"Value":"20"
}
],
"UnhealthyThresholdCount":3,
"VpcId":{
"Ref":"VPC"
}
}
},
"ALBListener":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"Properties":{
"DefaultActions":[
{
"Type":"forward",
"TargetGroupArn":{
"Ref":"EC2TargetGroup"
}
}
],
"LoadBalancerArn":{
"Ref":"ApplicationLoadBalancer"
},
"Port":80,
"Protocol":"HTTP"
}
},
"ApplicationLoadBalancer":{
"Type":"AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties":{
"Scheme":"internet-facing",
"Subnets":{
"Ref":"Subnets"
},
"SecurityGroups":[
{
"Fn::GetAtt":[
"ELBSecurityGroup",
"GroupId"
]
}
]
}
},
"LaunchTemplate":{
"Type":"AWS::EC2::LaunchTemplate",
"Properties":{
"LaunchTemplateName":{
"Fn::Sub":"${AWS::StackName}-launch-template"
},
"LaunchTemplateData":{
"ImageId":{
"Ref":"LatestAmiId"
},
"InstanceType":{
"Ref":"InstanceType"
},
"KeyName":{
"Ref":"KeyName"
},
"SecurityGroupIds":[
{
"Ref":"EC2SecurityGroup"
}
],
"UserData":{
"Fn::Base64":{
"Fn::Join":[
"",
[
"#!/bin/bash\n",
"yum update -y\n",
"yum install -y httpd\n",
"systemctl start httpd\n",
"systemctl enable httpd\n",
"echo \"Hello World!
\" > /var/www/html/index.html"
]
]
}
}
}
}
},
"NotificationTopic":{
"Type":"AWS::SNS::Topic",
"Properties":{
"Subscription":[
{
"Endpoint":{
"Ref":"OperatorEmail"
},
"Protocol":"email"
}
]
}
},
"WebServerGroup":{
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"LaunchTemplate":{
"LaunchTemplateId":{
"Ref":"LaunchTemplate"
},
"Version":{
"Fn::GetAtt":[
"LaunchTemplate",
"LatestVersionNumber"
]
}
},
"MaxSize":"3",
"MinSize":"1",
"NotificationConfigurations":[
{
"TopicARN":{
"Ref":"NotificationTopic"
},
"NotificationTypes":[
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR"
]
}
],
"TargetGroupARNs":[
{
"Ref":"EC2TargetGroup"
}
],
"VPCZoneIdentifier":{
"Ref":"Subnets"
}
}
}
}
}
```
## 模板演练
此模板的第一部分指定了 `Parameters`。必须向每个参数分配一个运行时的值,使 Amazon CloudFormation 能够成功预置堆栈。稍后在模板中指定的资源会引用这些值并使用这些数据。
+ `InstanceType`:Amazon EC2 Auto Scaling 预置的 EC2 实例类型。如果未指定,则默认使用 `t3.micro`。
+ `KeyName`:用于允许 SSH 访问实例的现有 EC2 密钥对。
+ `LatestAmiId`:实例的亚马逊机器映像(AMI)。如果未指定,则您的实例将使用由 Amazon 维护的 Amazon Systems Manager 公有参数,通过 Amazon Linux 2 AMI 启动。有关更多信息,请参阅 *Amazon Systems Manager User Guide* 中的 [Finding public parameters](https://docs.amazonaws.cn/systems-manager/latest/userguide/parameter-store-finding-public-parameters.html)。
+ `OperatorEmail`:您要发送扩展活动通知的电子邮件地址。
+ `SSHLocation`:可用于通过 SSH 连接到实例的 IP 地址范围。
+ `Subnets`:位于不同可用区的至少两个公有子网。
+ `VPC`:您账户中的虚拟私有云(VPC),其允许公有子网中的资源连接到互联网。
**注意**
您可以使用默认 VPC 和默认子网来允许实例访问互联网。如果使用您自己的 VPC,请确保它拥有映射到您工作时所在区域的每个可用区的子网。您至少必须具有两个公有子网,且这些子网可用于创建负载均衡器。
此模板的下一个部分指定了 `Resources`。本部分指定堆栈资源及其属性。
[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源 `ELBSecurityGroup`
+ `SecurityGroupIngress` 包含一个 TCP 入口规则,该规则允许来自端口 80 上的*所有 IP 地址*("CidrIp" : "0.0.0.0/0")的访问。
[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源 `EC2SecurityGroup`
+ `SecurityGroupIngress` 包含两个入口规则:1) 允许来自您为 `SSHLocation` 输入参数提供的 IP 地址范围内的 SSH 访问(端口 22)的 TCP 入口规则;2) 允许通过指定负载均衡器的安全组实现的来自负载均衡器的访问的 TCP 入口规则。[GetAtt](resources-section-structure.md#resource-properties-getatt) 函数用于获取具有逻辑名称 `ELBSecurityGroup` 的安全组 ID。
[AWS::ElasticLoadBalancingV2::TargetGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) 资源 `EC2TargetGroup`
+ `Port`、`Protocol` 和 `HealthCheckProtocol` 指定 `ApplicationLoadBalancer` 要向其中路由流量以及 Elastic Load Balancing 用于检查 EC2 实例运行状况的 EC2 实例端口(80)和协议(HTTP)。
+ `HealthCheckIntervalSeconds` 指定 EC2 实例的每次运行状况检查之间有 30 秒的时间间隔。`HealthCheckTimeoutSeconds` 定义为 Elastic Load Balancing 等待来自运行状况检查目标响应的时间(本示例中为 15 秒)。超时时间超过之后,Elastic Load Balancing 将标记 EC2 实例运行状况检查为“运行状况不佳”。当 EC2 实例连续三次未通过运行状况检查 (`UnhealthyThresholdCount`) 时,Elastic Load Balancing 会停止将流量路由到该 EC2 实例,直到该实例连续五次运行状况检查均正常 (`HealthyThresholdCount`)。此时,Elastic Load Balancing 认为实例运行状况良好,并再次开始将流量路由到该实例。
+ `TargetGroupAttributes` 将目标组的取消注册延迟值更新为 20 秒。默认情况下,Elastic Load Balancing 会等待 300 秒,才会完成注销过程。
[AWS::ElasticLoadBalancingV2::Listener](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) 资源 `ALBListener`
+ `DefaultActions` 指定负载均衡器侦听的端口、负载均衡器转发请求的目标组以及用于路由请求的协议。
[AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) 资源 `ApplicationLoadBalancer`
+ `Subnets` 将 `Subnets` 输入参数的值作为要在其中创建负载均衡器节点的公有子网列表。
+ `SecurityGroup` 获取安全组的 ID,该安全组充当虚拟防火墙,以便负载均衡器节点控制传入流量。[GetAtt](resources-section-structure.md#resource-properties-getatt) 函数用于获取具有逻辑名称 `ELBSecurityGroup` 的安全组 ID。
[AWS::EC2::LaunchTemplate](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源 `LaunchTemplate`
+ `ImageId` 将 `LatestAmiId` 输入参数的值作为要使用的 AMI。
+ `KeyName` 将 `KeyName` 输入参数的值作为要使用的 EC2 密钥对。
+ `SecurityGroupIds` 获取逻辑名称为 `EC2SecurityGroup` 的安全组的 ID,该安全组充当虚拟防火墙,以便 EC2 实例控制传入流量。
+ `UserData` 是在实例启动并运行之后运行的配置脚本。在此示例中,脚本安装 Apache 并创建 index.html 文件。
[AWS::SNS::Topic](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) 资源 `NotificationTopic`
+ 当有任何扩展活动时,`Subscription` 将 `OperatorEmail` 输入参数的值作为通知收件人的电子邮件地址。
[AWS::AutoScaling::AutoScalingGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源 `WebServerGroup`
+ `MinSize` 和 `MaxSize` 设置自动扩缩组中的 EC2 实例的最小和最大数量。
+ `TargetGroupARNs` 使用逻辑名称为 `EC2TargetGroup` 的目标组的 ARN。随着此自动扩缩组的扩展,它会自动向该目标组注册和注销实例。
+ `VPCZoneIdentifier` 将 `Subnets` 输入参数的值作为要在其中创建 EC2 实例的公有子网列表。
## 步骤 1:启动堆栈
在启动堆栈之前,请检查您是否拥有可以使用以下所有服务的 Amazon Identity and Access Management(IAM)权限:Amazon EC2、Amazon EC2 Auto Scaling、Amazon Systems Manager、Elastic Load Balancing、Amazon SNS 和 Amazon CloudFormation。
以下过程涉及从文件上传示例堆栈模板。在本地计算机上打开文本编辑器并添加其中一个模板。使用文件名 `sampleloadbalancedappstack.template` 保存该文件。
**启动堆栈模板**
1. 登录到 Amazon Web Services 管理控制台 并打开 Amazon CloudFormation 控制台 [https://console.aws.amazon.com/cloudformation](https://console.amazonaws.cn/cloudformation/)。
1. 依次选择**创建堆栈**和**使用新资源(标准)**。
1. 在**指定模板**下,选择**上传模板文件**,然后选择**选择文件**,上传 `sampleloadbalancedappstack.template` 文件。
1. 选择**下一步**。
1. 在**指定堆栈详细信息**页面上,键入堆栈的名称(例如 **SampleLoadBalancedAppStack**)。
1. 在**参数**下,查看堆栈的参数并为没有默认值的所有参数提供值,包括 **OperatorEmail**、**SSHLocation**、**KeyName**、**VPC** 和 **Subnets**。
1. 选择**下一步**两次。
1. 在**审核**页面上,审核并确认设置。
1. 选择**提交**。
您可以在 Amazon CloudFormation 控制台的**状态**列中查看堆栈的状态。Amazon CloudFormation 成功创建堆栈后,您将收到 **CREATE\$1COMPLETE** 状态。
**注意**
创建堆栈后,必须先确认订阅,电子邮件地址才能开始接收通知。有关更多信息,请参阅《Amazon EC2 Auto Scaling 用户指南》中的[自动扩缩组扩展时获取 Amazon SNS 通知](https://docs.amazonaws.cn/autoscaling/ec2/userguide/ec2-auto-scaling-sns-notifications.html)。
## 步骤 2:清除示例资源
为确保您无需为未使用的示例资源付费,请删除堆栈。
**删除堆栈**
1. 在 Amazon CloudFormation 控制台中,选择 **SampleLoadBalancedAppStack** 堆栈。
1. 选择**删除**。
1. 在确认消息中,选择**删除堆栈**。
**SampleLoadBalancedAppStack** 的状态更改为 **DELETE\$1IN\$1PROGRESS**。当 Amazon CloudFormation 完成删除堆栈后,它会将从列表中移堆栈除。
使用本演练中的示例模板构建您自己的堆栈模板。有关更多信息,请参阅 *Amazon EC2 Auto Scaling User Guide* 中的 [Tutorial: Set up a scaled and load-balanced application](https://docs.amazonaws.cn/autoscaling/ec2/userguide/tutorial-ec2-auto-scaling-load-balancer.html)。
# 与其他 Amazon Web Services 账户中的 VPC 建立对等连接
您可以使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpcpeeringconnection.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpcpeeringconnection.html) 与其他 Amazon Web Services 账户中的虚拟私有云(VPC)建立对等连接。这会在两个 VPC 之间创建网络连接,使您能够在它们之间路由流量,它们可以像在同一网络中那样进行通信。VPC 对等连接有助于简化数据访问和数据传输。
要建立 VPC 对等连接,您需要为单个 CloudFormation 堆栈中的两个单独 Amazon Web Services 账户 授权。
有关 VPC 对等连接及其限制的更多信息,请参阅 [Amazon VPC 对等连接指南](https://docs.amazonaws.cn/vpc/latest/peering/)。
## 先决条件
1. 您需要为对等连接提供对等 VPC ID、对等 Amazon Web Services 账户 ID 以及[跨账户访问角色](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html)。
**注意**
本演练涉及两个账户:第一个是允许跨账户对等的账户 (*接受方账户*)。第二个是请求对等连接的账户 (*请求者账户*)。
1. 要接受 VPC 对等连接,您必须能够担任跨账户访问角色。该资源的行为方式与同一账户中的 VPC 对等连接资源相同。要了解 IAM 管理员如何授予代入跨账户角色的权限,请参阅 *IAM 用户指南*中的[向用户授予切换角色的权限](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html)。
## 步骤 1:创建 VPC 和跨账户角色
在该步骤中,您需要在*接受方账户* 中创建 VPC 和角色。
**创建 VPC 和跨账户访问角色**
1. 登录到 Amazon Web Services 管理控制台 并打开 Amazon CloudFormation 控制台 [https://console.aws.amazon.com/cloudformation](https://console.amazonaws.cn/cloudformation/)。
1. 在**堆栈**页面,选择右上角的**创建堆栈**,然后选择**使用新资源(标准)**。
1. 在**先决条件 – 准备模板**中,选择**选择现有模板**,然后依次选择**上传模板文件** > **选择文件**。
1. 在本地计算机上打开文本编辑器并添加以下模板之一。保存文件并返回控制台,将其选择为模板文件。
**Example JSON**
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and an assumable role for cross account VPC peering.",
"Parameters": {
"PeerRequesterAccountId": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.1.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"peerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Principal": {
"AWS": {
"Ref": "PeerRequesterAccountId"
}
},
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow"
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:AcceptVpcPeeringConnection",
"Resource": "*"
}
]
}
}
]
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"RoleARN": {
"Value": {
"Fn::GetAtt": [
"peerRole",
"Arn"
]
}
}
}
}
```
**Example YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
PeerRequesterAccountId:
Type: String
Resources:
vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.1.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
peerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Principal:
AWS: !Ref PeerRequesterAccountId
Action:
- 'sts:AssumeRole'
Effect: Allow
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'ec2:AcceptVpcPeeringConnection'
Resource: '*'
Outputs:
VPCId:
Value: !Ref vpc
RoleARN:
Value: !GetAtt
- peerRole
- Arn
```
1. 选择**下一步**。
1. 为堆栈提供一个名称(例如 **VPC-owner**),然后在 **PeerRequesterAccountId** 字段中输入*请求者账户*的 Amazon Web Services 账户 ID。
1. 接受默认值,然后选择 **Next**。
1. 选择**我确认 Amazon CloudFormation 可能创建 IAM 资源**,然后选择**创建堆栈**。
## 步骤 2:创建包含 `AWS::EC2::VPCPeeringConnection` 的模板
现在,您已创建 VPC 和跨账户角色,您可以与使用另一个 Amazon Web Services 账户(*请求者账户*)的 VPC 进行对等。
**创建包含 [AWS::EC2::VPCPeeringConnection](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpcpeeringconnection.html) 资源的模板**
1. 返回 Amazon CloudFormation 控制台主页。
1. 在**堆栈**页面,选择右上角的**创建堆栈**,然后选择**使用新资源(标准)**。
1. 在**先决条件 – 准备模板**中,选择**选择现有模板**,然后依次选择**上传模板文件** > **选择文件**。
1. 在本地计算机上打开文本编辑器并添加以下模板之一。保存文件并返回控制台,将其选择为模板文件。
**Example JSON**
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
"Parameters": {
"PeerVPCAccountId": {
"Type": "String"
},
"PeerVPCId": {
"Type": "String"
},
"PeerRoleArn": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.2.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"vpcPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"PeerVpcId": {
"Ref": "PeerVPCId"
},
"PeerOwnerId": {
"Ref": "PeerVPCAccountId"
},
"PeerRoleArn": {
"Ref": "PeerRoleArn"
}
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"VPCPeeringConnectionId": {
"Value": {
"Ref": "vpcPeeringConnection"
}
}
}
}
```
**Example YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and a VPC Peering connection using the PeerRole to accept.
Parameters:
PeerVPCAccountId:
Type: String
PeerVPCId:
Type: String
PeerRoleArn:
Type: String
Resources:
vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.2.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
vpcPeeringConnection:
Type: AWS::EC2::VPCPeeringConnection
Properties:
VpcId: !Ref vpc
PeerVpcId: !Ref PeerVPCId
PeerOwnerId: !Ref PeerVPCAccountId
PeerRoleArn: !Ref PeerRoleArn
Outputs:
VPCId:
Value: !Ref vpc
VPCPeeringConnectionId:
Value: !Ref vpcPeeringConnection
```
1. 选择**下一步**。
1. 为堆栈提供一个名称(例如,**VPC-peering-connection**)。
1. 接受默认值,然后选择 **Next**。
1. 选择**我确认 Amazon CloudFormation 可能创建 IAM 资源**,然后选择**创建堆栈**。
## 创建具有高度限制策略的模板
在将您的 VPC 与另一个 Amazon Web Services 账户 对等时,您可能需要创建一个高度限制的策略。
以下示例模板显示如何更改 VPC 对等所有者模板 (上面步骤 1 中创建的*接受方账户*),以加强对它的限制。
**Example JSON**
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Description":"Create a VPC and an assumable role for cross account VPC peering.",
"Parameters":{
"PeerRequesterAccountId":{
"Type":"String"
}
},
"Resources":{
"peerRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Action":[
"sts:AssumeRole"
],
"Effect":"Allow",
"Principal":{
"AWS":{
"Ref":"PeerRequesterAccountId"
}
}
}
]
},
"Path":"/",
"Policies":[
{
"PolicyDocument":{
"Statement":[
{
"Action":"ec2:acceptVpcPeeringConnection",
"Effect":"Allow",
"Resource":{
"Fn::Sub":"arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"
}
},
{
"Action":"ec2:acceptVpcPeeringConnection",
"Condition":{
"StringEquals":{
"ec2:AccepterVpc":{
"Fn::Sub":"arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"
}
}
},
"Effect":"Allow",
"Resource":{
"Fn::Sub":"arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*"
}
}
],
"Version":"2012-10-17"
},
"PolicyName":"root"
}
]
}
},
"vpc":{
"Type":"AWS::EC2::VPC",
"Properties":{
"CidrBlock":"10.1.0.0/16",
"EnableDnsHostnames":false,
"EnableDnsSupport":false,
"InstanceTenancy":"default"
}
}
},
"Outputs":{
"RoleARN":{
"Value":{
"Fn::GetAtt":[
"peerRole",
"Arn"
]
}
},
"VPCId":{
"Value":{
"Ref":"vpc"
}
}
}
}
```
**Example YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
PeerRequesterAccountId:
Type: String
Resources:
peerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- 'sts:AssumeRole'
Effect: Allow
Principal:
AWS:
Ref: PeerRequesterAccountId
Path: /
Policies:
- PolicyDocument:
Statement:
- Action: 'ec2:acceptVpcPeeringConnection'
Effect: Allow
Resource:
'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
- Action: 'ec2:acceptVpcPeeringConnection'
Condition:
StringEquals:
'ec2:AccepterVpc':
'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
Effect: Allow
Resource:
'Fn::Sub': >-
arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*
Version: 2012-10-17
PolicyName: root
vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.1.0.0/16
EnableDnsHostnames: false
EnableDnsSupport: false
InstanceTenancy: default
Outputs:
RoleARN:
Value:
'Fn::GetAtt':
- peerRole
- Arn
VPCId:
Value:
Ref: vpc
```
要访问 VPC,您可以使用上面步骤 2 中使用的请求者模板。
有关更多信息,请参阅*《Amazon VPC 对等连接指南》*中的[VPC 对等连接的身份和访问权限管理](https://docs.amazonaws.cn/vpc/latest/peering/security-iam.html)。
# 通过 CodeDeploy 使用 CloudFormation 执行 ECS 蓝/绿部署
要更新在 Amazon Elastic Container Service(Amazon ECS)上运行的应用程序,您可以使用 CodeDeploy 蓝绿部署策略。此策略有助于尽可能减少因更改应用程序版本造成的中断。
在蓝绿部署中,您可以在当前的实时环境(称为*蓝色*)之外创建一个新的应用程序环境(称为*绿色*)。这使您可以先监控和测试绿色环境,然后再将实时流量从蓝色环境路由到绿色环境。在绿色环境开始为实时流量提供服务后,您可以安全地终止蓝色环境。
要使用 CloudFormation 在 ECS 上执行 CodeDeploy 蓝绿部署,请在堆栈模板中包括以下信息:
+ 描述 `AWS::CodeDeploy::BlueGreen` 钩子的 `Hooks` 部分。
+ 指定 `AWS::CodeDeployBlueGreen` 变换的 `Transform` 部分。
以下主题提供了有关为 ECS 上的蓝绿部署设置 CloudFormation 模板的指导。
**Topics**
+ [
# 关于蓝绿部署
](about-blue-green-deployments.md)
+ [
# 使用 CloudFormation 管理 ECS 蓝/绿部署时的注意事项
](blue-green-considerations.md)
+ [
# `AWS::CodeDeploy::BlueGreen` 钩子语法
](blue-green-hook-syntax.md)
+ [
# 蓝绿部署模板示例
](blue-green-template-example.md)
# 关于蓝绿部署
本主题概述了如何使用 CloudFormation 执行蓝绿部署。此外还介绍了如何准备用于蓝绿部署的 CloudFormation 模板。
**Topics**
+ [
## 工作原理
](#blue-green-how-it-works)
+ [会启动绿色部署的资源更新](#blue-green-resources)
+ [准备 模板](#blue-green-setup)
+ [为蓝绿部署建模](#blue-green-required)
+ [更改集](#blue-green-changesets)
+ [监控堆栈事件](#blue-green-events)
+ [IAM 权限](#blue-green-iam)
## 工作原理
使用 CloudFormation 通过 CodeDeploy 执行 ECS 蓝绿部署时,首先创建一个堆栈模板,用于定义蓝色和绿色应用程序环境的资源,包括指定要使用的流量路由和稳定设置。然后基于该模板创建一个堆栈。这会生成蓝色(当前)应用程序。CloudFormation 仅在堆栈创建过程中创建蓝色资源。绿色部署的资源仅在需要时才会创建。
然后,如果在将来的堆栈更新中更新蓝色应用程序中的任务定义或任务集资源,CloudFormation 会执行以下操作:
+ 生成所有必需的绿色应用程序环境资源
+ 根据指定的流量路由参数转移流量
+ 删除蓝色资源
如果在绿色部署成功和完成之前的任何时刻发生错误,CloudFormation 会将堆栈回滚到启动整个绿色部署之前的状态。
## 会启动绿色部署的资源更新
执行将会更新特定 ECS 资源的特定属性的堆栈更新时,CloudFormation 将会启动绿色部署过程。将会启动此过程的资源有:
+ [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html)
+ [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html)
但是,如果对这些资源的更新不涉及需要替换的属性更改,则不会启动绿色部署。有关更多信息,请参阅 [理解堆栈资源的更新行为](using-cfn-updating-stacks-update-behaviors.md)。
请注意,不能在同一堆栈更新操作中同时包括对上述资源的更新以及对其他资源的更新。如果需要更新列出的资源以及同一堆栈中的其他资源,则有两种选择:
+ 执行两个单独的堆栈更新操作:一个仅包括对上述资源的更新,另一个单独的堆栈更新包括对任何其他资源的更改。
+ 从模板中删除 `Transform` 和 `Hooks` 部分,然后执行堆栈更新。在这种情况下,CloudFormation 不会执行绿色部署。
## 准备模板以执行 ECS 蓝/绿部署
要在堆栈上启用蓝/绿部署,请在执行堆栈更新之前在堆栈模板中包含以下部分。
+ 将 `AWS::CodeDeployBlueGreen` 转换的引用添加到模板中:
```
"Transform": [
"AWS::CodeDeployBlueGreen"
],
```
+ 添加调用 `AWS::CodeDeploy::BlueGreen` 挂钩并指定部署属性的 `Hooks` 部分。有关更多信息,请参阅 [`AWS::CodeDeploy::BlueGreen` 钩子语法](blue-green-hook-syntax.md)。
+ 在 `Resources` 部分中,定义部署的蓝色和绿色资源。
您可以在第一次创建模板时(即创建堆栈本身之前)添加这些部分,也可以在执行堆栈更新之前将它们添加到现有模板中。如果是为新堆栈指定蓝/绿部署,则 CloudFormation 只在堆栈创建期间创建蓝色资源 - 仅当在堆栈更新期间需要绿色部署的资源时才会创建它们。
## 使用 CloudFormation 资源对蓝/绿部署建模
要在 ECS 上执行 CodeDeploy 蓝绿部署,CloudFormation 模板需要包含为部署建模的资源,例如 Amazon ECS 服务和负载均衡器。如需更详细地了解这些资源代表了什么,请参阅《Amazon CodeDeploy 用户指南》中的[开始 Amazon ECS 部署之前](https://docs.amazonaws.cn/codedeploy/latest/userguide/deployment-steps-ecs.html#deployment-steps-prerequisites-ecs)。
| 要求 | 资源 | 必需/可选 | 如果替换则会启动蓝绿部署? |
| --- | --- | --- | --- |
| Amazon ECS 集群 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html) | 可选。可以使用默认集群。 | 否 |
| Amazon ECS 服务 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html) | 必需。 | 否 |
| 应用程序或网络负载均衡器 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-service-loadbalancer.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-service-loadbalancer.html) | 必需。 | 否 |
| 生产侦听器 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) | 必需。 | 否 |
| 测试侦听器 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) | 可选。 | 否 |
| 两个目标组 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) | 必需。 | 否 |
| Amazon ECS 任务定义 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html) | 必需。 | 是 |
| 您的 Amazon ECS 应用程序的容器 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-name](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-name) | 必需。 | 否 |
| 您的替换任务集的端口 | [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-portmapping.html#cfn-ecs-taskdefinition-portmapping-containerport](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-portmapping.html#cfn-ecs-taskdefinition-portmapping-containerport) | 必需。 | 否 |
## 更改集
我们强烈建议您在执行会启动绿色部署的堆栈更新之前创建更改集。这样便于您在执行堆栈更新之前查看对堆栈作出的实际更改。请注意,资源更改可能不会按堆栈更新期间的执行顺序列出。有关更多信息,请参阅 [使用更改集更新 CloudFormation 堆栈](using-cfn-updating-stacks-changesets.md)。
## 监控堆栈事件
您可以在 **Stack**(堆栈)页面的 **Events**(事件)选项卡上,使用 Amazon CLI 查看 ECS 部署的每个步骤生成的堆栈事件。有关更多信息,请参阅 [监控堆栈进度](monitor-stack-progress.md)。
## 蓝绿部署所需的 IAM 权限
为了使 CloudFormation 成功执行蓝绿部署,您必须具有以下 CodeDeploy 权限:
+ `codedeploy:Get*`
+ `codedeploy:CreateCloudFormationDeployment`
有关更多信息,请参阅《服务授权参考》中的 [Actions, resources, and condition keys for CodeDeploy](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awscodedeploy.html)**。
# 使用 CloudFormation 管理 ECS 蓝/绿部署时的注意事项
使用 CloudFormation 来通过 CodeDeploy 执行 ECS 蓝绿部署的过程,不同于仅使用 CodeDeploy 的标准 Amazon ECS 部署过程。要详细了解这些区别,请参阅《Amazon CodeDeploy 用户指南》中的[通过 CodeDeploy 和 Amazon CloudFormation 进行的 Amazon ECS 蓝绿部署的区别](https://docs.amazonaws.cn/codedeploy/latest/userguide/deployments-create-ecs-cfn.html#differences-ecs-bg-cfn)**。
使用 CloudFormation 管理蓝绿部署时,需要记住某些限制和注意事项:
+ 只有对特定资源的更新才会启动绿色部署。有关更多信息,请参阅 [会启动绿色部署的资源更新](about-blue-green-deployments.md#blue-green-resources)。
+ 不能在同一堆栈更新中包括启动绿色部署的资源更新和对其他资源的更新。有关更多信息,请参阅 [会启动绿色部署的资源更新](about-blue-green-deployments.md#blue-green-resources)。
+ 您只能将单个 ECS 服务指定为部署目标。
+ 如果参数的值由 CloudFormation 模糊处理,则 CodeDeploy 无法在绿色部署期间更新该参数,并且会导致错误和堆栈更新失败。这些方法包括:
+ 使用 `NoEcho` 属性定义的参数。
+ 使用动态引用从外部服务检索其值的参数。有关动态引用的更多信息,请参阅[使用动态引用获取存储在其他服务中的值](dynamic-references.md)。
+ 要取消仍在进行的绿色部署,请取消 CloudFormation 中的堆栈更新,而不是 CodeDeploy 或 ECS。有关更多信息,请参阅 [取消堆栈更新](using-cfn-stack-update-cancel.md)。更新完成之后,将无法取消它。但是,您可以利用任何先前的设置再次更新堆栈。
+ 定义 ECS 蓝绿部署的模板目前不支持以下 CloudFormation 功能:
+ 声明 [outputs](outputs-section-structure.md) 或使用 [Fn::ImportValue](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-importvalue.html) 导入其他堆栈中的值。
+ 导入资源。有关资源导入的更多信息,请参阅[将 Amazon 资源导入 CloudFormation 堆栈](import-resources.md)。
+ 您不能在包含嵌套堆栈资源的模板中使用 `AWS::CodeDeploy::BlueGreen` 钩子。有关嵌套堆栈的更多信息,请参阅[使用嵌套堆栈将模板拆分为可重复使用的部分](using-cfn-nested-stacks.md)。
+ 在嵌套堆栈中使用 `AWS::CodeDeploy::BlueGreen` 钩子。
# `AWS::CodeDeploy::BlueGreen` 钩子语法
以下语法描述了 ECS 蓝绿部署的 `AWS::CodeDeploy::BlueGreen` 钩子结构。
## 语法
```
"Hooks": {
"Logical ID": {
"Type": "AWS::CodeDeploy::BlueGreen",
"Properties": {
"TrafficRoutingConfig": {
"Type": "Traffic routing type",
"TimeBasedCanary": {
"StepPercentage": Integer,
"BakeTimeMins": Integer
},
"TimeBasedLinear": {
"StepPercentage": Integer,
"BakeTimeMins": Integer
}
},
"AdditionalOptions": {"TerminationWaitTimeInMinutes": Integer},
"LifecycleEventHooks": {
"BeforeInstall": "FunctionName",
"AfterInstall": "FunctionName",
"AfterAllowTestTraffic": "FunctionName",
"BeforeAllowTraffic": "FunctionName",
"AfterAllowTraffic": "FunctionName"
},
"ServiceRole": "CodeDeployServiceRoleName",
"Applications": [
{
"Target": {
"Type": "AWS::ECS::Service",
"LogicalID": "Logical ID of AWS::ECS::Service"
},
"ECSAttributes": {
"TaskDefinitions": [
"Logical ID of AWS::ECS::TaskDefinition (Blue)",
"Logical ID of AWS::ECS::TaskDefinition (Green)"
],
"TaskSets": [
"Logical ID of AWS::ECS::TaskSet (Blue)",
"Logical ID of AWS::ECS::TaskSet (Green)"
],
"TrafficRouting": {
"ProdTrafficRoute": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"LogicalID": "Logical ID of AWS::ElasticLoadBalancingV2::Listener (Production)"
},
"TestTrafficRoute": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"LogicalID": "Logical ID of AWS::ElasticLoadBalancingV2::Listener (Test)"
},
"TargetGroups": [
"Logical ID of AWS::ElasticLoadBalancingV2::TargetGroup (Blue)",
"Logical ID of AWS::ElasticLoadBalancingV2::TargetGroup (Green)"
]
}
}
}
]
}
}
}
```
## 属性
逻辑 ID(也称为*逻辑名称*)
在模板的 `Hooks` 部分中声明的钩子。逻辑 ID 必须为字母数字 (A-Za-z0-9),并且在模板中具有唯一性。
*是否必需*:是
`Type`
挂钩的类型。`AWS::CodeDeploy::BlueGreen`
*是否必需*:是
`Properties`
挂钩的属性。
*是否必需*:是
`TrafficRoutingConfig`
流量路由配置设置。
*必需*:否
默认配置为基于时间的 canary 流量转移,具有 15% 的步骤百分比和五分钟的稳定时间。
`Type`
部署配置使用的流量转移类型。
有效值:AllAtOnce \$1 TimeBasedCanary \$1 TimeBasedLinear
*是否必需*:是
`TimeBasedCanary`
指定一个配置,以两个增量将流量从部署的一个版本转移到另一个版本。
*必需*:如果指定 `TimeBasedCanary` 作为流量路由类型,则必须包含 `TimeBasedCanary` 参数。
`StepPercentage`
在 `TimeBasedCanary` 部署的第一个增量中要转移的流量百分比。步骤百分比必须为 14% 或更大。
*必需*:否
`BakeTimeMins`
`TimeBasedCanary` 部署的第一次和第二次流量转移之间的分钟数。
*必需*:否
`TimeBasedLinear`
指定一个配置,以相等的增量将流量从部署的一个版本转移到另一个版本,每个增量之间的分钟数相等。
*必需*:如果指定 `TimeBasedLinear` 作为流量路由类型,则必须包含 `TimeBasedLinear` 参数。
`StepPercentage`
在 `TimeBasedLinear` 部署的每个增量开始时转移的流量百分比。步骤百分比必须为 14% 或更大。
*必需*:否
`BakeTimeMins`
`TimeBasedLinear` 部署的每次增量流量转移之间的分钟数。
*必需*:否
`AdditionalOptions`
蓝/绿部署的其他选项。
*必需*:否
`TerminationWaitTimeInMinutes`
指定终止蓝色资源之前等待的时间(以分钟为单位)。
*必需*:否
`LifecycleEventHooks`
使用生命周期事件挂钩指定 CodeDeploy 可以调用的用于验证部署的 Lambda 函数。对于部署生命周期事件,您可以使用相同函数或不同函数。验证测试完成后,Lambda `AfterAllowTraffic` 函数会回调 CodeDeploy 并提供 `Succeeded` 或 `Failed` 结果。有关更多信息,请参阅《Amazon CodeDeploy 用户指南》中的 [AppSpec 的“hooks”部分](https://docs.amazonaws.cn/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html)。
*必需*:否
`BeforeInstall`
用于在创建替换任务集之前运行任务的函数。
*必需*:否
`AfterInstall`
用于在创建替换任务集并且其中一个目标组与之关联后运行任务的函数。
*必需*:否
`AfterAllowTestTraffic`
用于在测试侦听器为替换任务集提供流量后运行任务的函数。
*必需*:否
`BeforeAllowTraffic`
用于在第二个目标组与替换任务集关联之后但在流量转移到替换任务集之前运行任务的函数。
*必需*:否
`AfterAllowTraffic`
用于在第二个目标组为替换任务集提供流量后运行任务的函数。
*必需*:否
`ServiceRole`
CloudFormation 用于执行蓝绿部署的执行角色。有关必要权限的列表,请参阅 [蓝绿部署所需的 IAM 权限](about-blue-green-deployments.md#blue-green-iam)。
*必需*:否
`Applications`
指定 Amazon ECS 应用程序的属性。
*是否必需*:是
`Target`
*是否必需*:是
`Type`
资源的类型。
*是否必需*:是
`LogicalID`
资源的逻辑 ID。
*是否必需*:是
`ECSAttributes`
代表 Amazon ECS 应用程序部署的各种需求的资源。
*是否必需*:是
`TaskDefinitions`
运行包含 Amazon ECS 应用程序的 Docker 容器所用的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html) 资源的逻辑 ID。
*是否必需*:是
`TaskSets`
用作应用程序任务集的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html) 资源的逻辑 ID。
*是否必需*:是
`TrafficRouting`
指定用于流量路由的资源。
*是否必需*:是
`ProdTrafficRoute`
负载均衡器将流量定向到目标组所用的侦听器。
*是否必需*:是
`Type`
资源的类型。`AWS::ElasticLoadBalancingV2::Listener`
*是否必需*:是
`LogicalID`
资源的逻辑 ID。
*是否必需*:是
`TestTrafficRoute`
负载均衡器将流量定向到目标组所用的侦听器。
*是否必需*:是
`Type`
资源的类型。`AWS::ElasticLoadBalancingV2::Listener`
*是否必需*:是
`LogicalID`
资源的逻辑 ID。
*必需*:否
`TargetGroups`
用作目标组以将流量传送到注册目标的资源的逻辑 ID。
*是否必需*:是
# 蓝绿部署模板示例
以下示例模板设置了 ECS 上的 CodeDeploy 蓝绿部署,流量路由进度为每个步骤 15%,每个步骤之间的稳定期为 5 分钟。
使用模板创建堆栈将会预置部署的初始配置。如果您随后对 `BlueTaskSet` 资源中需要替换的属性进行了任何更改,则 CloudFormation 会在堆栈更新过程中启动绿色部署。
## JSON
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Parameters":{
"Vpc":{ "Type":"AWS::EC2::VPC::Id" },
"Subnet1":{ "Type":"AWS::EC2::Subnet::Id" },
"Subnet2":{ "Type":"AWS::EC2::Subnet::Id" }
},
"Transform":[ "AWS::CodeDeployBlueGreen" ],
"Hooks":{
"CodeDeployBlueGreenHook":{
"Type":"AWS::CodeDeploy::BlueGreen",
"Properties":{
"TrafficRoutingConfig":{
"Type":"TimeBasedCanary",
"TimeBasedCanary":{
"StepPercentage":15,
"BakeTimeMins":5
}
},
"Applications":[
{
"Target":{
"Type":"AWS::ECS::Service",
"LogicalID":"ECSDemoService"
},
"ECSAttributes":{
"TaskDefinitions":[ "BlueTaskDefinition","GreenTaskDefinition" ],
"TaskSets":[ "BlueTaskSet","GreenTaskSet" ],
"TrafficRouting":{
"ProdTrafficRoute":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"LogicalID":"ALBListenerProdTraffic"
},
"TargetGroups":[ "ALBTargetGroupBlue","ALBTargetGroupGreen" ]
}
}
}
]
}
}
},
"Resources":{
"ExampleSecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"Security group for ec2 access",
"VpcId":{ "Ref":"Vpc" },
"SecurityGroupIngress":[
{
"IpProtocol":"tcp",
"FromPort":80,
"ToPort":80,
"CidrIp":"0.0.0.0/0"
},
{
"IpProtocol":"tcp",
"FromPort":8080,
"ToPort":8080,
"CidrIp":"0.0.0.0/0"
},
{
"IpProtocol":"tcp",
"FromPort":22,
"ToPort":22,
"CidrIp":"0.0.0.0/0"
}
]
}
},
"ALBTargetGroupBlue":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties":{
"HealthCheckIntervalSeconds":5,
"HealthCheckPath":"/",
"HealthCheckPort":"80",
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":2,
"HealthyThresholdCount":2,
"Matcher":{ "HttpCode":"200" },
"Port":80,
"Protocol":"HTTP",
"Tags":[{ "Key":"Group","Value":"Example" }],
"TargetType":"ip",
"UnhealthyThresholdCount":4,
"VpcId":{ "Ref":"Vpc" }
}
},
"ALBTargetGroupGreen":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties":{
"HealthCheckIntervalSeconds":5,
"HealthCheckPath":"/",
"HealthCheckPort":"80",
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":2,
"HealthyThresholdCount":2,
"Matcher":{ "HttpCode":"200" },
"Port":80,
"Protocol":"HTTP",
"Tags":[{ "Key":"Group","Value":"Example" }],
"TargetType":"ip",
"UnhealthyThresholdCount":4,
"VpcId":{ "Ref":"Vpc" }
}
},
"ExampleALB":{
"Type":"AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties":{
"Scheme":"internet-facing",
"SecurityGroups":[{ "Ref":"ExampleSecurityGroup" }],
"Subnets":[{ "Ref":"Subnet1" },{ "Ref":"Subnet2" }],
"Tags":[{ "Key":"Group","Value":"Example" }],
"Type":"application",
"IpAddressType":"ipv4"
}
},
"ALBListenerProdTraffic":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"Properties":{
"DefaultActions":[
{
"Type":"forward",
"ForwardConfig":{
"TargetGroups":[
{
"TargetGroupArn":{ "Ref":"ALBTargetGroupBlue" },
"Weight":1
}
]
}
}
],
"LoadBalancerArn":{ "Ref":"ExampleALB" },
"Port":80,
"Protocol":"HTTP"
}
},
"ALBListenerProdRule":{
"Type":"AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties":{
"Actions":[
{
"Type":"forward",
"ForwardConfig":{
"TargetGroups":[
{
"TargetGroupArn":{ "Ref":"ALBTargetGroupBlue" },
"Weight":1
}
]
}
}
],
"Conditions":[
{
"Field":"http-header",
"HttpHeaderConfig":{
"HttpHeaderName":"User-Agent",
"Values":[ "Mozilla" ]
}
}
],
"ListenerArn":{ "Ref":"ALBListenerProdTraffic" },
"Priority":1
}
},
"ECSTaskExecutionRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Version": "2012-10-17",
"Statement":[
{
"Sid":"",
"Effect":"Allow",
"Principal":{
"Service":"ecs-tasks.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
},
"ManagedPolicyArns":[ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" ]
}
},
"BlueTaskDefinition":{
"Type":"AWS::ECS::TaskDefinition",
"Properties":{
"ExecutionRoleArn":{
"Fn::GetAtt":[ "ECSTaskExecutionRole","Arn" ]
},
"ContainerDefinitions":[
{
"Name":"DemoApp",
"Image":"nginxdemos/hello:latest",
"Essential":true,
"PortMappings":[
{
"HostPort":80,
"Protocol":"tcp",
"ContainerPort":80
}
]
}
],
"RequiresCompatibilities":[ "FARGATE" ],
"NetworkMode":"awsvpc",
"Cpu":"256",
"Memory":"512",
"Family":"ecs-demo"
}
},
"ECSDemoCluster":{
"Type":"AWS::ECS::Cluster",
"Properties":{}
},
"ECSDemoService":{
"Type":"AWS::ECS::Service",
"Properties":{
"Cluster":{ "Ref":"ECSDemoCluster" },
"DesiredCount":1,
"DeploymentController":{ "Type":"EXTERNAL" }
}
},
"BlueTaskSet":{
"Type":"AWS::ECS::TaskSet",
"Properties":{
"Cluster":{ "Ref":"ECSDemoCluster" },
"LaunchType":"FARGATE",
"NetworkConfiguration":{
"AwsVpcConfiguration":{
"AssignPublicIp":"ENABLED",
"SecurityGroups":[{ "Ref":"ExampleSecurityGroup" }],
"Subnets":[{ "Ref":"Subnet1" },{ "Ref":"Subnet2" }]
}
},
"PlatformVersion":"1.4.0",
"Scale":{
"Unit":"PERCENT",
"Value":100
},
"Service":{ "Ref":"ECSDemoService"},
"TaskDefinition":{ "Ref":"BlueTaskDefinition" },
"LoadBalancers":[
{
"ContainerName":"DemoApp",
"ContainerPort":80,
"TargetGroupArn":{ "Ref":"ALBTargetGroupBlue" }
}
]
}
},
"PrimaryTaskSet":{
"Type":"AWS::ECS::PrimaryTaskSet",
"Properties":{
"Cluster":{ "Ref":"ECSDemoCluster" },
"Service":{ "Ref":"ECSDemoService" },
"TaskSetId":{ "Fn::GetAtt":[ "BlueTaskSet","Id" ]
}
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
Vpc:
Type: AWS::EC2::VPC::Id
Subnet1:
Type: AWS::EC2::Subnet::Id
Subnet2:
Type: AWS::EC2::Subnet::Id
Transform:
- 'AWS::CodeDeployBlueGreen'
Hooks:
CodeDeployBlueGreenHook:
Type: AWS::CodeDeploy::BlueGreen
Properties:
TrafficRoutingConfig:
Type: TimeBasedCanary
TimeBasedCanary:
StepPercentage: 15
BakeTimeMins: 5
Applications:
- Target:
Type: AWS::ECS::Service
LogicalID: ECSDemoService
ECSAttributes:
TaskDefinitions:
- BlueTaskDefinition
- GreenTaskDefinition
TaskSets:
- BlueTaskSet
- GreenTaskSet
TrafficRouting:
ProdTrafficRoute:
Type: AWS::ElasticLoadBalancingV2::Listener
LogicalID: ALBListenerProdTraffic
TargetGroups:
- ALBTargetGroupBlue
- ALBTargetGroupGreen
Resources:
ExampleSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for ec2 access
VpcId: !Ref Vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 8080
ToPort: 8080
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
ALBTargetGroupBlue:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 5
HealthCheckPath: /
HealthCheckPort: '80'
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 2
HealthyThresholdCount: 2
Matcher:
HttpCode: '200'
Port: 80
Protocol: HTTP
Tags:
- Key: Group
Value: Example
TargetType: ip
UnhealthyThresholdCount: 4
VpcId: !Ref Vpc
ALBTargetGroupGreen:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 5
HealthCheckPath: /
HealthCheckPort: '80'
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 2
HealthyThresholdCount: 2
Matcher:
HttpCode: '200'
Port: 80
Protocol: HTTP
Tags:
- Key: Group
Value: Example
TargetType: ip
UnhealthyThresholdCount: 4
VpcId: !Ref Vpc
ExampleALB:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
SecurityGroups:
- !Ref ExampleSecurityGroup
Subnets:
- !Ref Subnet1
- !Ref Subnet2
Tags:
- Key: Group
Value: Example
Type: application
IpAddressType: ipv4
ALBListenerProdTraffic:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ALBTargetGroupBlue
Weight: 1
LoadBalancerArn: !Ref ExampleALB
Port: 80
Protocol: HTTP
ALBListenerProdRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ALBTargetGroupBlue
Weight: 1
Conditions:
- Field: http-header
HttpHeaderConfig:
HttpHeaderName: User-Agent
Values:
- Mozilla
ListenerArn: !Ref ALBListenerProdTraffic
Priority: 1
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
BlueTaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
ExecutionRoleArn: !GetAtt
- ECSTaskExecutionRole
- Arn
ContainerDefinitions:
- Name: DemoApp
Image: 'nginxdemos/hello:latest'
Essential: true
PortMappings:
- HostPort: 80
Protocol: tcp
ContainerPort: 80
RequiresCompatibilities:
- FARGATE
NetworkMode: awsvpc
Cpu: '256'
Memory: '512'
Family: ecs-demo
ECSDemoCluster:
Type: AWS::ECS::Cluster
Properties: {}
ECSDemoService:
Type: AWS::ECS::Service
Properties:
Cluster: !Ref ECSDemoCluster
DesiredCount: 1
DeploymentController:
Type: EXTERNAL
BlueTaskSet:
Type: AWS::ECS::TaskSet
Properties:
Cluster: !Ref ECSDemoCluster
LaunchType: FARGATE
NetworkConfiguration:
AwsVpcConfiguration:
AssignPublicIp: ENABLED
SecurityGroups:
- !Ref ExampleSecurityGroup
Subnets:
- !Ref Subnet1
- !Ref Subnet2
PlatformVersion: 1.4.0
Scale:
Unit: PERCENT
Value: 100
Service: !Ref ECSDemoService
TaskDefinition: !Ref BlueTaskDefinition
LoadBalancers:
- ContainerName: DemoApp
ContainerPort: 80
TargetGroupArn: !Ref ALBTargetGroupBlue
PrimaryTaskSet:
Type: AWS::ECS::PrimaryTaskSet
Properties:
Cluster: !Ref ECSDemoCluster
Service: !Ref ECSDemoService
TaskSetId: !GetAtt
- BlueTaskSet
- Id
```
# CloudFormation 模板代码段
本部分提供了很多示例应用场景,您可以用其了解如何声明多种 Amazon CloudFormation 模板部件。您还可以将代码段用作您的自定义模板的起始部分。
**Topics**
+ [
# 通用模板代码段
](quickref-general.md)
+ [
# 自动扩缩 CloudFormation 模板代码段
](quickref-autoscaling.md)
+ [
# Amazon 账单控制台模板代码段
](quickref-billingconductor.md)
+ [
# Amazon CloudFormation 模板代码段
](quickref-cloudformation.md)
+ [
# Amazon CloudFront 模板代码段
](quickref-cloudfront.md)
+ [
# Amazon CloudWatch 模板代码段
](quickref-cloudwatch.md)
+ [
# Amazon CloudWatch Logs 模板代码段
](quickref-cloudwatchlogs.md)
+ [
# Amazon DynamoDB 模板代码段
](quickref-dynamodb.md)
+ [
# Amazon EC2 CloudFormation 模板代码段
](quickref-ec2.md)
+ [
# Amazon Elastic Container Service 示例模板
](quickref-ecs.md)
+ [
# Amazon Elastic File System 示例模板
](quickref-efs.md)
+ [
# Elastic Beanstalk 模板代码段
](quickref-elasticbeanstalk.md)
+ [
# Elastic Load Balancing 模板代码段
](quickref-elb.md)
+ [
# Amazon Identity and Access Management 模板代码段
](quickref-iam.md)
+ [
# Amazon Lambda 模板
](quickref-lambda.md)
+ [
# Amazon Redshift 模板代码段
](quickref-redshift.md)
+ [
# Amazon RDS 模板代码段
](quickref-rds.md)
+ [
# Route 53 模板代码段
](quickref-route53.md)
+ [
# Amazon S3 模板代码段
](quickref-s3.md)
+ [
# Amazon SNS 模板代码段
](quickref-sns.md)
+ [
# Amazon SQS 模板代码段
](scenario-sqs-queue.md)
+ [
# Amazon Timestream 模板代码片段
](scenario-timestream-queue.md)
# 通用模板代码段
以下示例介绍了并非特定于某个 Amazon 服务的不同 CloudFormation 模板功能。
**Topics**
+ [
## Base64 编码的 UserData 属性
](#scenario-userdata-base64)
+ [
## 使用 Base64 编码的 UserData 属性,具有 AccessKey 和 SecretKey
](#scenario-userdata-base64-with-keys)
+ [
## 含一个文字字符串参数的 Parameters 部分
](#scenario-one-string-parameter)
+ [
## 含有带正则表达式约束的字符串参数的 Parameters 部分
](#scenario-constraint-string-parameter)
+ [
## 含有数字参数的 Parameters 部分,带有 MinValue 和 MaxValue 约束
](#scenario-one-number-min-parameter)
+ [
## 含有数字参数的 Parameters 部分,带有 AllowedValues 约束
](#scenario-one-number-parameter)
+ [
## 含一个文字 CommaDelimitedList 参数的 Parameters 部分
](#scenario-one-list-parameter)
+ [
## 包含基于伪参数的参数值的 Parameters 部分
](#scenario-one-pseudo-parameter)
+ [
## 带有三个映射的 Mapping 部分
](#scenario-mapping-with-four-maps)
+ [
## 基于文字字符串的 Description
](#scenario-description-from-literal-string)
+ [
## 带有一个文件字符串输出的 Outputs 部分
](#scenario-output-with-literal-string)
+ [
## 包含一个资源引用和一个伪参数输出的 Outputs 部分
](#scenario-output-with-ref-and-pseudo-ref)
+ [
## 包含一个基于函数的输出、一个文字字符串、一个引用和一个伪参数的 Outputs 部分
](#scenario-output-with-complex-spec)
+ [
## 模板格式版本
](#scenario-format-version)
+ [
## Amazon Tags 属性
](#scenario-format-aws-tag)
## Base64 编码的 UserData 属性
此示例演示了使用 `Fn::Base64` 和 `Fn::Join` 函数的 `UserData` 属性集合。引用 `MyValue` 和 `MyName` 是必须要在模板的 `Parameters` 部分定义的参数。文字字符串 `Hello World` 只是此示例传输作为 `UserData` 的一部分的另一个值。
### JSON
```
1. "UserData" : {
2. "Fn::Base64" : {
3. "Fn::Join" : [ ",", [
4. { "Ref" : "MyValue" },
5. { "Ref" : "MyName" },
6. "Hello World" ] ]
7. }
8. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. Ref: MyValue
4. Ref: MyName
5. Hello World
```
## 使用 Base64 编码的 UserData 属性,具有 AccessKey 和 SecretKey
此示例演示了使用 `Fn::Base64` 和 `Fn::Join` 函数的 `UserData` 属性集合。它包含 `AccessKey` 和 `SecretKey` 信息。参考 `AccessKey` 和 `SecretKey` 是必须要在模板的 Parameters 部分中定义的参数。
### JSON
```
1. "UserData" : {
2. "Fn::Base64" : {
3. "Fn::Join" : [ "", [
4. "ACCESS_KEY=", { "Ref" : "AccessKey" },
5. "SECRET_KEY=", { "Ref" : "SecretKey" } ]
6. ]
7. }
8. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. ACCESS_KEY=${AccessKey}
4. SECRET_KEY=${SecretKey}
```
## 含一个文字字符串参数的 Parameters 部分
以下示例描述了有效的 Parameters 部分声明,其中声明有单个 `String` 类型参数。
### JSON
```
1. "Parameters" : {
2. "UserName" : {
3. "Type" : "String",
4. "Default" : "nonadmin",
5. "Description" : "Assume a vanilla user if no command-line spec provided"
6. }
7. }
```
### YAML
```
1. Parameters:
2. UserName:
3. Type: String
4. Default: nonadmin
5. Description: Assume a vanilla user if no command-line spec provided
```
## 含有带正则表达式约束的字符串参数的 Parameters 部分
以下示例描述了有效的 Parameters 部分声明,其中声明有单个 `String` 类型参数。`AdminUserAccount` 参数的默认值为 `admin`。参数值的最小长度必须为 1,最大长度必须为 16,且其中包含字母字符和数字,但必须以字母字符开头。
### JSON
```
1. "Parameters" : {
2. "AdminUserAccount": {
3. "Default": "admin",
4. "NoEcho": "true",
5. "Description" : "The admin account user name",
6. "Type": "String",
7. "MinLength": "1",
8. "MaxLength": "16",
9. "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*"
10. }
11. }
```
### YAML
```
1. Parameters:
2. AdminUserAccount:
3. Default: admin
4. NoEcho: true
5. Description: The admin account user name
6. Type: String
7. MinLength: 1
8. MaxLength: 16
9. AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
```
## 含有数字参数的 Parameters 部分,带有 MinValue 和 MaxValue 约束
以下示例描述了有效的 Parameters 部分声明,其中声明有单个 `Number` 类型参数。`WebServerPort` 参数的默认值为 80,最小值为 1,最大值为 65535。
### JSON
```
1. "Parameters" : {
2. "WebServerPort": {
3. "Default": "80",
4. "Description" : "TCP/IP port for the web server",
5. "Type": "Number",
6. "MinValue": "1",
7. "MaxValue": "65535"
8. }
9. }
```
### YAML
```
1. Parameters:
2. WebServerPort:
3. Default: 80
4. Description: TCP/IP port for the web server
5. Type: Number
6. MinValue: 1
7. MaxValue: 65535
```
## 含有数字参数的 Parameters 部分,带有 AllowedValues 约束
以下示例描述了有效的 Parameters 部分声明,其中声明有单个 `Number` 类型参数。`WebServerPort` 参数的默认值为 80,且只允许值 80 和 8888。
### JSON
```
1. "Parameters" : {
2. "WebServerPortLimited": {
3. "Default": "80",
4. "Description" : "TCP/IP port for the web server",
5. "Type": "Number",
6. "AllowedValues" : ["80", "8888"]
7. }
8. }
```
### YAML
```
1. Parameters:
2. WebServerPortLimited:
3. Default: 80
4. Description: TCP/IP port for the web server
5. Type: Number
6. AllowedValues:
7. - 80
8. - 8888
```
## 含一个文字 CommaDelimitedList 参数的 Parameters 部分
以下示例描述了有效的 `Parameters` 部分声明,其中声明了单个 `CommaDelimitedList` 类型参数。`NoEcho` 属性设置为 `TRUE`,该属性将使用 **describe-stacks** 输出中的星号(\$1\$1\$1\$1\$1)掩盖其值,但存储在下面指定位置的信息除外。
**重要**
使用 `NoEcho` 属性不会遮蔽在以下各区段中存储的任何信息:
`Metadata` 模板区段。CloudFormation 不会转换、修改或编辑您在 `Metadata` 部分中包含的任何信息。有关更多信息,请参阅 [Metadata](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html)。
`Outputs` 模板区段。有关更多信息,请参阅 [Outputs](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html)。
资源定义的 `Metadata` 属性。有关更多信息,请参阅 [`Metadata` 属性](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html)。
强烈建议您不要使用这些机制来包含敏感信息,例如密码。
**重要**
我们建议不要将敏感信息直接嵌入 CloudFormation 模板中,而应使用堆栈模板中的动态参数来引用在 CloudFormation 外部存储和管理的敏感信息,例如 Amazon Systems Manager Parameter Store 或 Amazon Secrets Manager 中的敏感信息。
有关更多信息,请参阅[请勿将凭证嵌入您的模板](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds)最佳实践。
### JSON
```
1. "Parameters" : {
2. "UserRoles" : {
3. "Type" : "CommaDelimitedList",
4. "Default" : "guest,newhire",
5. "NoEcho" : "TRUE"
6. }
7. }
```
### YAML
```
1. Parameters:
2. UserRoles:
3. Type: CommaDelimitedList
4. Default: "guest,newhire"
5. NoEcho: true
```
## 包含基于伪参数的参数值的 Parameters 部分
以下示例说明 EC2 用户数据中使用伪参数 `AWS::StackName` 和 `AWS::Region` 的命令。有关伪参数的更多信息,请参阅[使用伪参数获取 Amazon 值](pseudo-parameter-reference.md)。
### JSON
```
1. "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
2. "#!/bin/bash -xe\n",
3. "yum install -y aws-cfn-bootstrap\n",
4.
5. "/opt/aws/bin/cfn-init -v ",
6. " --stack ", { "Ref" : "AWS::StackName" },
7. " --resource LaunchConfig ",
8. " --region ", { "Ref" : "AWS::Region" }, "\n",
9.
10. "/opt/aws/bin/cfn-signal -e $? ",
11. " --stack ", { "Ref" : "AWS::StackName" },
12. " --resource WebServerGroup ",
13. " --region ", { "Ref" : "AWS::Region" }, "\n"
14. ]]}}
15. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. #!/bin/bash -xe
4. yum update -y aws-cfn-bootstrap
5. /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --region ${AWS::Region}
6. /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}
```
## 带有三个映射的 Mapping 部分
以下示例描述了其中包含三个映射的有效 `Mapping` 部分声明。映射在与 `Stop`、`SlowDown` 或 `Go` 映射密钥匹配时提供分配至相应 `RGBColor` 属性的 RGB 值。
### JSON
```
1. "Mappings" : {
2. "LightColor" : {
3. "Stop" : {
4. "Description" : "red",
5. "RGBColor" : "RED 255 GREEN 0 BLUE 0"
6. },
7. "SlowDown" : {
8. "Description" : "yellow",
9. "RGBColor" : "RED 255 GREEN 255 BLUE 0"
10. },
11. "Go" : {
12. "Description" : "green",
13. "RGBColor" : "RED 0 GREEN 128 BLUE 0"
14. }
15. }
16. }
```
### YAML
```
1. Mappings:
2. LightColor:
3. Stop:
4. Description: red
5. RGBColor: "RED 255 GREEN 0 BLUE 0"
6. SlowDown:
7. Description: yellow
8. RGBColor: "RED 255 GREEN 255 BLUE 0"
9. Go:
10. Description: green
11. RGBColor: "RED 0 GREEN 128 BLUE 0"
```
## 基于文字字符串的 Description
以下示例描述了有效的 `Description` 部分声明,其中的值基于文字字符串。此代码段可用于模板、参数、资源、属性或输出。
### JSON
```
1. "Description" : "Replace this value"
```
### YAML
```
1. Description: "Replace this value"
```
## 带有一个文件字符串输出的 Outputs 部分
此示例显示的是基于文字字符串的输出分配。
### JSON
```
1. "Outputs" : {
2. "MyPhone" : {
3. "Value" : "Please call 555-5555",
4. "Description" : "A random message for aws cloudformation describe-stacks"
5. }
6. }
```
### YAML
```
1. Outputs:
2. MyPhone:
3. Value: Please call 555-5555
4. Description: A random message for aws cloudformation describe-stacks
```
## 包含一个资源引用和一个伪参数输出的 Outputs 部分
此示例显示的是含有两个输出分配的 `Outputs` 部分。一个基于资源,另一个基于伪引用。
### JSON
```
1. "Outputs" : {
2. "SNSTopic" : { "Value" : { "Ref" : "MyNotificationTopic" } },
3. "StackName" : { "Value" : { "Ref" : "AWS::StackName" } }
4. }
```
### YAML
```
1. Outputs:
2. SNSTopic:
3. Value: !Ref MyNotificationTopic
4. StackName:
5. Value: !Ref AWS::StackName
```
## 包含一个基于函数的输出、一个文字字符串、一个引用和一个伪参数的 Outputs 部分
此示例显示的是带有一个输出分配的输出部分。Join 函数用于连接值,将百分比符号用作分隔符。
### JSON
```
1. "Outputs" : {
2. "MyOutput" : {
3. "Value" : { "Fn::Join" :
4. [ "%", [ "A-string", {"Ref" : "AWS::StackName" } ] ]
5. }
6. }
7. }
```
### YAML
```
1. Outputs:
2. MyOutput:
3. Value: !Join [ %, [ 'A-string', !Ref 'AWS::StackName' ]]
```
## 模板格式版本
以下代码段描述了有效的 `AWSTemplateFormatVersion` 部分声明。
### JSON
```
1. "AWSTemplateFormatVersion" : "2010-09-09"
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
```
## Amazon Tags 属性
本示例将展示 Amazon `Tags` 属性。您将在资源的 Properties 部分中执行该属性。资源被创建后,会标上您声明的标签。
### JSON
```
1. "Tags" : [
2. {
3. "Key" : "keyname1",
4. "Value" : "value1"
5. },
6. {
7. "Key" : "keyname2",
8. "Value" : "value2"
9. }
10. ]
```
### YAML
```
1. Tags:
2. -
3. Key: "keyname1"
4. Value: "value1"
5. -
6. Key: "keyname2"
7. Value: "value2"
```
# 自动扩缩 CloudFormation 模板代码段
凭借 Amazon EC2 Auto Scaling,您可以通过扩缩策略或计划扩缩自动扩缩 Amazon EC2 实例。自动扩缩组是 Amazon EC2 实例的集合,这些实例支持自动扩缩和实例集管理功能,例如例如扩缩策略、计划操作、运行状况检查、生命周期挂钩和负载平衡。
Application Auto Scaling 通过扩展策略或计划扩展,可以自动扩展 Amazon EC2 以外的其他资源。
您可以使用 Amazon CloudFormation 模板创建和配置自动扩缩组、扩缩策略、计划操作以及其他自动扩缩资源,将其作为基础架构的一部分。模板可以让您轻松地以可重复且一致的方式管理和自动部署自动扩缩资源。
以下示例模板代码段描述了 Amazon EC2 Auto Scaling 和 Application Auto Scaling 的 Amazon CloudFormation 资源或组件。这些代码段旨在集成到模板中,不打算独立运行。
**Topics**
+ [配置 Amazon EC2 Auto Scaling 资源](quickref-ec2-auto-scaling.md)
+ [配置 Application Auto Scaling 资源](quickref-application-auto-scaling.md)
# 使用 Amazon CloudFormation 配置 Amazon EC2 Auto Scaling 资源
以下示例演示了要包含在模板中的不同代码段,以便与 Amazon EC2 Auto Scaling 一起使用。
**Topics**
+ [
## 创建单个实例自动扩缩组
](#scenario-single-instance-as-group)
+ [
## 创建具有附加负载均衡器的自动扩缩组
](#scenario-as-group)
+ [
## 创建具有通知的自动扩缩组
](#scenario-as-notification)
+ [
## 创建使用 `CreationPolicy` 和 `UpdatePolicy` 的自动扩缩组
](#scenario-as-updatepolicy)
+ [
## 创建分步扩缩策略
](#scenario-step-scaling-policy)
+ [
## 混合实例组示例
](#scenario-mixed-instances-group-template-examples)
+ [
## 启动配置示例
](#scenario-launch-config-template-examples)
## 创建单个实例自动扩缩组
此示例显示具有单个实例的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源以帮助您开始使用。自动扩缩组的 `VPCZoneIdentifier` 属性指定三个不同可用区中的一系列现有子网。在创建堆栈之前,必须先从您的账户指定适用的子网 ID。`LaunchTemplate` 属性引用具有在模板其他位置中定义的逻辑名称 `myLaunchTemplate` 的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源。
**注意**
有关启动模板的示例,请参阅 Amazon EC2 代码段部分中的 [使用 CloudFormation 创建启动模板](quickref-ec2-launch-templates.md) 和 `AWS::EC2::LaunchTemplate` 资源中的[示例](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples)部分。
### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
5. "LaunchTemplate" : {
6. "LaunchTemplateId" : {
7. "Ref" : "myLaunchTemplate"
8. },
9. "Version" : {
10. "Fn::GetAtt" : [
11. "myLaunchTemplate",
12. "LatestVersionNumber"
13. ]
14. }
15. },
16. "MaxSize" : "1",
17. "MinSize" : "1"
18. }
19. }
```
### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - subnetIdAz1
6. - subnetIdAz2
7. - subnetIdAz3
8. LaunchTemplate:
9. LaunchTemplateId: !Ref myLaunchTemplate
10. Version: !GetAtt myLaunchTemplate.LatestVersionNumber
11. MaxSize: '1'
12. MinSize: '1'
```
## 创建具有附加负载均衡器的自动扩缩组
此示例显示了用于在多个服务器之间实现负载均衡的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源。它指定在同一模板中的其他位置声明的 Amazon 资源的逻辑名称。
1. `VPCZoneIdentifier` 属性指定将在其中创建自动扩缩组的 EC2 实例的两个 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) 资源的逻辑名称:`myPublicSubnet1` 和 `myPublicSubnet2`。
1. `LaunchTemplate` 属性指定具有逻辑名称 `myLaunchTemplate` 的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源。
1. `TargetGroupARNs` 属性列出用于将流量路由到自动扩缩组的应用程序负载均衡器或网络负载均衡器的目标组。在此示例中,指定了一个目标组,即具有逻辑名称 `myTargetGroup` 的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) 资源。
### JSON
```
1. "myServerGroup" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ { "Ref" : "myPublicSubnet1" }, { "Ref" : "myPublicSubnet2" } ],
5. "LaunchTemplate" : {
6. "LaunchTemplateId" : {
7. "Ref" : "myLaunchTemplate"
8. },
9. "Version" : {
10. "Fn::GetAtt" : [
11. "myLaunchTemplate",
12. "LatestVersionNumber"
13. ]
14. }
15. },
16. "MaxSize" : "5",
17. "MinSize" : "1",
18. "TargetGroupARNs" : [ { "Ref" : "myTargetGroup" } ]
19. }
20. }
```
### YAML
```
1. myServerGroup:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - !Ref myPublicSubnet1
6. - !Ref myPublicSubnet2
7. LaunchTemplate:
8. LaunchTemplateId: !Ref myLaunchTemplate
9. Version: !GetAtt myLaunchTemplate.LatestVersionNumber
10. MaxSize: '5'
11. MinSize: '1'
12. TargetGroupARNs:
13. - !Ref myTargetGroup
```
### 另请参阅
有关根据 `ALBRequestCountPerTarget` 预定义指标为应用程序负载均衡器创建具有目标跟踪扩展策略的自动扩缩组的详细示例,请参阅 `AWS::AutoScaling::ScalingPolicy` 资源中的[示例](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples)部分。
## 创建具有通知的自动扩缩组
此示例显示的是在指定事件发生时发送 Amazon SNS 通知的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源。`NotificationConfigurations` 属性指定 Amazon CloudFormation 在其中发送通知的 SNS 主题和将导致 Amazon CloudFormation 发送通知的事件。当 `NotificationTypes` 指定的事件发生时,Amazon CloudFormation 会发送一条通知至 `TopicARN` 指定的 SNS 主题中。启动堆栈时,Amazon CloudFormation 会创建在同一模板中声明的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html) 资源(`snsTopicForAutoScalingGroup`)。
自动扩缩组的 `VPCZoneIdentifier` 属性指定三个不同可用区中的一系列现有子网。在创建堆栈之前,必须先从您的账户指定适用的子网 ID。`LaunchTemplate` 属性引用在同一模板中的其他位置声明的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源的逻辑名称。
### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "DependsOn": [
4. "snsTopicForAutoScalingGroup"
5. ],
6. "Properties" : {
7. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
8. "LaunchTemplate" : {
9. "LaunchTemplateId" : {
10. "Ref" : "logicalName"
11. },
12. "Version" : {
13. "Fn::GetAtt" : [
14. "logicalName",
15. "LatestVersionNumber"
16. ]
17. }
18. },
19. "MaxSize" : "5",
20. "MinSize" : "1",
21. "NotificationConfigurations" : [
22. {
23. "TopicARN" : { "Ref" : "snsTopicForAutoScalingGroup" },
24. "NotificationTypes" : [
25. "autoscaling:EC2_INSTANCE_LAUNCH",
26. "autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
27. "autoscaling:EC2_INSTANCE_TERMINATE",
28. "autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
29. "autoscaling:TEST_NOTIFICATION"
30. ]
31. }
32. ]
33. }
34. }
```
### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. DependsOn:
4. - snsTopicForAutoScalingGroup
5. Properties:
6. VPCZoneIdentifier:
7. - subnetIdAz1
8. - subnetIdAz2
9. - subnetIdAz3
10. LaunchTemplate:
11. LaunchTemplateId: !Ref logicalName
12. Version: !GetAtt logicalName.LatestVersionNumber
13. MaxSize: '5'
14. MinSize: '1'
15. NotificationConfigurations:
16. - TopicARN: !Ref snsTopicForAutoScalingGroup
17. NotificationTypes:
18. - autoscaling:EC2_INSTANCE_LAUNCH
19. - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
20. - autoscaling:EC2_INSTANCE_TERMINATE
21. - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
22. - autoscaling:TEST_NOTIFICATION
```
## 创建使用 `CreationPolicy` 和 `UpdatePolicy` 的自动扩缩组
以下示例演示如何将 `CreationPolicy` 和 `UpdatePolicy` 属性添加到 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源。
示例创建策略会阻止自动扩缩组达到 `CREATE_COMPLETE` 状态,直到 Amazon CloudFormation 在该组准备就绪后收到 `Count` 个成功信号。要发出自动扩缩组已就绪的信号,在实例上运行添加到启动模板用户数据(未显示)的 `cfn-signal` 帮助程序脚本。如果实例未在规定的 `Timeout` 内发送信号,则 CloudFormation 假设未创建实例、资源创建失败和 CloudFormation 回滚堆栈。
示例更新策略指示 CloudFormation 使用 `AutoScalingRollingUpdate` 属性执行滚动更新。滚动更新根据 `MaxBatchSize` 和基于 `PauseTime` 的更新批次之间的暂停时间以小批量的方式更改自动扩缩组(在本示例中,为逐个实例更改)。`MinInstancesInService` 属性指定当 CloudFormation 更新旧实例时,自动扩缩组内必须处于服务状态的实例的最小数量。
`WaitOnResourceSignals` 属性设置为 `true`。CloudFormation 必须在指定的 `PauseTime` 内收到每个新实例的信号,才能继续更新。在执行堆栈更新时,以下 EC2 Auto Scaling 进程会暂停:`HealthCheck`、`ReplaceUnhealthy`、`AZRebalance`、`AlarmNotification` 和 `ScheduledActions`。注意:不要暂停 `Launch`、`Terminate` 或 `AddToLoadBalancer` (如果自动扩缩组正在与 Elastic Load Balancing 一起使用)进程类型,因为这样做会使滚动更新无法正常工作。
自动扩缩组的 `VPCZoneIdentifier` 属性指定三个不同可用区中的一系列现有子网。在创建堆栈之前,必须先从您的账户指定适用的子网 ID。`LaunchTemplate` 属性引用在同一模板中的其他位置声明的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源的逻辑名称。
有关 `CreationPolicy` 和 `UpdatePolicy` 属性的更多信息,请参阅[资源属性引用](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-product-attribute-reference.html)。
### JSON
```
{
"Resources":{
"myASG":{
"CreationPolicy":{
"ResourceSignal":{
"Count":"3",
"Timeout":"PT15M"
}
},
"UpdatePolicy":{
"AutoScalingRollingUpdate":{
"MinInstancesInService":"3",
"MaxBatchSize":"1",
"PauseTime":"PT12M5S",
"WaitOnResourceSignals":"true",
"SuspendProcesses":[
"HealthCheck",
"ReplaceUnhealthy",
"AZRebalance",
"AlarmNotification",
"ScheduledActions",
"InstanceRefresh"
]
}
},
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"VPCZoneIdentifier":[ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
"LaunchTemplate":{
"LaunchTemplateId":{
"Ref":"logicalName"
},
"Version":{
"Fn::GetAtt":[
"logicalName",
"LatestVersionNumber"
]
}
},
"MaxSize":"5",
"MinSize":"3"
}
}
}
}
```
### YAML
```
---
Resources:
myASG:
CreationPolicy:
ResourceSignal:
Count: '3'
Timeout: PT15M
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: '3'
MaxBatchSize: '1'
PauseTime: PT12M5S
WaitOnResourceSignals: true
SuspendProcesses:
- HealthCheck
- ReplaceUnhealthy
- AZRebalance
- AlarmNotification
- ScheduledActions
- InstanceRefresh
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
VPCZoneIdentifier:
- subnetIdAz1
- subnetIdAz2
- subnetIdAz3
LaunchTemplate:
LaunchTemplateId: !Ref logicalName
Version: !GetAtt logicalName.LatestVersionNumber
MaxSize: '5'
MinSize: '3'
```
## 创建分步扩缩策略
此示例显示了使用分步扩缩策略横向扩展自动扩缩组的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html) 资源。`AdjustmentType` 属性指定 `ChangeInCapacity`,这表示 `ScalingAdjustment` 代表待添加(如果 `ScalingAdjustment` 为正值)或待删除(如果它为负值)实例的数量。在此示例中,`ScalingAdjustment` 为 1;因此,当超出警报阈值时,策略会将组中 EC2 实例的数量增加 1。
[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html) 资源 `CPUAlarmHigh` 指定扩缩策略 `ASGScalingPolicyHigh` 作为警报处于 ALARM 状态时要运行的操作(`AlarmActions`)。`Dimensions` 属性引用在同一模板中的其他位置声明的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源的逻辑名称。
### JSON
```
1. {
2. "Resources":{
3. "ASGScalingPolicyHigh":{
4. "Type":"AWS::AutoScaling::ScalingPolicy",
5. "Properties":{
6. "AutoScalingGroupName":{ "Ref":"logicalName" },
7. "PolicyType":"StepScaling",
8. "AdjustmentType":"ChangeInCapacity",
9. "StepAdjustments":[
10. {
11. "MetricIntervalLowerBound":0,
12. "ScalingAdjustment":1
13. }
14. ]
15. }
16. },
17. "CPUAlarmHigh":{
18. "Type":"AWS::CloudWatch::Alarm",
19. "Properties":{
20. "EvaluationPeriods":"2",
21. "Statistic":"Average",
22. "Threshold":"90",
23. "AlarmDescription":"Scale out if CPU > 90% for 2 minutes",
24. "Period":"60",
25. "AlarmActions":[ { "Ref":"ASGScalingPolicyHigh" } ],
26. "Namespace":"AWS/EC2",
27. "Dimensions":[
28. {
29. "Name":"AutoScalingGroupName",
30. "Value":{ "Ref":"logicalName" }
31. }
32. ],
33. "ComparisonOperator":"GreaterThanThreshold",
34. "MetricName":"CPUUtilization"
35. }
36. }
37. }
38. }
```
### YAML
```
1. ---
2. Resources:
3. ASGScalingPolicyHigh:
4. Type: AWS::AutoScaling::ScalingPolicy
5. Properties:
6. AutoScalingGroupName: !Ref logicalName
7. PolicyType: StepScaling
8. AdjustmentType: ChangeInCapacity
9. StepAdjustments:
10. - MetricIntervalLowerBound: 0
11. ScalingAdjustment: 1
12. CPUAlarmHigh:
13. Type: AWS::CloudWatch::Alarm
14. Properties:
15. EvaluationPeriods: 2
16. Statistic: Average
17. Threshold: 90
18. AlarmDescription: 'Scale out if CPU > 90% for 2 minutes'
19. Period: 60
20. AlarmActions:
21. - !Ref ASGScalingPolicyHigh
22. Namespace: AWS/EC2
23. Dimensions:
24. - Name: AutoScalingGroupName
25. Value:
26. !Ref logicalName
27. ComparisonOperator: GreaterThanThreshold
28. MetricName: CPUUtilization
```
### 另请参阅
有关扩展策略的更多示例模板,请参阅 `AWS::AutoScaling::ScalingPolicy` 资源中的[示例](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples)部分。
## 混合实例组示例
### 使用基于属性的实例类型选择创建自动扩缩组
此示例显示了 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源,其中包含使用基于属性的实例类型选择启动混合实例组的信息。您指定了 `VCpuCount` 属性的最小值和最大值,以及 `MemoryMiB` 属性的最小值。自动扩缩组使用的所有实例类型都必须与您所需实例的属性匹配。
自动扩缩组的 `VPCZoneIdentifier` 属性指定三个不同可用区中的一系列现有子网。在创建堆栈之前,必须先从您的账户指定适用的子网 ID。`LaunchTemplate` 属性引用在同一模板中的其他位置声明的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源的逻辑名称。
#### JSON
```
1. {
2. "Resources":{
3. "myASG":{
4. "Type":"AWS::AutoScaling::AutoScalingGroup",
5. "Properties":{
6. "VPCZoneIdentifier":[
7. "subnetIdAz1",
8. "subnetIdAz2",
9. "subnetIdAz3"
10. ],
11. "MixedInstancesPolicy":{
12. "LaunchTemplate":{
13. "LaunchTemplateSpecification":{
14. "LaunchTemplateId":{
15. "Ref":"logicalName"
16. },
17. "Version":{
18. "Fn::GetAtt":[
19. "logicalName",
20. "LatestVersionNumber"
21. ]
22. }
23. },
24. "Overrides":[
25. {
26. "InstanceRequirements":{
27. "VCpuCount":{
28. "Min":2,
29. "Max":4
30. },
31. "MemoryMiB":{
32. "Min":2048
33. }
34. }
35. }
36. ]
37. }
38. },
39. "MaxSize":"5",
40. "MinSize":"1"
41. }
42. }
43. }
44. }
```
#### YAML
```
1. ---
2. Resources:
3. myASG:
4. Type: AWS::AutoScaling::AutoScalingGroup
5. Properties:
6. VPCZoneIdentifier:
7. - subnetIdAz1
8. - subnetIdAz2
9. - subnetIdAz3
10. MixedInstancesPolicy:
11. LaunchTemplate:
12. LaunchTemplateSpecification:
13. LaunchTemplateId: !Ref logicalName
14. Version: !GetAtt logicalName.LatestVersionNumber
15. Overrides:
16. - InstanceRequirements:
17. VCpuCount:
18. Min: 2
19. Max: 4
20. MemoryMiB:
21. Min: 2048
22. MaxSize: '5'
23. MinSize: '1'
```
## 启动配置示例
### 创建启动配置
此示例显示了自动扩缩组的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) 资源,您可以在其中指定 `ImageId`、`InstanceType` 和 `SecurityGroups` 属性的值。`SecurityGroups` 属性指定在模板中其他位置指定的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源的逻辑名称,以及名为 `myExistingEC2SecurityGroup` 的现有 EC2 安全组。
#### JSON
```
1. "mySimpleConfig" : {
2. "Type" : "AWS::AutoScaling::LaunchConfiguration",
3. "Properties" : {
4. "ImageId" : "ami-02354e95b3example",
5. "InstanceType" : "t3.micro",
6. "SecurityGroups" : [ { "Ref" : "logicalName" }, "myExistingEC2SecurityGroup" ]
7. }
8. }
```
#### YAML
```
1. mySimpleConfig:
2. Type: AWS::AutoScaling::LaunchConfiguration
3. Properties:
4. ImageId: ami-02354e95b3example
5. InstanceType: t3.micro
6. SecurityGroups:
7. - !Ref logicalName
8. - myExistingEC2SecurityGroup
```
### 使用启动配置创建自动扩缩组
此示例显示具有单个实例的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) 资源。自动扩缩组的 `VPCZoneIdentifier` 属性指定三个不同可用区中的一系列现有子网。在创建堆栈之前,必须先从您的账户指定适用的子网 ID。`LaunchConfigurationName` 属性引用具有在模板中定义的逻辑名称 `mySimpleConfig` 的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) 资源。
#### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
5. "LaunchConfigurationName" : { "Ref" : "mySimpleConfig" },
6. "MaxSize" : "1",
7. "MinSize" : "1"
8. }
9. }
```
#### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - subnetIdAz1
6. - subnetIdAz2
7. - subnetIdAz3
8. LaunchConfigurationName: !Ref mySimpleConfig
9. MaxSize: '1'
10. MinSize: '1'
```
# 使用 Amazon CloudFormation 配置 Application Auto Scaling 资源
本节为不同 Amazon 资源的 Application Auto Scaling 扩展策略和计划操作提供了 Amazon CloudFormation 模板示例。
**重要**
当模板中包含 Application Auto Scaling 代码段时,您可能需要使用 `DependsOn` 属性声明对通过模板创建的特定可扩展资源的依赖关系。这将覆盖默认并行度,并指示 Amazon CloudFormation 按指定的顺序对资源进行操作。否则,可能会在完全设置资源之前应用扩展配置。
有关更多信息,请参阅 [DependsOn 属性](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-attribute-dependson.html)。
**Topics**
+ [
## 创建 AppStream 实例集的扩缩策略
](#w2aac11c41c15c19b9)
+ [
## 为 Aurora 数据库集群创建扩缩策略
](#w2aac11c41c15c19c11)
+ [
## 创建 DynamoDB 表的扩缩策略
](#w2aac11c41c15c19c13)
+ [
## 创建 Amazon ECS 服务的扩缩策略(指标:平均 CPU 和内存)
](#w2aac11c41c15c19c15)
+ [
## 创建 Amazon ECS 服务的扩缩策略(指标:每个目标的平均请求数)
](#w2aac11c41c15c19c17)
+ [
## 使用 Lambda 函数的 cron 表达式创建计划操作
](#w2aac11c41c15c19c19)
+ [
## 使用竞价型实例集的 `at` 表达式创建计划操作
](#w2aac11c41c15c19c21)
## 创建 AppStream 实例集的扩缩策略
此代码段说明如何创建策略并将其应用于使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) 资源的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html) 资源。[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) 资源声明一个应用此策略的可扩展目标。Application Auto Scaling 可以扩展队列实例数,最少为 1 个实例,最多为 20 个实例。该策略将实例集的平均容量利用率保持在 75%,横向扩展和横向缩减冷却时间为 300 秒(5 分钟)。
此示例利用 `Fn::Join` 和 `Rev` 内置函数,使用在同一模板中指定的 `AWS::AppStream::Fleet` 资源的逻辑名称来构造 `ResourceId` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
### JSON
```
{
"Resources" : {
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 20,
"MinCapacity" : 1,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet" },
"ServiceNamespace" : "appstream",
"ScalableDimension" : "appstream:fleet:DesiredCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"fleet",
{
"Ref" : "logicalName"
}
]
]
}
}
},
"ScalingPolicyAppStreamFleet" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu75" },
"PolicyType" : "TargetTrackingScaling",
"ServiceNamespace" : "appstream",
"ScalableDimension" : "appstream:fleet:DesiredCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"fleet",
{
"Ref" : "logicalName"
}
]
]
},
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 75,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "AppStreamAverageCapacityUtilization"
},
"ScaleInCooldown" : 300,
"ScaleOutCooldown" : 300
}
}
}
}
}
```
### YAML
```
---
Resources:
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 20
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet'
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: !Join
- /
- - fleet
- !Ref logicalName
ScalingPolicyAppStreamFleet:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu75
PolicyType: TargetTrackingScaling
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: !Join
- /
- - fleet
- !Ref logicalName
TargetTrackingScalingPolicyConfiguration:
TargetValue: 75
PredefinedMetricSpecification:
PredefinedMetricType: AppStreamAverageCapacityUtilization
ScaleInCooldown: 300
ScaleOutCooldown: 300
```
## 为 Aurora 数据库集群创建扩缩策略
在此代码段中,您注册了 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html) 资源。[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) 资源表示应动态扩展数据库集群以具有 1-8 个 Aurora 副本。您还可以使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) 资源将目标跟踪扩缩策略应用到集群。
在此配置中,`RDSReaderAverageCPUUtilization` 预定义指标用于根据 Aurora 数据库集群中所有 Aurora 副本上 40% 的平均 CPU 利用率来调整该 Aurora 数据库集群。该配置将缩减冷却时间指定为 10 分钟,并将扩展冷却时间指定为 5 分钟。
此示例利用 `Fn::Sub` 内置函数,使用在同一模板中指定的 `AWS::RDS::DBCluster` 资源的逻辑名称来构造 `ResourceId` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
### JSON
```
{
"Resources" : {
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 8,
"MinCapacity" : 1,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster" },
"ServiceNamespace" : "rds",
"ScalableDimension" : "rds:cluster:ReadReplicaCount",
"ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" }
}
},
"ScalingPolicyDBCluster" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu40" },
"PolicyType" : "TargetTrackingScaling",
"ServiceNamespace" : "rds",
"ScalableDimension" : "rds:cluster:ReadReplicaCount",
"ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 40,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "RDSReaderAverageCPUUtilization"
},
"ScaleInCooldown" : 600,
"ScaleOutCooldown" : 300
}
}
}
}
}
```
### YAML
```
---
Resources:
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 8
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster'
ServiceNamespace: rds
ScalableDimension: rds:cluster:ReadReplicaCount
ResourceId: !Sub cluster:${logicalName}
ScalingPolicyDBCluster:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu40
PolicyType: TargetTrackingScaling
ServiceNamespace: rds
ScalableDimension: rds:cluster:ReadReplicaCount
ResourceId: !Sub cluster:${logicalName}
TargetTrackingScalingPolicyConfiguration:
TargetValue: 40
PredefinedMetricSpecification:
PredefinedMetricType: RDSReaderAverageCPUUtilization
ScaleInCooldown: 600
ScaleOutCooldown: 300
```
## 创建 DynamoDB 表的扩缩策略
此代码段说明如何使用 `TargetTrackingScaling` 策略类型创建策略并将其应用于使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) 资源的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html) 资源。[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) 资源声明一个应用此策略的可扩展目标,其最小写入容量单位为 5,最大写入容量单位为 15。扩展策略会扩展表的写入容量吞吐量,以 `DynamoDBWriteCapacityUtilization` 预定义指标将目标利用率维持在 50%。
此示例利用 `Fn::Join` 和 `Ref` 内置函数,使用在同一模板中指定的 `AWS::DynamoDB::Table` 资源的逻辑名称来构造 `ResourceId` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
**注意**
有关如何为 DynamoDB 资源创建 Amazon CloudFormation 模板的更多信息,请参阅 Amazon 数据库博客上的博客文章[如何使用 Amazon CloudFormation 配置 Amazon DynamoDB 表和索引的自动伸缩](https://www.amazonaws.cn/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/)。
### JSON
```
{
"Resources" : {
"WriteCapacityScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 15,
"MinCapacity" : 5,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" },
"ServiceNamespace" : "dynamodb",
"ScalableDimension" : "dynamodb:table:WriteCapacityUnits",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"table",
{
"Ref" : "logicalName"
}
]
]
}
}
},
"WriteScalingPolicy" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "WriteScalingPolicy",
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "WriteCapacityScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 50.0,
"ScaleInCooldown" : 60,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
```
### YAML
```
---
Resources:
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'
ServiceNamespace: dynamodb
ScalableDimension: dynamodb:table:WriteCapacityUnits
ResourceId: !Join
- /
- - table
- !Ref logicalName
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
```
## 创建 Amazon ECS 服务的扩缩策略(指标:平均 CPU 和内存)
此代码段说明如何创建策略并将其应用于使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) 资源的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html) 资源。[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) 资源声明一个应用此策略的可扩展目标。Application Auto Scaling 可扩展任务的数量,最少 1 个任务,最多 6 个任务。
此示例创建两个 `TargetTrackingScaling` 策略类型的扩展策略。这些策略用于根据服务的平均 CPU 和内存使用率扩展 ECS 服务。此示例利用 `Fn::Join` 和 `Ref` 内置函数,使用在同一模板中指定的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html)(`myContainerCluster`)和 `AWS::ECS::Service`(`myService`)资源的逻辑名称来构造 `ResourceId` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
### JSON
```
{
"Resources" : {
"ECSScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : "6",
"MinCapacity" : "1",
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" },
"ServiceNamespace" : "ecs",
"ScalableDimension" : "ecs:service:DesiredCount",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"service",
{
"Ref" : "myContainerCluster"
},
{
"Fn::GetAtt" : [
"myService",
"Name"
]
}
]
]
}
}
},
"ServiceScalingPolicyCPU" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu70" },
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 70.0,
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ECSServiceAverageCPUUtilization"
}
}
}
},
"ServiceScalingPolicyMem" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-mem90" },
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 90.0,
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ECSServiceAverageMemoryUtilization"
}
}
}
}
}
}
```
### YAML
```
---
Resources:
ECSScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 6
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref myContainerCluster
- !GetAtt myService.Name
ServiceScalingPolicyCPU:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu70
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 70.0
ScaleInCooldown: 180
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: ECSServiceAverageCPUUtilization
ServiceScalingPolicyMem:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-mem90
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 90.0
ScaleInCooldown: 180
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: ECSServiceAverageMemoryUtilization
```
## 创建 Amazon ECS 服务的扩缩策略(指标:每个目标的平均请求数)
以下示例将具有 `ALBRequestCountPerTarget` 预定义指标的目标跟踪扩展策略应用到 ECS 服务。该策略用于在每个目标的请求计数(每分钟)超过目标值时向 ECS 服务添加容量。由于 `DisableScaleIn` 的值设置为 `true`,因此,目标跟踪策略不会从可扩展目标中删除容量。
此示例利用 `Fn::Join` 和 `Fn::GetAtt` 内置函数,使用在同一模板中指定的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html)(`myLoadBalancer`)和 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html)(`myTargetGroup`)资源的逻辑名称来构造 `ResourceLabel` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
可扩展目标的 `MaxCapacity` 和 `MinCapacity` 属性以及扩展策略的 `TargetValue` 属性引用您在创建或更新堆栈时传递给模板的参数值。
### JSON
```
{
"Resources" : {
"ECSScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : { "Ref" : "MaxCount" },
"MinCapacity" : { "Ref" : "MinCount" },
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" },
"ServiceNamespace" : "ecs",
"ScalableDimension" : "ecs:service:DesiredCount",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"service",
{
"Ref" : "myContainerCluster"
},
{
"Fn::GetAtt" : [
"myService",
"Name"
]
}
]
]
}
}
},
"ServiceScalingPolicyALB" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "alb-requests-per-target-per-minute",
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : { "Ref" : "ALBPolicyTargetValue" },
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 30,
"DisableScaleIn" : true,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ALBRequestCountPerTarget",
"ResourceLabel" : {
"Fn::Join" : [
"/",
[
{
"Fn::GetAtt" : [
"myLoadBalancer",
"LoadBalancerFullName"
]
},
{
"Fn::GetAtt" : [
"myTargetGroup",
"TargetGroupFullName"
]
}
]
]
}
}
}
}
}
}
}
```
### YAML
```
---
Resources:
ECSScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: !Ref MaxCount
MinCapacity: !Ref MinCount
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref myContainerCluster
- !GetAtt myService.Name
ServiceScalingPolicyALB:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: alb-requests-per-target-per-minute
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: !Ref ALBPolicyTargetValue
ScaleInCooldown: 180
ScaleOutCooldown: 30
DisableScaleIn: true
PredefinedMetricSpecification:
PredefinedMetricType: ALBRequestCountPerTarget
ResourceLabel: !Join
- '/'
- - !GetAtt myLoadBalancer.LoadBalancerFullName
- !GetAtt myTargetGroup.TargetGroupFullName
```
## 使用 Lambda 函数的 cron 表达式创建计划操作
此代码段使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) 资源注册名为 `BLUE` 的函数别名([https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html))的预置并发。它还使用 cron 表达式创建具有重复计划的计划操作。定期计划的时区为 UTC。
它在 `RoleARN` 属性中使用 `Fn::Join` 和 `Ref` 内置函数以指定服务相关角色的 ARN。此示例利用 `Fn::Sub` 内置函数,使用在同一模板中指定的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) 或 [https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/sam-resource-function.html](https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/sam-resource-function.html) 资源的逻辑名称来构造 `ResourceId` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
**注意**
您无法在指向未发布版本(`$LATEST`)的别名上分配预置并发。
有关如何为 Lambda 资源创建 Amazon CloudFormation 模板的更多信息,请参阅 Amazon 计算博客上的博客文章[计划 Amazon Lambda 预置并发性以实现重复使用峰值](https://www.amazonaws.cn/blogs/compute/scheduling-aws-lambda-provisioned-concurrency-for-recurring-peak-usage/)。
### JSON
```
{
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 250,
"MinCapacity" : 0,
"RoleARN" : {
"Fn::Join" : [
":",
[
"arn:aws:iam:",
{
"Ref" : "AWS::AccountId"
},
"role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency"
]
]
},
"ServiceNamespace" : "lambda",
"ScalableDimension" : "lambda:function:ProvisionedConcurrency",
"ResourceId" : { "Fn::Sub" : "function:${logicalName}:BLUE" },
"ScheduledActions" : [
{
"ScalableTargetAction" : {
"MinCapacity" : "250"
},
"ScheduledActionName" : "my-scale-out-scheduled-action",
"Schedule" : "cron(0 18 * * ? *)",
"EndTime" : "2022-12-31T12:00:00.000Z"
}
]
}
}
}
```
### YAML
```
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 250
MinCapacity: 0
RoleARN: !Join
- ':'
- - 'arn:aws:iam:'
- !Ref 'AWS::AccountId'
- role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency
ServiceNamespace: lambda
ScalableDimension: lambda:function:ProvisionedConcurrency
ResourceId: !Sub function:${logicalName}:BLUE
ScheduledActions:
- ScalableTargetAction:
MinCapacity: 250
ScheduledActionName: my-scale-out-scheduled-action
Schedule: 'cron(0 18 * * ? *)'
EndTime: '2022-12-31T12:00:00.000Z'
```
## 使用竞价型实例集的 `at` 表达式创建计划操作
此代码段展示如何使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) 资源创建两个仅对 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html) 资源发生一次的计划操作。每个一次性计划操作的时区均为 UTC。
此示例利用 `Fn::Join` 和 `Ref` 内置函数,使用在同一模板中指定的 `AWS::EC2::SpotFleet` 资源的逻辑名称来构造 `ResourceId` 属性。有关更多信息,请参阅[内置函数参考](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html)。
**注意**
竞价型实例集请求必须使用 `maintain` 作为请求类型。一次性请求或 Spot 型限制不支持自动扩展。
### JSON
```
{
"Resources" : {
"SpotFleetScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 0,
"MinCapacity" : 0,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest" },
"ServiceNamespace" : "ec2",
"ScalableDimension" : "ec2:spot-fleet-request:TargetCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"spot-fleet-request",
{
"Ref" : "logicalName"
}
]
]
},
"ScheduledActions" : [
{
"ScalableTargetAction" : {
"MaxCapacity" : "10",
"MinCapacity" : "10"
},
"ScheduledActionName" : "my-scale-out-scheduled-action",
"Schedule" : "at(2022-05-20T13:00:00)"
},
{
"ScalableTargetAction" : {
"MaxCapacity" : "0",
"MinCapacity" : "0"
},
"ScheduledActionName" : "my-scale-in-scheduled-action",
"Schedule" : "at(2022-05-20T21:00:00)"
}
]
}
}
}
}
```
### YAML
```
---
Resources:
SpotFleetScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 0
MinCapacity: 0
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest'
ServiceNamespace: ec2
ScalableDimension: 'ec2:spot-fleet-request:TargetCapacity'
ResourceId: !Join
- /
- - spot-fleet-request
- !Ref logicalName
ScheduledActions:
- ScalableTargetAction:
MaxCapacity: 10
MinCapacity: 10
ScheduledActionName: my-scale-out-scheduled-action
Schedule: 'at(2022-05-20T13:00:00)'
- ScalableTargetAction:
MaxCapacity: 0
MinCapacity: 0
ScheduledActionName: my-scale-in-scheduled-action
Schedule: 'at(2022-05-20T21:00:00)'
```
# Amazon 账单控制台模板代码段
此示例创建一个包含 10% 全球加价定价规则的定价计划。此定价计划已附加到账单组。账单组还有两个自定义行项目,在账单组总成本的基础上收取 10 美元的费用和 10% 的费用。
## JSON
```
1. {
2. "Parameters": {
3. "LinkedAccountIds": {
4. "Type": "ListNumber"
5. },
6. "PrimaryAccountId": {
7. "Type": "Number"
8. }
9. },
10. "Resources": {
11. "TestPricingRule": {
12. "Type": "AWS::BillingConductor::PricingRule",
13. "Properties": {
14. "Name": "TestPricingRule",
15. "Description": "Test pricing rule created through Cloudformation. Mark everything by 10%.",
16. "Type": "MARKUP",
17. "Scope": "GLOBAL",
18. "ModifierPercentage": 10
19. }
20. },
21. "TestPricingPlan": {
22. "Type": "AWS::BillingConductor::PricingPlan",
23. "Properties": {
24. "Name": "TestPricingPlan",
25. "Description": "Test pricing plan created through Cloudformation.",
26. "PricingRuleArns": [
27. {"Fn::GetAtt": ["TestPricingRule", "Arn"]}
28. ]
29. }
30. },
31. "TestBillingGroup": {
32. "Type": "AWS::BillingConductor::BillingGroup",
33. "Properties": {
34. "Name": "TestBillingGroup",
35. "Description": "Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.",
36. "PrimaryAccountId": {
37. "Ref": "PrimaryAccountId"
38. },
39. "AccountGrouping": {
40. "LinkedAccountIds": null
41. },
42. "ComputationPreference": {
43. "PricingPlanArn": {
44. "Fn::GetAtt": ["TestPricingPlan", "Arn"]
45. }
46. }
47. }
48. },
49. "TestFlatCustomLineItem": {
50. "Type": "AWS::BillingConductor::CustomLineItem",
51. "Properties": {
52. "Name": "TestFlatCustomLineItem",
53. "Description": "Test flat custom line item created through Cloudformation for a $10 charge.",
54. "BillingGroupArn": {
55. "Fn::GetAtt": ["TestBillingGroup", "Arn"]
56. },
57. "CustomLineItemChargeDetails": {
58. "Flat": {
59. "ChargeValue": 10
60. },
61. "Type": "FEE"
62. }
63. }
64. },
65. "TestPercentageCustomLineItem": {
66. "Type": "AWS::BillingConductor::CustomLineItem",
67. "Properties": {
68. "Name": "TestPercentageCustomLineItem",
69. "Description": "Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.",
70. "BillingGroupArn": {
71. "Fn::GetAtt": ["TestBillingGroup", "Arn"]
72. },
73. "CustomLineItemChargeDetails": {
74. "Percentage": {
75. "PercentageValue": 10,
76. "ChildAssociatedResources": [
77. {"Fn::GetAtt": ["TestBillingGroup", "Arn"]}
78. ]
79. },
80. "Type": "FEE"
81. }
82. }
83. }
84. }
85. }
```
## YAML
```
1. Parameters:
2. LinkedAccountIds:
3. Type: ListNumber
4. PrimaryAccountId:
5. Type: Number
6. Resources:
7. TestPricingRule:
8. Type: AWS::BillingConductor::PricingRule
9. Properties:
10. Name: 'TestPricingRule'
11. Description: 'Test pricing rule created through Cloudformation. Mark everything by 10%.'
12. Type: 'MARKUP'
13. Scope: 'GLOBAL'
14. ModifierPercentage: 10
15. TestPricingPlan:
16. Type: AWS::BillingConductor::PricingPlan
17. Properties:
18. Name: 'TestPricingPlan'
19. Description: 'Test pricing plan created through Cloudformation.'
20. PricingRuleArns:
21. - !GetAtt TestPricingRule.Arn
22. TestBillingGroup:
23. Type: AWS::BillingConductor::BillingGroup
24. Properties:
25. Name: 'TestBillingGroup'
26. Description: 'Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.'
27. PrimaryAccountId: !Ref PrimaryAccountId
28. AccountGrouping:
29. LinkedAccountIds: !Ref LinkedAccountIds
30. ComputationPreference:
31. PricingPlanArn: !GetAtt TestPricingPlan.Arn
32. TestFlatCustomLineItem:
33. Type: AWS::BillingConductor::CustomLineItem
34. Properties:
35. Name: 'TestFlatCustomLineItem'
36. Description: 'Test flat custom line item created through Cloudformation for a $10 charge.'
37. BillingGroupArn: !GetAtt TestBillingGroup.Arn
38. CustomLineItemChargeDetails:
39. Flat:
40. ChargeValue: 10
41. Type: 'FEE'
42. TestPercentageCustomLineItem:
43. Type: AWS::BillingConductor::CustomLineItem
44. Properties:
45. Name: 'TestPercentageCustomLineItem'
46. Description: 'Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.'
47. BillingGroupArn: !GetAtt TestBillingGroup.Arn
48. CustomLineItemChargeDetails:
49. Percentage:
50. PercentageValue: 10
51. ChildAssociatedResources:
52. - !GetAtt TestBillingGroup.Arn
53. Type: 'FEE'
```
# Amazon CloudFormation 模板代码段
**Topics**
+ [
## 嵌套堆栈
](#w2aac11c41c23b5)
+ [
## 等待条件
](#w2aac11c41c23b7)
## 嵌套堆栈
### 在模板中嵌套堆栈
此示例模板包含一个称为 `myStack` 的嵌套堆栈资源。在 Amazon CloudFormation 通过模板创建堆栈时,它创建 `myStack`,其模板是在 `TemplateURL` 属性中指定的。输出值 `StackRef` 返回 `myStack` 的堆栈 ID,值 `OutputFromNestedStack` 从 `myStack` 资源中返回输出值 `BucketName`。`Outputs.nestedstackoutputname` 是预留格式,用于指定嵌套堆栈的输出值,可以在包含模板的任意位置中使用该格式。
有关更多信息,请参阅 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html)。
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myStack" : {
5. "Type" : "AWS::CloudFormation::Stack",
6. "Properties" : {
7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template",
8. "TimeoutInMinutes" : "60"
9. }
10. }
11. },
12. "Outputs": {
13. "StackRef": {"Value": { "Ref" : "myStack"}},
14. "OutputFromNestedStack" : {
15. "Value" : { "Fn::GetAtt" : [ "myStack", "Outputs.BucketName" ] }
16. }
17. }
18. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myStack:
4. Type: AWS::CloudFormation::Stack
5. Properties:
6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template
7. TimeoutInMinutes: '60'
8. Outputs:
9. StackRef:
10. Value: !Ref myStack
11. OutputFromNestedStack:
12. Value: !GetAtt myStack.Outputs.BucketName
```
### 使用输入参数在模板中嵌套堆栈
此示例模板包含指定输入参数的堆栈资源。Amazon CloudFormation 通过该模板创建堆栈时,会将 `Parameters` 属性中声明的值对作为输入参数,供创建 `myStackWithParams` 堆栈的模板使用。在此示例中,已指定 `InstanceType` 和 `KeyName` 参数。
有关更多信息,请参阅 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html)。
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myStackWithParams" : {
5. "Type" : "AWS::CloudFormation::Stack",
6. "Properties" : {
7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template",
8. "Parameters" : {
9. "InstanceType" : "t2.micro",
10. "KeyName" : "mykey"
11. }
12. }
13. }
14. }
15. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myStackWithParams:
4. Type: AWS::CloudFormation::Stack
5. Properties:
6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template
7. Parameters:
8. InstanceType: t2.micro
9. KeyName: mykey
```
## 等待条件
### 将等待条件用于 Amazon EC2 实例
**重要**
对于 Amazon EC2 和 Auto Scaling 资源,我们建议您使用 CreationPolicy 属性而非等待条件。当实例创建过程成功完成后,将“CreationPolicy”属性添加到这些资源,并使用 cfn-signal 帮助程序脚本发送信号。
如果您无法使用创建策略,请查看以下示例模板,该模板声明了带等待条件的 Amazon EC2 实例。`myWaitCondition` 等待条件使用 `myWaitConditionHandle` 发出信号,使用 `DependsOn` 属性指定等待条件将在创建 Amazon EC2 实例资源后触发,并使用 `Timeout` 属性将等待条件的持续时间指定为 4500 秒。此外,向等待条件发出信号的预签名 URL 将通过 `Ec2Instance` 资源的 `UserData` 属性传输至 Amazon EC2 实例,以使运行在该 Amazon EC2 实例上的应用程序或脚本可以检索预签名 URL,并使用该 URL 向等待条件发出成功或失败信号。您需要使用 `cfn-signal`,或创建向等待条件发出信号的应用程序或脚本。输出值 `ApplicationData` 包含从等待条件信号中传回的数据。
有关更多信息,请参阅 [在 CloudFormation 模板中创建等待条件](using-cfn-waitcondition.md)。
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Mappings" : {
4. "RegionMap" : {
5. "us-east-1" : {
6. "AMI" : "ami-0123456789abcdef0"
7. },
8. "us-west-1" : {
9. "AMI" : "ami-0987654321fedcba0"
10. },
11. "eu-west-1" : {
12. "AMI" : "ami-0abcdef123456789a"
13. },
14. "ap-northeast-1" : {
15. "AMI" : "ami-0fedcba987654321b"
16. },
17. "ap-southeast-1" : {
18. "AMI" : "ami-0c1d2e3f4a5b6c7d8"
19. }
20. }
21. },
22. "Resources" : {
23. "Ec2Instance" : {
24. "Type" : "AWS::EC2::Instance",
25. "Properties" : {
26. "UserData" : { "Fn::Base64" : {"Ref" : "myWaitHandle"}},
27. "ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]}
28. }
29. },
30. "myWaitHandle" : {
31. "Type" : "AWS::CloudFormation::WaitConditionHandle",
32. "Properties" : {
33. }
34. },
35. "myWaitCondition" : {
36. "Type" : "AWS::CloudFormation::WaitCondition",
37. "DependsOn" : "Ec2Instance",
38. "Properties" : {
39. "Handle" : { "Ref" : "myWaitHandle" },
40. "Timeout" : "4500"
41. }
42. }
43. },
44. "Outputs" : {
45. "ApplicationData" : {
46. "Value" : { "Fn::GetAtt" : [ "myWaitCondition", "Data" ]},
47. "Description" : "The data passed back as part of signalling the WaitCondition."
48. }
49. }
50. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Mappings:
3. RegionMap:
4. us-east-1:
5. AMI: ami-0123456789abcdef0
6. us-west-1:
7. AMI: ami-0987654321fedcba0
8. eu-west-1:
9. AMI: ami-0abcdef123456789a
10. ap-northeast-1:
11. AMI: ami-0fedcba987654321b
12. ap-southeast-1:
13. AMI: ami-0c1d2e3f4a5b6c7d8
14. Resources:
15. Ec2Instance:
16. Type: AWS::EC2::Instance
17. Properties:
18. UserData:
19. Fn::Base64: !Ref myWaitHandle
20. ImageId:
21. Fn::FindInMap:
22. - RegionMap
23. - Ref: AWS::Region
24. - AMI
25. myWaitHandle:
26. Type: AWS::CloudFormation::WaitConditionHandle
27. Properties: {}
28. myWaitCondition:
29. Type: AWS::CloudFormation::WaitCondition
30. DependsOn: Ec2Instance
31. Properties:
32. Handle: !Ref myWaitHandle
33. Timeout: '4500'
34. Outputs:
35. ApplicationData:
36. Value: !GetAtt myWaitCondition.Data
37. Description: The data passed back as part of signalling the WaitCondition.
```
### 使用 cfn-signal 帮助程序脚本向等待条件发出信号
此示例演示将成功信号发送到等待条件的 `cfn-signal` 命令行。您需要在 EC2 实例的 `UserData` 属性中定义命令行。
#### JSON
```
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -xe\n",
"/opt/aws/bin/cfn-signal --exit-code 0 '",
{
"Ref": "myWaitHandle"
},
"'\n"
]
]
}
}
```
#### YAML
```
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
/opt/aws/bin/cfn-signal --exit-code 0 '${myWaitHandle}'
```
### 使用 Curl 向等待条件发出信号
此示例显示将成功信号发送到等待条件的 Curl 命令行。
```
1. curl -T /tmp/a "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D"
```
其中文件 /tmp/a 包含以下 JSON 结构:
```
1. {
2. "Status" : "SUCCESS",
3. "Reason" : "Configuration Complete",
4. "UniqueId" : "ID1234",
5. "Data" : "Application has completed configuration."
6. }
```
此示例显示发送同一成功信号的 Curl 命令行,将 JSON 发送为命令行参数的情况除外。
```
1. curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" : "Configuration Complete","UniqueId" : "ID1234","Data" : "Application has completed configuration."}' "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D"
```
# Amazon CloudFront 模板代码段
在 Amazon CloudFormation 中,可以将这些示例模板代码段用于 Amazon CloudFront 分发资源。有关更多信息,请参阅 [Amazon CloudFront resource type reference](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/AWS_CloudFront.html)。
**Topics**
+ [
## 具有 Amazon S3 源的 Amazon CloudFront 分布资源
](#scenario-cloudfront-s3origin)
+ [
## 带自定义源的 Amazon CloudFront 分配资源
](#scenario-cloudfront-customorigin)
+ [
## 具有多源支持的 Amazon CloudFront 分配
](#scenario-cloudfront-multiorigin)
+ [
## 以 Lambda 函数为源的 Amazon CloudFront 分发
](#scenario-cloudfront-lambda-origin)
+ [
## 另请参阅
](#w2aac11c41c27c15)
## 具有 Amazon S3 源的 Amazon CloudFront 分布资源
以下示例模板显示使用 [S3Origin](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-s3originconfig.html) 的 Amazon CloudFront [分发](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html)和旧式来源访问身份(OAI)。有关改用来源访问控制(OAC)的信息,请参阅《Amazon CloudFront 开发人员指南**》中的[限制对 Amazon Simple Storage Service 源的访问](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)。
### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myDistribution" : {
5. "Type" : "AWS::CloudFront::Distribution",
6. "Properties" : {
7. "DistributionConfig" : {
8. "Origins" : [ {
9. "DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com",
10. "Id" : "myS3Origin",
11. "S3OriginConfig" : {
12. "OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z"
13. }
14. }],
15. "Enabled" : "true",
16. "Comment" : "Some comment",
17. "DefaultRootObject" : "index.html",
18. "Logging" : {
19. "IncludeCookies" : "false",
20. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
21. "Prefix" : "myprefix"
22. },
23. "Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
24. "DefaultCacheBehavior" : {
25. "AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
26. "TargetOriginId" : "myS3Origin",
27. "ForwardedValues" : {
28. "QueryString" : "false",
29. "Cookies" : { "Forward" : "none" }
30. },
31. "TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
32. "ViewerProtocolPolicy" : "allow-all"
33. },
34. "PriceClass" : "PriceClass_200",
35. "Restrictions" : {
36. "GeoRestriction" : {
37. "RestrictionType" : "whitelist",
38. "Locations" : [ "AQ", "CV" ]
39. }
40. },
41. "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
42. }
43. }
44. }
45. }
46. }
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myDistribution:
4. Type: AWS::CloudFront::Distribution
5. Properties:
6. DistributionConfig:
7. Origins:
8. - DomainName: amzn-s3-demo-bucket.s3.amazonaws.com
9. Id: myS3Origin
10. S3OriginConfig:
11. OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
12. Enabled: 'true'
13. Comment: Some comment
14. DefaultRootObject: index.html
15. Logging:
16. IncludeCookies: 'false'
17. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
18. Prefix: myprefix
19. Aliases:
20. - mysite.example.com
21. - yoursite.example.com
22. DefaultCacheBehavior:
23. AllowedMethods:
24. - DELETE
25. - GET
26. - HEAD
27. - OPTIONS
28. - PATCH
29. - POST
30. - PUT
31. TargetOriginId: myS3Origin
32. ForwardedValues:
33. QueryString: 'false'
34. Cookies:
35. Forward: none
36. TrustedSigners:
37. - 1234567890EX
38. - 1234567891EX
39. ViewerProtocolPolicy: allow-all
40. PriceClass: PriceClass_200
41. Restrictions:
42. GeoRestriction:
43. RestrictionType: whitelist
44. Locations:
45. - AQ
46. - CV
47. ViewerCertificate:
48. CloudFrontDefaultCertificate: 'true'
```
## 带自定义源的 Amazon CloudFront 分配资源
以下示例模板显示使用 [CustomOrigin](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-customoriginconfig.html) 的 Amazon CloudFront [分发](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html)。
### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myDistribution" : {
5. "Type" : "AWS::CloudFront::Distribution",
6. "Properties" : {
7. "DistributionConfig" : {
8. "Origins" : [ {
9. "DomainName" : "www.example.com",
10. "Id" : "myCustomOrigin",
11. "CustomOriginConfig" : {
12. "HTTPPort" : "80",
13. "HTTPSPort" : "443",
14. "OriginProtocolPolicy" : "http-only"
15. }
16. } ],
17. "Enabled" : "true",
18. "Comment" : "Somecomment",
19. "DefaultRootObject" : "index.html",
20. "Logging" : {
21. "IncludeCookies" : "true",
22. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
23. "Prefix": "myprefix"
24. },
25. "Aliases" : [
26. "mysite.example.com",
27. "*.yoursite.example.com"
28. ],
29. "DefaultCacheBehavior" : {
30. "TargetOriginId" : "myCustomOrigin",
31. "SmoothStreaming" : "false",
32. "ForwardedValues" : {
33. "QueryString" : "false",
34. "Cookies" : { "Forward" : "all" }
35. },
36. "TrustedSigners" : [
37. "1234567890EX",
38. "1234567891EX"
39. ],
40. "ViewerProtocolPolicy" : "allow-all"
41. },
42. "CustomErrorResponses" : [ {
43. "ErrorCode" : "404",
44. "ResponsePagePath" : "/error-pages/404.html",
45. "ResponseCode" : "200",
46. "ErrorCachingMinTTL" : "30"
47. } ],
48. "PriceClass" : "PriceClass_200",
49. "Restrictions" : {
50. "GeoRestriction" : {
51. "RestrictionType" : "whitelist",
52. "Locations" : [ "AQ", "CV" ]
53. }
54. },
55. "ViewerCertificate": { "CloudFrontDefaultCertificate" : "true" }
56. }
57. }
58. }
59. }
60. }
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myDistribution:
4. Type: AWS::CloudFront::Distribution
5. Properties:
6. DistributionConfig:
7. Origins:
8. - DomainName: www.example.com
9. Id: myCustomOrigin
10. CustomOriginConfig:
11. HTTPPort: '80'
12. HTTPSPort: '443'
13. OriginProtocolPolicy: http-only
14. Enabled: 'true'
15. Comment: Somecomment
16. DefaultRootObject: index.html
17. Logging:
18. IncludeCookies: 'true'
19. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
20. Prefix: myprefix
21. Aliases:
22. - mysite.example.com
23. - "*.yoursite.example.com"
24. DefaultCacheBehavior:
25. TargetOriginId: myCustomOrigin
26. SmoothStreaming: 'false'
27. ForwardedValues:
28. QueryString: 'false'
29. Cookies:
30. Forward: all
31. TrustedSigners:
32. - 1234567890EX
33. - 1234567891EX
34. ViewerProtocolPolicy: allow-all
35. CustomErrorResponses:
36. - ErrorCode: '404'
37. ResponsePagePath: "/error-pages/404.html"
38. ResponseCode: '200'
39. ErrorCachingMinTTL: '30'
40. PriceClass: PriceClass_200
41. Restrictions:
42. GeoRestriction:
43. RestrictionType: whitelist
44. Locations:
45. - AQ
46. - CV
47. ViewerCertificate:
48. CloudFrontDefaultCertificate: 'true'
```
## 具有多源支持的 Amazon CloudFront 分配
以下示例模板演示如何声明带多源支持的 CloudFront [分配](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html)。在 [DistributionConfig](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-distributionconfig.html) 中,提供了源列表,并且设置了 [DefaultCacheBehavior](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.html)。
### JSON
```
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDistribution" : {
"Type" : "AWS::CloudFront::Distribution",
"Properties" : {
"DistributionConfig" : {
"Origins" : [ {
"Id" : "myS3Origin",
"DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com",
"S3OriginConfig" : {
"OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z"
}
},
{
"Id" : "myCustomOrigin",
"DomainName" : "www.example.com",
"CustomOriginConfig" : {
"HTTPPort" : "80",
"HTTPSPort" : "443",
"OriginProtocolPolicy" : "http-only"
}
}
],
"Enabled" : "true",
"Comment" : "Some comment",
"DefaultRootObject" : "index.html",
"Logging" : {
"IncludeCookies" : "true",
"Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
"Prefix" : "myprefix"
},
"Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
"DefaultCacheBehavior" : {
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "false",
"Cookies" : { "Forward" : "all" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "100",
"SmoothStreaming" : "true"
},
"CacheBehaviors" : [ {
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "true",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "50",
"PathPattern" : "images1/*.jpg"
},
{
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
"TargetOriginId" : "myCustomOrigin",
"ForwardedValues" : {
"QueryString" : "true",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "50",
"PathPattern" : "images2/*.jpg"
}
],
"CustomErrorResponses" : [ {
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"
} ],
"PriceClass" : "PriceClass_All",
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
}
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: myS3Origin
DomainName: amzn-s3-demo-bucket.s3.amazonaws.com
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
- Id: myCustomOrigin
DomainName: www.example.com
CustomOriginConfig:
HTTPPort: '80'
HTTPSPort: '443'
OriginProtocolPolicy: http-only
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Logging:
IncludeCookies: 'true'
Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
Prefix: myprefix
Aliases:
- mysite.example.com
- yoursite.example.com
DefaultCacheBehavior:
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: all
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '100'
SmoothStreaming: 'true'
CacheBehaviors:
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '50'
PathPattern: images1/*.jpg
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myCustomOrigin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '50'
PathPattern: images2/*.jpg
CustomErrorResponses:
- ErrorCode: '404'
ResponsePagePath: "/error-pages/404.html"
ResponseCode: '200'
ErrorCachingMinTTL: '30'
PriceClass: PriceClass_All
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
```
## 以 Lambda 函数为源的 Amazon CloudFront 分发
以下示例创建了一个前端为指定的 Lambda 函数 URL(作为参数提供)的 CloudFront 分发,启用了仅限 HTTPS 访问、缓存、压缩和全球交付。此示例将 Lambda URL 配置为自定义 HTTPS 来源,并且应用标准 Amazon 缓存策略。该分发针对性能进行了优化,支持 HTTP/2 和 IPv6,输出 CloudFront 域名,允许用户通过 CDN 支持的安全端点访问 Lambda 函数。有关更多信息,请参阅 Amazon 博客上的 [Using Amazon CloudFront with Amazon Lambda as origin to accelerate your web applications](https://www.amazonaws.cn/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/)。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"LambdaEndpoint": {
"Type": "String",
"Description": "The Lambda function URL endpoint without the 'https://'"
}
},
"Resources": {
"MyDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"PriceClass": "PriceClass_All",
"HttpVersion": "http2",
"IPV6Enabled": true,
"Origins": [
{
"DomainName": {
"Ref": "LambdaEndpoint"
},
"Id": "LambdaOrigin",
"CustomOriginConfig": {
"HTTPSPort": 443,
"OriginProtocolPolicy": "https-only"
}
}
],
"Enabled": "true",
"DefaultCacheBehavior": {
"TargetOriginId": "LambdaOrigin",
"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
"ViewerProtocolPolicy": "redirect-to-https",
"SmoothStreaming": "false",
"Compress": "true"
}
}
}
}
},
"Outputs": {
"CloudFrontDomain": {
"Description": "CloudFront default domain name configured",
"Value": {
"Fn::Sub": "https://${MyDistribution.DomainName}/"
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
LambdaEndpoint:
Type: String
Description: The Lambda function URL endpoint without the 'https://'
Resources:
MyDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
PriceClass: PriceClass_All
HttpVersion: http2
IPV6Enabled: true
Origins:
- DomainName: !Ref LambdaEndpoint
Id: LambdaOrigin
CustomOriginConfig:
HTTPSPort: 443
OriginProtocolPolicy: https-only
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: LambdaOrigin
CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6'
ViewerProtocolPolicy: redirect-to-https
SmoothStreaming: 'false'
Compress: 'true'
Outputs:
CloudFrontDomain:
Description: CloudFront default domain name configured
Value: !Sub https://${MyDistribution.DomainName}/
```
## 另请参阅
有关向 Route 53 记录添加自定义别名以便更好地为 CloudFront 分发命名的示例,请参阅 [CloudFront 分配的别名资源记录集](quickref-route53.md#scenario-user-friendly-url-for-cloudfront-distribution)。
# Amazon CloudWatch 模板代码段
您可以在 Amazon CloudFormation 中使用这些示例模板代码段来帮助描述 Amazon CloudWatch 资源。有关更多信息,请参阅 [Amazon CloudWatch resource type reference](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/AWS_CloudWatch.html)。
**Topics**
+ [
## 账单警报
](#cloudwatch-sample-billing-alarm)
+ [
## CPU 使用率警报
](#cloudwatch-sample-cpu-utilization-alarm)
+ [
## 恢复 Amazon Elastic Compute Cloud 实例
](#cloudwatch-sample-recover-instance)
+ [
## 创建基本控制面板
](#cloudwatch-sample-dashboard-basic)
+ [
## 使用并排显示小部件创建控制面板
](#cloudwatch-sample-dashboard-sidebyside)
## 账单警报
在下面的示例中,Amazon CloudWatch 在您的 Amazon 账户费用超过警报阈值时发送电子邮件通知。要接收使用情况通知,请启用账单提醒。有关更多信息,请参阅《Amazon CloudWatch 用户指南》中的[创建账单警报以监控预估 Amazon 费用](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html)**。
### JSON
```
"SpendingAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": { "Fn::Join": ["", [
"Alarm if AWS spending is over $",
{ "Ref": "AlarmThreshold" }
]]},
"Namespace": "AWS/Billing",
"MetricName": "EstimatedCharges",
"Dimensions": [{
"Name": "Currency",
"Value" : "USD"
}],
"Statistic": "Maximum",
"Period": "21600",
"EvaluationPeriods": "1",
"Threshold": { "Ref": "AlarmThreshold" },
"ComparisonOperator": "GreaterThanThreshold",
"AlarmActions": [{
"Ref": "BillingAlarmNotification"
}],
"InsufficientDataActions": [{
"Ref": "BillingAlarmNotification"
}]
}
}
```
### YAML
```
SpendingAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription:
'Fn::Join':
- ''
- - Alarm if AWS spending is over $
- !Ref: AlarmThreshold
Namespace: AWS/Billing
MetricName: EstimatedCharges
Dimensions:
- Name: Currency
Value: USD
Statistic: Maximum
Period: '21600'
EvaluationPeriods: '1'
Threshold:
!Ref: "AlarmThreshold"
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- !Ref: "BillingAlarmNotification"
InsufficientDataActions:
- !Ref: "BillingAlarmNotification"
```
## CPU 使用率警报
以下示例代码段创建一个警报,该警报在三个评估周期内 Amazon EC2 实例的平均 CPU 利用率超出 90% 的时间大于 60 秒时发送通知。
### JSON
```
1. "CPUAlarm" : {
2. "Type" : "AWS::CloudWatch::Alarm",
3. "Properties" : {
4. "AlarmDescription" : "CPU alarm for my instance",
5. "AlarmActions" : [ { "Ref" : "logical name of an AWS::SNS::Topic resource" } ],
6. "MetricName" : "CPUUtilization",
7. "Namespace" : "AWS/EC2",
8. "Statistic" : "Average",
9. "Period" : "60",
10. "EvaluationPeriods" : "3",
11. "Threshold" : "90",
12. "ComparisonOperator" : "GreaterThanThreshold",
13. "Dimensions" : [ {
14. "Name" : "InstanceId",
15. "Value" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }
16. } ]
17. }
18. }
```
### YAML
```
1. CPUAlarm:
2. Type: AWS::CloudWatch::Alarm
3. Properties:
4. AlarmDescription: CPU alarm for my instance
5. AlarmActions:
6. - !Ref: "logical name of an AWS::SNS::Topic resource"
7. MetricName: CPUUtilization
8. Namespace: AWS/EC2
9. Statistic: Average
10. Period: '60'
11. EvaluationPeriods: '3'
12. Threshold: '90'
13. ComparisonOperator: GreaterThanThreshold
14. Dimensions:
15. - Name: InstanceId
16. Value: !Ref: "logical name of an AWS::EC2::Instance resource"
```
## 恢复 Amazon Elastic Compute Cloud 实例
当以下 CloudWatch 警报在连续的 15 分钟时间内存在状态检查故障时,它将恢复 EC2 实例。有关警报操作的更多信息,请参阅《Amazon CloudWatch 用户指南》中的[创建警报以停止、终止、重启或恢复 EC2 实例](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html)**。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"RecoveryInstance" : {
"Description" : "The EC2 instance ID to associate this alarm with.",
"Type" : "AWS::EC2::Instance::Id"
}
},
"Resources": {
"RecoveryTestAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Trigger a recovery when instance status check fails for 15 consecutive minutes.",
"Namespace": "AWS/EC2" ,
"MetricName": "StatusCheckFailed_System",
"Statistic": "Minimum",
"Period": "60",
"EvaluationPeriods": "15",
"ComparisonOperator": "GreaterThanThreshold",
"Threshold": "0",
"AlarmActions": [ {"Fn::Join" : ["", ["arn:aws:automate:", { "Ref" : "AWS::Region" }, ":ec2:recover" ]]} ],
"Dimensions": [{"Name": "InstanceId","Value": {"Ref": "RecoveryInstance"}}]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
RecoveryInstance:
Description: The EC2 instance ID to associate this alarm with.
Type: AWS::EC2::Instance::Id
Resources:
RecoveryTestAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: Trigger a recovery when instance status check fails for 15
consecutive minutes.
Namespace: AWS/EC2
MetricName: StatusCheckFailed_System
Statistic: Minimum
Period: '60'
EvaluationPeriods: '15'
ComparisonOperator: GreaterThanThreshold
Threshold: '0'
AlarmActions: [ !Sub "arn:aws:automate:${AWS::Region}:ec2:recover" ]
Dimensions:
- Name: InstanceId
Value: !Ref: RecoveryInstance
```
## 创建基本控制面板
以下示例创建一个简单的 CloudWatch 控制面板,其中包含一个显示 CPU 使用率的指标小部件和一个显示消息的文本小部件。
### JSON
```
{
"BasicDashboard": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"text\",\"x\":0,\"y\":7,\"width\":3,\"height\":3,\"properties\":{\"markdown\":\"Hello world\"}}]}"
}
}
}
```
### YAML
```
BasicDashboard:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"text","x":0,"y":7,"width":3,"height":3,"properties":{"markdown":"Hello world"}}]}'
```
## 使用并排显示小部件创建控制面板
以下示例创建一个包含两个指标小部件 (并排显示) 的控制面板。
### JSON
```
{
"DashboardSideBySide": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"metric\",\"x\":12,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/S3\",\"BucketSizeBytes\",\"BucketName\",\"amzn-s3-demo-bucket\"]],\"period\":86400,\"stat\":\"Maximum\",\"region\":\"us-east-1\",\"title\":\"amzn-s3-demo-bucket bytes\"}}]}"
}
}
}
```
### YAML
```
DashboardSideBySide:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"metric","x":12,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/S3","BucketSizeBytes","BucketName","amzn-s3-demo-bucket"]],"period":86400,"stat":"Maximum","region":"us-east-1","title":"amzn-s3-demo-bucket bytes"}}]}'
```
# Amazon CloudWatch Logs 模板代码段
Amazon CloudWatch Logs 能够监控系统、应用程序和来自 Amazon EC2 实例或其他源的自定义日志文件。您可以使用 Amazon CloudFormation 配置和管理日志组和指标筛选条件。有关 Amazon CloudWatch Logs 的更多信息,请参阅 [Amazon CloudWatch Logs 用户指南](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)。
**Topics**
+ [
## 从 Linux 实例将日志发送到 CloudWatch Logs
](#quickref-cloudwatchlogs-example1)
+ [
## 从 Windows 实例将日志发送到 CloudWatch Logs
](#quickref-cloudwatchlogs-example2)
+ [
## 另请参阅
](#w2aac11c41c35c11)
## 从 Linux 实例将日志发送到 CloudWatch Logs
以下模板演示了如何在集成 CloudWatch Logs 的 Amazon Linux 2023 上设置 Web 服务器。该模板将执行以下任务:
+ 安装 Apache 和 PHP。
+ 配置 CloudWatch Logs 代理,将 Apache 访问日志转发到 CloudWatch Logs。
+ 设置一个 IAM 角色让 CloudWatch 代理将日志数据发送到 CloudWatch Logs。
+ 创建自定义警报和通知,监控 404 错误或高带宽使用情况。
来自 Web 服务器的日志事件为 CloudWatch 警报提供了指标数据。两个指标筛选条件描述了将日志信息转换成 CloudWatch 指标的方法。404 指标用于统计出现 404 错误的次数。大小指标用于跟踪请求的大小。如果两分钟内出现两次以上的 404 错误,或平均请求大小在高于 3500 KB 的情况下持续 10 分钟,这两个 CloudWatch 警报将发送通知。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.",
"Parameters": {
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"OperatorEmail": {
"Description": "Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)",
"Type": "String"
}
},
"Resources": {
"LogRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:CreateLogStream"
],
"Resource": "*"
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{"Ref": "LogRole"}]
}
},
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": {"Ref": "SSHLocation"}
}
]
}
},
"WebServerHost": {
"Type": "AWS::EC2::Instance",
"Metadata": {
"Comment": "Install a simple PHP application on Amazon Linux 2023",
"AWS::CloudFormation::Init": {
"config": {
"packages": {
"dnf": {
"httpd": [],
"php": [],
"php-fpm": []
}
},
"files": {
"/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json": {
"content": {
"logs": {
"logs_collected": {
"files": {
"collect_list": [{
"file_path": "/var/log/httpd/access_log",
"log_group_name": {"Ref": "WebServerLogGroup"},
"log_stream_name": "{instance_id}/apache.log",
"timestamp_format": "%d/%b/%Y:%H:%M:%S %z"
}]
}
}
}
},
"mode": "000644",
"owner": "root",
"group": "root"
},
"/var/www/html/index.php": {
"content": "AWS CloudFormation sample PHP application on Amazon Linux 2023';\n?>\n",
"mode": "000644",
"owner": "apache",
"group": "apache"
},
"/etc/cfn/cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{"Ref": "AWS::StackId"},
"\n",
"region=",
{"Ref": "AWS::Region"},
"\n"
]
]
},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ",
{"Ref": "AWS::StackId"},
" -r WebServerHost ",
" --region ",
{"Ref": "AWS::Region"},
"\n",
"runas=root\n"
]
]
}
}
},
"services": {
"systemd": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"php-fpm": {
"enabled": "true",
"ensureRunning": "true"
}
}
}
}
}
},
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT5M"
}
},
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}",
"KeyName": {"Ref": "KeyName"},
"InstanceType": "t3.micro",
"SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}],
"IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"},
"UserData": {"Fn::Base64": {"Fn::Join": [ "", [
"#!/bin/bash\n",
"dnf update -y aws-cfn-bootstrap\n",
"dnf install -y amazon-cloudwatch-agent\n",
"/opt/aws/bin/cfn-init -v --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n",
"\n",
"# Verify Apache log directory exists and create if needed\n",
"mkdir -p /var/log/httpd\n",
"\n",
"# Start CloudWatch agent\n",
"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s\n",
"\n",
"# Signal success\n",
"/opt/aws/bin/cfn-signal -e $? --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n"
]]}}
}
},
"WebServerLogGroup": {
"Type": "AWS::Logs::LogGroup",
"DeletionPolicy": "Retain",
"UpdateReplacePolicy": "Retain",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "WebServerLogGroup"},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"BytesTransferredMetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "WebServerLogGroup"},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code, size, ...]",
"MetricTransformations": [
{
"MetricValue": "$size",
"MetricNamespace": "test/BytesTransferred",
"MetricName": "testBytesTransferred"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"BandwidthAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The average volume of traffic is greater 3500 KB over 10 minutes",
"MetricName": "testBytesTransferred",
"Namespace": "test/BytesTransferred",
"Statistic": "Average",
"Period": "300",
"EvaluationPeriods": "2",
"Threshold": "3500",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {"Ref": "WebServerHost"}
},
"WebsiteURL": {
"Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"},
"Description": "URL for the web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]
}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {"Ref": "WebServerLogGroup"}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)
Type: String
Resources:
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:PutLogEvents'
- 'logs:DescribeLogStreams'
- 'logs:DescribeLogGroups'
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
Resource: '*'
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref LogRole
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
WebServerHost:
Type: AWS::EC2::Instance
Metadata:
Comment: Install a simple PHP application on Amazon Linux 2023
'AWS::CloudFormation::Init':
config:
packages:
dnf:
httpd: []
php: []
php-fpm: []
files:
/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json:
content: !Sub |
{
"logs": {
"logs_collected": {
"files": {
"collect_list": [
{
"file_path": "/var/log/httpd/access_log",
"log_group_name": "${WebServerLogGroup}",
"log_stream_name": "{instance_id}/apache.log",
"timestamp_format": "%d/%b/%Y:%H:%M:%S %z"
}
]
}
}
}
}
mode: '000644'
owner: root
group: root
/var/www/html/index.php:
content: |
AWS CloudFormation sample PHP application on Amazon Linux 2023';
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerHost --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: 'true'
ensureRunning: 'true'
php-fpm:
enabled: 'true'
ensureRunning: 'true'
CreationPolicy:
ResourceSignal:
Timeout: PT5M
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}'
KeyName: !Ref KeyName
InstanceType: t3.micro
SecurityGroupIds:
- !Ref WebServerSecurityGroup
IamInstanceProfile: !Ref LogRoleInstanceProfile
UserData: !Base64
Fn::Sub: |
#!/bin/bash
dnf update -y aws-cfn-bootstrap
dnf install -y amazon-cloudwatch-agent
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region}
# Verify Apache log directory exists and create if needed
mkdir -p /var/log/httpd
# Start CloudWatch agent
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s
# Signal success
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region}
echo "Done"
WebServerLogGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref WebServerLogGroup
FilterPattern: >-
[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
BytesTransferredMetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref WebServerLogGroup
FilterPattern: '[ip, identity, user_id, timestamp, request, status_code, size, ...]'
MetricTransformations:
- MetricValue: $size
MetricNamespace: test/BytesTransferred
MetricName: testBytesTransferred
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
BandwidthAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The average volume of traffic is greater 3500 KB over 10 minutes
MetricName: testBytesTransferred
Namespace: test/BytesTransferred
Statistic: Average
Period: '300'
EvaluationPeriods: '2'
Threshold: '3500'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref WebServerHost
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for the web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt WebServerHost.PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref WebServerLogGroup
```
## 从 Windows 实例将日志发送到 CloudWatch Logs
以下模板为 Windows 2012R2 实例配置 CloudWatch Logs。
Windows 上的 CloudWatch Logs 代理(Windows 2012R2 和 Windows 2016 AMI 上的 SSM 代理)仅在启动之后才会发送日志,因此不会发送启动之前生成的任何日志。针对此问题,该模板帮助确保在任何日志写入之前启动代理,方法为:
+ 将代理安装程序配置为 cfn-init `config` 中的第一个 `configSets` 项。
+ 使用 `waitAfterCompletion` 在启动代理的命令之后插入一个暂停。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.",
"Parameters": {
"KeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable RDP access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"RDPLocation": {
"Description": "The IP address range that can be used to RDP to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"OperatorEmail": {
"Description": "Email address to notify when CloudWatch alarms are triggered (404 errors)",
"Type": "String"
}
},
"Resources": {
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and RDP access via port 3389",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {"Ref": "RDPLocation"}
}
]
}
},
"LogRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
],
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Create*",
"logs:PutLogEvents",
"s3:GetObject"
],
"Resource": [
"arn:aws:logs:*:*:*",
"arn:aws:s3:::*"
]
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{"Ref": "LogRole"}]
}
},
"WebServerHost": {
"Type": "AWS::EC2::Instance",
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT15M"
}
},
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"00-ConfigureCWLogs",
"01-InstallWebServer",
"02-ConfigureApplication",
"03-Finalize"
]
},
"00-ConfigureCWLogs": {
"files": {
"C:\\Program Files\\Amazon\\SSM\\Plugins\\awsCloudWatch\\AWS.EC2.Windows.CloudWatch.json": {
"content": {
"EngineConfiguration": {
"Components": [
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/SystemEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/SecurityEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/CfnInitLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/IISLogs",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
}
},
"commands": {
"0-enableSSM": {
"command": "powershell.exe -Command \"Set-Service -Name AmazonSSMAgent -StartupType Automatic\" ",
"waitAfterCompletion": "0"
},
"1-restartSSM": {
"command": "powershell.exe -Command \"Restart-Service AmazonSSMAgent \"",
"waitAfterCompletion": "30"
}
}
},
"01-InstallWebServer": {
"commands": {
"01_install_webserver": {
"command": "powershell.exe -Command \"Install-WindowsFeature Web-Server -IncludeAllSubFeature\"",
"waitAfterCompletion": "0"
}
}
},
"02-ConfigureApplication": {
"files": {
"c:\\Inetpub\\wwwroot\\index.htm": {
"content": " Test Application Page Congratulations!! Your IIS server is configured.
"
}
}
},
"03-Finalize": {
"commands": {
"00_signal_success": {
"command": {
"Fn::Sub": "cfn-signal.exe -e 0 --resource WebServerHost --stack ${AWS::StackName} --region ${AWS::Region}"
},
"waitAfterCompletion": "0"
}
}
}
}
},
"Properties": {
"KeyName": {
"Ref": "KeyPair"
},
"ImageId": "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}",
"InstanceType": "t2.xlarge",
"SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}],
"IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "LogGroup"},
"FilterPattern": "[timestamps, serverip, method, uri, query, port, dash, clientip, useragent, status_code = 404, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {"Ref": "WebServerHost"}
},
"WebsiteURL": {
"Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"},
"Description": "URL for the web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {"Ref": "LogGroup"}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.
Parameters:
KeyPair:
Description: Name of an existing EC2 KeyPair to enable RDP access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
RDPLocation:
Description: The IP address range that can be used to RDP to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify when CloudWatch alarms are triggered (404 errors)
Type: String
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and RDP access via port 3389
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '3389'
ToPort: '3389'
CidrIp: !Ref RDPLocation
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:Create*'
- 'logs:PutLogEvents'
- 's3:GetObject'
Resource:
- 'arn:aws:logs:*:*:*'
- 'arn:aws:s3:::*'
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref LogRole
WebServerHost:
Type: AWS::EC2::Instance
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Metadata:
'AWS::CloudFormation::Init':
configSets:
config:
- 00-ConfigureCWLogs
- 01-InstallWebServer
- 02-ConfigureApplication
- 03-Finalize
00-ConfigureCWLogs:
files:
'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json':
content: !Sub |
{
"EngineConfiguration": {
"Components": [
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SystemEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SecurityEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/CfnInitLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/IISLogs",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": "${AWS::Region}",
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
commands:
0-enableSSM:
command: >-
powershell.exe -Command "Set-Service -Name AmazonSSMAgent
-StartupType Automatic"
waitAfterCompletion: '0'
1-restartSSM:
command: powershell.exe -Command "Restart-Service AmazonSSMAgent "
waitAfterCompletion: '30'
01-InstallWebServer:
commands:
01_install_webserver:
command: >-
powershell.exe -Command "Install-WindowsFeature Web-Server
-IncludeAllSubFeature"
waitAfterCompletion: '0'
02-ConfigureApplication:
files:
'c:\Inetpub\wwwroot\index.htm':
content: >-
Test Application Page
Congratulations !! Your IIS server is
configured.
03-Finalize:
commands:
00_signal_success:
command: !Sub >-
cfn-signal.exe -e 0 --resource WebServerHost --stack
${AWS::StackName} --region ${AWS::Region}
waitAfterCompletion: '0'
Properties:
KeyName: !Ref KeyPair
ImageId: "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}"
InstanceType: t2.xlarge
SecurityGroupIds:
- !Ref WebServerSecurityGroup
IamInstanceProfile: !Ref LogRoleInstanceProfile
UserData: !Base64
'Fn::Sub': >
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref LogGroup
FilterPattern: >-
[timestamps, serverip, method, uri, query, port, dash, clientip,
useragent, status_code = 404, ...]
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref WebServerHost
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for the web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt
- WebServerHost
- PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref LogGroup
```
## 另请参阅
有关 CloudWatch Logs 资源的更多信息,请参阅 [AWS::Logs::LogGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-loggroup.html) 或 [AWs::Logs::MetricFilter](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-metricfilter.html)。
# Amazon DynamoDB 模板代码段
**Topics**
+ [
## 具有 Amazon DynamoDB 表的 Application Auto Scaling
](#quickref-dynamodb-application-autoscaling)
+ [
## 另请参阅
](#w2aac11c41c39b7)
## 具有 Amazon DynamoDB 表的 Application Auto Scaling
此示例为 `AWS::DynamoDB::Table` 资源设置 Application Auto Scaling。此模板定义扩展表的 `TargetTrackingScaling` 吞吐量的 `WriteCapacityUnits` 扩展策略。
### JSON
```
{
"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"
},
{
"AttributeName": "TicketSales",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": {
"Fn::Join": [
"/",
[
"table",
{
"Ref": "DDBTable"
}
]
]
},
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" },
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
```
### YAML
```
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "ArtistId"
AttributeType: "S"
- AttributeName: "Concert"
AttributeType: "S"
- AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
- AttributeName: "ArtistId"
KeyType: "HASH"
- AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
- IndexName: "GSI"
KeySchema:
- AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
```
## 另请参阅
有关更多信息,请参阅 Amazon 数据库博客文章 [How to use Amazon CloudFormation to configure auto scaling for DynamoDB tables and indexes](https://www.amazonaws.cn/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/)。
有关 DynamoDB 资源的更多信息,请参阅 [AWS::DynamoDB::Table](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html)。
# Amazon EC2 CloudFormation 模板代码段
Amazon EC2 在 Amazon Web Services 云 中提供了可扩展的计算容量。您可以使用 Amazon EC2 启动所需数量的虚拟服务器,配置安全性和联网以及管理存储。这些虚拟服务器(称为实例)可以运行各种操作系统和应用程序,并且可以根据您的具体要求进行自定义。您可以利用 Amazon EC2 进行扩展或缩减,以便应对需求变化或使用高峰。
您可以使用 CloudFormation 模板定义和预置 Amazon EC2 实例作为基础设施的一部分。模板可以让您轻松地以可重复且一致的方式管理和自动部署 Amazon EC2 资源。
以下示例模板代码段描述了 Amazon EC2 的 CloudFormation 资源或组件。这些代码段旨在集成到模板中,不打算独立运行。
**Topics**
+ [配置 EC2 实例](quickref-ec2-instance-config.md)
+ [创建启动模板](quickref-ec2-launch-templates.md)
+ [管理安全组](quickref-ec2-sg.md)
+ [分配弹性 IP](quickref-ec2-elastic-ip.md)
+ [配置 VPC 资源](quickref-ec2-vpc.md)
# 使用 CloudFormation 配置 Amazon EC2 实例
以下代码段演示了如何使用 CloudFormation 配置 Amazon EC2 实例。
**Topics**
+ [
## Amazon EC2 的常规配置
](#quickref-ec2-instance-config-general)
+ [
## 指定实例的块设备映射
](#scenario-ec2-bdm)
## Amazon EC2 的常规配置
以下代码段演示了如何使用 CloudFormation 对 Amazon EC2 实例进行常规配置。
**Topics**
+ [
### 在指定的可用区中创建 Amazon EC2 实例
](#scenario-ec2-instance)
+ [
### 使用 EBS 卷和用户数据配置标记的 Amazon EC2 实例
](#scenario-ec2-instance-with-vol-and-tags)
+ [
### 在用户数据中定义 DynamoDB 表名用于启动 Amazon EC2 实例
](#scenario-ec2-with-sdb-domain)
+ [
### 使用 `DeletionPolicy` 创建 Amazon EBS 卷
](#scenario-ec2-volume)
### 在指定的可用区中创建 Amazon EC2 实例
以下代码段使用 [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源在指定的可用区中创建 Amazon EC2 实例。可用区的代码由其区域代码后跟一个字母标识符组成。您可以在单个可用区中启动实例。
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "AvailabilityZone": "aa-example-1a",
5. "ImageId": "ami-1234567890abcdef0"
6. }
7. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. AvailabilityZone: aa-example-1a
5. ImageId: ami-1234567890abcdef0
```
### 使用 EBS 卷和用户数据配置标记的 Amazon EC2 实例
以下代码段使用标记、EBS 卷和用户数据创建了一个 Amazon EC2 实例。该实例使用 [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源。必须在同一个模板中定义 [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源、[AWS::SNS::Topic](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) 资源和 [AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源。必须在模板的 `Parameters` 部分中定义 `KeyName`。
标签可帮助您按用途、拥有者或环境等首选项对 Amazon 资源进行分类。用户数据允许在启动期间向实例预置自定义脚本或数据。这些数据有助于实现任务自动化、软件配置、软件包安装以及初始化期间对实例执行的其他操作。
有关标记资源的更多信息,请参阅《Amazon EC2 用户指南》**中的[标记 Amazon EC2 资源](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html)。
有关用户数据的信息,请参阅《Amazon EC2 用户指南》中的[使用实例元数据管理 EC2 实例](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)。**
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "KeyName": { "Ref": "KeyName" },
5. "SecurityGroups": [ { "Ref": "Ec2SecurityGroup" } ],
6. "UserData": {
7. "Fn::Base64": {
8. "Fn::Join": [ ":", [
9. "PORT=80",
10. "TOPIC=",
11. { "Ref": "MySNSTopic" }
12. ]
13. ]
14. }
15. },
16. "InstanceType": "aa.size",
17. "AvailabilityZone": "aa-example-1a",
18. "ImageId": "ami-1234567890abcdef0",
19. "Volumes": [
20. {
21. "VolumeId": { "Ref": "MyVolumeResource" },
22. "Device": "/dev/sdk"
23. }
24. ],
25. "Tags": [ { "Key": "Name", "Value": "MyTag" } ]
26. }
27. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. KeyName: !Ref KeyName
5. SecurityGroups:
6. - !Ref Ec2SecurityGroup
7. UserData:
8. Fn::Base64:
9. Fn::Join:
10. - ":"
11. - - "PORT=80"
12. - "TOPIC="
13. - !Ref MySNSTopic
14. InstanceType: aa.size
15. AvailabilityZone: aa-example-1a
16. ImageId: ami-1234567890abcdef0
17. Volumes:
18. - VolumeId: !Ref MyVolumeResource
19. Device: "/dev/sdk"
20. Tags:
21. - Key: Name
22. Value: MyTag
```
### 在用户数据中定义 DynamoDB 表名用于启动 Amazon EC2 实例
以下代码段创建了一个 Amazon EC2 实例,并在用户数据中定义了一个 DynamoDB 表名,以便在启动时传递给实例。该实例使用 [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源。您可以在用户数据中定义参数或动态值,以便在启动时传递 EC2 实例。
有关用户数据的更多信息,请参阅《Amazon EC2 用户指南》中的[使用实例元数据管理 EC2 实例](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)。**
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "UserData": {
5. "Fn::Base64": {
6. "Fn::Join": [
7. "",
8. [
9. "TableName=",
10. {
11. "Ref": "DynamoDBTableName"
12. }
13. ]
14. ]
15. }
16. },
17. "AvailabilityZone": "aa-example-1a",
18. "ImageId": "ami-1234567890abcdef0"
19. }
20. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. UserData:
5. Fn::Base64:
6. Fn::Join:
7. - ''
8. - - 'TableName='
9. - Ref: DynamoDBTableName
10. AvailabilityZone: aa-example-1a
11. ImageId: ami-1234567890abcdef0
```
### 使用 `DeletionPolicy` 创建 Amazon EBS 卷
以下代码段使用 Amazon EC2 [AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源创建 Amazon EBS 卷。您可以使用 `Size` 或 `SnapshotID` 属性来定义卷,但不能同时使用两者。`DeletionPolicy` 属性设置为在删除堆栈时创建卷的快照。
有关 `DeletionPolicy` 属性的更多信息,请参阅 [DeletionPolicy 属性](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html)。
有关创建 Amazon EBS 卷的更多信息,请参阅[创建 Amazon EBS 卷](https://docs.amazonaws.cn/ebs/latest/userguide/ebs-creating-volume.html)。
#### JSON
此代码段会创建具有指定**大小**的 Amazon EBS 卷。大小虽设置为 10,但可按需加以调整。[AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源允许指定大小或快照 ID,但不允许同时指定这两者。
```
1. "MyEBSVolume": {
2. "Type": "AWS::EC2::Volume",
3. "Properties": {
4. "Size": "10",
5. "AvailabilityZone": {
6. "Ref": "AvailabilityZone"
7. }
8. },
9. "DeletionPolicy": "Snapshot"
10. }
```
此代码段使用提供的**快照 ID** 创建一个 Amazon EBS 卷。[AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源允许指定大小或快照 ID,但不允许同时指定这两者。
```
1. "MyEBSVolume": {
2. "Type": "AWS::EC2::Volume",
3. "Properties": {
4. "SnapshotId" : "snap-1234567890abcdef0",
5. "AvailabilityZone": {
6. "Ref": "AvailabilityZone"
7. }
8. },
9. "DeletionPolicy": "Snapshot"
10. }
```
#### YAML
此代码段会创建具有指定**大小**的 Amazon EBS 卷。大小虽设置为 10,但可按需加以调整。[AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源允许指定大小或快照 ID,但不允许同时指定这两者。
```
1. MyEBSVolume:
2. Type: AWS::EC2::Volume
3. Properties:
4. Size: 10
5. AvailabilityZone:
6. Ref: AvailabilityZone
7. DeletionPolicy: Snapshot
```
此代码段使用提供的**快照 ID** 创建一个 Amazon EBS 卷。[AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源允许指定大小或快照 ID,但不允许同时指定这两者。
```
1. MyEBSVolume:
2. Type: AWS::EC2::Volume
3. Properties:
4. SnapshotId: snap-1234567890abcdef0
5. AvailabilityZone:
6. Ref: AvailabilityZone
7. DeletionPolicy: Snapshot
```
## 指定实例的块设备映射
块设备映射定义了挂载到某个实例的块设备(包含实例存储卷和 EBS 卷)。您可以在创建 AMI 时指定块设备映射,以便让从该 AMI 启动的所有实例都可使用该映射。另外,您可以在启动实例时指定块设备映射,这样该映射会覆盖您从启动实例的 AMI 中指定的块设备映射。
您可以使用以下模板代码段中 [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源的 `BlockDeviceMappings` 属性,为 EBS 或实例存储卷指定块设备映射。
有关块设备映射的更多信息,请参阅《Amazon EC2 用户指南》**中的 [Amazon EC2 实例上卷的块设备映射](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html)。
**Topics**
+ [
### 为两个 EBS 卷指定块设备映射
](#w2aac11c41c43c13b9c11)
+ [
### 为实例存储卷指定块设备映射
](#w2aac11c41c43c13b9c13)
### 为两个 EBS 卷指定块设备映射
#### JSON
```
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"KeyName": { "Ref": "KeyName" },
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroups": [{ "Ref": "Ec2SecurityGroup" }],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": { "VolumeSize": "50" }
},
{
"DeviceName": "/dev/sdm",
"Ebs": { "VolumeSize": "100" }
}
]
}
}
}
```
#### YAML
```
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
-
DeviceName: /dev/sda1
Ebs:
VolumeSize: 50
-
DeviceName: /dev/sdm
Ebs:
VolumeSize: 100
```
### 为实例存储卷指定块设备映射
#### JSON
```
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"KeyName" : { "Ref" : "KeyName" },
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdc",
"VirtualName" : "ephemeral0"
}
]
}
}
```
#### YAML
```
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
- DeviceName: /dev/sdc
VirtualName: ephemeral0
```
# 使用 CloudFormation 创建启动模板
本节提供了使用 CloudFormation 创建 Amazon EC2 启动模板的示例。启动模板允许您创建用于在 Amazon 中配置和预置 Amazon EC2 实例的模板。通过启动模板,您可以存储启动参数,而无需在每次启动实例时都指定这些参数。有关更多示例,请参阅 `AWS::EC2::LaunchTemplate` 资源中的[示例](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples)部分。
有关启动模板的更多信息,请参阅《Amazon EC2 用户指南》**中的[在 Amazon EC2 启动模板中存储实例启动参数](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-launch-templates.html)。
有关创建启动模板用于自动扩缩组的信息,请参阅《Amazon EC2 Auto Scaling User Guide》**中的 [Auto Scaling launch templates](https://docs.amazonaws.cn/autoscaling/ec2/userguide/launch-templates.html)。
**Topics**
+ [
## 创建指定安全组、标签、用户数据和 IAM 角色的启动模板
](#scenario-as-launch-template)
## 创建指定安全组、标签、用户数据和 IAM 角色的启动模板
此代码段显示 [AWS::EC2::LaunchTemplate](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) 资源,其中包含启动实例的配置信息。您可以为 `ImageId`、`InstanceType`、`SecurityGroups`、`UserData` 和 `TagSpecifications` 属性指定值。`SecurityGroups` 属性会指定一个现有 EC2 安全组和一个新安全组。`Ref` 函数会获取在堆栈模板中其他位置声明的 [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源 `myNewEC2SecurityGroup` 的 ID。
启动模板包括自定义用户数据的部分。在本节中,您可以传入实例启动时运行的配置任务和脚本。在此示例中,用户数据安装 Amazon Systems Manager 代理并启动该代理。
启动模板还包含一个 IAM 角色,该角色允许在实例上运行的应用程序代表您执行操作。此示例显示启动模板的 [AWS::IAM::Role](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html) 资源,其使用 `IamInstanceProfile` 属性来指定 IAM 角色。`Ref` 函数会获取 [AWS::IAM::InstanceProfile](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-instanceprofile.html) 资源 `myInstanceProfile` 的名称。要配置 IAM 角色的权限,请指定 `ManagedPolicyArns` 属性的值。
### JSON
```
1. {
2. "Resources":{
3. "myLaunchTemplate":{
4. "Type":"AWS::EC2::LaunchTemplate",
5. "Properties":{
6. "LaunchTemplateName":{ "Fn::Sub": "${AWS::StackName}-launch-template" },
7. "LaunchTemplateData":{
8. "ImageId":"ami-02354e95b3example",
9. "InstanceType":"t3.micro",
10. "IamInstanceProfile":{
11. "Name":{
12. "Ref":"myInstanceProfile"
13. }
14. },
15. "SecurityGroupIds":[
16. {
17. "Ref":"myNewEC2SecurityGroup"
18. },
19. "sg-083cd3bfb8example"
20. ],
21. "UserData":{
22. "Fn::Base64":{
23. "Fn::Join": [
24. "", [
25. "#!/bin/bash\n",
26. "cd /tmp\n",
27. "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
28. "systemctl enable amazon-ssm-agent\n",
29. "systemctl start amazon-ssm-agent\n"
30. ]
31. ]
32. }
33. },
34. "TagSpecifications":[
35. {
36. "ResourceType":"instance",
37. "Tags":[
38. {
39. "Key":"environment",
40. "Value":"development"
41. }
42. ]
43. },
44. {
45. "ResourceType":"volume",
46. "Tags":[
47. {
48. "Key":"environment",
49. "Value":"development"
50. }
51. ]
52. }
53. ]
54. }
55. }
56. },
57. "myInstanceRole":{
58. "Type":"AWS::IAM::Role",
59. "Properties":{
60. "RoleName":"InstanceRole",
61. "AssumeRolePolicyDocument":{
62. "Version": "2012-10-17",
63. "Statement":[
64. {
65. "Effect":"Allow",
66. "Principal":{
67. "Service":[
68. "ec2.amazonaws.com"
69. ]
70. },
71. "Action":[
72. "sts:AssumeRole"
73. ]
74. }
75. ]
76. },
77. "ManagedPolicyArns":[
78. "arn:aws:iam::aws:policy/myCustomerManagedPolicy"
79. ]
80. }
81. },
82. "myInstanceProfile":{
83. "Type":"AWS::IAM::InstanceProfile",
84. "Properties":{
85. "Path":"/",
86. "Roles":[
87. {
88. "Ref":"myInstanceRole"
89. }
90. ]
91. }
92. }
93. }
94. }
```
### YAML
```
1. ---
2. Resources:
3. myLaunchTemplate:
4. Type: AWS::EC2::LaunchTemplate
5. Properties:
6. LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
7. LaunchTemplateData:
8. ImageId: ami-02354e95b3example
9. InstanceType: t3.micro
10. IamInstanceProfile:
11. Name: !Ref myInstanceProfile
12. SecurityGroupIds:
13. - !Ref myNewEC2SecurityGroup
14. - sg-083cd3bfb8example
15. UserData:
16. Fn::Base64: !Sub |
17. #!/bin/bash
18. cd /tmp
19. yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
20. systemctl enable amazon-ssm-agent
21. systemctl start amazon-ssm-agent
22. TagSpecifications:
23. - ResourceType: instance
24. Tags:
25. - Key: environment
26. Value: development
27. - ResourceType: volume
28. Tags:
29. - Key: environment
30. Value: development
31. myInstanceRole:
32. Type: AWS::IAM::Role
33. Properties:
34. RoleName: InstanceRole
35. AssumeRolePolicyDocument:
36. Version: '2012-10-17'
37. Statement:
38. - Effect: 'Allow'
39. Principal:
40. Service:
41. - 'ec2.amazonaws.com'
42. Action:
43. - 'sts:AssumeRole'
44. ManagedPolicyArns:
45. - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy'
46. myInstanceProfile:
47. Type: AWS::IAM::InstanceProfile
48. Properties:
49. Path: '/'
50. Roles:
51. - !Ref myInstanceRole
```
# 使用 CloudFormation 管理安全组
以下代码段演示了如何使用 CloudFormation 管理安全组和 Amazon EC2 实例,从而控制对 Amazon 资源的访问权限。
**Topics**
+ [
## 将 Amazon EC2 实例与安全组关联
](#quickref-ec2-instances-associate-security-group)
+ [
## 使用入口规则创建安全组
](#quickref-ec2-instances-ingress)
+ [
## 使用安全组入口规则创建弹性负载均衡器
](#scenario-ec2-security-group-elbingress)
## 将 Amazon EC2 实例与安全组关联
以下示例代码段演示了如何使用 CloudFormation 将 Amazon EC2 实例与默认的 Amazon VPC 安全组关联起来。
**Topics**
+ [
### 将 Amazon EC2 实例与默认 VPC 安全组关联
](#using-cfn-getatt-default-values)
+ [
### 创建带有附加卷和安全组的 Amazon EC2 实例
](#scenario-ec2-volumeattachment)
### 将 Amazon EC2 实例与默认 VPC 安全组关联
以下代码段创建了一个 Amazon VPC、一个 VPC 内的子网和一个 Amazon EC2 实例。VPC 是使用 [AWS::EC2::VPC](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) 资源创建的。VPC 的 IP 地址范围在较大的模板中定义并由 `MyVPCCIDRRange` 参数引用。
子网是使用 [AWS::EC2:: Subnet](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) 资源在 VPC 中创建的。子网与 VPC 关联,后者被引用为 `MyVPC`。
使用 [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源在 VPC 和子网内启动 EC2 实例。此资源指定用于启动实例的亚马逊机器映像(AMI)、实例将在其中运行的子网以及要与该实例关联的安全组。`ImageId` 使用 Systems Manager 参数动态检索最新的 Amazon Linux 2 AMI。
安全组 ID 是使用 `Fn::GetAtt` 函数获取的,该函数从 `MyVPC` 资源中检索默认安全组。
该实例位于代码段中定义的 `MySubnet` 资源中。
使用 CloudFormation 创建 VPC 时,Amazon 会在 VPC 中自动创建默认资源,包括默认安全组。但是,当您在 CloudFormation 模板中定义 VPC 时,可能无法在创建模板时访问这些默认资源的 ID。要访问和使用模板中指定的默认资源,您可以使用内置函数,例如 `Fn::GetAtt`。此函数允许您使用由 CloudFormation 自动创建的默认资源。
#### JSON
```
"MyVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "MyVPCCIDRRange"
},
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"MySubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Ref": "MyVPCCIDRRange"
},
"VpcId": {
"Ref": "MyVPC"
}
}
},
"MyInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"MyVPC",
"DefaultSecurityGroup"
]
}
],
"SubnetId": {
"Ref": "MySubnet"
}
}
}
```
#### YAML
```
MyVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock:
Ref: MyVPCCIDRRange
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
MySubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock:
Ref: MyVPCCIDRRange
VpcId:
Ref: MyVPC
MyInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds:
- Fn::GetAtt:
- MyVPC
- DefaultSecurityGroup
SubnetId:
Ref: MySubnet
```
### 创建带有附加卷和安全组的 Amazon EC2 实例
以下代码段使用从指定 AMI 启动的 [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源创建 Amazon EC2 实例。该实例与一个安全组关联,该安全组使用 [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源允许来自指定 IP 地址端口 22 上的传入 SSH 流量。它使用 [AWS::EC2::Volume](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) 资源创建一个 100GB 的 Amazon EBS 卷。根据 `GetAtt` 函数的指定,这个卷在与实例相同的可用区中创建,并安装到 `/dev/sdh` 设备上的实例。
有关创建 Amazon EBS 卷的更多信息,请参阅[创建 Amazon EBS 卷](https://docs.amazonaws.cn/ebs/latest/userguide/ebs-creating-volume.html)。
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "SecurityGroups": [
5. {
6. "Ref": "InstanceSecurityGroup"
7. }
8. ],
9. "ImageId": "ami-1234567890abcdef0"
10. }
11. },
12. "InstanceSecurityGroup": {
13. "Type": "AWS::EC2::SecurityGroup",
14. "Properties": {
15. "GroupDescription": "Enable SSH access via port 22",
16. "SecurityGroupIngress": [
17. {
18. "IpProtocol": "tcp",
19. "FromPort": "22",
20. "ToPort": "22",
21. "CidrIp": "192.0.2.0/24"
22. }
23. ]
24. }
25. },
26. "NewVolume": {
27. "Type": "AWS::EC2::Volume",
28. "Properties": {
29. "Size": "100",
30. "AvailabilityZone": {
31. "Fn::GetAtt": [
32. "Ec2Instance",
33. "AvailabilityZone"
34. ]
35. }
36. }
37. },
38. "MountPoint": {
39. "Type": "AWS::EC2::VolumeAttachment",
40. "Properties": {
41. "InstanceId": {
42. "Ref": "Ec2Instance"
43. },
44. "VolumeId": {
45. "Ref": "NewVolume"
46. },
47. "Device": "/dev/sdh"
48. }
49. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. SecurityGroups:
5. - !Ref InstanceSecurityGroup
6. ImageId: ami-1234567890abcdef0
7. InstanceSecurityGroup:
8. Type: AWS::EC2::SecurityGroup
9. Properties:
10. GroupDescription: Enable SSH access via port 22
11. SecurityGroupIngress:
12. - IpProtocol: tcp
13. FromPort: 22
14. ToPort: 22
15. CidrIp: 192.0.2.0/24
16. NewVolume:
17. Type: AWS::EC2::Volume
18. Properties:
19. Size: 100
20. AvailabilityZone: !GetAtt [Ec2Instance, AvailabilityZone]
21. MountPoint:
22. Type: AWS::EC2::VolumeAttachment
23. Properties:
24. InstanceId: !Ref Ec2Instance
25. VolumeId: !Ref NewVolume
26. Device: /dev/sdh
```
## 使用入口规则创建安全组
以下示例代码段演示了如何使用 CloudFormation 配置具有特定入口规则的安全组。
**Topics**
+ [
### 使用入口规则创建安全组以允许 SSH 和 HTTP 访问
](#scenario-ec2-security-group-rule)
+ [
### 使用入口规则创建安全组以允许来自指定 CIDR 范围的 HTTP 和 SSH 访问
](#scenario-ec2-security-group-two-ports)
+ [
### 使用入口规则创建交叉引用安全组
](#scenario-ec2-security-group-ingress)
### 使用入口规则创建安全组以允许 SSH 和 HTTP 访问
以下代码段描述了两个使用 [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源的安全组入口规则。第一个入口规则允许从名为 `MyAdminSecurityGroup` 的现有安全组访问 SSH(端口 22),该安全组由账号为 `1111-2222-3333` 的 Amazon 账户所有。第二个入口规则允许从名为 `MySecurityGroupCreatedInCFN` 的另一个安全组访问 HTTP(端口 80),该安全组是在同一个模板中创建的。`Ref` 函数用于引用在同一模板中创建的安全组的逻辑名称。
在第一个入口规则中,必须为 `SourceSecurityGroupName` 和 `SourceSecurityGroupOwnerId` 属性添加一个值。在第二个入口规则中,`MySecurityGroupCreatedInCFNTemplate` 引用了在同一个模板中创建的另一个安全组。验证逻辑名称 `MySecurityGroupCreatedInCFNTemplate` 是否与您在较大模板中指定的安全组资源的实际逻辑名称相匹配。
有关安全组的更多信息,请参阅《Amazon EC2 用户指南》**中的 [Amazon EC2 实例的 Amazon EC2 安全组](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-security-groups.html)。
#### JSON
```
1. "SecurityGroup": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "Allow connections from specified source security group",
5. "SecurityGroupIngress": [
6. {
7. "IpProtocol": "tcp",
8. "FromPort": "22",
9. "ToPort": "22",
10. "SourceSecurityGroupName": "MyAdminSecurityGroup",
11. "SourceSecurityGroupOwnerId": "1111-2222-3333"
12. },
13. {
14. "IpProtocol": "tcp",
15. "FromPort": "80",
16. "ToPort": "80",
17. "SourceSecurityGroupName": {
18. "Ref": "MySecurityGroupCreatedInCFNTemplate"
19. }
20. }
21. ]
22. }
23. }
```
#### YAML
```
1. SecurityGroup:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: Allow connections from specified source security group
5. SecurityGroupIngress:
6. - IpProtocol: tcp
7. FromPort: '22'
8. ToPort: '22'
9. SourceSecurityGroupName: MyAdminSecurityGroup
10. SourceSecurityGroupOwnerId: '1111-2222-3333'
11. - IpProtocol: tcp
12. FromPort: '80'
13. ToPort: '80'
14. SourceSecurityGroupName:
15. Ref: MySecurityGroupCreatedInCFNTemplate
```
### 使用入口规则创建安全组以允许来自指定 CIDR 范围的 HTTP 和 SSH 访问
以下代码段为具有两个入站规则的 Amazon EC2 实例创建了一个安全组。入站规则允许来自指定 CIDR 范围指定端口上的传入 TCP 流量。[AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源用于指定规则。您必须为每个规则指定一个协议。对于 TCP,您必须指定端口或端口范围。如果未指定源安全组或 CIDR 范围,堆栈虽会成功启动,但规则不会应用于安全组。
有关安全组的更多信息,请参阅《Amazon EC2 用户指南》**中的 [Amazon EC2 实例的 Amazon EC2 安全组](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-security-groups.html)。
#### JSON
```
1. "ServerSecurityGroup": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "Allow connections from specified CIDR ranges",
5. "SecurityGroupIngress": [
6. {
7. "IpProtocol": "tcp",
8. "FromPort": "80",
9. "ToPort": "80",
10. "CidrIp": "192.0.2.0/24"
11. },
12. {
13. "IpProtocol": "tcp",
14. "FromPort": "22",
15. "ToPort": "22",
16. "CidrIp": "192.0.2.0/24"
17. }
18. ]
19. }
20. }
```
#### YAML
```
1. ServerSecurityGroup:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: Allow connections from specified CIDR ranges
5. SecurityGroupIngress:
6. - IpProtocol: tcp
7. FromPort: 80
8. ToPort: 80
9. CidrIp: 192.0.2.0/24
10. - IpProtocol: tcp
11. FromPort: 22
12. ToPort: 22
13. CidrIp: 192.0.2.0/24
```
### 使用入口规则创建交叉引用安全组
以下代码段使用 [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源创建两个 Amazon EC2 安全组:`SGroup1` 和 `SGroup2`。允许在两个安全组之间通信的入口规则是使用 [AWS::EC2::SecurityGroupIngress](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroupingress.html) 资源创建的。`SGroup1Ingress` 为 `SGroup1` 建立了一个入口规则,允许来自源安全组 `SGroup2` 端口 80 上的传入 TCP 流量。`SGroup2Ingress` 为 `SGroup2` 建立了一个入口规则,允许来自源安全组 `SGroup1` 端口 80 上的传入 TCP 流量。
#### JSON
```
1. "SGroup1": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "EC2 instance access"
5. }
6. },
7. "SGroup2": {
8. "Type": "AWS::EC2::SecurityGroup",
9. "Properties": {
10. "GroupDescription": "EC2 instance access"
11. }
12. },
13. "SGroup1Ingress": {
14. "Type": "AWS::EC2::SecurityGroupIngress",
15. "Properties": {
16. "GroupName": {
17. "Ref": "SGroup1"
18. },
19. "IpProtocol": "tcp",
20. "ToPort": "80",
21. "FromPort": "80",
22. "SourceSecurityGroupName": {
23. "Ref": "SGroup2"
24. }
25. }
26. },
27. "SGroup2Ingress": {
28. "Type": "AWS::EC2::SecurityGroupIngress",
29. "Properties": {
30. "GroupName": {
31. "Ref": "SGroup2"
32. },
33. "IpProtocol": "tcp",
34. "ToPort": "80",
35. "FromPort": "80",
36. "SourceSecurityGroupName": {
37. "Ref": "SGroup1"
38. }
39. }
40. }
```
#### YAML
```
1. SGroup1:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: EC2 Instance access
5. SGroup2:
6. Type: AWS::EC2::SecurityGroup
7. Properties:
8. GroupDescription: EC2 Instance access
9. SGroup1Ingress:
10. Type: AWS::EC2::SecurityGroupIngress
11. Properties:
12. GroupName: !Ref SGroup1
13. IpProtocol: tcp
14. ToPort: 80
15. FromPort: 80
16. SourceSecurityGroupName: !Ref SGroup2
17. SGroup2Ingress:
18. Type: AWS::EC2::SecurityGroupIngress
19. Properties:
20. GroupName: !Ref SGroup2
21. IpProtocol: tcp
22. ToPort: 80
23. FromPort: 80
24. SourceSecurityGroupName: !Ref SGroup1
```
## 使用安全组入口规则创建弹性负载均衡器
以下模板在指定的可用区中创建了 [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html) 资源。[AWS::ElasticLoadBalancing::LoadBalancer](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html) 资源配置为在端口 80 上侦听 HTTP 流量,并将请求定向到端口 80 上的实例。弹性负载均衡器负责对实例间传入的 HTTP 流量进行负载均衡。
此外,此模板将生成一个与负载均衡器关联的 [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) 资源。此安全组是使用单个入口规则(描述为 `ELB ingress group`)创建的,该规则允许端口 80 上的传入 TCP 流量。此入口规则的来源是使用从负载均衡器资源检索属性的 `Fn::GetAtt` 函数定义的。`SourceSecurityGroupOwnerId` 使用 `Fn::GetAtt` 来获取负载均衡器源安全组的 `OwnerAlias`。`SourceSecurityGroupName` 使用 `Fn::Getatt` 来获取 ELB 源安全组的 `GroupName`。
此设置可确保 ELB 和实例之间的安全通信。
有关负载均衡的更多信息,请参阅 [Elastic Load Balancing 用户指南](https://docs.amazonaws.cn/elasticloadbalancing/latest/userguide/)。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyELB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"aa-example-1a"
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}
]
}
},
"MyELBIngressGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "ELB ingress group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"SourceSecurityGroupOwnerId": {
"Fn::GetAtt": [
"MyELB",
"SourceSecurityGroup.OwnerAlias"
]
},
"SourceSecurityGroupName": {
"Fn::GetAtt": [
"MyELB",
"SourceSecurityGroup.GroupName"
]
}
}
]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- aa-example-1a
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
MyELBIngressGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB ingress group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupOwnerId:
Fn::GetAtt:
- MyELB
- SourceSecurityGroup.OwnerAlias
SourceSecurityGroupName:
Fn::GetAtt:
- MyELB
- SourceSecurityGroup.GroupName
```
# 分配弹性 IP 地址并将其与 CloudFormation 关联
以下模板代码段展示了与 Amazon EC2 中的弹性 IP 地址(EIP)相关的示例。这些示例涵盖您实例的 EIP 分配、关联和管理。
**Topics**
+ [
## 分配弹性 IP 地址并将其与 Amazon EC2 实例关联
](#scenario-ec2-eip)
+ [
## 通过指定 IP 地址将弹性 IP 地址与 Amazon EC2 实例关联
](#scenario-ec2-eip-association)
+ [
## 通过指定 IP 地址的分配 ID 将弹性 IP 地址与 Amazon EC2 实例关联
](#scenario-ec2-eip-association-vpc)
## 分配弹性 IP 地址并将其与 Amazon EC2 实例关联
以下代码段分配一个 Amazon EC2 弹性 IP(EIP)地址并将其与使用 [AWS::EC2::EIP](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) 资源的 Amazon EC2 实例关联。使用[自带 IP 地址(BYOIP)](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-byoip.html),您可以从 Amazon 拥有的地址池或从公共 IPv4 地址范围(您引入到 Amazon 中以与 Amazon 资源一起使用的地址范围)创建的地址池中分配 EIP 地址。在本示例中,EIP 是从 Amazon 拥有的地址池中分配的。
有关弹性 IP 地址的更多信息,请参阅《Amazon EC2 用户指南》**中的[弹性 IP 地址](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html)。
### JSON
```
1. "ElasticIP": {
2. "Type": "AWS::EC2::EIP",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. }
7. }
8. }
```
### YAML
```
1. ElasticIP:
2. Type: AWS::EC2::EIP
3. Properties:
4. InstanceId: !Ref EC2Instance
```
## 通过指定 IP 地址将弹性 IP 地址与 Amazon EC2 实例关联
以下代码段使用 [AWS::EC2::EIPAssociation](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) 资源将现有的 Amazon EC2 弹性 IP 地址与 EC2 实例关联。您必须先分配一个弹性 IP 地址,才能在自己的账户中使用。弹性 IP 地址可以与单个实例关联。
### JSON
```
1. "IPAssoc": {
2. "Type": "AWS::EC2::EIPAssociation",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. },
7. "EIP": "192.0.2.0"
8. }
9. }
```
### YAML
```
1. IPAssoc:
2. Type: AWS::EC2::EIPAssociation
3. Properties:
4. InstanceId: !Ref EC2Instance
5. EIP: 192.0.2.0
```
## 通过指定 IP 地址的分配 ID 将弹性 IP 地址与 Amazon EC2 实例关联
以下代码段使用 [AWS::EC2::EIPAssociation](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) 资源指定分配 ID,将现有的弹性 IP 地址与 Amazon EC2 实例关联。分配弹性 IP 地址时,即会为弹性 IP 地址分配一个分配 ID。
### JSON
```
1. "IPAssoc": {
2. "Type": "AWS::EC2::EIPAssociation",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. },
7. "AllocationId": "eipalloc-1234567890abcdef0"
8. }
9. }
```
### YAML
```
1. IPAssoc:
2. Type: AWS::EC2::EIPAssociation
3. Properties:
4. InstanceId: !Ref EC2Instance
5. AllocationId: eipalloc-1234567890abcdef0
```
# 使用 CloudFormation 配置 Amazon VPC 资源
本节提供使用 CloudFormation 配置 Amazon VPC 资源的示例。VPC 允许您在 Amazon 中创建一个虚拟网络,这些代码段展示了如何配置 VPC 各个方面来满足自己的网络要求。
**Topics**
+ [
## 在 VPC 中启用 IPv6 仅出口互联网访问
](#quickref-ec2-route-egressonlyinternetgateway)
+ [
## 弹性网络接口 (ENI) 模板代码段
](#cfn-template-snippets-eni)
## 在 VPC 中启用 IPv6 仅出口互联网访问
仅出口互联网网关允许 VPC 中的实例访问互联网并阻止互联网上的资源与实例通信。以下代码段支持在 VPC 中启用 IPv6 仅出口互联网访问。它使用 [AWS::EC2::VPC](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) 资源创建 IPv4 地址范围为 `10.0.0/16` 的 VPC。将路由表与使用 [AWS::EC2::RouteTable](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-routetable.html) 资源的 VPC 资源关联起来。路由表会管理 VPC 内实例的路由。[AWS::EC2::EgressOnlyInternetGateway](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-egressonlyinternetgateway.html) 用于创建仅出口互联网网关,为来自 VPC 中实例的出站流量启用 IPv6 通信,同时阻止入站流量。[AWS::EC2::Route](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-route.html) 资源用于在路由表中创建 IPv6 路由,该路由会将所有出站 IPv6 流量 (`::/0`) 定向到仅出口互联网网关。
有关仅出口互联网网关的更多信息,请参阅《Amazon VPC 用户指南》**中的[使用仅出口互联网网关允许出站 IPv6 流量](https://docs.amazonaws.cn/vpc/latest/userguide/egress-only-internet-gateway.html)。
### JSON
```
"DefaultIpv6Route": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationIpv6CidrBlock": "::/0",
"EgressOnlyInternetGatewayId": {
"Ref": "EgressOnlyInternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
}
},
"EgressOnlyInternetGateway": {
"Type": "AWS::EC2::EgressOnlyInternetGateway",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
}
```
### YAML
```
DefaultIpv6Route:
Type: AWS::EC2::Route
Properties:
DestinationIpv6CidrBlock: "::/0"
EgressOnlyInternetGatewayId:
Ref: "EgressOnlyInternetGateway"
RouteTableId:
Ref: "RouteTable"
EgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId:
Ref: "VPC"
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: "VPC"
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: "10.0.0.0/16"
```
## 弹性网络接口 (ENI) 模板代码段
### 创建带有附加弹性网络接口(ENI)的 Amazon EC2 实例
以下示例代码段使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源在指定的 Amazon VPC 和子网中创建 Amazon EC2 实例。它将两个网络接口(ENI)连接到实例,通过附加的 ENI 将弹性 IP 地址关联到实例,并针对 SSH 和 HTTP 访问配置安全组。创建实例时,用户数据作为启动配置的一部分提供给实例。用户数据包括以 `base64` 格式编码的脚本,可确保将其传递到实例。当实例启动时,脚本会作为引导过程的一部分自动运行。它会安装 `ec2-net-utils`、配置网络接口并启动 HTTP 服务。
为了根据所选区域确定合适的亚马逊机器映像(AMI),该代码段使用了一个可在 `RegionMap` 映射中查找值的 `Fn::FindInMap` 函数。此映射必须在较大的模板中定义。这两个网络接口是使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html) 资源创建的。使用分配给 `vpc` 域的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) 资源指定弹性 IP 地址。这些弹性 IP 地址与使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) 资源的网络接口关联。
`Outputs` 部分定义了您想在堆栈创建后访问的值或资源。在此代码段中,定义的输出是 `InstancePublicIp`,表示堆栈创建的 EC2 实例的公有 IP 地址。您可以使用 Amazon CloudFormation 控制台的**输出**选项卡或使用 [describe-stacks](https://docs.amazonaws.cn/cli/latest/reference/cloudformation/describe-stacks.html) 命令来检索此输出。
有关弹性网络接口的更多信息,请参阅[弹性网络接口](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-eni.html)。
#### JSON
```
"Resources": {
"ControlPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateControlPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"ControlPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "controlXface"
}
}
},
"WebPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateWebPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"WebPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "webXface"
}
}
},
"SSHSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"IpProtocol": "tcp",
"ToPort": 22
}
]
}
},
"WebSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable HTTP access via user-defined port",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 80,
"IpProtocol": "tcp",
"ToPort": 80
}
]
}
},
"controlXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for controlling traffic such as SSH",
"GroupSet": [
{
"Fn::GetAtt": [
"SSHSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Control"
}
]
}
},
"webXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for web traffic",
"GroupSet": [
{
"Fn::GetAtt": [
"WebSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Web"
}
]
}
},
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"KeyName": {
"Ref": "KeyName"
},
"NetworkInterfaces": [
{
"NetworkInterfaceId": {
"Ref": "controlXface"
},
"DeviceIndex": "0"
},
{
"NetworkInterfaceId": {
"Ref": "webXface"
},
"DeviceIndex": "1"
}
],
"Tags": [
{
"Key": "Role",
"Value": "Test Instance"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n"
}
}
}
}
},
"Outputs": {
"InstancePublicIp": {
"Description": "Public IP Address of the EC2 Instance",
"Value": {
"Fn::GetAtt": [
"Ec2Instance",
"PublicIp"
]
}
}
}
```
#### YAML
```
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- ControlPortAddress
- AllocationId
NetworkInterfaceId:
Ref: controlXface
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- WebPortAddress
- AllocationId
NetworkInterfaceId:
Ref: webXface
SSHSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable HTTP access via user-defined port
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- Fn::GetAtt:
- SSHSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Control
webXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for web traffic
GroupSet:
- Fn::GetAtt:
- WebSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Web
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
NetworkInterfaces:
- NetworkInterfaceId:
Ref: controlXface
DeviceIndex: "0"
- NetworkInterfaceId:
Ref: webXface
DeviceIndex: "1"
Tags:
- Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start
Outputs:
InstancePublicIp:
Description: Public IP Address of the EC2 Instance
Value:
Fn::GetAtt:
- Ec2Instance
- PublicIp
```
# Amazon Elastic Container Service 示例模板
Amazon Elastic Container Service (Amazon ECS) 是一项容器管理服务,可让您轻松地在 Amazon Elastic Compute Cloud (Amazon EC2) 实例集群上运行、停止和管理 Docker 容器。
## 使用 AL2023 Amazon ECS-Optimized-AMI 创建集群
定义一个集群,该集群使用在 Amazon EC2 上启动 AL2023 实例的容量提供程序。
**重要**
有关最新的 AMI ID,请参阅《Amazon Elastic Container Service 开发人员指南》中的 [Amazon ECS 优化的 AMI](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/ecs-optimized_AMI.html)。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks.",
"Parameters": {
"InstanceType": {
"Type": "String",
"Description": "EC2 instance type",
"Default": "t2.medium",
"AllowedValues": [
"t1.micro",
"t2.2xlarge",
"t2.large",
"t2.medium",
"t2.micro",
"t2.nano",
"t2.small",
"t2.xlarge",
"t3.2xlarge",
"t3.large",
"t3.medium",
"t3.micro",
"t3.nano",
"t3.small",
"t3.xlarge"
]
},
"DesiredCapacity": {
"Type": "Number",
"Default": "0",
"Description": "Number of EC2 instances to launch in your ECS cluster."
},
"MaxSize": {
"Type": "Number",
"Default": "100",
"Description": "Maximum number of EC2 instances that can be launched in your ECS cluster."
},
"ECSAMI": {
"Description": "The Amazon Machine Image ID used for the cluster",
"Type": "AWS::SSM::Parameter::Value",
"Default": "/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id"
},
"VpcId": {
"Type": "AWS::EC2::VPC::Id",
"Description": "VPC ID where the ECS cluster is launched",
"Default": "vpc-1234567890abcdef0"
},
"SubnetIds": {
"Type": "List",
"Description": "List of subnet IDs where the EC2 instances will be launched",
"Default": "subnet-021345abcdef67890"
}
},
"Resources": {
"ECSCluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterSettings": [
{
"Name": "containerInsights",
"Value": "enabled"
}
]
}
},
"ECSAutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": [
"ECSCluster",
"EC2Role"
],
"Properties": {
"VPCZoneIdentifier": {
"Ref": "SubnetIds"
},
"LaunchTemplate": {
"LaunchTemplateId": {
"Ref": "ContainerInstances"
},
"Version": {
"Fn::GetAtt": [
"ContainerInstances",
"LatestVersionNumber"
]
}
},
"MinSize": 0,
"MaxSize": {
"Ref": "MaxSize"
},
"DesiredCapacity": {
"Ref": "DesiredCapacity"
},
"NewInstancesProtectedFromScaleIn": true
},
"UpdatePolicy": {
"AutoScalingReplacingUpdate": {
"WillReplace": "true"
}
}
},
"ContainerInstances": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "asg-launch-template",
"LaunchTemplateData": {
"ImageId": {
"Ref": "ECSAMI"
},
"InstanceType": {
"Ref": "InstanceType"
},
"IamInstanceProfile": {
"Name": {
"Ref": "EC2InstanceProfile"
}
},
"SecurityGroupIds": [
{
"Ref": "ContainerHostSecurityGroup"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\n echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config\n yum install -y aws-cfn-bootstrap\n /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &\n"
}
},
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "required"
}
}
}
},
"EC2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "EC2Role"
}
]
}
},
"CapacityProvider": {
"Type": "AWS::ECS::CapacityProvider",
"Properties": {
"AutoScalingGroupProvider": {
"AutoScalingGroupArn": {
"Ref": "ECSAutoScalingGroup"
},
"ManagedScaling": {
"InstanceWarmupPeriod": 60,
"MinimumScalingStepSize": 1,
"MaximumScalingStepSize": 100,
"Status": "ENABLED",
"TargetCapacity": 100
},
"ManagedTerminationProtection": "ENABLED"
}
}
},
"CapacityProviderAssociation": {
"Type": "AWS::ECS::ClusterCapacityProviderAssociations",
"Properties": {
"CapacityProviders": [
{
"Ref": "CapacityProvider"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"DefaultCapacityProviderStrategy": [
{
"Base": 0,
"CapacityProvider": {
"Ref": "CapacityProvider"
},
"Weight": 1
}
]
}
},
"ContainerHostSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Access to the EC2 hosts that run containers",
"VpcId": {
"Ref": "VpcId"
}
}
},
"EC2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
}
},
"ECSTaskExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs-tasks.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*"
}
},
"StringEquals": {
"aws:SourceAccount": {
"Fn::Sub": "${AWS::AccountId}"
}
}
}
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
]
}
}
},
"Outputs": {
"ClusterName": {
"Description": "The ECS cluster into which to launch resources",
"Value": "ECSCluster"
},
"ECSTaskExecutionRole": {
"Description": "The role used to start up a task",
"Value": "ECSTaskExecutionRole"
},
"CapacityProvider": {
"Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task",
"Value": "CapacityProvider"
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: EC2 ECS cluster that starts out empty, with no EC2 instances yet.
An ECS capacity provider automatically launches more EC2 instances as required
on the fly when you request ECS to launch services or standalone tasks.
Parameters:
InstanceType:
Type: String
Description: EC2 instance type
Default: "t2.medium"
AllowedValues:
- t1.micro
- t2.2xlarge
- t2.large
- t2.medium
- t2.micro
- t2.nano
- t2.small
- t2.xlarge
- t3.2xlarge
- t3.large
- t3.medium
- t3.micro
- t3.nano
- t3.small
- t3.xlarge
DesiredCapacity:
Type: Number
Default: "0"
Description: Number of EC2 instances to launch in your ECS cluster.
MaxSize:
Type: Number
Default: "100"
Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
ECSAMI:
Description: The Amazon Machine Image ID used for the cluster
Type: AWS::SSM::Parameter::Value
Default: /aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id
VpcId:
Type: AWS::EC2::VPC::Id
Description: VPC ID where the ECS cluster is launched
Default: vpc-1234567890abcdef0
SubnetIds:
Type: List
Description: List of subnet IDs where the EC2 instances will be launched
Default: "subnet-021345abcdef67890"
Resources:
# This is authorizes ECS to manage resources on your
# account on your behalf. This role is likely already created on your account
# ECSRole:
# Type: AWS::IAM::ServiceLinkedRole
# Properties:
# AWSServiceName: 'ecs.amazonaws.com'
# ECS Resources
ECSCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterSettings:
- Name: containerInsights
Value: enabled
# Autoscaling group. This launches the actual EC2 instances that will register
# themselves as members of the cluster, and run the docker containers.
ECSAutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
# This is to ensure that the ASG gets deleted first before these
# resources, when it comes to stack teardown.
- ECSCluster
- EC2Role
Properties:
VPCZoneIdentifier:
Ref: SubnetIds
LaunchTemplate:
LaunchTemplateId: !Ref ContainerInstances
Version: !GetAtt ContainerInstances.LatestVersionNumber
MinSize: 0
MaxSize:
Ref: MaxSize
DesiredCapacity:
Ref: DesiredCapacity
NewInstancesProtectedFromScaleIn: true
UpdatePolicy:
AutoScalingReplacingUpdate:
WillReplace: "true"
# The config for each instance that is added to the cluster
ContainerInstances:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: "asg-launch-template"
LaunchTemplateData:
ImageId:
Ref: ECSAMI
InstanceType:
Ref: InstanceType
IamInstanceProfile:
Name: !Ref EC2InstanceProfile
SecurityGroupIds:
- !Ref ContainerHostSecurityGroup
# This injected configuration file is how the EC2 instance
# knows which ECS cluster on your AWS account it should be joining
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &
# Disable IMDSv1, and require IMDSv2
MetadataOptions:
HttpEndpoint: enabled
HttpTokens: required
EC2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref EC2Role
# Create an ECS capacity provider to attach the ASG to the ECS cluster
# so that it autoscales as we launch more containers
CapacityProvider:
Type: AWS::ECS::CapacityProvider
Properties:
AutoScalingGroupProvider:
AutoScalingGroupArn: !Ref ECSAutoScalingGroup
ManagedScaling:
InstanceWarmupPeriod: 60
MinimumScalingStepSize: 1
MaximumScalingStepSize: 100
Status: ENABLED
# Percentage of cluster reservation to try to maintain
TargetCapacity: 100
ManagedTerminationProtection: ENABLED
# Create a cluster capacity provider assocation so that the cluster
# will use the capacity provider
CapacityProviderAssociation:
Type: AWS::ECS::ClusterCapacityProviderAssociations
Properties:
CapacityProviders:
- !Ref CapacityProvider
Cluster: !Ref ECSCluster
DefaultCapacityProviderStrategy:
- Base: 0
CapacityProvider: !Ref CapacityProvider
Weight: 1
# A security group for the EC2 hosts that will run the containers.
# This can be used to limit incoming traffic to or outgoing traffic
# from the container's host EC2 instance.
ContainerHostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the EC2 hosts that run containers
VpcId:
Ref: VpcId
# Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts
# to communciate with the ECS control plane, as well as download the docker
# images from ECR to run on your host.
EC2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
# See reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerServiceforEC2Role
- arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
# This managed policy allows us to connect to the instance using SSM
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
# This is a role which is used within Fargate to allow the Fargate agent
# to download images, and upload logs.
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- sts:AssumeRole
Condition:
ArnLike:
aws:SourceArn: !Sub arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*
StringEquals:
aws:SourceAccount: !Sub ${AWS::AccountId}
Path: /
# This role enables all features of ECS. See reference:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonECSTaskExecutionRolePolicy
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Outputs:
ClusterName:
Description: The ECS cluster into which to launch resources
Value: ECSCluster
ECSTaskExecutionRole:
Description: The role used to start up a task
Value: ECSTaskExecutionRole
CapacityProvider:
Description: The cluster capacity provider that the service should use to
request capacity when it wants to start up a task
Value: CapacityProvider
```
## 部署服务
以下模板定义了一项服务,该服务使用容量提供程序请求运行 AL2023 容量。容器将在 AL2023 实例上线时随之启动:
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "An example service that deploys in AWS VPC networking mode on EC2 capacity. Service uses a capacity provider to request EC2 instances to run on. Service runs with networking in private subnets, but still accessible to the internet via a load balancer hosted in public subnets.",
"Parameters": {
"VpcId": {
"Type": "String",
"Description": "The VPC that the service is running inside of"
},
"PublicSubnetIds": {
"Type": "List",
"Description": "List of public subnet ID's to put the load balancer in"
},
"PrivateSubnetIds": {
"Type": "List",
"Description": "List of private subnet ID's that the AWS VPC tasks are in"
},
"ClusterName": {
"Type": "String",
"Description": "The name of the ECS cluster into which to launch capacity."
},
"ECSTaskExecutionRole": {
"Type": "String",
"Description": "The role used to start up an ECS task"
},
"CapacityProvider": {
"Type": "String",
"Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task"
},
"ServiceName": {
"Type": "String",
"Default": "web",
"Description": "A name for the service"
},
"ImageUrl": {
"Type": "String",
"Default": "public.ecr.aws/docker/library/nginx:latest",
"Description": "The url of a docker image that contains the application process that will handle the traffic for this service"
},
"ContainerCpu": {
"Type": "Number",
"Default": 256,
"Description": "How much CPU to give the container. 1024 is 1 CPU"
},
"ContainerMemory": {
"Type": "Number",
"Default": 512,
"Description": "How much memory in megabytes to give the container"
},
"ContainerPort": {
"Type": "Number",
"Default": 80,
"Description": "What port that the application expects traffic on"
},
"DesiredCount": {
"Type": "Number",
"Default": 2,
"Description": "How many copies of the service task to run"
}
},
"Resources": {
"TaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"Family": {
"Ref": "ServiceName"
},
"Cpu": {
"Ref": "ContainerCpu"
},
"Memory": {
"Ref": "ContainerMemory"
},
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"EC2"
],
"ExecutionRoleArn": {
"Ref": "ECSTaskExecutionRole"
},
"ContainerDefinitions": [
{
"Name": {
"Ref": "ServiceName"
},
"Cpu": {
"Ref": "ContainerCpu"
},
"Memory": {
"Ref": "ContainerMemory"
},
"Image": {
"Ref": "ImageUrl"
},
"PortMappings": [
{
"ContainerPort": {
"Ref": "ContainerPort"
},
"HostPort": {
"Ref": "ContainerPort"
}
}
],
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"mode": "non-blocking",
"max-buffer-size": "25m",
"awslogs-group": {
"Ref": "LogGroup"
},
"awslogs-region": {
"Ref": "AWS::Region"
},
"awslogs-stream-prefix": {
"Ref": "ServiceName"
}
}
}
}
]
}
},
"Service": {
"Type": "AWS::ECS::Service",
"DependsOn": "PublicLoadBalancerListener",
"Properties": {
"ServiceName": {
"Ref": "ServiceName"
},
"Cluster": {
"Ref": "ClusterName"
},
"PlacementStrategies": [
{
"Field": "attribute:ecs.availability-zone",
"Type": "spread"
},
{
"Field": "cpu",
"Type": "binpack"
}
],
"CapacityProviderStrategy": [
{
"Base": 0,
"CapacityProvider": {
"Ref": "CapacityProvider"
},
"Weight": 1
}
],
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"SecurityGroups": [
{
"Ref": "ServiceSecurityGroup"
}
],
"Subnets": {
"Ref": "PrivateSubnetIds"
}
}
},
"DeploymentConfiguration": {
"MaximumPercent": 200,
"MinimumHealthyPercent": 75
},
"DesiredCount": {
"Ref": "DesiredCount"
},
"TaskDefinition": {
"Ref": "TaskDefinition"
},
"LoadBalancers": [
{
"ContainerName": {
"Ref": "ServiceName"
},
"ContainerPort": {
"Ref": "ContainerPort"
},
"TargetGroupArn": {
"Ref": "ServiceTargetGroup"
}
}
]
}
},
"ServiceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for service",
"VpcId": {
"Ref": "VpcId"
}
}
},
"ServiceTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"HealthCheckIntervalSeconds": 6,
"HealthCheckPath": "/",
"HealthCheckProtocol": "HTTP",
"HealthCheckTimeoutSeconds": 5,
"HealthyThresholdCount": 2,
"TargetType": "ip",
"Port": {
"Ref": "ContainerPort"
},
"Protocol": "HTTP",
"UnhealthyThresholdCount": 10,
"VpcId": {
"Ref": "VpcId"
},
"TargetGroupAttributes": [
{
"Key": "deregistration_delay.timeout_seconds",
"Value": 0
}
]
}
},
"PublicLoadBalancerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Access to the public facing load balancer",
"VpcId": {
"Ref": "VpcId"
},
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": -1
}
]
}
},
"PublicLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Scheme": "internet-facing",
"LoadBalancerAttributes": [
{
"Key": "idle_timeout.timeout_seconds",
"Value": "30"
}
],
"Subnets": {
"Ref": "PublicSubnetIds"
},
"SecurityGroups": [
{
"Ref": "PublicLoadBalancerSG"
}
]
}
},
"PublicLoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"ForwardConfig": {
"TargetGroups": [
{
"TargetGroupArn": {
"Ref": "ServiceTargetGroup"
},
"Weight": 100
}
]
}
}
],
"LoadBalancerArn": {
"Ref": "PublicLoadBalancer"
},
"Port": 80,
"Protocol": "HTTP"
}
},
"ServiceIngressfromLoadBalancer": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"Description": "Ingress from the public ALB",
"GroupId": {
"Ref": "ServiceSecurityGroup"
},
"IpProtocol": -1,
"SourceSecurityGroupId": {
"Ref": "PublicLoadBalancerSG"
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup"
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
An example service that deploys in AWS VPC networking mode on EC2 capacity.
Service uses a capacity provider to request EC2 instances to run on. Service
runs with networking in private subnets, but still accessible to the internet
via a load balancer hosted in public subnets.
Parameters:
VpcId:
Type: String
Description: The VPC that the service is running inside of
PublicSubnetIds:
Type: 'List'
Description: List of public subnet ID's to put the load balancer in
PrivateSubnetIds:
Type: 'List'
Description: List of private subnet ID's that the AWS VPC tasks are in
ClusterName:
Type: String
Description: The name of the ECS cluster into which to launch capacity.
ECSTaskExecutionRole:
Type: String
Description: The role used to start up an ECS task
CapacityProvider:
Type: String
Description: >-
The cluster capacity provider that the service should use to request
capacity when it wants to start up a task
ServiceName:
Type: String
Default: web
Description: A name for the service
ImageUrl:
Type: String
Default: 'public.ecr.aws/docker/library/nginx:latest'
Description: >-
The url of a docker image that contains the application process that will
handle the traffic for this service
ContainerCpu:
Type: Number
Default: 256
Description: How much CPU to give the container. 1024 is 1 CPU
ContainerMemory:
Type: Number
Default: 512
Description: How much memory in megabytes to give the container
ContainerPort:
Type: Number
Default: 80
Description: What port that the application expects traffic on
DesiredCount:
Type: Number
Default: 2
Description: How many copies of the service task to run
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Ref ServiceName
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- EC2
ExecutionRoleArn: !Ref ECSTaskExecutionRole
ContainerDefinitions:
- Name: !Ref ServiceName
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
Image: !Ref ImageUrl
PortMappings:
- ContainerPort: !Ref ContainerPort
HostPort: !Ref ContainerPort
LogConfiguration:
LogDriver: awslogs
Options:
mode: non-blocking
max-buffer-size: 25m
awslogs-group: !Ref LogGroup
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Ref ServiceName
Service:
Type: AWS::ECS::Service
DependsOn: PublicLoadBalancerListener
Properties:
ServiceName: !Ref ServiceName
Cluster: !Ref ClusterName
PlacementStrategies:
- Field: 'attribute:ecs.availability-zone'
Type: spread
- Field: cpu
Type: binpack
CapacityProviderStrategy:
- Base: 0
CapacityProvider: !Ref CapacityProvider
Weight: 1
NetworkConfiguration:
AwsvpcConfiguration:
SecurityGroups:
- !Ref ServiceSecurityGroup
Subnets: !Ref PrivateSubnetIds
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 75
DesiredCount: !Ref DesiredCount
TaskDefinition: !Ref TaskDefinition
LoadBalancers:
- ContainerName: !Ref ServiceName
ContainerPort: !Ref ContainerPort
TargetGroupArn: !Ref ServiceTargetGroup
ServiceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for service
VpcId: !Ref VpcId
ServiceTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 6
HealthCheckPath: /
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
TargetType: ip
Port: !Ref ContainerPort
Protocol: HTTP
UnhealthyThresholdCount: 10
VpcId: !Ref VpcId
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: 0
PublicLoadBalancerSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the public facing load balancer
VpcId: !Ref VpcId
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: -1
PublicLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '30'
Subnets: !Ref PublicSubnetIds
SecurityGroups:
- !Ref PublicLoadBalancerSG
PublicLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ServiceTargetGroup
Weight: 100
LoadBalancerArn: !Ref PublicLoadBalancer
Port: 80
Protocol: HTTP
ServiceIngressfromLoadBalancer:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Ingress from the public ALB
GroupId: !Ref ServiceSecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref PublicLoadBalancerSG
LogGroup:
Type: AWS::Logs::LogGroup
```
# Amazon Elastic File System 示例模板
Amazon Elastic File System (Amazon EFS) 是适用于 Amazon Elastic Compute Cloud (Amazon EC2) 实例的文件存储服务。借助 Amazon EFS,您的应用程序在需要存储时可获得存储,因为存储容量会在您添加和删除文件时自动增加和缩小。
以下示例模板部署 EC2 实例(位于自动扩缩组中),这些实例与 Amazon EFS 文件系统相关联。为了将实例与文件系统关联,这些实例运行 cfn-init 帮助程序脚本,以便下载和安装 `nfs-utils` yum 软件包,创建新目录,然后使用文件系统的 DNS 名称来在该目录下挂载文件系统。文件系统的 DNS 名称将解析为 Amazon EC2 实例的可用区中的挂载目标的 IP 地址。有关 DNS 名称结构的更多信息,请参阅《Amazon Elastic File System 用户指南》中的[挂载文件系统](https://docs.amazonaws.cn/efs/latest/ug/mounting-fs.html)。
要测量网络文件系统活动,模板应包含自定义 Amazon CloudWatch 指标。模板还创建 VPC、子网和安全组。要允许实例与文件系统通信,VPC 必须已启用 DNS,而且挂载目标和 EC2 实例必须位于子网指定的同一可用区 (AZ) 中。
挂载目标的安全组支持至 TCP 端口 2049 的网络连接,NFSv4 客户端挂载文件系统需要此连接。有关 EC2 实例和挂载目标的安全组的更多信息,请参阅[《Amazon Elastic File System 用户指南》](https://docs.amazonaws.cn/efs/latest/ug/)中的[安全性](https://docs.amazonaws.cn/efs/latest/ug/security-considerations.html)。
**注意**
如果更新挂载目标导致了挂载目标被替换,则使用关联文件系统的实例或应用程序可能会中断。这可能会导致未提交的写入丢失。为了避免中断,请在您更新挂载目标时通过将所需容量设置为零来停止实例。这使得实例可以在删除挂载目标之前卸载文件系统。挂载更新完成之后,通过设置所需容量在后续更新中启动您的实例。
## JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This template creates an Amazon EFS file system and mount target and associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.small",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"KeyName": {
"Type": "AWS::EC2::KeyPair::KeyName",
"Description": "Name of an existing EC2 key pair to enable SSH access to the EC2 instances"
},
"AsgMaxSize": {
"Type": "Number",
"Description": "Maximum size and initial desired capacity of Auto Scaling Group",
"Default": "2"
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to connect to the EC2 instances by using SSH",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"VolumeName" : {
"Description" : "The name to be used for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
},
"MountPoint" : {
"Description" : "The Linux mount point for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.medium" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.medium" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m1.xlarge" : { "Arch" : "HVM64" },
"m2.xlarge" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.medium" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.xlarge" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.xlarge" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c1.medium" : { "Arch" : "HVM64" },
"c1.xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.xlarge" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.xlarge" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"g2.2xlarge" : { "Arch" : "HVMG2" },
"g2.8xlarge" : { "Arch" : "HVMG2" },
"r3.large" : { "Arch" : "HVM64" },
"r3.xlarge" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
"hi1.4xlarge" : { "Arch" : "HVM64" },
"hs1.8xlarge" : { "Arch" : "HVM64" },
"cr1.8xlarge" : { "Arch" : "HVM64" },
"cc2.8xlarge" : { "Arch" : "HVM64" }
},
"AWSRegionArch2AMI" : {
"us-east-1" : {"HVM64" : "ami-0ff8a91507f77f867", "HVMG2" : "ami-0a584ac55a7631c0c"},
"us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" : "ami-0e09505bc235aa82d"},
"us-west-1" : {"HVM64" : "ami-0bdb828fd58c52235", "HVMG2" : "ami-066ee5fd4a9ef77f1"},
"eu-west-1" : {"HVM64" : "ami-047bb4163c506cd98", "HVMG2" : "ami-0a7c483d527806435"},
"eu-west-2" : {"HVM64" : "ami-f976839e", "HVMG2" : "NOT_SUPPORTED"},
"eu-west-3" : {"HVM64" : "ami-0ebc281c20e89ba4b", "HVMG2" : "NOT_SUPPORTED"},
"eu-central-1" : {"HVM64" : "ami-0233214e13e500f77", "HVMG2" : "ami-06223d46a6d0661c7"},
"ap-northeast-1" : {"HVM64" : "ami-06cd52961ce9f0d85", "HVMG2" : "ami-053cdd503598e4a9d"},
"ap-northeast-2" : {"HVM64" : "ami-0a10b2721688ce9d2", "HVMG2" : "NOT_SUPPORTED"},
"ap-northeast-3" : {"HVM64" : "ami-0d98120a9fb693f07", "HVMG2" : "NOT_SUPPORTED"},
"ap-southeast-1" : {"HVM64" : "ami-08569b978cc4dfa10", "HVMG2" : "ami-0be9df32ae9f92309"},
"ap-southeast-2" : {"HVM64" : "ami-09b42976632b27e9b", "HVMG2" : "ami-0a9ce9fecc3d1daf8"},
"ap-south-1" : {"HVM64" : "ami-0912f71e06545ad88", "HVMG2" : "ami-097b15e89dbdcfcf4"},
"us-east-2" : {"HVM64" : "ami-0b59bfac6be064b78", "HVMG2" : "NOT_SUPPORTED"},
"ca-central-1" : {"HVM64" : "ami-0b18956f", "HVMG2" : "NOT_SUPPORTED"},
"sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" : "NOT_SUPPORTED"},
"cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"},
"cn-northwest-1" : {"HVM64" : "ami-6b6a7d09", "HVMG2" : "NOT_SUPPORTED"}
}
},
"Resources": {
"CloudWatchPutMetricsRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"Service" : [ "ec2.amazonaws.com" ]
},
"Action" : [ "sts:AssumeRole" ]
} ]
},
"Path" : "/"
}
},
"CloudWatchPutMetricsRolePolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CloudWatch_PutMetricData",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchPutMetricData",
"Effect": "Allow",
"Action": ["cloudwatch:PutMetricData"],
"Resource": ["*"]
}
]
},
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"CloudWatchPutMetricsInstanceProfile" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"CidrBlock": "10.0.0.0/16",
"Tags": [ {"Key": "Application", "Value": { "Ref": "AWS::StackId"} } ]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"RouteTable":{
"Type":"AWS::EC2::RouteTable",
"Properties":{
"VpcId": {"Ref":"VPC"}
}
},
"SubnetRouteTableAssoc": {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"RouteTableId" : {"Ref":"RouteTable"},
"SubnetId" : {"Ref":"Subnet"}
}
},
"InternetGatewayRoute": {
"Type":"AWS::EC2::Route",
"Properties":{
"DestinationCidrBlock":"0.0.0.0/0",
"RouteTableId":{"Ref":"RouteTable"},
"GatewayId":{"Ref":"InternetGateway"}
}
},
"Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/24",
"Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } } ]
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{ "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": { "Ref": "SSHLocation" } },
{ "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
]
}
},
"MountTargetSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Security group for mount target",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 2049,
"ToPort": 2049,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"PerformanceMode": "generalPurpose",
"FileSystemTags": [
{
"Key": "Name",
"Value": { "Ref" : "VolumeName" }
}
]
}
},
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
},
"LaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"configSets" : {
"MountConfig" : [ "setup", "mount" ]
},
"setup" : {
"packages" : {
"yum" : {
"nfs-utils" : []
}
},
"files" : {
"/home/ec2-user/post_nfsstat" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash\n",
"\n",
"INPUT=\"$(cat)\"\n",
"CW_JSON_OPEN='{ \"Namespace\": \"EFS\", \"MetricData\": [ '\n",
"CW_JSON_CLOSE=' ] }'\n",
"CW_JSON_METRIC=''\n",
"METRIC_COUNTER=0\n",
"\n",
"for COL in 1 2 3 4 5 6; do\n",
"\n",
" COUNTER=0\n",
" METRIC_FIELD=$COL\n",
" DATA_FIELD=$(($COL+($COL-1)))\n",
"\n",
" while read line; do\n",
" if [[ COUNTER -gt 0 ]]; then\n",
"\n",
" LINE=`echo $line | tr -s ' ' `\n",
" AWS_COMMAND=\"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, "\"\n",
" MOD=$(( $COUNTER % 2))\n",
"\n",
" if [ $MOD -eq 1 ]; then\n",
" METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`\n",
" else\n",
" METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`\n",
" fi\n",
"\n",
" if [[ -n \"$METRIC_NAME\" && -n \"$METRIC_VALUE\" ]]; then\n",
" INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n",
" CW_JSON_METRIC=\"$CW_JSON_METRIC { \\\"MetricName\\\": \\\"$METRIC_NAME\\\", \\\"Dimensions\\\": [{\\\"Name\\\": \\\"InstanceId\\\", \\\"Value\\\": \\\"$INSTANCE_ID\\\"} ], \\\"Value\\\": $METRIC_VALUE },\"\n",
" unset METRIC_NAME\n",
" unset METRIC_VALUE\n",
"\n",
" METRIC_COUNTER=$((METRIC_COUNTER+1))\n",
" if [ $METRIC_COUNTER -eq 20 ]; then\n",
" # 20 is max metric collection size, so we have to submit here\n",
" aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\"\n",
"\n",
" # reset\n",
" METRIC_COUNTER=0\n",
" CW_JSON_METRIC=''\n",
" fi\n",
" fi \n",
"\n",
"\n",
"\n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
"\n",
" if [[ \"$line\" == \"Client nfs v4:\" ]]; then\n",
" # the next line is the good stuff \n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
" done <<< \"$INPUT\"\n",
"done\n",
"\n",
"# submit whatever is left\n",
"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\""
] ] },
"mode": "000755",
"owner": "ec2-user",
"group": "ec2-user"
},
"/home/ec2-user/crontab" : {
"content" : { "Fn::Join" : [ "", [
"* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
] ] },
"owner": "ec2-user",
"group": "ec2-user"
}
},
"commands" : {
"01_createdir" : {
"command" : {"Fn::Join" : [ "", [ "mkdir /", { "Ref" : "MountPoint" }]]}
}
}
},
"mount" : {
"commands" : {
"01_mount" : {
"command" : { "Fn::Sub": "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}"}
},
"02_permissions" : {
"command" : {"Fn::Join" : [ "", [ "chown ec2-user:ec2-user /", { "Ref" : "MountPoint" }]]}
}
}
}
}
},
"Properties": {
"AssociatePublicIpAddress" : true,
"ImageId": {
"Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, {
"Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ]
} ]
},
"InstanceType": { "Ref": "InstanceType" },
"KeyName": { "Ref": "KeyName" },
"SecurityGroups": [ { "Ref": "InstanceSecurityGroup" } ],
"IamInstanceProfile" : { "Ref" : "CloudWatchPutMetricsInstanceProfile" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource LaunchConfiguration ",
" --configsets MountConfig ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"crontab /home/ec2-user/crontab\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource AutoScalingGroup ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}}
}
},
"AutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": ["MountTarget", "GatewayToInternet"],
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M",
"Count" : { "Ref": "AsgMaxSize" }
}
},
"Properties": {
"VPCZoneIdentifier": [ { "Ref": "Subnet" } ],
"LaunchConfigurationName": { "Ref": "LaunchConfiguration" },
"MinSize": "1",
"MaxSize": { "Ref": "AsgMaxSize" },
"DesiredCapacity": { "Ref": "AsgMaxSize" },
"Tags": [ {
"Key": "Name",
"Value": "EFS FileSystem Mounted Instance",
"PropagateAtLaunch": "true"
} ]
}
}
},
"Outputs" : {
"MountTargetID" : {
"Description" : "Mount target ID",
"Value" : { "Ref" : "MountTarget" }
},
"FileSystemID" : {
"Description" : "File system ID",
"Value" : { "Ref" : "FileSystem" }
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed
for the AWS resources used if you create a stack from this template.
Parameters:
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t2.small
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Type: AWS::EC2::KeyPair::KeyName
Description: Name of an existing EC2 key pair to enable SSH access to the ECS
instances
AsgMaxSize:
Type: Number
Description: Maximum size and initial desired capacity of Auto Scaling Group
Default: '2'
SSHLocation:
Description: The IP address range that can be used to connect to the EC2 instances
by using SSH
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
VolumeName:
Description: The name to be used for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
MountPoint:
Description: The Linux mount point for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
Mappings:
AWSInstanceType2Arch:
t1.micro:
Arch: HVM64
t2.nano:
Arch: HVM64
t2.micro:
Arch: HVM64
t2.small:
Arch: HVM64
t2.medium:
Arch: HVM64
t2.large:
Arch: HVM64
m1.small:
Arch: HVM64
m1.medium:
Arch: HVM64
m1.large:
Arch: HVM64
m1.xlarge:
Arch: HVM64
m2.xlarge:
Arch: HVM64
m2.2xlarge:
Arch: HVM64
m2.4xlarge:
Arch: HVM64
m3.medium:
Arch: HVM64
m3.large:
Arch: HVM64
m3.xlarge:
Arch: HVM64
m3.2xlarge:
Arch: HVM64
m4.large:
Arch: HVM64
m4.xlarge:
Arch: HVM64
m4.2xlarge:
Arch: HVM64
m4.4xlarge:
Arch: HVM64
m4.10xlarge:
Arch: HVM64
c1.medium:
Arch: HVM64
c1.xlarge:
Arch: HVM64
c3.large:
Arch: HVM64
c3.xlarge:
Arch: HVM64
c3.2xlarge:
Arch: HVM64
c3.4xlarge:
Arch: HVM64
c3.8xlarge:
Arch: HVM64
c4.large:
Arch: HVM64
c4.xlarge:
Arch: HVM64
c4.2xlarge:
Arch: HVM64
c4.4xlarge:
Arch: HVM64
c4.8xlarge:
Arch: HVM64
g2.2xlarge:
Arch: HVMG2
g2.8xlarge:
Arch: HVMG2
r3.large:
Arch: HVM64
r3.xlarge:
Arch: HVM64
r3.2xlarge:
Arch: HVM64
r3.4xlarge:
Arch: HVM64
r3.8xlarge:
Arch: HVM64
i2.xlarge:
Arch: HVM64
i2.2xlarge:
Arch: HVM64
i2.4xlarge:
Arch: HVM64
i2.8xlarge:
Arch: HVM64
d2.xlarge:
Arch: HVM64
d2.2xlarge:
Arch: HVM64
d2.4xlarge:
Arch: HVM64
d2.8xlarge:
Arch: HVM64
hi1.4xlarge:
Arch: HVM64
hs1.8xlarge:
Arch: HVM64
cr1.8xlarge:
Arch: HVM64
cc2.8xlarge:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0ff8a91507f77f867
HVMG2: ami-0a584ac55a7631c0c
us-west-2:
HVM64: ami-a0cfeed8
HVMG2: ami-0e09505bc235aa82d
us-west-1:
HVM64: ami-0bdb828fd58c52235
HVMG2: ami-066ee5fd4a9ef77f1
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
eu-west-2:
HVM64: ami-f976839e
HVMG2: NOT_SUPPORTED
eu-west-3:
HVM64: ami-0ebc281c20e89ba4b
HVMG2: NOT_SUPPORTED
eu-central-1:
HVM64: ami-0233214e13e500f77
HVMG2: ami-06223d46a6d0661c7
ap-northeast-1:
HVM64: ami-06cd52961ce9f0d85
HVMG2: ami-053cdd503598e4a9d
ap-northeast-2:
HVM64: ami-0a10b2721688ce9d2
HVMG2: NOT_SUPPORTED
ap-northeast-3:
HVM64: ami-0d98120a9fb693f07
HVMG2: NOT_SUPPORTED
ap-southeast-1:
HVM64: ami-08569b978cc4dfa10
HVMG2: ami-0be9df32ae9f92309
ap-southeast-2:
HVM64: ami-09b42976632b27e9b
HVMG2: ami-0a9ce9fecc3d1daf8
ap-south-1:
HVM64: ami-0912f71e06545ad88
HVMG2: ami-097b15e89dbdcfcf4
us-east-2:
HVM64: ami-0b59bfac6be064b78
HVMG2: NOT_SUPPORTED
ca-central-1:
HVM64: ami-0b18956f
HVMG2: NOT_SUPPORTED
sa-east-1:
HVM64: ami-07b14488da8ea02a0
HVMG2: NOT_SUPPORTED
cn-north-1:
HVM64: ami-0a4eaf6c4454eda75
HVMG2: NOT_SUPPORTED
cn-northwest-1:
HVM64: ami-6b6a7d09
HVMG2: NOT_SUPPORTED
Resources:
CloudWatchPutMetricsRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
CloudWatchPutMetricsRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CloudWatch_PutMetricData
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CloudWatchPutMetricData
Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource:
- "*"
Roles:
- Ref: CloudWatchPutMetricsRole
CloudWatchPutMetricsInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: CloudWatchPutMetricsRole
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock: 10.0.0.0/16
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Application
Value:
Ref: AWS::StackName
- Key: Network
Value: Public
GatewayToInternet:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
SubnetRouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: RouteTable
SubnetId:
Ref: Subnet
InternetGatewayRoute:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
RouteTableId:
Ref: RouteTable
GatewayId:
Ref: InternetGateway
Subnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: VPC
CidrBlock: 10.0.0.0/24
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp:
Ref: SSHLocation
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
MountTargetSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Security group for mount target
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 2049
ToPort: 2049
CidrIp: 0.0.0.0/0
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
PerformanceMode: generalPurpose
FileSystemTags:
- Key: Name
Value:
Ref: VolumeName
MountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SubnetId:
Ref: Subnet
SecurityGroups:
- Ref: MountTargetSecurityGroup
LaunchConfiguration:
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
AWS::CloudFormation::Init:
configSets:
MountConfig:
- setup
- mount
setup:
packages:
yum:
nfs-utils: []
files:
"/home/ec2-user/post_nfsstat":
content: !Sub |
#!/bin/bash
INPUT="$(cat)"
CW_JSON_OPEN='{ "Namespace": "EFS", "MetricData": [ '
CW_JSON_CLOSE=' ] }'
CW_JSON_METRIC=''
METRIC_COUNTER=0
for COL in 1 2 3 4 5 6; do
COUNTER=0
METRIC_FIELD=$COL
DATA_FIELD=$(($COL+($COL-1)))
while read line; do
if [[ COUNTER -gt 0 ]]; then
LINE=`echo $line | tr -s ' ' `
AWS_COMMAND="aws cloudwatch put-metric-data --region ${AWS::Region}"
MOD=$(( $COUNTER % 2))
if [ $MOD -eq 1 ]; then
METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`
else
METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`
fi
if [[ -n "$METRIC_NAME" && -n "$METRIC_VALUE" ]]; then
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
CW_JSON_METRIC="$CW_JSON_METRIC { \"MetricName\": \"$METRIC_NAME\", \"Dimensions\": [{\"Name\": \"InstanceId\", \"Value\": \"$INSTANCE_ID\"} ], \"Value\": $METRIC_VALUE },"
unset METRIC_NAME
unset METRIC_VALUE
METRIC_COUNTER=$((METRIC_COUNTER+1))
if [ $METRIC_COUNTER -eq 20 ]; then
# 20 is max metric collection size, so we have to submit here
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
# reset
METRIC_COUNTER=0
CW_JSON_METRIC=''
fi
fi
COUNTER=$((COUNTER+1))
fi
if [[ "$line" == "Client nfs v4:" ]]; then
# the next line is the good stuff
COUNTER=$((COUNTER+1))
fi
done <<< "$INPUT"
done
# submit whatever is left
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
mode: '000755'
owner: ec2-user
group: ec2-user
"/home/ec2-user/crontab":
content: "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
owner: ec2-user
group: ec2-user
commands:
01_createdir:
command: !Sub "mkdir /${MountPoint}"
mount:
commands:
01_mount:
command: !Sub >
mount -t nfs4 -o nfsvers=4.1 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}
02_permissions:
command: !Sub "chown ec2-user:ec2-user /${MountPoint}"
Properties:
AssociatePublicIpAddress: true
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: InstanceSecurityGroup
IamInstanceProfile:
Ref: CloudWatchPutMetricsInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfiguration --configsets MountConfig --region ${AWS::Region}
crontab /home/ec2-user/crontab
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region}
AutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
- MountTarget
- GatewayToInternet
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Count:
Ref: AsgMaxSize
Properties:
VPCZoneIdentifier:
- Ref: Subnet
LaunchConfigurationName:
Ref: LaunchConfiguration
MinSize: '1'
MaxSize:
Ref: AsgMaxSize
DesiredCapacity:
Ref: AsgMaxSize
Tags:
- Key: Name
Value: EFS FileSystem Mounted Instance
PropagateAtLaunch: 'true'
Outputs:
MountTargetID:
Description: Mount target ID
Value:
Ref: MountTarget
FileSystemID:
Description: File system ID
Value:
Ref: FileSystem
```
# Elastic Beanstalk 模板代码段
通过 Elastic Beanstalk,您可以迅速在 Amazon 中部署和管理应用程序,而无需为运行这些应用程序的基础设施操心。以下示例模板可以帮助您在 Amazon CloudFormation 模板中描述 Elastic Beanstalk 资源。
## Elastic Beanstalk 示例 PHP
下面的示例模板部署一个存储在 Amazon S3 存储桶中的示例 PHP Web 应用程序。该环境也是一种自动扩缩的负载均衡环境,至少包含两个、最多包含六个 Amazon EC2 实例。它显示了一个使用传统启动配置的 Elastic Beanstalk 环境。有关改用启动模板的信息,请参阅《*Amazon Elastic Beanstalk开发者指南*》中的[启动模板](https://docs.amazonaws.cn/elasticbeanstalk/latest/dg/environments-cfg-autoscaling-launch-templates.html)。
使用解决方案堆栈名称替换 `solution-stack`(平台版本)。如需可用解决方案堆栈的列表,请使用 Amazon CLI 命令 **aws elasticbeanstalk list-available-solution-stacks**。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"sampleApplication": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"Description": "AWS Elastic Beanstalk Sample Application"
}
},
"sampleApplicationVersion": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Application Version",
"SourceBundle": {
"S3Bucket": {
"Fn::Sub": "elasticbeanstalk-samples-${AWS::Region}"
},
"S3Key": "php-newsample-app.zip"
}
}
},
"sampleConfigurationTemplate": {
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Configuration Template",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MinSize",
"Value": "2"
},
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MaxSize",
"Value": "6"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": {
"Ref": "MyInstanceProfile"
}
}
],
"SolutionStackName": "solution-stack"
}
},
"sampleEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Environment",
"TemplateName": {
"Ref": "sampleConfigurationTemplate"
},
"VersionLabel": {
"Ref": "sampleApplicationVersion"
}
}
},
"MyInstanceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Description": "Beanstalk EC2 role",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier",
"arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker",
"arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
]
}
},
"MyInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "MyInstanceRole"
}
]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-samples-${AWS::Region}"
S3Key: php-newsample-app.zip
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value: !Ref MyInstanceProfile
SolutionStackName: solution-stack
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
MyInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref MyInstanceRole
```
# Elastic Load Balancing 模板代码段
要创建应用程序负载均衡器、网络负载均衡器或网关负载均衡器,请使用以 `AWS::ElasticLoadBalancingV2` 开头的 V2 资源类型。要创建经典负载均衡器,请使用以 `AWS::ElasticLoadBalancing` 开头的资源类型。
**Topics**
+ [
## ELBv2 资源
](#scenario-elbv2-load-balancer)
+ [
## 经典负载均衡器资源
](#scenario-elb-load-balancer)
## ELBv2 资源
此示例定义了一个应用程序负载均衡器,该负载均衡器具有 HTTP 侦听器和用于将流量转发到目标组的默认操作。负载均衡器使用默认运行状况检查设置。目标组有两个注册的 EC2 实例。
------
#### [ YAML ]
```
Resources:
myLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: my-alb
Type: application
Scheme: internal
Subnets:
- !Ref subnet-AZ1
- !Ref subnet-AZ2
SecurityGroups:
- !Ref mySecurityGroup
myHTTPlistener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref myLoadBalancer
Protocol: HTTP
Port: 80
DefaultActions:
- Type: "forward"
TargetGroupArn: !Ref myTargetGroup
myTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: "my-target-group"
Protocol: HTTP
Port: 80
TargetType: instance
VpcId: !Ref myVPC
Targets:
- Id: !GetAtt Instance1.InstanceId
Port: 80
- Id: !GetAtt Instance2.InstanceId
Port: 80
```
------
#### [ JSON ]
```
{
"Resources": {
"myLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "my-alb",
"Type": "application",
"Scheme": "internal",
"Subnets": [
{
"Ref": "subnet-AZ1"
},
{
"Ref": "subnet-AZ2"
}
],
"SecurityGroups": [
{
"Ref": "mySecurityGroup"
}
]
}
},
"myHTTPlistener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"LoadBalancerArn": {
"Ref": "myLoadBalancer"
},
"Protocol": "HTTP",
"Port": 80,
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": {
"Ref": "myTargetGroup"
}
}
]
}
},
"myTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Name": "my-target-group",
"Protocol": "HTTP",
"Port": 80,
"TargetType": "instance",
"VpcId": {
"Ref": "myVPC"
},
"Targets": [
{
"Id": {
"Fn::GetAtt": [
"Instance1",
"InstanceId"
]
},
"Port": 80
},
{
"Id": {
"Fn::GetAtt": [
"Instance2",
"InstanceId"
]
},
"Port": 80
}
]
}
}
}
}
```
------
## 经典负载均衡器资源
此示例定义了一个经典负载均衡器,该负载均衡器具有 HTTP 侦听器且没有注册的 EC2 实例。负载均衡器使用默认运行状况检查设置。
------
#### [ YAML ]
```
myLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "cn-north-1a"
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
```
------
#### [ JSON ]
```
"myLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "cn-north-1a" ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ]
}
}
```
------
此示例定义了一个经典负载均衡器,该负载均衡器具有 HTTP 侦听器、两个注册的 EC2 实例和自定义运行状况检查设置。
------
#### [ YAML ]
```
myClassicLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "cn-north-1a"
Instances:
- Ref: Instance1
- Ref: Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
```
------
#### [ JSON ]
```
"myClassicLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "cn-north-1a" ],
"Instances" : [
{ "Ref" : "Instance1" },
{ "Ref" : "Instance2" }
],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "3",
"UnhealthyThreshold" : "5",
"Interval" : "30",
"Timeout" : "5"
}
}
}
```
------
# Amazon Identity and Access Management 模板代码段
本部分包含 Amazon Identity and Access Management 模板代码段。
**Topics**
+ [
## 声明 IAM 用户资源
](#scenario-iam-user)
+ [
## 声明 IAM 访问密钥资源
](#scenario-iam-accesskey)
+ [
## 声明 IAM 组资源
](#scenario-iam-group)
+ [
## 将用户添加到组中
](#scenario-iam-addusertogroup)
+ [
## 声明 IAM policy
](#scenario-iam-policy)
+ [
## 声明 Amazon S3 存储桶策略
](#scenario-bucket-policy)
+ [
## 声明 Amazon SNS 主题策略
](#scenario-sns-policy)
+ [
## 声明 Amazon SQS 策略
](#scenario-sqs-policy)
+ [
## IAM 角色模板示例
](#scenarios-iamroles)
**重要**
使用包含 IAM 资源的模板创建或更新堆栈时,您必须确认 IAM 功能的使用。有关更多信息,请参阅 [确认 CloudFormation 模板中的 IAM 资源](control-access-with-iam.md#using-iam-capabilities)。
## 声明 IAM 用户资源
此代码段显示如何声明 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) 资源以创建 IAM 用户。此用户使用路径 `"/"` 和密码为 `myP@ssW0rd` 的登录配置文件进行声明。
名为 `giveaccesstoqueueonly` 的策略文档为用户授予权限以对 Amazon SQS 队列资源 `myqueue` 执行所有 Amazon SQS 操作,并拒绝对所有其他 Amazon SQS 队列资源进行访问。`Fn::GetAtt` 函数将获取 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) 资源 `myqueue` 的 Arn 属性。
可以在用户中添加名为 `giveaccesstotopiconly` 的策略文档,以便为用户授予权限以对 Amazon SNS 主题资源 `mytopic` 执行所有 Amazon SNS 操作,并拒绝对所有其他 Amazon SNS 资源进行访问。`Ref` 函数将获取 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) 资源 `mytopic` 的 ARN。
### JSON
```
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {
"Effect" : "Deny",
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]
} ]
}
} ]
}
}
```
### YAML
```
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
- PolicyName: giveaccesstotopiconly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
Resource:
- !Ref mytopic
- Effect: Deny
Action:
- sns:*
NotResource:
- !Ref mytopic
```
## 声明 IAM 访问密钥资源
###
此代码段显示的是 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html) 资源。`myaccesskey` 资源创建访问密钥并将其分配给在模板中声明为 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) 资源的 IAM 用户。
#### JSON
```
"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }
}
}
```
#### YAML
```
myaccesskey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref myuser
```
###
您可使用 `AWS::IAM::AccessKey` 函数获取 `Fn::GetAtt` 资源的私有密钥。检索密钥的一种方式是将其放入 `Output` 值中。您可使用 `Ref` 函数获取访问密钥。以下 `Output` 值声明获取 `myaccesskey` 的访问密钥和私有密钥。
#### JSON
```
"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
}
```
#### YAML
```
AccessKeyformyaccesskey:
Value:
!Ref myaccesskey
SecretKeyformyaccesskey:
Value: !GetAtt myaccesskey.SecretAccessKey
```
###
您还可以将 Amazon 访问密钥和私有密钥传输给在模板中定义的 Amazon EC2 实例或自动扩缩组。以下 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 声明使用 `UserData` 属性传递 `myaccesskey` 资源的访问密钥和私有密钥。
#### JSON
```
"myinstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "cn-north-1a",
"ImageId" : "ami-0ff8a91507f77f867",
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",
"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"
]
}
]
]
}
}
}
}
```
#### YAML
```
myinstance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: "cn-north-1a"
ImageId: ami-0ff8a91507f77f867
UserData:
Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"
```
## 声明 IAM 组资源
此代码段显示的是 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html) 资源。该组有一个路径 (`"/myapplication/"`)。可以在组中添加名为 `myapppolicy` 的策略文档,以允许组的用户对 Amazon SQS 队列资源 myqueue 执行所有 Amazon SQS 操作,并拒绝对 `myqueue` 以外的所有其他 Amazon SQS 资源进行访问。
要分配一个策略给资源,IAM 需要该资源的 Amazon 资源名称(ARN)。在此代码段中,`Fn::GetAtt` 函数将获取 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) 资源队列的 ARN。
### JSON
```
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}
}
```
### YAML
```
mygroup:
Type: AWS::IAM::Group
Properties:
Path: "/myapplication/"
Policies:
- PolicyName: myapppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource: !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource: !GetAtt myqueue.Arn
```
## 将用户添加到组中
[https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html) 资源会将用户添加到组。在以下代码段中,`addUserToGroup` 资源将以下用户添加到名为 `myexistinggroup2` 的现有组中:现有用户 `existinguser1` 和在模板中声明为 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) 资源的用户 `myuser`。
### JSON
```
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}
```
### YAML
```
addUserToGroup:
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: myexistinggroup2
Users:
- existinguser1
- !Ref myuser
```
## 声明 IAM policy
此代码段显示如何创建策略并使用名为 `mypolicy` 的 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html) 资源将该策略应用于多个组。`mypolicy` 资源包含一个 `PolicyDocument` 属性,该属性允许对 S3 存储桶 (由 ARN `GetObject` 表示) 中的对象执行 `PutObject`、`PutObjectAcl` 和 `arn:aws:s3:::myAWSBucket` 操作。`mypolicy` 资源将策略应用于名为 `myexistinggroup1` 的现有组以及在模板中声明为 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html) 资源的组 `mygroup`。此示例显示如何使用 `Groups` 属性将策略应用于组;但您也可以使用 `Users` 属性将策略文档添加到用户列表。
### JSON
```
"mypolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "mygrouppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}
```
### YAML
```
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup
```
## 声明 Amazon S3 存储桶策略
此代码段说明如何创建策略并将其应用于使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) 资源的 Amazon S3 存储桶。`mybucketpolicy` 资源声明一个策略文档,以允许 `user1` IAM 用户对应用了该策略的 S3 存储桶中的所有对象执行 `GetObject` 操作。在此代码段中,`Fn::GetAtt` 函数将获取 `user1` 资源的 ARN。`mybucketpolicy` 资源将此策略应用于 `AWS::S3::BucketPolicy` 资源 mybucket。`Ref``mybucket` function 获取 资源的存储桶名称。
### JSON
```
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}
```
### YAML
```
mybucketpolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
- Sid: ReadAccess
Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${mybucket}/*"
Principal:
AWS: !GetAtt user1.Arn
Bucket: !Ref mybucket
```
## 声明 Amazon SNS 主题策略
此代码段说明如何创建策略并将其应用于使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html) 资源的 Amazon SNS 主题。`mysnspolicy` 资源包含一个 `PolicyDocument` 属性,该属性允许 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) 资源 `myuser` 对 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) 资源 `mytopic` 执行 `Publish` 操作。在此代码段中,`Fn::GetAtt` 函数将获取 `myuser` 资源的 ARN,而 `Ref` 函数将获取 `mytopic` 资源的 ARN。
### JSON
```
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}
```
### YAML
```
mysnspolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: My-statement-id
Effect: Allow
Principal:
AWS: !GetAtt myuser.Arn
Action: sns:Publish
Resource: "*"
Topics:
- !Ref mytopic
```
## 声明 Amazon SQS 策略
该代码段说明如何使用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html) 资源创建策略并将其应用于 Amazon SQS 队列。`PolicyDocument` 属性可使现有用户 `myapp`(由其 ARN 指定)对现有队列(按其 URL 指定)和 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) 资源 myqueue 执行 `SendMessage` 操作。[Ref](resources-section-structure.md#resource-properties-ref) 函数获取 资源的 URL。`myqueue`
### JSON
```
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyQueuePolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.us-east-2aws-region.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]
}
}
```
### YAML
```
mysqspolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: MyQueuePolicy
Version: '2012-10-17'
Statement:
- Sid: Allow-User-SendMessage
Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:user/myapp
Action:
- sqs:SendMessage
Resource: "*"
Queues:
- https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
- !Ref myqueue
```
## IAM 角色模板示例
本部分提供 EC2 实例 IAM 角色的 CloudFormation 模板示例。
有关更多信息,请参阅《Amazon EC2 用户指南》**中的[适用于 Amazon EC2 的 IAM 角色](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)。
### 带 EC2 的 IAM 角色
在此示例中,实例配置文件由 EC2 实例的 `IamInstanceProfile` 属性引用。实例策略和角色策略都引用 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html)。
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEC2Instance": {
"Type": "AWS::EC2::Instance",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myEC2Instance:
Type: AWS::EC2::Instance
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
Monitoring: 'true'
DisableApiTermination: 'false'
IamInstanceProfile:
!Ref RootInstanceProfile
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole
```
### 带自动扩缩组的 IAM 角色
在此示例中,实例配置文件由 Amazon EC2 Auto Scaling 启动配置的 `IamInstanceProfile` 属性引用。
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "cn-north-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myLCOne:
Type: AWS::AutoScaling::LaunchConfiguration
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
InstanceMonitoring: 'true'
IamInstanceProfile:
!Ref RootInstanceProfile
myASGrpOne:
Type: AWS::AutoScaling::AutoScalingGroup
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "cn-north-1a"
LaunchConfigurationName:
!Ref myLCOne
MinSize: '0'
MaxSize: '0'
HealthCheckType: EC2
HealthCheckGracePeriod: '120'
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole
```
# Amazon Lambda 模板
以下模板使用 Amazon Lambda(Lambda)函数和自定义资源向现有安全组列表附加新的安全组。当您需要动态构建安全组列表以使列表同时包含新安全组及现有安全组时,此函数非常有用。例如,您可以将现有安全组列表作为参数值传递,向此列表追加一个新值,然后将您所有的值关联到一个 EC2 实例。有关 Lambda 函数资源类型的更多信息,请参阅 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html)。
在此示例中,当 CloudFormation 创建 `AllSecurityGroups` 自定义资源时,CloudFormation 会调用 `AppendItemToListFunction` Lambda 函数。CloudFormation 将现有的安全组列表以及一个新的安全组(`NewSecurityGroup`)传递给该函数,而该函数会将新的安全组附加到列表中,然后返回修改后的列表。CloudFormation 使用修改后的列表将所有安全组与 `MyEC2Instance` 资源关联起来。
## JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"ExistingSecurityGroups": {
"Type": "List"
},
"ExistingVPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter."
},
"InstanceType": {
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"t2.micro",
"t3.micro"
]
}
},
"Resources": {
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow HTTP traffic to the host",
"VpcId": {
"Ref": "ExistingVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"AllSecurityGroups": {
"Type": "Custom::Split",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"AppendItemToListFunction",
"Arn"
]
},
"List": {
"Ref": "ExistingSecurityGroups"
},
"AppendedItem": {
"Ref": "SecurityGroup"
}
}
},
"AppendItemToListFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Role": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
},
"Code": {
"ZipFile": {
"Fn::Join": [
"",
[
"var response = require('cfn-response');",
"exports.handler = function(event, context) {",
" var responseData = {Value: event.ResourceProperties.List};",
" responseData.Value.push(event.ResourceProperties.AppendedItem);",
" response.send(event, context, response.SUCCESS, responseData);",
"};"
]
]
}
},
"Runtime": "nodejs20.x"
}
},
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": {
"Fn::GetAtt": [
"AllSecurityGroups",
"Value"
]
},
"InstanceType": {
"Ref": "InstanceType"
}
}
},
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
}
]
}
}
},
"Outputs": {
"AllSecurityGroups": {
"Description": "Security Groups that are associated with the EC2 instance",
"Value": {
"Fn::Join": [
", ",
{
"Fn::GetAtt": [
"AllSecurityGroups",
"Value"
]
}
]
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
ExistingSecurityGroups:
Type: List
ExistingVPC:
Type: AWS::EC2::VPC::Id
Description: The VPC ID that includes the security groups in the ExistingSecurityGroups parameter.
InstanceType:
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- t3.micro
Resources:
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow HTTP traffic to the host
VpcId: !Ref ExistingVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
AllSecurityGroups:
Type: Custom::Split
Properties:
ServiceToken: !GetAtt AppendItemToListFunction.Arn
List: !Ref ExistingSecurityGroups
AppendedItem: !Ref SecurityGroup
AppendItemToListFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Code:
ZipFile: !Join
- ''
- - var response = require('cfn-response');
- exports.handler = function(event, context) {
- ' var responseData = {Value: event.ResourceProperties.List};'
- ' responseData.Value.push(event.ResourceProperties.AppendedItem);'
- ' response.send(event, context, response.SUCCESS, responseData);'
- '};'
Runtime: nodejs20.x
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds: !GetAtt AllSecurityGroups.Value
InstanceType: !Ref InstanceType
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
Outputs:
AllSecurityGroups:
Description: Security Groups that are associated with the EC2 instance
Value: !Join
- ', '
- !GetAtt AllSecurityGroups.Value
```
# Amazon Redshift 模板代码段
Amazon Redshift 是云中一种完全托管的 PB 级数据仓库服务。您可以使用 Amazon CloudFormation 预置和管理 Amazon Redshift 集群。
## Amazon Redshift 集群
下述示例模板根据在创建堆栈时指定的参数值创建 Amazon Redshift 集群。与 Amazon Redshift 集群关联的集群参数组可实现用户活动日志记录。该模板还在模板中定义的 Amazon VPC 中启动 Amazon Redshift 集群。VPC 包含一个 Internet 网关,以便您从 Internet 访问 Amazon Redshift 集群。然而,还必须启用集群与 Internet 网关之间的通信,这是通过路由表条目实现的。
**注意**
该模板包含 `IsMultiNodeCluster` 条件,以便仅当 `NumberOfNodes` 参数值设置为 `ClusterType` 时才声明 `multi-node` 参数。
该示例定义了 `MysqlRootPassword` 参数,并将其 `NoEcho` 属性设置为 `true`。如果您将 `NoEcho` 属性设置为 `true`,则对于描述堆栈或堆栈事件的任何调用,CloudFormation 返回使用星号 (\$1\$1\$1\$1\$1) 遮蔽的参数值,但存储在下面指定位置的信息除外。
**重要**
使用 `NoEcho` 属性不会遮蔽在以下各区段中存储的任何信息:
`Metadata` 模板区段。CloudFormation 不会转换、修改或编辑您在 `Metadata` 部分中包含的任何信息。有关更多信息,请参阅 [Metadata](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html)。
`Outputs` 模板区段。有关更多信息,请参阅 [Outputs](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html)。
资源定义的 `Metadata` 属性。有关更多信息,请参阅 [`Metadata` 属性](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html)。
强烈建议您不要使用这些机制来包含敏感信息,例如密码。
**重要**
我们建议不要将敏感信息直接嵌入 CloudFormation 模板中,而应使用堆栈模板中的动态参数来引用在 CloudFormation 外部存储和管理的敏感信息,例如 Amazon Systems Manager Parameter Store 或 Amazon Secrets Manager 中的敏感信息。
有关更多信息,请参阅[请勿将凭证嵌入您的模板](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds)最佳实践。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"DatabaseName" : {
"Description" : "The name of the first database to be created when the cluster is created",
"Type" : "String",
"Default" : "dev",
"AllowedPattern" : "([a-z]|[0-9])+"
},
"ClusterType" : {
"Description" : "The type of cluster",
"Type" : "String",
"Default" : "single-node",
"AllowedValues" : [ "single-node", "multi-node" ]
},
"NumberOfNodes" : {
"Description" : "The number of compute nodes in the cluster. For multi-node clusters, the NumberOfNodes parameter must be greater than 1",
"Type" : "Number",
"Default" : "1"
},
"NodeType" : {
"Description" : "The type of node to be provisioned",
"Type" : "String",
"Default" : "ds2.xlarge",
"AllowedValues" : [ "ds2.xlarge", "ds2.8xlarge", "dc1.large", "dc1.8xlarge" ]
},
"MasterUsername" : {
"Description" : "The user name that is associated with the master user account for the cluster that is being created",
"Type" : "String",
"Default" : "defaultuser",
"AllowedPattern" : "([a-z])([a-z]|[0-9])*"
},
"MasterUserPassword" : {
"Description" : "The password that is associated with the master user account for the cluster that is being created.",
"Type" : "String",
"NoEcho" : "true"
},
"InboundTraffic" : {
"Description" : "Allow inbound traffic to the cluster from this CIDR range.",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PortNumber" : {
"Description" : "The port number on which the cluster accepts incoming connections.",
"Type" : "Number",
"Default" : "5439"
}
},
"Conditions" : {
"IsMultiNodeCluster" : {
"Fn::Equals" : [{ "Ref" : "ClusterType" }, "multi-node" ]
}
},
"Resources" : {
"RedshiftCluster" : {
"Type" : "AWS::Redshift::Cluster",
"DependsOn" : "AttachGateway",
"Properties" : {
"ClusterType" : { "Ref" : "ClusterType" },
"NumberOfNodes" : { "Fn::If" : [ "IsMultiNodeCluster", { "Ref" : "NumberOfNodes" }, { "Ref" : "AWS::NoValue" }]},
"NodeType" : { "Ref" : "NodeType" },
"DBName" : { "Ref" : "DatabaseName" },
"MasterUsername" : { "Ref" : "MasterUsername" },
"MasterUserPassword" : { "Ref" : "MasterUserPassword" },
"ClusterParameterGroupName" : { "Ref" : "RedshiftClusterParameterGroup" },
"VpcSecurityGroupIds" : [ { "Ref" : "SecurityGroup" } ],
"ClusterSubnetGroupName" : { "Ref" : "RedshiftClusterSubnetGroup" },
"PubliclyAccessible" : "true",
"Port" : { "Ref" : "PortNumber" }
}
},
"RedshiftClusterParameterGroup" : {
"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : "Cluster parameter group",
"ParameterGroupFamily" : "redshift-1.0",
"Parameters" : [{
"ParameterName" : "enable_user_activity_logging",
"ParameterValue" : "true"
}]
}
},
"RedshiftClusterSubnetGroup" : {
"Type" : "AWS::Redshift::ClusterSubnetGroup",
"Properties" : {
"Description" : "Cluster subnet group",
"SubnetIds" : [ { "Ref" : "PublicSubnet" } ]
}
},
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"CidrBlock" : "10.0.0.0/24",
"VpcId" : { "Ref" : "VPC" }
}
},
"SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group",
"SecurityGroupIngress" : [ {
"CidrIp" : { "Ref": "InboundTraffic" },
"FromPort" : { "Ref" : "PortNumber" },
"ToPort" : { "Ref" : "PortNumber" },
"IpProtocol" : "tcp"
} ],
"VpcId" : { "Ref" : "VPC" }
}
},
"myInternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
}
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "AttachGateway",
"Properties" : {
"RouteTableId" : {
"Ref" : "PublicRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : {
"Ref" : "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {
"Ref" : "PublicSubnet"
},
"RouteTableId" : {
"Ref" : "PublicRouteTable"
}
}
}
},
"Outputs" : {
"ClusterEndpoint" : {
"Description" : "Cluster endpoint",
"Value" : { "Fn::Join" : [ ":", [ { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Address" ] }, { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Port" ] } ] ] }
},
"ClusterName" : {
"Description" : "Name of cluster",
"Value" : { "Ref" : "RedshiftCluster" }
},
"ParameterGroupName" : {
"Description" : "Name of parameter group",
"Value" : { "Ref" : "RedshiftClusterParameterGroup" }
},
"RedshiftClusterSubnetGroupName" : {
"Description" : "Name of cluster subnet group",
"Value" : { "Ref" : "RedshiftClusterSubnetGroup" }
},
"RedshiftClusterSecurityGroupName" : {
"Description" : "Name of cluster security group",
"Value" : { "Ref" : "SecurityGroup" }
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
DatabaseName:
Description: The name of the first database to be created when the cluster is
created
Type: String
Default: dev
AllowedPattern: "([a-z]|[0-9])+"
ClusterType:
Description: The type of cluster
Type: String
Default: single-node
AllowedValues:
- single-node
- multi-node
NumberOfNodes:
Description: The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1
Type: Number
Default: '1'
NodeType:
Description: The type of node to be provisioned
Type: String
Default: ds2.xlarge
AllowedValues:
- ds2.xlarge
- ds2.8xlarge
- dc1.large
- dc1.8xlarge
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Type: String
Default: defaultuser
AllowedPattern: "([a-z])([a-z]|[0-9])*"
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Type: String
NoEcho: 'true'
InboundTraffic:
Description: Allow inbound traffic to the cluster from this CIDR range.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
PortNumber:
Description: The port number on which the cluster accepts incoming connections.
Type: Number
Default: '5439'
Conditions:
IsMultiNodeCluster:
Fn::Equals:
- Ref: ClusterType
- multi-node
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
DependsOn: AttachGateway
Properties:
ClusterType:
Ref: ClusterType
NumberOfNodes:
Fn::If:
- IsMultiNodeCluster
- Ref: NumberOfNodes
- Ref: AWS::NoValue
NodeType:
Ref: NodeType
DBName:
Ref: DatabaseName
MasterUsername:
Ref: MasterUsername
MasterUserPassword:
Ref: MasterUserPassword
ClusterParameterGroupName:
Ref: RedshiftClusterParameterGroup
VpcSecurityGroupIds:
- Ref: SecurityGroup
ClusterSubnetGroupName:
Ref: RedshiftClusterSubnetGroup
PubliclyAccessible: 'true'
Port:
Ref: PortNumber
RedshiftClusterParameterGroup:
Type: AWS::Redshift::ClusterParameterGroup
Properties:
Description: Cluster parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: enable_user_activity_logging
ParameterValue: 'true'
RedshiftClusterSubnetGroup:
Type: AWS::Redshift::ClusterSubnetGroup
Properties:
Description: Cluster subnet group
SubnetIds:
- Ref: PublicSubnet
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId:
Ref: VPC
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group
SecurityGroupIngress:
- CidrIp:
Ref: InboundTraffic
FromPort:
Ref: PortNumber
ToPort:
Ref: PortNumber
IpProtocol: tcp
VpcId:
Ref: VPC
myInternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: myInternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: myInternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
Outputs:
ClusterEndpoint:
Description: Cluster endpoint
Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}"
ClusterName:
Description: Name of cluster
Value:
Ref: RedshiftCluster
ParameterGroupName:
Description: Name of parameter group
Value:
Ref: RedshiftClusterParameterGroup
RedshiftClusterSubnetGroupName:
Description: Name of cluster subnet group
Value:
Ref: RedshiftClusterSubnetGroup
RedshiftClusterSecurityGroupName:
Description: Name of cluster security group
Value:
Ref: SecurityGroup
```
## 另请参阅
[AWS::Redshift::Cluster](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-redshift-cluster.html)
# Amazon RDS 模板代码段
**Topics**
+ [
## Amazon RDS 数据库实例资源
](#scenario-rds-instance)
+ [
## Amazon RDS Oracle Database 数据库实例资源
](#scenario-rds-oracleinstance)
+ [
## 适用于 CIDR 范围的 Amazon RDS DBSecurityGroup 资源
](#scenario-rds-security-group-cidr)
+ [
## 带 Amazon EC2 安全组的 Amazon RDS DBSecurityGroup
](#scenario-rds-security-group-ec2)
+ [
## 多 VPC 安全组
](#scenario-multiple-vpc-security-groups)
+ [
## VPC 安全组中的 Amazon RDS 数据库实例
](#w2aac11c41c76c15)
## Amazon RDS 数据库实例资源
此示例显示了使用托管主用户密码的 Amazon RDS 数据库实例资源。有关更多信息,请参阅《Amazon RDS 用户指南》**中的[使用 Amazon Secrets Manager 管理密码](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)和《Aurora 用户指南》**中的[使用 Amazon Secrets Manager 管理密码](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html)。由于没有指定可选的 `EngineVersion` 属性,因此会将默认引擎版本用于此数据库实例。有关默认引擎版本和其他默认设置的详细信息,请参阅 [CreateDBInstance](https://docs.amazonaws.cn/AmazonRDS/latest/APIReference/API_CreateDBInstance.html)。`DBSecurityGroups` 属性向名为 `MyDbSecurityByEC2SecurityGroup` 和 MyDbSecurityByCIDRIPGroup 的 `AWS::RDS::DBSecurityGroup` 资源授予网络入口权限。有关更多信息,请参阅 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html)。数据库实例资源还有一个设置为 `Snapshot` 的 `DeletionPolicy` 属性。如果设置了 `Snapshot` `DeletionPolicy`,则在堆栈删除期间,Amazon CloudFormation 会首先拍摄该数据库实例的快照,然后再将其删除。
### JSON
```
1. "MyDB" : {
2. "Type" : "AWS::RDS::DBInstance",
3. "Properties" : {
4. "DBSecurityGroups" : [
5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
6. "AllocatedStorage" : "5",
7. "DBInstanceClass" : "db.t2.small",
8. "Engine" : "MySQL",
9. "MasterUsername" : "MyName",
10. "ManageMasterUserPassword" : true,
11. "MasterUserSecret" : {
12. "KmsKeyId" : {"Ref" : "KMSKey"}
13. }
14. },
15. "DeletionPolicy" : "Snapshot"
16. }
```
### YAML
```
1. MyDB:
2. Type: AWS::RDS::DBInstance
3. Properties:
4. DBSecurityGroups:
5. - Ref: MyDbSecurityByEC2SecurityGroup
6. - Ref: MyDbSecurityByCIDRIPGroup
7. AllocatedStorage: '5'
8. DBInstanceClass: db.t2.small
9. Engine: MySQL
10. MasterUsername: MyName
11. ManageMasterUserPassword: true
12. MasterUserSecret:
13. KmsKeyId: !Ref KMSKey
14. DeletionPolicy: Snapshot
```
## Amazon RDS Oracle Database 数据库实例资源
此示例创建了使用托管主用户密码的 Oracle Database 数据库实例资源。有关更多信息,请参阅《Amazon RDS 用户指南》**中的[使用 Amazon Secrets Manager 管理密码](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)。此示例将 `Engine` 指定为 `oracle-ee` 并使用“自带许可”许可模式。有关 Oracle Database 数据库实例设置的详细信息,请参阅 [CreateDBInstance](https://docs.amazonaws.cn/AmazonRDS/latest/APIReference/API_CreateDBInstance.html)。DBSecurityGroups 属性授权对名为 MyDbSecurityByEC2SecurityGroup 和 MyDbSecurityByCIDRIPGroup 的 `AWS::RDS::DBSecurityGroup` 资源的网络访问。有关更多信息,请参阅 [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html)。数据库实例资源还有一个设置为 `Snapshot` 的 `DeletionPolicy` 属性。如果设置了 `Snapshot` `DeletionPolicy`,则在堆栈删除期间,Amazon CloudFormation 会首先拍摄该数据库实例的快照,然后再将其删除。
### JSON
```
1. "MyDB" : {
2. "Type" : "AWS::RDS::DBInstance",
3. "Properties" : {
4. "DBSecurityGroups" : [
5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
6. "AllocatedStorage" : "5",
7. "DBInstanceClass" : "db.t2.small",
8. "Engine" : "oracle-ee",
9. "LicenseModel" : "bring-your-own-license",
10. "MasterUsername" : "master",
11. "ManageMasterUserPassword" : true,
12. "MasterUserSecret" : {
13. "KmsKeyId" : {"Ref" : "KMSKey"}
14. }
15. },
16. "DeletionPolicy" : "Snapshot"
17. }
```
### YAML
```
1. MyDB:
2. Type: AWS::RDS::DBInstance
3. Properties:
4. DBSecurityGroups:
5. - Ref: MyDbSecurityByEC2SecurityGroup
6. - Ref: MyDbSecurityByCIDRIPGroup
7. AllocatedStorage: '5'
8. DBInstanceClass: db.t2.small
9. Engine: oracle-ee
10. LicenseModel: bring-your-own-license
11. MasterUsername: master
12. ManageMasterUserPassword: true
13. MasterUserSecret:
14. KmsKeyId: !Ref KMSKey
15. DeletionPolicy: Snapshot
```
## 适用于 CIDR 范围的 Amazon RDS DBSecurityGroup 资源
此示例说明一个 Amazon RDS `DBSecurityGroup` 资源,该资源具有以 `ddd.ddd.ddd.ddd/dd` 格式指定的 CIDR 范围的入口授权。有关详细信息,请参阅 [AWS::RDS::DBSecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) 和 [Ingress](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-rds-dbsecuritygroup-ingress.html)。
### JSON
```
1. "MyDbSecurityByCIDRIPGroup" : {
2. "Type" : "AWS::RDS::DBSecurityGroup",
3. "Properties" : {
4. "GroupDescription" : "Ingress for CIDRIP",
5. "DBSecurityGroupIngress" : {
6. "CIDRIP" : "192.168.0.0/32"
7. }
8. }
9. }
```
### YAML
```
1. MyDbSecurityByCIDRIPGroup:
2. Type: AWS::RDS::DBSecurityGroup
3. Properties:
4. GroupDescription: Ingress for CIDRIP
5. DBSecurityGroupIngress:
6. CIDRIP: "192.168.0.0/32"
```
## 带 Amazon EC2 安全组的 Amazon RDS DBSecurityGroup
此示例展示的 [AWS::RDS::DBSecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) 资源具有 `MyEc2SecurityGroup` 所引用 Amazon EC2 安全组中的入口授权。
要执行此操作,您需要定义一个 EC2 安全组,然后在 `DBSecurityGroup` 中使用 `Ref` 内置函数引用该 EC2 安全组。
### JSON
```
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MasterUsername" : { "Ref" : "DBUsername" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"DBSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ],
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" }
}
},
"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"DBSecurityGroupIngress": {
"EC2SecurityGroupName": {
"Fn::GetAtt": ["WebServerSecurityGroup", "GroupName"]
}
},
"GroupDescription" : "Frontend Access"
}
},
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 and SSH access",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0"}
]
}
}
```
### YAML
该示例提取自下面的完整示例:[Drupal\$1Single\$1Instance\$1With\$1RDS.template](https://s3.amazonaws.com/cloudformation-templates-us-east-1/Drupal_Single_Instance_With_RDS.template)
```
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MasterUsername:
Ref: DBUsername
DBInstanceClass:
Ref: DBClass
DBSecurityGroups:
- Ref: DBSecurityGroup
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
DBSecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
DBSecurityGroupIngress:
EC2SecurityGroupName:
Ref: WebServerSecurityGroup
GroupDescription: Frontend Access
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
```
## 多 VPC 安全组
此示例显示的是具有 [AWS::RDS::DBSecurityGroupIngress](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroupingress.html) 中的多个 Amazon EC2 VPC 安全组的入口授权的 [AWS::RDS::DBSecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) 资源。
### JSON
```
{
"Resources" : {
"DBinstance" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.t2.small",
"DBName" : {"Ref": "MyDBName" },
"DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ],
"DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
"Engine" : "MySQL",
"MasterUserPassword": { "Ref" : "MyDBPassword" },
"MasterUsername" : { "Ref" : "MyDBUsername" }
},
"DeletionPolicy" : "Snapshot"
},
"DbSecurityByEC2SecurityGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for Amazon EC2 security group",
"EC2VpcId" : { "Ref" : "MyVPC" },
"DBSecurityGroupIngress" : [ {
"EC2SecurityGroupId" : "sg-b0ff1111",
"EC2SecurityGroupOwnerId" : "111122223333"
}, {
"EC2SecurityGroupId" : "sg-ffd722222",
"EC2SecurityGroupOwnerId" : "111122223333"
} ]
}
}
}
}
```
### YAML
```
Resources:
DBinstance:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: '5'
DBInstanceClass: db.t2.small
DBName:
Ref: MyDBName
DBSecurityGroups:
- Ref: DbSecurityByEC2SecurityGroup
DBSubnetGroupName:
Ref: MyDBSubnetGroup
Engine: MySQL
MasterUserPassword:
Ref: MyDBPassword
MasterUsername:
Ref: MyDBUsername
DeletionPolicy: Snapshot
DbSecurityByEC2SecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: Ingress for Amazon EC2 security group
EC2VpcId:
Ref: MyVPC
DBSecurityGroupIngress:
- EC2SecurityGroupId: sg-b0ff1111
EC2SecurityGroupOwnerId: '111122223333'
- EC2SecurityGroupId: sg-ffd722222
EC2SecurityGroupOwnerId: '111122223333'
```
## VPC 安全组中的 Amazon RDS 数据库实例
该示例显示一个与 Amazon EC2 VPC 安全组关联的 Amazon RDS 数据库实例。
### JSON
```
{
"DBEC2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription": "Open database for access",
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : 3306,
"ToPort" : 3306,
"SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" }
}]
}
},
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MultiAZ" : { "Ref": "MultiAZDatabase" },
"MasterUsername" : { "Ref" : "DBUser" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" },
"VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ]
}
}
}
```
### YAML
```
DBEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Open database for access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 3306
ToPort: 3306
SourceSecurityGroupName:
Ref: WebServerSecurityGroup
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MultiAZ:
Ref: MultiAZDatabase
MasterUsername:
Ref: DBUser
DBInstanceClass:
Ref: DBClass
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
VPCSecurityGroups:
- !GetAtt DBEC2SecurityGroup.GroupId
```
# Route 53 模板代码段
**Topics**
+ [
## 使用托管区名称或 ID 的 Amazon Route 53 资源记录集
](#scenario-route53-recordset-by-host)
+ [
## 使用 RecordSetGroup 设置加权资源记录集
](#scenario-recordsetgroup-weighted)
+ [
## 使用 RecordSetGroup 设置别名资源记录集
](#scenario-recordsetgroup-zoneapex)
+ [
## CloudFront 分配的别名资源记录集
](#scenario-user-friendly-url-for-cloudfront-distribution)
## 使用托管区名称或 ID 的 Amazon Route 53 资源记录集
创建 Amazon Route 53 资源记录集时,必须指定要添加该记录集的托管区。CloudFormation 提供了两种指定托管区的方法:
+ 您可以使用 `HostedZoneId` 属性明确指定托管区域。
+ 您可以使用 `HostedZoneName` 属性让 CloudFormation 查找托管区。如果使用 `HostedZoneName` 属性且存在多个名称相同的托管区,则 CloudFormation 不会创建堆栈。
### 使用 HostedZoneId 添加 RecordSet
此示例添加了一个 Amazon Route 53 资源记录集,其中包含域名 `mysite.example.com` 的 `SPF` 记录(使用 `HostedZoneId` 属性指定托管区)。
#### JSON
```
1. "myDNSRecord" : {
2. "Type" : "AWS::Route53::RecordSet",
3. "Properties" :
4. {
5. "HostedZoneId" : "Z3DG6IL3SJCGPX",
6. "Name" : "mysite.example.com.",
7. "Type" : "SPF",
8. "TTL" : "900",
9. "ResourceRecords" : [ "\"v=spf1 ip4:192.168.0.1/16 -all\"" ]
10. }
11. }
```
#### YAML
```
1. myDNSRecord:
2. Type: AWS::Route53::RecordSet
3. Properties:
4. HostedZoneId: Z3DG6IL3SJCGPX
5. Name: mysite.example.com.
6. Type: SPF
7. TTL: '900'
8. ResourceRecords:
9. - '"v=spf1 ip4:192.168.0.1/16 -all"'
```
### 使用 HostedZoneName 添加 RecordSet
此示例使用 `HostedZoneName` 属性为域名“mysite.example.com”添加 Amazon Route 53 资源记录集,以指定托管区。
#### JSON
```
1. "myDNSRecord2" : {
2. "Type" : "AWS::Route53::RecordSet",
3. "Properties" : {
4. "HostedZoneName" : "example.com.",
5. "Name" : "mysite.example.com.",
6. "Type" : "A",
7. "TTL" : "900",
8. "ResourceRecords" : [
9. "192.168.0.1",
10. "192.168.0.2"
11. ]
12. }
13. }
```
#### YAML
```
1. myDNSRecord2:
2. Type: AWS::Route53::RecordSet
3. Properties:
4. HostedZoneName: example.com.
5. Name: mysite.example.com.
6. Type: A
7. TTL: '900'
8. ResourceRecords:
9. - 192.168.0.1
10. - 192.168.0.2
```
## 使用 RecordSetGroup 设置加权资源记录集
此示例使用 [AWS::Route53::RecordSetGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) 为“example.com.”托管区域设置两条 CNAME 记录。`RecordSets` 属性中含有 "mysite.example.com" DNS 名称的 CNAME 记录集。每个记录集都含有一个标识符 (`SetIdentifier`) 和权重 (`Weight`)。路由到资源的 Internet 流量比例基于以下计算:
+ `Frontend One`: `140/(140+60)` = `140/200` = 70%
+ `Frontend Two`: `60/(140+60)` = `60/200` = 30%
有关加权资源记录集的更多信息,请参阅《Amazon Route 53 开发人员指南》中的[加权路由](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/routing-policy-weighted.html)。
### JSON
```
1. "myDNSOne" : {
2. "Type" : "AWS::Route53::RecordSetGroup",
3. "Properties" : {
4. "HostedZoneName" : "example.com.",
5. "Comment" : "Weighted RR for my frontends.",
6. "RecordSets" : [
7. {
8. "Name" : "mysite.example.com.",
9. "Type" : "CNAME",
10. "TTL" : "900",
11. "SetIdentifier" : "Frontend One",
12. "Weight" : "140",
13. "ResourceRecords" : ["example-ec2.amazonaws.com"]
14. },
15. {
16. "Name" : "mysite.example.com.",
17. "Type" : "CNAME",
18. "TTL" : "900",
19. "SetIdentifier" : "Frontend Two",
20. "Weight" : "60",
21. "ResourceRecords" : ["example-ec2-larger.amazonaws.com"]
22. }
23. ]
24. }
25. }
```
### YAML
```
1. myDNSOne:
2. Type: AWS::Route53::RecordSetGroup
3. Properties:
4. HostedZoneName: example.com.
5. Comment: Weighted RR for my frontends.
6. RecordSets:
7. - Name: mysite.example.com.
8. Type: CNAME
9. TTL: '900'
10. SetIdentifier: Frontend One
11. Weight: '140'
12. ResourceRecords:
13. - example-ec2.amazonaws.com
14. - Name: mysite.example.com.
15. Type: CNAME
16. TTL: '900'
17. SetIdentifier: Frontend Two
18. Weight: '60'
19. ResourceRecords:
20. - example-ec2-larger.amazonaws.com
```
## 使用 RecordSetGroup 设置别名资源记录集
以下示例使用 [AWS::Route53::RecordSetGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) 设置名为 `example.com` 的别名资源记录集,将流量路由到 ELB 版本 1(经典)负载均衡器和版本 2(应用程序或网络)负载均衡器。[AliasTarget](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-properties-route53-recordset-aliastarget.html) 属性使用 `GetAtt` 内置函数指定 `myELB` `LoadBalancer` 的托管区 ID 和 DNS 名称。`GetAtt` 将根据是要将流量路由到版本 1 还是版本 2 的负载均衡器来检索 `myELB` 资源的不同属性:
+ 版本 1 负载均衡器:`CanonicalHostedZoneNameID` 和 `DNSName`
+ 版本 2 负载均衡器:`CanonicalHostedZoneID` 和 `DNSName`
有关别名资源记录集的更多信息,请参阅《Route 53 开发人员指南》**中的[在别名记录和非别名记录之间进行选择](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html)。
### 适用于版本 1 负载均衡器的 JSON
```
1. "myELB" : {
2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
3. "Properties" : {
4. "AvailabilityZones" : [ "cn-north-1a" ],
5. "Listeners" : [ {
6. "LoadBalancerPort" : "80",
7. "InstancePort" : "80",
8. "Protocol" : "HTTP"
9. } ]
10. }
11. },
12. "myDNS" : {
13. "Type" : "AWS::Route53::RecordSetGroup",
14. "Properties" : {
15. "HostedZoneName" : "example.com.",
16. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
17. "RecordSets" : [
18. {
19. "Name" : "example.com.",
20. "Type" : "A",
21. "AliasTarget" : {
22. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneNameID"] },
23. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
24. }
25. }
26. ]
27. }
28. }
```
### 适用于版本 1 负载均衡器的 YAML
```
1. myELB:
2. Type: AWS::ElasticLoadBalancing::LoadBalancer
3. Properties:
4. AvailabilityZones:
5. - "cn-north-1a"
6. Listeners:
7. - LoadBalancerPort: '80'
8. InstancePort: '80'
9. Protocol: HTTP
10. myDNS:
11. Type: AWS::Route53::RecordSetGroup
12. Properties:
13. HostedZoneName: example.com.
14. Comment: Zone apex alias targeted to myELB LoadBalancer.
15. RecordSets:
16. - Name: example.com.
17. Type: A
18. AliasTarget:
19. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneNameID'
20. DNSName: !GetAtt 'myELB.DNSName'
```
### 适用于版本 2 负载均衡器的 JSON
```
1. "myELB" : {
2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
3. "Properties" : {
4. "Subnets" : [
5. {"Ref": "SubnetAZ1"},
6. {"Ref" : "SubnetAZ2"}
7. ]
8. }
9. },
10. "myDNS" : {
11. "Type" : "AWS::Route53::RecordSetGroup",
12. "Properties" : {
13. "HostedZoneName" : "example.com.",
14. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
15. "RecordSets" : [
16. {
17. "Name" : "example.com.",
18. "Type" : "A",
19. "AliasTarget" : {
20. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneID"] },
21. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
22. }
23. }
24. ]
25. }
26. }
```
### 适用于版本 2 负载均衡器的 YAML
```
1. myELB:
2. Type: AWS::ElasticLoadBalancingV2::LoadBalancer
3. Properties:
4. Subnets:
5. - Ref: SubnetAZ1
6. - Ref: SubnetAZ2
7. myDNS:
8. Type: AWS::Route53::RecordSetGroup
9. Properties:
10. HostedZoneName: example.com.
11. Comment: Zone apex alias targeted to myELB LoadBalancer.
12. RecordSets:
13. - Name: example.com.
14. Type: A
15. AliasTarget:
16. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneID'
17. DNSName: !GetAtt 'myELB.DNSName'
```
## CloudFront 分配的别名资源记录集
下面的示例创建了将自定义域名指向 CloudFront 分发的别名 A 记录。`myHostedZoneID` 假定要么是引用同一模板中的实际 `AWS::Route53::HostedZone` 资源,要么是参数。`myCloudFrontDistribution` 指同一模板中的 `AWS::CloudFront::Distribution` 资源。别名记录会使用标准的 CloudFront 托管区 ID (`Z2FDTNDATAQYW2`),并使用 `Fn::GetAtt` 自动解析分发的域名。此设置允许在不需要 IP 地址的情况下将网络流量从自定义域路由到 CloudFront 分发。
**注意**
在创建别名资源记录集时,必须为 `Z2FDTNDATAQYW2` 属性指定 `HostedZoneId`。无法在私有区域中创建 CloudFront 的别名资源记录集。
### JSON
```
1. {
2. "myDNS": {
3. "Type": "AWS::Route53::RecordSetGroup",
4. "Properties": {
5. "HostedZoneId": {
6. "Ref": "myHostedZoneID"
7. },
8. "RecordSets": [
9. {
10. "Name": {
11. "Ref": "myRecordSetDomainName"
12. },
13. "Type": "A",
14. "AliasTarget": {
15. "HostedZoneId": "Z2FDTNDATAQYW2",
16. "DNSName": {
17. "Fn::GetAtt": [
18. "myCloudFrontDistribution",
19. "DomainName"
20. ]
21. },
22. "EvaluateTargetHealth": false
23. }
24. }
25. ]
26. }
27. }
28. }
```
### YAML
```
1. myDNS:
2. Type: AWS::Route53::RecordSetGroup
3. Properties:
4. HostedZoneId: !Ref myHostedZoneID
5. RecordSets:
6. - Name: !Ref myRecordSetDomainName
7. Type: A
8. AliasTarget:
9. HostedZoneId: Z2FDTNDATAQYW2
10. DNSName: !GetAtt
11. - myCloudFrontDistribution
12. - DomainName
13. EvaluateTargetHealth: false
```
# Amazon S3 模板代码段
可以使用这些 Amazon S3 示例模板帮助在 CloudFormation 中描述 Amazon S3 存储桶。有关更多示例,请参阅 `AWS::S3::Bucket` 资源中的[示例](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html#aws-resource-s3-bucket--examples)部分。
**Topics**
+ [
## 使用默认值创建 Amazon S3 存储桶
](#scenario-s3-bucket)
+ [
## 为虚拟主机创建一个带 `DeletionPolicy` 的 Amazon S3 存储桶
](#scenario-s3-bucket-website)
+ [
## 使用自定义域创建静态网站
](#scenario-s3-bucket-website-customdomain)
## 使用默认值创建 Amazon S3 存储桶
此示例使用 [AWS::S3::Bucket](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) 创建带默认设置的桶。
### JSON
```
1. "myS3Bucket" : {
2. "Type" : "AWS::S3::Bucket"
3. }
```
### YAML
```
1. MyS3Bucket:
2. Type: AWS::S3::Bucket
```
## 为虚拟主机创建一个带 `DeletionPolicy` 的 Amazon S3 存储桶
此示例将创建一个存储桶作为网站,并禁用阻止公有访问(为网站托管设置的存储桶需要公有读取权限)。然后,将公有存储桶策略添加到存储桶。由于此存储桶资源有一个设置为 `Retain` 的 `DeletionPolicy` 属性,因此 CloudFormation 不会在其删除堆栈时删除此存储桶。`Output` 部分使用 `Fn::GetAtt` 检索 `S3Bucket` 资源的 `WebsiteURL` 属性和 `DomainName` 属性。
**注意**
以下示例假设 `BlockPublicPolicy` 和 `RestrictPublicBuckets` 阻止公有访问设置已在账户级别禁用。
### JSON
```
1. {
2. "AWSTemplateFormatVersion": "2010-09-09",
3. "Resources": {
4. "S3Bucket": {
5. "Type": "AWS::S3::Bucket",
6. "Properties": {
7. "PublicAccessBlockConfiguration": {
8. "BlockPublicAcls": false,
9. "BlockPublicPolicy": false,
10. "IgnorePublicAcls": false,
11. "RestrictPublicBuckets": false
12. },
13. "WebsiteConfiguration": {
14. "IndexDocument": "index.html",
15. "ErrorDocument": "error.html"
16. }
17. },
18. "DeletionPolicy": "Retain",
19. "UpdateReplacePolicy": "Retain"
20. },
21. "BucketPolicy": {
22. "Type": "AWS::S3::BucketPolicy",
23. "Properties": {
24. "PolicyDocument": {
25. "Id": "MyPolicy",
26. "Version": "2012-10-17",
27. "Statement": [
28. {
29. "Sid": "PublicReadForGetBucketObjects",
30. "Effect": "Allow",
31. "Principal": "*",
32. "Action": "s3:GetObject",
33. "Resource": {
34. "Fn::Join": [
35. "",
36. [
37. "arn:aws:s3:::",
38. {
39. "Ref": "S3Bucket"
40. },
41. "/*"
42. ]
43. ]
44. }
45. }
46. ]
47. },
48. "Bucket": {
49. "Ref": "S3Bucket"
50. }
51. }
52. }
53. },
54. "Outputs": {
55. "WebsiteURL": {
56. "Value": {
57. "Fn::GetAtt": [
58. "S3Bucket",
59. "WebsiteURL"
60. ]
61. },
62. "Description": "URL for website hosted on S3"
63. },
64. "S3BucketSecureURL": {
65. "Value": {
66. "Fn::Join": [
67. "",
68. [
69. "https://",
70. {
71. "Fn::GetAtt": [
72. "S3Bucket",
73. "DomainName"
74. ]
75. }
76. ]
77. ]
78. },
79. "Description": "Name of S3 bucket to hold website content"
80. }
81. }
82. }
```
### YAML
```
1. AWSTemplateFormatVersion: 2010-09-09
2. Resources:
3. S3Bucket:
4. Type: AWS::S3::Bucket
5. Properties:
6. PublicAccessBlockConfiguration:
7. BlockPublicAcls: false
8. BlockPublicPolicy: false
9. IgnorePublicAcls: false
10. RestrictPublicBuckets: false
11. WebsiteConfiguration:
12. IndexDocument: index.html
13. ErrorDocument: error.html
14. DeletionPolicy: Retain
15. UpdateReplacePolicy: Retain
16. BucketPolicy:
17. Type: AWS::S3::BucketPolicy
18. Properties:
19. PolicyDocument:
20. Id: MyPolicy
21. Version: 2012-10-17
22. Statement:
23. - Sid: PublicReadForGetBucketObjects
24. Effect: Allow
25. Principal: '*'
26. Action: 's3:GetObject'
27. Resource: !Join
28. - ''
29. - - 'arn:aws:s3:::'
30. - !Ref S3Bucket
31. - /*
32. Bucket: !Ref S3Bucket
33. Outputs:
34. WebsiteURL:
35. Value: !GetAtt
36. - S3Bucket
37. - WebsiteURL
38. Description: URL for website hosted on S3
39. S3BucketSecureURL:
40. Value: !Join
41. - ''
42. - - 'https://'
43. - !GetAtt
44. - S3Bucket
45. - DomainName
46. Description: Name of S3 bucket to hold website content
```
## 使用自定义域创建静态网站
可以将 Route 53 和已注册的域一起使用。以下示例假设您已在 Route 53 中为您的域创建了托管区域。该示例创建两个用于网站托管的存储桶。根存储桶托管内容,另一个存储桶将 `www.domainname.com` 请求重定向到根存储桶。该记录集将您的域名映射到 Amazon S3 端点。
您还需要添加存储桶策略,如上面的示例所示。
有关使用自定义域的更多信息,请参阅《Amazon Simple Storage Service 用户指南**》中的[教程:使用注册到 Route 53 的自定义域配置静态网站](https://docs.amazonaws.cn/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html)。
**注意**
以下示例假设 `BlockPublicPolicy` 和 `RestrictPublicBuckets` 阻止公有访问设置已在账户级别禁用。
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "S3hostedzoneID" : "Z3AQBSTGFYJSTF", "websiteendpoint" : "s3-website-us-east-1.amazonaws.com" },
"us-west-1" : { "S3hostedzoneID" : "Z2F56UZL2M1ACD", "websiteendpoint" : "s3-website-us-west-1.amazonaws.com" },
"us-west-2" : { "S3hostedzoneID" : "Z3BJ6K6RIION7M", "websiteendpoint" : "s3-website-us-west-2.amazonaws.com" },
"eu-west-1" : { "S3hostedzoneID" : "Z1BKCTXD74EZPE", "websiteendpoint" : "s3-website-eu-west-1.amazonaws.com" },
"ap-southeast-1" : { "S3hostedzoneID" : "Z3O0J2DXBE1FTB", "websiteendpoint" : "s3-website-ap-southeast-1.amazonaws.com" },
"ap-southeast-2" : { "S3hostedzoneID" : "Z1WCIGYICN2BYD", "websiteendpoint" : "s3-website-ap-southeast-2.amazonaws.com" },
"ap-northeast-1" : { "S3hostedzoneID" : "Z2M4EHUR26P7ZW", "websiteendpoint" : "s3-website-ap-northeast-1.amazonaws.com" },
"sa-east-1" : { "S3hostedzoneID" : "Z31GFT0UA1I2HV", "websiteendpoint" : "s3-website-sa-east-1.amazonaws.com" }
}
},
"Parameters": {
"RootDomainName": {
"Description": "Domain name for your website (example.com)",
"Type": "String"
}
},
"Resources": {
"RootBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName" : {"Ref":"RootDomainName"},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false
},
"WebsiteConfiguration": {
"IndexDocument":"index.html",
"ErrorDocument":"404.html"
}
}
},
"WWWBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"AccessControl": "BucketOwnerFullControl",
"WebsiteConfiguration": {
"RedirectAllRequestsTo": {
"HostName": {"Ref": "RootBucket"}
}
}
}
},
"myDNS": {
"Type": "AWS::Route53::RecordSetGroup",
"Properties": {
"HostedZoneName": {
"Fn::Join": ["", [{"Ref": "RootDomainName"}, "."]]
},
"Comment": "Zone apex alias.",
"RecordSets": [
{
"Name": {"Ref": "RootDomainName"},
"Type": "A",
"AliasTarget": {
"HostedZoneId": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "S3hostedzoneID"]},
"DNSName": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "websiteendpoint"]}
}
},
{
"Name": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"Type": "CNAME",
"TTL" : "900",
"ResourceRecords" : [
{"Fn::GetAtt":["WWWBucket", "DomainName"]}
]
}
]
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": {"Fn::GetAtt": ["RootBucket", "WebsiteURL"]},
"Description": "URL for website hosted on S3"
}
}
}
```
### YAML
```
Parameters:
RootDomainName:
Description: Domain name for your website (example.com)
Type: String
Mappings:
RegionMap:
us-east-1:
S3hostedzoneID: Z3AQBSTGFYJSTF
websiteendpoint: s3-website-us-east-1.amazonaws.com
us-west-1:
S3hostedzoneID: Z2F56UZL2M1ACD
websiteendpoint: s3-website-us-west-1.amazonaws.com
us-west-2:
S3hostedzoneID: Z3BJ6K6RIION7M
websiteendpoint: s3-website-us-west-2.amazonaws.com
eu-west-1:
S3hostedzoneID: Z1BKCTXD74EZPE
websiteendpoint: s3-website-eu-west-1.amazonaws.com
ap-southeast-1:
S3hostedzoneID: Z3O0J2DXBE1FTB
websiteendpoint: s3-website-ap-southeast-1.amazonaws.com
ap-southeast-2:
S3hostedzoneID: Z1WCIGYICN2BYD
websiteendpoint: s3-website-ap-southeast-2.amazonaws.com
ap-northeast-1:
S3hostedzoneID: Z2M4EHUR26P7ZW
websiteendpoint: s3-website-ap-northeast-1.amazonaws.com
sa-east-1:
S3hostedzoneID: Z31GFT0UA1I2HV
websiteendpoint: s3-website-sa-east-1.amazonaws.com
Resources:
RootBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref RootDomainName
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: 404.html
WWWBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
AccessControl: BucketOwnerFullControl
WebsiteConfiguration:
RedirectAllRequestsTo:
HostName: !Ref RootBucket
myDNS:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: !Sub
- ${Domain}.
- Domain: !Ref RootDomainName
Comment: Zone apex alias.
RecordSets:
- Name: !Ref RootDomainName
Type: A
AliasTarget:
HostedZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', S3hostedzoneID]
DNSName: !FindInMap [ RegionMap, !Ref 'AWS::Region', websiteendpoint]
- Name: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
Type: CNAME
TTL: 900
ResourceRecords:
- !GetAtt WWWBucket.DomainName
Outputs:
WebsiteURL:
Value: !GetAtt RootBucket.WebsiteURL
Description: URL for website hosted on S3
```
# Amazon SNS 模板代码段
此示例显示 Amazon SNS 主题资源。它需要有效的电子邮件地址。
## JSON
```
1. "MySNSTopic" : {
2. "Type" : "AWS::SNS::Topic",
3. "Properties" : {
4. "Subscription" : [ {
5. "Endpoint" : "add valid email address",
6. "Protocol" : "email"
7. } ]
8. }
9. }
```
## YAML
```
1. MySNSTopic:
2. Type: AWS::SNS::Topic
3. Properties:
4. Subscription:
5. - Endpoint: "add valid email address"
6. Protocol: email
```
# Amazon SQS 模板代码段
此示例显示的是 Amazon SQS 队列。
## JSON
```
1. "MyQueue" : {
2. "Type" : "AWS::SQS::Queue",
3. "Properties" : {
4. "VisibilityTimeout" : "value"
5. }
6. }
```
## YAML
```
1. MyQueue:
2. Type: AWS::SQS::Queue
3. Properties:
4. VisibilityTimeout: value
```
# Amazon Timestream 模板代码片段
借助适用于 InfluxDB 的 Amazon Timestream,应用程序开发人员和 DevOps 团队可以在 Amazon 上轻松使用开源 API 为实时时间序列应用程序运行完全托管的 InfluxDB 数据库。您可以快速创建 InfluxDB 数据库,用来处理要求严格的时间序列工作负载。只需几个简单的 API 调用,就可以在 Amazon 上安装、迁移、操作和扩展具有自动软件修补、备份和恢复功能的 InfluxDB 数据库。此外还可以在 GitHub 中的 [awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb](https://github.com/awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb) 页面上找到这些示例。
**Topics**
+ [
## 使用默认值的精简样本
](#scenario-timestream-influxdb-example-1)
+ [
## 带参数的更完整示例
](#scenario-timestream-influxdb-example-2)
这些 Amazon CloudFormation 模板将创建下列所需的资源,以成功创建、连接到和监控适用于 InfluxDB 的 Amazon Timestream 实例:
**Amazon VPC**
+ `VPC`
+ 一个或多个 `Subnet`
+ `InternetGateway`
+ `RouteTable`
+ `SecurityGroup`
**Amazon S3**
+ `Bucket`
**Amazon Timestream**
+ `InfluxDBInstance`
## 使用默认值的精简样本
此示例会尽可能使用默认值部署多可用区和可公开访问的实例。
### JSON
```
{
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "Amazon Timestream for InfluxDB Configuration"},
"Parameters": [
"DbInstanceName",
"InfluxDBPassword"
]
}
],
"ParameterLabels": {
"VPCCIDR": {"default": "VPC CIDR"}
}
}
},
"Parameters": {
"DbInstanceName": {
"Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.",
"Type": "String",
"Default": "mydbinstance",
"MinLength": 3,
"MaxLength": 40,
"AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$"
},
"InfluxDBPassword": {
"Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.",
"Type": "String",
"NoEcho": true,
"MinLength": 8,
"MaxLength": 64,
"AllowedPattern": "^[a-zA-Z0-9]+$"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {"CidrBlock": "10.0.0.0/16"}
},
"InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
0,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
0,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": true
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
1,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
1,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": true
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"DefaultRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "InternetGatewayAttachment",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
}
},
"Subnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet1"}
}
},
"Subnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet2"}
}
},
"InfluxDBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "influxdb-sg",
"GroupDescription": "Security group allowing port 8086 ingress for InfluxDB",
"VpcId": {"Ref": "VPC"}
}
},
"InfluxDBSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {"Ref": "InfluxDBSecurityGroup"},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 8086,
"ToPort": 8086
}
},
"InfluxDBLogsS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"InfluxDBLogsS3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "InfluxDBLogsS3Bucket"},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"},
"Principal": {"Service": "timestream-influxdb.amazonaws.com"}
},
{
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"},
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"}
],
"Principal": "*",
"Condition": {
"Bool": {"aws:SecureTransport": false}
}
}
]
}
}
},
"DbInstance": {
"Type": "AWS::Timestream::InfluxDBInstance",
"DependsOn": "InfluxDBLogsS3BucketPolicy",
"Properties": {
"AllocatedStorage": 20,
"DbInstanceType": "db.influx.medium",
"Name": {"Ref": "DbInstanceName"},
"Password": {"Ref": "InfluxDBPassword"},
"PubliclyAccessible": true,
"DeploymentType": "WITH_MULTIAZ_STANDBY",
"VpcSecurityGroupIds": [
{"Ref": "InfluxDBSecurityGroup"}
],
"VpcSubnetIds": [
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
],
"LogDeliveryConfiguration": {
"S3Configuration": {
"BucketName": {"Ref": "InfluxDBLogsS3Bucket"},
"Enabled": true
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the VPC used to create network resources",
"Value": {"Ref": "VPC"}
},
"Subnets": {
"Description": "A list of the subnets created",
"Value": {
"Fn::Join": [
",",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
]
]
}
},
"Subnet1": {
"Description": "A reference to the subnet in the 1st Availability Zone",
"Value": {"Ref": "Subnet1"}
},
"Subnet2": {
"Description": "A reference to the subnet in the 2nd Availability Zone",
"Value": {"Ref": "Subnet2"}
},
"InfluxDBSecurityGroup": {
"Description": "Security group with port 8086 ingress rule",
"Value": {"Ref": "InfluxDBSecurityGroup"}
},
"InfluxDBLogsS3Bucket": {
"Description": "S3 Bucket containing InfluxDB logs from the DB instance",
"Value": {"Ref": "InfluxDBLogsS3Bucket"}
},
"DbInstance": {
"Description": "A reference to the Timestream for InfluxDB DB instance",
"Value": {"Ref": "DbInstance"}
},
"InfluxAuthParametersSecretArn": {
"Description": "The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.",
"Value": {
"Fn::GetAtt": [
"DbInstance",
"InfluxAuthParametersSecretArn"
]
}
},
"Endpoint": {
"Description": "The endpoint URL to connect to InfluxDB",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"DbInstance",
"Endpoint"
]
},
":8086"
]
]
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Amazon Timestream for InfluxDB Configuration"
Parameters:
- DbInstanceName
- InfluxDBPassword
ParameterLabels:
VPCCIDR:
default: VPC CIDR
Parameters:
DbInstanceName:
Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.
Type: String
Default: mydbinstance
MinLength: 3
MaxLength: 40
AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$
InfluxDBPassword:
Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.
Type: String
NoEcho: true
MinLength: 8
MaxLength: 64
AllowedPattern: ^[a-zA-Z0-9]+$
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
InternetGateway:
Type: AWS::EC2::InternetGateway
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: true
Subnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: true
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
DefaultRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref RouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
Subnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet1
Subnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet2
InfluxDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "influxdb-sg"
GroupDescription: "Security group allowing port 8086 ingress for InfluxDB"
VpcId: !Ref VPC
InfluxDBSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref InfluxDBSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 8086
ToPort: 8086
InfluxDBLogsS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
InfluxDBLogsS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref InfluxDBLogsS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: "s3:PutObject"
Effect: Allow
Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*
Principal:
Service: timestream-influxdb.amazonaws.com
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/*
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
DbInstance:
Type: AWS::Timestream::InfluxDBInstance
DependsOn: InfluxDBLogsS3BucketPolicy
Properties:
AllocatedStorage: 20
DbInstanceType: db.influx.medium
Name: !Ref DbInstanceName
Password: !Ref InfluxDBPassword
PubliclyAccessible: true
DeploymentType: WITH_MULTIAZ_STANDBY
VpcSecurityGroupIds:
- !Ref InfluxDBSecurityGroup
VpcSubnetIds:
- !Ref Subnet1
- !Ref Subnet2
LogDeliveryConfiguration:
S3Configuration:
BucketName: !Ref InfluxDBLogsS3Bucket
Enabled: true
Outputs:
# Network Resources
VPC:
Description: A reference to the VPC used to create network resources
Value: !Ref VPC
Subnets:
Description: A list of the subnets created
Value: !Join [",", [!Ref Subnet1, !Ref Subnet2]]
Subnet1:
Description: A reference to the subnet in the 1st Availability Zone
Value: !Ref Subnet1
Subnet2:
Description: A reference to the subnet in the 2nd Availability Zone
Value: !Ref Subnet2
InfluxDBSecurityGroup:
Description: Security group with port 8086 ingress rule
Value: !Ref InfluxDBSecurityGroup
# Timestream for InfluxDB Resources
InfluxDBLogsS3Bucket:
Description: S3 Bucket containing InfluxDB logs from the DB instance
Value: !Ref InfluxDBLogsS3Bucket
DbInstance:
Description: A reference to the Timestream for InfluxDB DB instance
Value: !Ref DbInstance
InfluxAuthParametersSecretArn:
Description: "The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password."
Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn
Endpoint:
Description: The endpoint URL to connect to InfluxDB
Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]]
```
## 带参数的更完整示例
此示例模板会根据提供的参数动态更改网络资源。参数包括 `PubliclyAccessible` 和 `DeploymentType`。
### JSON
```
{
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "Network Configuration"},
"Parameters": ["VPCCIDR"]
},
{
"Label": {"default": "Amazon Timestream for InfluxDB Configuration"},
"Parameters": [
"DbInstanceName",
"InfluxDBUsername",
"InfluxDBPassword",
"InfluxDBOrganization",
"InfluxDBBucket",
"DbInstanceType",
"DbStorageType",
"AllocatedStorage",
"PubliclyAccessible",
"DeploymentType"
]
}
],
"ParameterLabels": {
"VPCCIDR": {"default": "VPC CIDR"}
}
}
},
"Parameters": {
"VPCCIDR": {
"Description": "Please enter the IP range (CIDR notation) for the new VPC",
"Type": "String",
"Default": "10.0.0.0/16"
},
"DbInstanceName": {
"Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.",
"Type": "String",
"Default": "mydbinstance",
"MinLength": 3,
"MaxLength": 40,
"AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$"
},
"InfluxDBUsername": {
"Description": "The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.",
"Type": "String",
"Default": "admin",
"MinLength": 1,
"MaxLength": 64
},
"InfluxDBPassword": {
"Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.",
"Type": "String",
"NoEcho": true,
"MinLength": 8,
"MaxLength": 64,
"AllowedPattern": "^[a-zA-Z0-9]+$"
},
"InfluxDBOrganization": {
"Description": "The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.",
"Type": "String",
"Default": "org",
"MinLength": 1,
"MaxLength": 64
},
"InfluxDBBucket": {
"Description": "The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.",
"Type": "String",
"Default": "bucket",
"MinLength": 2,
"MaxLength": 64,
"AllowedPattern": "^[^_\\\"][^\\\"]*$"
},
"DeploymentType": {
"Description": "Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability",
"Type": "String",
"Default": "WITH_MULTIAZ_STANDBY",
"AllowedValues": [
"SINGLE_AZ",
"WITH_MULTIAZ_STANDBY"
]
},
"AllocatedStorage": {
"Description": "The amount of storage to allocate for your DB storage type in GiB (gibibytes).",
"Type": "Number",
"Default": 400,
"MinValue": 20,
"MaxValue": 16384
},
"DbInstanceType": {
"Description": "The Timestream for InfluxDB DB instance type to run InfluxDB on.",
"Type": "String",
"Default": "db.influx.medium",
"AllowedValues": [
"db.influx.medium",
"db.influx.large",
"db.influx.xlarge",
"db.influx.2xlarge",
"db.influx.4xlarge",
"db.influx.8xlarge",
"db.influx.12xlarge",
"db.influx.16xlarge"
]
},
"DbStorageType": {
"Description": "The Timestream for InfluxDB DB storage type to read and write InfluxDB data.",
"Type": "String",
"Default": "InfluxIOIncludedT1",
"AllowedValues": [
"InfluxIOIncludedT1",
"InfluxIOIncludedT2",
"InfluxIOIncludedT3"
]
},
"PubliclyAccessible": {
"Description": "Configures the DB instance with a public IP to facilitate access.",
"Type": "String",
"Default": true,
"AllowedValues": [
true,
false
]
}
},
"Conditions": {
"IsMultiAZ": {
"Fn::Equals": [
{"Ref": "DeploymentType"},
"WITH_MULTIAZ_STANDBY"
]
},
"IsPublic": {
"Fn::Equals": [
{"Ref": "PubliclyAccessible"},
true
]
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Ref": "VPCCIDR"}
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Condition": "IsPublic"
},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Condition": "IsPublic",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
0,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
0,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": {
"Fn::If": [
"IsPublic",
true,
false
]
}
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Condition": "IsMultiAZ",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
1,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
1,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": {
"Fn::If": [
"IsPublic",
true,
false
]
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"DefaultRoute": {
"Type": "AWS::EC2::Route",
"Condition": "IsPublic",
"DependsOn": "InternetGatewayAttachment",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
}
},
"Subnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet1"}
}
},
"Subnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Condition": "IsMultiAZ",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet2"}
}
},
"InfluxDBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "influxdb-sg",
"GroupDescription": "Security group allowing port 8086 ingress for InfluxDB",
"VpcId": {"Ref": "VPC"}
}
},
"InfluxDBSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {"Ref": "InfluxDBSecurityGroup"},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 8086,
"ToPort": 8086
}
},
"InfluxDBLogsS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"InfluxDBLogsS3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "InfluxDBLogsS3Bucket"},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"},
"Principal": {"Service": "timestream-influxdb.amazonaws.com"}
},
{
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"},
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"}
],
"Principal": "*",
"Condition": {
"Bool": {"aws:SecureTransport": false}
}
}
]
}
}
},
"DbInstance": {
"Type": "AWS::Timestream::InfluxDBInstance",
"DependsOn": "InfluxDBLogsS3BucketPolicy",
"Properties": {
"DbStorageType": {"Ref": "DbStorageType"},
"AllocatedStorage": {"Ref": "AllocatedStorage"},
"DbInstanceType": {"Ref": "DbInstanceType"},
"Name": {"Ref": "DbInstanceName"},
"Username": {"Ref": "InfluxDBUsername"},
"Password": {"Ref": "InfluxDBPassword"},
"Organization": {"Ref": "InfluxDBOrganization"},
"Bucket": {"Ref": "InfluxDBBucket"},
"PubliclyAccessible": {
"Fn::If": [
"IsPublic",
true,
false
]
},
"DeploymentType": {"Ref": "DeploymentType"},
"VpcSecurityGroupIds": [
{"Ref": "InfluxDBSecurityGroup"}
],
"VpcSubnetIds": {
"Fn::If": [
"IsMultiAZ",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
],
[
{"Ref": "Subnet1"}
]
]
},
"LogDeliveryConfiguration": {
"S3Configuration": {
"BucketName": {"Ref": "InfluxDBLogsS3Bucket"},
"Enabled": true
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the VPC used to create network resources",
"Value": {"Ref": "VPC"}
},
"Subnets": {
"Description": "A list of the subnets created",
"Value": {
"Fn::If": [
"IsMultiAZ",
{
"Fn::Join": [
",",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
]
]
},
{"Ref": "Subnet1"}
]
}
},
"Subnet1": {
"Description": "A reference to the subnet in the 1st Availability Zone",
"Value": {"Ref": "Subnet1"}
},
"Subnet2": {
"Condition": "IsMultiAZ",
"Description": "A reference to the subnet in the 2nd Availability Zone",
"Value": {"Ref": "Subnet2"}
},
"InfluxDBSecurityGroup": {
"Description": "Security group with port 8086 ingress rule",
"Value": {"Ref": "InfluxDBSecurityGroup"}
},
"InfluxDBLogsS3Bucket": {
"Description": "S3 Bucket containing InfluxDB logs from the DB instance",
"Value": {"Ref": "InfluxDBLogsS3Bucket"}
},
"DbInstance": {
"Description": "A reference to the Timestream for InfluxDB DB instance",
"Value": {"Ref": "DbInstance"}
},
"InfluxAuthParametersSecretArn": {
"Description": "The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.",
"Value": {
"Fn::GetAtt": [
"DbInstance",
"InfluxAuthParametersSecretArn"
]
}
},
"Endpoint": {
"Description": "The endpoint URL to connect to InfluxDB",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"DbInstance",
"Endpoint"
]
},
":8086"
]
]
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Network Configuration"
Parameters:
- VPCCIDR
-
Label:
default: "Amazon Timestream for InfluxDB Configuration"
Parameters:
- DbInstanceName
- InfluxDBUsername
- InfluxDBPassword
- InfluxDBOrganization
- InfluxDBBucket
- DbInstanceType
- DbStorageType
- AllocatedStorage
- PubliclyAccessible
- DeploymentType
ParameterLabels:
VPCCIDR:
default: VPC CIDR
Parameters:
# Network Configuration
VPCCIDR:
Description: Please enter the IP range (CIDR notation) for the new VPC
Type: String
Default: 10.0.0.0/16
# Timestream for InfluxDB Configuration
DbInstanceName:
Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.
Type: String
Default: mydbinstance
MinLength: 3
MaxLength: 40
AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$
# InfluxDB initial user configurations
InfluxDBUsername:
Description: The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon Secrets Manager in your account.
Type: String
Default: admin
MinLength: 1
MaxLength: 64
InfluxDBPassword:
Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Amazon in your account.
Type: String
NoEcho: true
MinLength: 8
MaxLength: 64
AllowedPattern: ^[a-zA-Z0-9]+$
InfluxDBOrganization:
Description: The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.
Type: String
Default: org
MinLength: 1
MaxLength: 64
InfluxDBBucket:
Description: The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.
Type: String
Default: bucket
MinLength: 2
MaxLength: 64
AllowedPattern: ^[^_\"][^\"]*$
DeploymentType:
Description: Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability
Type: String
Default: WITH_MULTIAZ_STANDBY
AllowedValues:
- SINGLE_AZ
- WITH_MULTIAZ_STANDBY
AllocatedStorage:
Description: The amount of storage to allocate for your DB storage type in GiB (gibibytes).
Type: Number
Default: 400
MinValue: 20
MaxValue: 16384
DbInstanceType:
Description: The Timestream for InfluxDB DB instance type to run InfluxDB on.
Type: String
Default: db.influx.medium
AllowedValues:
- db.influx.medium
- db.influx.large
- db.influx.xlarge
- db.influx.2xlarge
- db.influx.4xlarge
- db.influx.8xlarge
- db.influx.12xlarge
- db.influx.16xlarge
DbStorageType:
Description: The Timestream for InfluxDB DB storage type to read and write InfluxDB data.
Type: String
Default: InfluxIOIncludedT1
AllowedValues:
- InfluxIOIncludedT1
- InfluxIOIncludedT2
- InfluxIOIncludedT3
PubliclyAccessible:
Description: Configures the DB instance with a public IP to facilitate access.
Type: String
Default: true
AllowedValues:
- true
- false
Conditions:
IsMultiAZ: !Equals [!Ref DeploymentType, WITH_MULTIAZ_STANDBY]
IsPublic: !Equals [!Ref PubliclyAccessible, true]
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VPCCIDR
InternetGateway:
Type: AWS::EC2::InternetGateway
Condition: IsPublic
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Condition: IsPublic
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: !If [IsPublic, true, false]
Subnet2:
Type: AWS::EC2::Subnet
Condition: IsMultiAZ
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: !If [IsPublic, true, false]
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
DefaultRoute:
Type: AWS::EC2::Route
Condition: IsPublic
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref RouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
Subnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet1
Subnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Condition: IsMultiAZ
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet2
InfluxDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "influxdb-sg"
GroupDescription: "Security group allowing port 8086 ingress for InfluxDB"
VpcId: !Ref VPC
InfluxDBSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref InfluxDBSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 8086
ToPort: 8086
InfluxDBLogsS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
InfluxDBLogsS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref InfluxDBLogsS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: "s3:PutObject"
Effect: Allow
Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*
Principal:
Service: timestream-influxdb.amazonaws.com
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/*
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
DbInstance:
Type: AWS::Timestream::InfluxDBInstance
DependsOn: InfluxDBLogsS3BucketPolicy
Properties:
DbStorageType: !Ref DbStorageType
AllocatedStorage: !Ref AllocatedStorage
DbInstanceType: !Ref DbInstanceType
Name: !Ref DbInstanceName
Username: !Ref InfluxDBUsername
Password: !Ref InfluxDBPassword
Organization: !Ref InfluxDBOrganization
Bucket: !Ref InfluxDBBucket
PubliclyAccessible: !If [IsPublic, true, false]
DeploymentType: !Ref DeploymentType
VpcSecurityGroupIds:
- !Ref InfluxDBSecurityGroup
VpcSubnetIds: !If
- IsMultiAZ
-
- !Ref Subnet1
- !Ref Subnet2
-
- !Ref Subnet1
LogDeliveryConfiguration:
S3Configuration:
BucketName: !Ref InfluxDBLogsS3Bucket
Enabled: true
Outputs:
# Network Resources
VPC:
Description: A reference to the VPC used to create network resources
Value: !Ref VPC
Subnets:
Description: A list of the subnets created
Value: !If
- IsMultiAZ
- !Join [",", [!Ref Subnet1, !Ref Subnet2]]
- !Ref Subnet1
Subnet1:
Description: A reference to the subnet in the 1st Availability Zone
Value: !Ref Subnet1
Subnet2:
Condition: IsMultiAZ
Description: A reference to the subnet in the 2nd Availability Zone
Value: !Ref Subnet2
InfluxDBSecurityGroup:
Description: Security group with port 8086 ingress rule
Value: !Ref InfluxDBSecurityGroup
# Timestream for InfluxDB Resources
InfluxDBLogsS3Bucket:
Description: S3 Bucket containing InfluxDB logs from the DB instance
Value: !Ref InfluxDBLogsS3Bucket
DbInstance:
Description: A reference to the Timestream for InfluxDB DB instance
Value: !Ref DbInstance
InfluxAuthParametersSecretArn:
Description: "The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password."
Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn
Endpoint:
Description: The endpoint URL to connect to InfluxDB
Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]]
```
# 使用 CloudFormation 部署基于 Windows 的堆栈
本页面提供指向基于 Windows 的部署中常用 CloudFormation 资源技术参考文档的链接。
CloudFormation 支持通过 Infrastructure as Code (IaC) 部署和管理 MicrosoftWindows 堆栈。您可以使用 CloudFormation 自动预置基于 Windows 的 EC2 实例、Amazon RDS 上的 SQL Server,以及通过 Amazon Directory Service 部署的 Microsoft Active Directory。
Amazon 提供专为 Windows 平台设计的预配置亚马逊机器映像(AMI),可帮助您在 Amazon EC2 上快速部署应用程序。这些 AMI 包括默认的 Microsoft 设置和 Amazon 特定的自定义设置。使用 CloudFormation,您可以选择适当的 AMI,启动实例,然后使用远程桌面连接访问该实例,就如同访问任何其他 Windows Server 一样。AMI 包含必要的软件组件,包括 EC2Launch(版本因 Windows Server 版本而异)、Amazon Systems Manager、CloudFormation、Amazon Tools for PowerShell 以及各种网络、存储和图形驱动程序,以确保最佳性能并与 Amazon 服务兼容。有关更多信息,请参阅 [Amazon Windows AMI Reference](https://docs.amazonaws.cn/ec2/latest/windows-ami-reference/windows-amis.html)。
CloudFormation 还支持软件配置工具,例如 `UserData` 脚本,这些工具可以在 EC2 实例首次启动时运行 PowerShell 或批处理命令。它还提供帮助程序脚本(`cfn-init`、`cfn-signal`、`cfn-get-metadata` 和 `cfn-hup`),并支持用于管理 Windows 实例上的包、文件和服务的 `AWS::CloudFormation::Init` 元数据。
对于企业环境,CloudFormation 支持域加入、通过 EC2 许可模式管理 Windows 许可证以及使用 Amazon Secrets Manager 进行安全凭证处理。结合版本控制的模板和可重复的部署,CloudFormation 可帮助组织跨多个 Amazon Web Services 区域和账户维护一致、安全和可扩展的 Windows 环境。
有关基于 Windows 的部署中常用 CloudFormation 资源的详细信息,请参阅以下技术参考主题。
| 资源类型 | 说明 |
| --- | --- |
| [AWS::EC2::Instance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) | 用于启动 Windows EC2 实例。 |
| [AWS::EC2::SecurityGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) | 为 Windows 工作负载定义防火墙规则。 |
| [AWS::AutoScaling::AutoScalingGroup](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) [AWS::EC2::LaunchTemplate](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) | 用于扩展 Windows EC2 实例。 |
| [AWS::DirectoryService::MicrosoftAD](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-directoryservice-microsoftad.html) | 用于部署 Microsoft Active Directory。 |
| [AWS::FSx::FileSystem](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-fsx-filesystem.html) | 用于部署 FSx for Windows File Server。 |
| [AWS::RDS::DBInstance](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html) | 用于在 Amazon RDS 上预置 SQL Server。 |
| [AWS::CloudFormation::Init](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-init.html) | 在 EC2 元数据中用于配置实例。 有关更多信息,请参阅 [引导基于 Windows 的 CloudFormation 堆栈](cfn-windows-stacks-bootstrapping.md)。 |
| [AWS::SecretsManager::Secret](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-secretsmanager-secret.html) | 用于安全地管理凭证和 Windows 密码。 |
| [AWS::SSM::Parameter](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-ssm-parameter.html) | 用于安全地存储配置值。 |
| [AWS::IAM::InstanceProfile](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-instanceprofile.html) [AWS::IAM::Role](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html) | 用于向在 EC2 实例上运行的应用程序授予权限。 |
# 引导基于 Windows 的 CloudFormation 堆栈
本主题将介绍如何引导 Windows 堆栈并排除堆栈创建问题。
**Topics**
+ [
## EC2 实例中的用户数据功能
](#cfn-windows-bootstrapping-user-data)
+ [
## CloudFormation 帮助程序脚本
](#cfn-windows-bootstrapping-helper-scripts)
+ [
## 启动 Windows 堆栈的示例
](#cfn-windows-bootstrapping-example)
+ [
## 转义文件路径中的 Windows 反斜杠
](#cfn-windows-stacks-escape-backslashes)
+ [
## 管理 Windows 服务
](#cfn-windows-stacks-manage-windows-services)
+ [
## 解决堆栈创建故障问题
](#cfn-windows-stacks-troubleshooting)
## EC2 实例中的用户数据功能
使用 Amazon EC2 的用户数据功能,可以在启动 EC2 实例时将脚本或配置信息传递至实例。
对于 Windows EC2 实例:
+ 您可以使用批处理脚本(通过 `