AWS CloudFormation: no se pueden adjuntar los grupos de seguridad a las instancias de ElasticBeanstalk
Aug 18 2020
Estoy implementando mi aplicación Laravel en AWS usando CloudFormation. Estoy creando un entorno ElasticBeanstalk y desplegando mi aplicación en él. Pero cuando intenté adjuntar el grupo de seguridad a las instancias, falló.
Esta es mi plantilla.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Default: 'PatheinDirectory'
Type: String
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
Vpc:
Default: "vpc-dd53ada4"
Type: String
VpcCidr:
Default: "172.31.0.0/16"
Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
VpcId: !Ref Vpc
WebServerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- Fn::FindInMap:
- Region2Principal
- Ref: AWS::Region
- EC2Principal
Action:
- sts:AssumeRole
Path: /
WebServerRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: WebServerRole
PolicyDocument:
Statement:
- Effect: Allow
NotAction: iam:*
Resource: '*'
Roles:
- Ref: WebServerRole
WebServerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Ref: WebServerRole
Application:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Pathein Directory Laravel application
ApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
Description: Version 1.0
ApplicationName:
Ref: Application
SourceBundle:
S3Bucket:
Fn::Join:
- '-'
- - elasticbeanstalk-samples
- Ref: AWS::Region
S3Key: php-sample.zip
ApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: Application
Description: SSH access to Pathein Directory Laravel application
SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.8 running PHP 7.2
OptionSettings:
- Namespace: aws:autoscaling:launchconfiguration
OptionName: EC2KeyName
Value:
Ref: KeyName
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value:
Ref: WebServerInstanceProfile
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Environment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
ApplicationName:
Ref: Application
EnvironmentName: PatheinDirectoryTesting
TemplateName:
Ref: ApplicationConfigurationTemplate
VersionLabel:
Ref: ApplicationVersion
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: SingleInstance
Como puede ver, hay un recurso WebServerSecurityGroup en mi plantilla y lo adjunto al recurso Beanstalk de la siguiente manera.
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Cuando lo implemento, está fallando. Pero si no adjunto el grupo de seguridad, la implementación es exitosa. ¿Qué está mal con mi código y cómo puedo solucionarlo?
Este es el error en el registro.
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
"EventId": "0f5cb020-e0b0-11ea-9e62-06135fdfc858",
"StackName": "patheindirectory",
"LogicalResourceId": "patheindirectory",
"PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2020-08-17T17:35:36.459000+00:00",
"ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
"ResourceStatusReason": "The following resource(s) failed to update: [ApplicationConfigurationTemplate]. "
},
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
"EventId": "ApplicationConfigurationTemplate-UPDATE_FAILED-2020-08-17T17:35:35.723Z",
"StackName": "patheindirectory",
"LogicalResourceId": "ApplicationConfigurationTemplate",
"PhysicalResourceId": "pathe-Appli-YX7VOE30J9B5",
"ResourceType": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Timestamp": "2020-08-17T17:35:35.723000+00:00",
"ResourceStatus": "UPDATE_FAILED",
"ResourceStatusReason": "Configuration validation exception: Invalid option value: 'sg-0a306c1333b9bf33e' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'sg-0a306c133
3b9bf33e' does not exist (Service: AWSElasticBeanstalk; Status Code: 400; Error Code: ConfigurationValidationException; Request ID: 955a0f72-5f26-4ede-a494-e748897b4c93)",
"ResourceProperties": "{\"ApplicationName\":\"patheindirectory-Application-1H2ZF7KLXDN5P\",\"Description\":\"SSH access to Pathein Directory Laravel application\",\"OptionSettings\":[{\"Value\":\"PatheinDirectory\",\"Nam
espace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"EC2KeyName\"},{\"Value\":\"patheindirectory-WebServerInstanceProfile-1F7RC2LIQP996\",\"Namespace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"IamInstanc
eProfile\"},{\"Value\":\"sg-0a306c1333b9bf33e\",\"Namespace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"SecurityGroups\"}],\"SolutionStackName\":\"64bit Amazon Linux 2018.03 v2.9.8 running PHP 7.2\"}"
},
Respuestas
1 Marcin Aug 18 2020 at 05:58
El motivo por el que WebServerSecurityGroupno se encuentra (SG) es porque está creando el SG en una VPC diferente a su entorno de EB. Específicamente, está almorzando EB en una VPC predeterminada, mientras que parece estar creando su SG en una VPC diferente como se especifica en la siguiente línea:
VpcId: !Ref Vpc # <--- your EB will be in different VPC than your SG
Dado que no está claro qué está haciendo con la VPC (¿está iniciando EB en una VPC personalizada, creando una nueva VPC o utilizando la VPC predeterminada?), La solución más sencilla para su plantilla es simplemente eliminar el VpcId: !Ref Vpc.
Además, la versión de su plataforma está desactualizada y debe cambiarse. La lista de versiones de la plataforma PHP disponibles está aquí .
Me fijo de la plantilla y puedo comprobar que funciona en us-east-1. Lanza EB y su SG en a default VPC. Para la VPC personalizada, se requieren muchos más cambios en su plantilla, como definiciones de subredes, tablas de enrutamiento y cambios específicos de VPC en el propio entorno de EB.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Default: 'PatheinDirectory'
Type: String
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
# Vpc:
# Default: "vpc-dd53ada4"
# Type: String
# VpcCidr:
# Default: "172.31.0.0/16"
# Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
#VpcId: !Ref Vpc
WebServerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- Fn::FindInMap:
- Region2Principal
- Ref: AWS::Region
- EC2Principal
Action:
- sts:AssumeRole
Path: /
WebServerRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: WebServerRole
PolicyDocument:
Statement:
- Effect: Allow
NotAction: iam:*
Resource: '*'
Roles:
- Ref: WebServerRole
WebServerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Ref: WebServerRole
Application:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Pathein Directory Laravel application
ApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
Description: Version 1.0
ApplicationName:
Ref: Application
SourceBundle:
S3Bucket:
Fn::Join:
- '-'
- - elasticbeanstalk-samples
- Ref: AWS::Region
S3Key: php-sample.zip
ApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: Application
Description: SSH access to Pathein Directory Laravel application
SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2
OptionSettings:
- Namespace: aws:autoscaling:launchconfiguration
OptionName: EC2KeyName
Value:
Ref: KeyName
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value:
Ref: WebServerInstanceProfile
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Environment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
ApplicationName:
Ref: Application
EnvironmentName: PatheinDirectoryTesting
TemplateName:
Ref: ApplicationConfigurationTemplate
VersionLabel:
Ref: ApplicationVersion
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: SingleInstance
1 ChrisWilliams Aug 18 2020 at 01:09
Después de revisar una plantilla de ejemplo , parece que la configuración requiere una opción VpcId, Subnetsy ELBSubnetspara permitir que la configuración de EB se una a una VPC en lugar de crear la suya propia.
Además, estaba usando una versión anterior de SolutionStackName, debería ser 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2.
También noté que su beneficio puede hacer uso de los parámetros de AWS para el ID de VPC y el nombre de la clave en lugar de la codificación rígida, lo que mejorará la usabilidad de la interfaz.
La siguiente plantilla corrige lo anterior
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Type: AWS::EC2::KeyPair::KeyName
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
Subnet:
Type: AWS::EC2::Subnet::Id
Vpc:
Type: AWS::EC2::VPC::Id
VpcCidr:
Default: "172.31.0.0/16"
Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
VpcId: !Ref Vpc
WebServerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- Fn::FindInMap:
- Region2Principal
- Ref: AWS::Region
- EC2Principal
Action:
- sts:AssumeRole
Path: /
WebServerRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: WebServerRole
PolicyDocument:
Statement:
- Effect: Allow
NotAction: iam:*
Resource: '*'
Roles:
- Ref: WebServerRole
WebServerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Ref: WebServerRole
Application:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Pathein Directory Laravel application
ApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
Description: Version 1.0
ApplicationName:
Ref: Application
SourceBundle:
S3Bucket:
Fn::Join:
- '-'
- - elasticbeanstalk-samples
- Ref: AWS::Region
S3Key: php-sample.zip
ApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: Application
Description: SSH access to Pathein Directory Laravel application
SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2
OptionSettings:
- Namespace: aws:autoscaling:launchconfiguration
OptionName: EC2KeyName
Value:
Ref: KeyName
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value:
Ref: WebServerInstanceProfile
- Namespace: aws:ec2:vpc
OptionName: VPCId
Value:
Ref: Vpc
- Namespace: aws:ec2:vpc
OptionName: ELBSubnets
Value:
Ref: Subnet
- Namespace: aws:ec2:vpc
OptionName: Subnets
Value:
Ref: Subnet
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Environment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
ApplicationName:
Ref: Application
EnvironmentName: PatheinDirectoryTesting
TemplateName:
Ref: ApplicationConfigurationTemplate
VersionLabel:
Ref: ApplicationVersion
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: SingleInstance