AWS CloudFormation: Güvenlik grupları, ElasticBeanstalk örneklerine eklenemiyor

Aug 18 2020

Laravel uygulamamı CloudFormation kullanarak AWS'ye dağıtıyorum. ElasticBeanstalk ortamı yaratıyorum ve uygulamamı ona dağıtıyorum. Ancak güvenlik grubunu örneklere eklemeye çalıştığımda başarısız oluyor.

Bu benim şablonum.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  Vpc:
    Default: "vpc-dd53ada4"
    Type: String
  VpcCidr:
    Default: "172.31.0.0/16"
    Type: String
Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
Resources:
  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation
      VpcId: !Ref Vpc
  WebServerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::FindInMap:
                    - Region2Principal
                    - Ref: AWS::Region
                    - EC2Principal
            Action:
              - sts:AssumeRole
      Path: /
  WebServerRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: WebServerRole
      PolicyDocument:
        Statement:
          - Effect: Allow
            NotAction: iam:*
            Resource: '*'
      Roles:
        - Ref: WebServerRole
  WebServerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - Ref: WebServerRole
  Application:
    Type: AWS::ElasticBeanstalk::Application
    Properties:
      Description: AWS Elastic Beanstalk Pathein Directory Laravel application
  ApplicationVersion:
    Type: AWS::ElasticBeanstalk::ApplicationVersion
    Properties:
      Description: Version 1.0
      ApplicationName:
        Ref: Application
      SourceBundle:
        S3Bucket:
          Fn::Join:
            - '-'
            - - elasticbeanstalk-samples
              - Ref: AWS::Region
        S3Key: php-sample.zip
  ApplicationConfigurationTemplate:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties:
      ApplicationName:
        Ref: Application
      Description: SSH access to Pathein Directory Laravel application
      SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.8 running PHP 7.2
      OptionSettings:
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: EC2KeyName
          Value:
            Ref: KeyName
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value:
            Ref: WebServerInstanceProfile
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value:
            Ref: WebServerSecurityGroup
  Environment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
      ApplicationName:
        Ref: Application
      EnvironmentName: PatheinDirectoryTesting
      TemplateName:
        Ref: ApplicationConfigurationTemplate
      VersionLabel:
        Ref: ApplicationVersion
      OptionSettings:
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: EnvironmentType
          Value: SingleInstance

Gördüğünüz gibi şablonumda bir WebServerSecurityGroup kaynağı var ve ben onu Beanstalk kaynağına aşağıdaki gibi ekliyorum.

- Namespace: aws:autoscaling:launchconfiguration
              OptionName: SecurityGroups
              Value:
                Ref: WebServerSecurityGroup

Onu konuşlandırdığımda başarısız oluyor. Ancak güvenlik grubunu eklemezsem dağıtım başarılı olur. Kodumun nesi var ve bunu nasıl düzeltebilirim?

Bu, günlükteki hatadır.

{
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
            "EventId": "0f5cb020-e0b0-11ea-9e62-06135fdfc858",
            "StackName": "patheindirectory",
            "LogicalResourceId": "patheindirectory",
            "PhysicalResourceId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
            "ResourceType": "AWS::CloudFormation::Stack",
            "Timestamp": "2020-08-17T17:35:36.459000+00:00",
            "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
            "ResourceStatusReason": "The following resource(s) failed to update: [ApplicationConfigurationTemplate]. "
        },
        {
            "StackId": "arn:aws:cloudformation:eu-west-1:733553390213:stack/patheindirectory/2279aec0-e0af-11ea-9638-0239f54378b8",
            "EventId": "ApplicationConfigurationTemplate-UPDATE_FAILED-2020-08-17T17:35:35.723Z",
            "StackName": "patheindirectory",
            "LogicalResourceId": "ApplicationConfigurationTemplate",
            "PhysicalResourceId": "pathe-Appli-YX7VOE30J9B5",
            "ResourceType": "AWS::ElasticBeanstalk::ConfigurationTemplate",
            "Timestamp": "2020-08-17T17:35:35.723000+00:00",
            "ResourceStatus": "UPDATE_FAILED",
            "ResourceStatusReason": "Configuration validation exception: Invalid option value: 'sg-0a306c1333b9bf33e' (Namespace: 'aws:autoscaling:launchconfiguration', OptionName: 'SecurityGroups'): The security group 'sg-0a306c133
3b9bf33e' does not exist (Service: AWSElasticBeanstalk; Status Code: 400; Error Code: ConfigurationValidationException; Request ID: 955a0f72-5f26-4ede-a494-e748897b4c93)",
            "ResourceProperties": "{\"ApplicationName\":\"patheindirectory-Application-1H2ZF7KLXDN5P\",\"Description\":\"SSH access to Pathein Directory Laravel application\",\"OptionSettings\":[{\"Value\":\"PatheinDirectory\",\"Nam
espace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"EC2KeyName\"},{\"Value\":\"patheindirectory-WebServerInstanceProfile-1F7RC2LIQP996\",\"Namespace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"IamInstanc
eProfile\"},{\"Value\":\"sg-0a306c1333b9bf33e\",\"Namespace\":\"aws:autoscaling:launchconfiguration\",\"OptionName\":\"SecurityGroups\"}],\"SolutionStackName\":\"64bit Amazon Linux 2018.03 v2.9.8 running PHP 7.2\"}"
        },

Yanıtlar

1 Marcin Aug 18 2020 at 05:58

Nedeni WebServerSecurityGroupbir de SG yaratıyor çünkü (SG) bulunmazsa olan farklı VPC ardından EB ortamında. Özellikle, SG'nizi aşağıdaki satırda belirtildiği gibi farklı VPC'de oluştururken, EB'yi varsayılan bir VPC'de hazırlıyorsunuz:

      VpcId: !Ref Vpc # <--- your EB will be in different VPC than your SG

VPC ile ne yaptığınız net olmadığından (EB'yi özel VPC'de mi başlatıyorsunuz, yeni VPC mi oluşturuyorsunuz yoksa varsayılan VPC mi kullanıyorsunuz?), Şablonunuzdaki en kolay düzeltme VpcId: !Ref Vpc.

Ayrıca platform sürümünüz güncel değil ve değiştirilmesi gerekiyor. Mevcut PHP platformu sürümlerinin listesi burada .

Ben sabit şablonu ve ben yapabilirsiniz çalıştığını doğrulamak içinde us-east-1. EB ve SG'sini bir default VPC. Özel VPC için, şablonunuzda alt ağların tanımları, yönlendirme tabloları ve EB ortamının kendisinde VPC'ye özgü değişiklikler gibi daha birçok değişiklik yapılması gerekir.

AWSTemplateFormatVersion: '2010-09-09'
Description: "Pathein Directory web application deployment template."
Parameters:
  KeyName:
    Default: 'PatheinDirectory'
    Type: String
  InstanceType:
    Default: 't2.micro'
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
  # Vpc:
  #   Default: "vpc-dd53ada4"
  #   Type: String
  # VpcCidr:
  #   Default: "172.31.0.0/16"
  #   Type: String

Mappings:
  Region2Principal:
    us-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-west-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-northeast-3:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-southeast-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ap-south-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    us-east-2:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    ca-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    sa-east-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    cn-north-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    cn-northwest-1:
      EC2Principal: ec2.amazonaws.com.cn
      OpsWorksPrincipal: opsworks.amazonaws.com.cn
    eu-central-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
    eu-north-1:
      EC2Principal: ec2.amazonaws.com
      OpsWorksPrincipal: opsworks.amazonaws.com
Resources:

  WebServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for EC2 instances
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp:
            Ref: SSHLocation
      #VpcId: !Ref Vpc

  WebServerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - Fn::FindInMap:
                    - Region2Principal
                    - Ref: AWS::Region
                    - EC2Principal
            Action:
              - sts:AssumeRole
      Path: /
  WebServerRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: WebServerRole
      PolicyDocument:
        Statement:
          - Effect: Allow
            NotAction: iam:*
            Resource: '*'
      Roles:
        - Ref: WebServerRole

  WebServerInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - Ref: WebServerRole
  Application:
    Type: AWS::ElasticBeanstalk::Application
    Properties:
      Description: AWS Elastic Beanstalk Pathein Directory Laravel application
  ApplicationVersion:
    Type: AWS::ElasticBeanstalk::ApplicationVersion
    Properties:
      Description: Version 1.0
      ApplicationName:
        Ref: Application
      SourceBundle:
        S3Bucket:
          Fn::Join:
            - '-'
            - - elasticbeanstalk-samples
              - Ref: AWS::Region
        S3Key: php-sample.zip

  ApplicationConfigurationTemplate:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties:
      ApplicationName:
        Ref: Application
      Description: SSH access to Pathein Directory Laravel application
      SolutionStackName: 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2 
      OptionSettings:
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: EC2KeyName
          Value:
            Ref: KeyName
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value:
            Ref: WebServerInstanceProfile
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value:
            Ref: WebServerSecurityGroup

  Environment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      Description: AWS Elastic Beanstalk Environment running Pathein Directory Laravel application
      ApplicationName:
        Ref: Application
      EnvironmentName: PatheinDirectoryTesting
      TemplateName:
        Ref: ApplicationConfigurationTemplate
      VersionLabel:
        Ref: ApplicationVersion
      OptionSettings:
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: EnvironmentType
          Value: SingleInstance

1 ChrisWilliams Aug 18 2020 at 01:09

Örnek bir şablona baktıktan sonra , konfigürasyon bir VpcId, Subnetsve ELBSubnetsEB kurulumunun kendi VPC'sini oluşturmak yerine bir VPC'ye katılmasına izin verme seçeneğini gerektiriyor gibi görünür .

Ek olarak SolutionStackName, uygulamasının önceki bir sürümünü kullanıyordunuz olmalı 64bit Amazon Linux 2018.03 v2.9.9 running PHP 7.2.

Ayrıca, avantajınızın , arabirimden kullanılabilirliği artıracak sabit kodlama yerine AWS parametrelerini VPC Kimliği ve Anahtar adı için kullanabileceğini de fark ettim .