AWS CloudFormation: Não é possível anexar os grupos de segurança às instâncias de ElasticBeanstalk
Aug 18 2020
Estou implantando meu aplicativo Laravel no AWS usando CloudFormation. Estou criando um ambiente ElasticBeanstalk e implantando meu aplicativo nele. Mas quando tentei anexar o grupo de segurança às instâncias, ele falhou.
Este é o meu modelo.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Default: 'PatheinDirectory'
Type: String
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
Vpc:
Default: "vpc-dd53ada4"
Type: String
VpcCidr:
Default: "172.31.0.0/16"
Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
VpcId: !Ref Vpc
WebServerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- Fn::FindInMap:
- Region2Principal
- Ref: AWS::Region
- EC2Principal
Action:
- sts:AssumeRole
Path: /
WebServerRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: WebServerRole
PolicyDocument:
Statement:
- Effect: Allow
NotAction: iam:*
Resource: '*'
Roles:
- Ref: WebServerRole
WebServerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Ref: WebServerRole
Application:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Pathein Directory Laravel application
ApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
Description: Version 1.0
ApplicationName:
Ref: Application
SourceBundle:
S3Bucket:
Fn::Join:
- '-'
- - elasticbeanstalk-samples
- Ref: AWS::Region
S3Key: php-sample.zip
ApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: Application
Description: SSH access to Pathein Directory Laravel application
SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.8 running PHP 7.2
OptionSettings:
- Namespace: aws:autoscaling:launchconfiguration
OptionName: EC2KeyName
Value:
Ref: KeyName
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value:
Ref: WebServerInstanceProfile
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Environment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
ApplicationName:
Ref: Application
EnvironmentName: PatheinDirectoryTesting
TemplateName:
Ref: ApplicationConfigurationTemplate
VersionLabel:
Ref: ApplicationVersion
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: SingleInstance
Como você pode ver, há um recurso WebServerSecurityGroup em meu modelo e estou anexando-o ao recurso Beanstalk da seguinte forma.
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Quando o implanto, ele está falhando. Mas se eu não anexar o grupo de segurança, a implantação será bem-sucedida. O que há de errado com meu código e como posso corrigi-lo?
Este é o erro no log.
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
"EventId": "0f5cb020-e0b0-11ea-9e62-06135fdfc858",
"StackName": "patheindirectory",
"LogicalResourceId": "patheindirectory",
"PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
"ResourceType": "AWS::CloudFormation::Stack",
"Timestamp": "2020-08-17T17:35:36.459000+00:00",
"ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
"ResourceStatusReason": "The following resource(s) failed to update: [ApplicationConfigurationTemplate]. "
},
{
"StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
"EventId": "ApplicationConfigurationTemplate-UPDATE_FAILED-2020-08-17T17:35:35.723Z",
"StackName": "patheindirectory",
"LogicalResourceId": "ApplicationConfigurationTemplate",
"PhysicalResourceId": "pathe-Appli-YX7VOE30J9B5",
"ResourceType": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Timestamp": "2020-08-17T17:35:35.723000+00:00",
"ResourceStatus": "UPDATE_FAILED",
"ResourceStatusReason": "Configuration validation exception: Invalid option value: 'sg-0a306c1333b9bf33e' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'sg-0a306c133
3b9bf33e' does not exist (Service: AWSElasticBeanstalk; Status Code: 400; Error Code: ConfigurationValidationException; Request ID: 955a0f72-5f26-4ede-a494-e748897b4c93)",
"ResourceProperties": "{\"ApplicationName\":\"patheindirectory-Application-1H2ZF7KLXDN5P\",\"Description\":\"SSH access to Pathein Directory Laravel application\",\"OptionSettings\":[{\"Value\":\"PatheinDirectory\",\"Nam
espace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"EC2KeyName\"},{\"Value\":\"patheindirectory-WebServerInstanceProfile-1F7RC2LIQP996\",\"Namespace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"IamInstanc
eProfile\"},{\"Value\":\"sg-0a306c1333b9bf33e\",\"Namespace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"SecurityGroups\"}],\"SolutionStackName\":\"64bit Amazon Linux 2018.03 v2.9.8 running PHP 7.2\"}"
},
Respostas
1 Marcin Aug 18 2020 at 05:58
O motivo pelo qual WebServerSecurityGroup(SG) não foi encontrado é porque você está criando o SG em um VPC diferente do seu ambiente EB. Especificamente, você está almoçando EB em um VPC padrão, enquanto parece estar criando seu SG em VPC diferente, conforme especificado na seguinte linha:
VpcId: !Ref Vpc # <--- your EB will be in different VPC than your SG
Como não está claro o que você está fazendo com o VPC (você está iniciando o EB em um VPC personalizado, criando um novo VPC ou usando o VPC padrão?), A correção mais fácil para seu modelo é simplesmente remover o VpcId: !Ref Vpc.
Além disso, a versão da sua plataforma está desatualizada e precisa ser alterada. A lista de versões da plataforma PHP disponíveis está aqui .
Eu fixo o modelo e eu posso verificar se ele funciona em us-east-1. Lança EB e seu SG em a default VPC. Para VPC customizado, muitas outras mudanças são necessárias em seu modelo, como definições de sub-redes, tabelas de rota e mudanças específicas de VPC no próprio ambiente EB.
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Default: 'PatheinDirectory'
Type: String
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
# Vpc:
# Default: "vpc-dd53ada4"
# Type: String
# VpcCidr:
# Default: "172.31.0.0/16"
# Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
#VpcId: !Ref Vpc
WebServerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- Fn::FindInMap:
- Region2Principal
- Ref: AWS::Region
- EC2Principal
Action:
- sts:AssumeRole
Path: /
WebServerRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: WebServerRole
PolicyDocument:
Statement:
- Effect: Allow
NotAction: iam:*
Resource: '*'
Roles:
- Ref: WebServerRole
WebServerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Ref: WebServerRole
Application:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Pathein Directory Laravel application
ApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
Description: Version 1.0
ApplicationName:
Ref: Application
SourceBundle:
S3Bucket:
Fn::Join:
- '-'
- - elasticbeanstalk-samples
- Ref: AWS::Region
S3Key: php-sample.zip
ApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: Application
Description: SSH access to Pathein Directory Laravel application
SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2
OptionSettings:
- Namespace: aws:autoscaling:launchconfiguration
OptionName: EC2KeyName
Value:
Ref: KeyName
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value:
Ref: WebServerInstanceProfile
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Environment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
ApplicationName:
Ref: Application
EnvironmentName: PatheinDirectoryTesting
TemplateName:
Ref: ApplicationConfigurationTemplate
VersionLabel:
Ref: ApplicationVersion
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: SingleInstance
1 ChrisWilliams Aug 18 2020 at 01:09
Depois de examinar um modelo de exemplo , parece que a configuração requer uma opção VpcId, Subnetse ELBSubnetspara permitir que a configuração EB se junte a um VPC em vez de criar o seu próprio.
Além disso, você estava usando uma versão anterior do SolutionStackName, deveria ser 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2.
Também percebi que seu benefício pode usar os parâmetros da AWS para o ID de VPC e o nome da chave, em vez de codificação permanente, o que melhora a usabilidade da interface.
O modelo abaixo corrige o acima
AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
KeyName:
Type: AWS::EC2::KeyPair::KeyName
InstanceType:
Default: 't2.micro'
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
Subnet:
Type: AWS::EC2::Subnet::Id
Vpc:
Type: AWS::EC2::VPC::Id
VpcCidr:
Default: "172.31.0.0/16"
Type: String
Mappings:
Region2Principal:
us-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-west-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-northeast-3:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-southeast-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ap-south-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
us-east-2:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
ca-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
sa-east-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
cn-north-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
cn-northwest-1:
EC2Principal: ec2.amazonaws.com.cn
OpsWorksPrincipal: opsworks.amazonaws.com.cn
eu-central-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
eu-north-1:
EC2Principal: ec2.amazonaws.com
OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for EC2 instances
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp:
Ref: SSHLocation
VpcId: !Ref Vpc
WebServerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- Fn::FindInMap:
- Region2Principal
- Ref: AWS::Region
- EC2Principal
Action:
- sts:AssumeRole
Path: /
WebServerRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: WebServerRole
PolicyDocument:
Statement:
- Effect: Allow
NotAction: iam:*
Resource: '*'
Roles:
- Ref: WebServerRole
WebServerInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Ref: WebServerRole
Application:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Pathein Directory Laravel application
ApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
Description: Version 1.0
ApplicationName:
Ref: Application
SourceBundle:
S3Bucket:
Fn::Join:
- '-'
- - elasticbeanstalk-samples
- Ref: AWS::Region
S3Key: php-sample.zip
ApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: Application
Description: SSH access to Pathein Directory Laravel application
SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2
OptionSettings:
- Namespace: aws:autoscaling:launchconfiguration
OptionName: EC2KeyName
Value:
Ref: KeyName
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value:
Ref: WebServerInstanceProfile
- Namespace: aws:ec2:vpc
OptionName: VPCId
Value:
Ref: Vpc
- Namespace: aws:ec2:vpc
OptionName: ELBSubnets
Value:
Ref: Subnet
- Namespace: aws:ec2:vpc
OptionName: Subnets
Value:
Ref: Subnet
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
Ref: WebServerSecurityGroup
Environment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
ApplicationName:
Ref: Application
EnvironmentName: PatheinDirectoryTesting
TemplateName:
Ref: ApplicationConfigurationTemplate
VersionLabel:
Ref: ApplicationVersion
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: SingleInstance
O que significa um erro “Não é possível encontrar o símbolo” ou “Não é possível resolver o símbolo”?