通过CloudFormation跨AWS账户创建VPCPeeringConnection
[英]Create VPCPeeringConnection across AWS accounts via CloudFormation
问题描述
Within AWS, I am trying to create a VPC peering connection between two VPC's in different accounts via CloudFormation. 
在AWS中,我试图通过CloudFormation在不同帐户中的两个VPC之间创建VPC对等连接。
I can create the peering connections manually via the UI, with the 4 fields: 我可以通过UI手动创建对等连接,包含4个字段:
Name
Local VPC
Target Account ID
Target VPC ID
It seems as if the CLI also supports a target Account . 似乎CLI也支持目标帐户 。
The problem comes when trying to do this same thing via CloudFormation, using the AWS::EC2::VPCPeeringConnection object, the problem being that this object seems to only support 3 fields, Target Account not being one of them - 当尝试使用AWS::EC2::VPCPeeringConnection对象通过AWS::EC2::VPCPeeringConnection做同样的事情时,问题出现了,问题是这个对象似乎只支持3个字段, 目标帐户不是其中之一 -
PeerVpcId
VpcId
Tags
With my code resulting in 用我的代码导致
AttributeError: AWS::EC2::VPCPeeringConnection object does not support attribute PeerVpcOwner
How can I go about creating a VPCPeeringConnection to a VPC in another account via CloudFormation?
1 个解决方案
解决方案1
10 已采纳 2017-08-14 10:12:15
YES YOU CAN configure VPC peering with cloudformation between two AWS accounts. 是的您可以在两个AWS账户之间配置VPC对等与云形成。
You can peer with a virtual private cloud (VPC) in another AWS account by using AWS::EC2::VPCPeeringConnection.
To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single AWS CloudFormation stack.
Source: Walkthrough: Peer with an Amazon VPC in Another AWS Account 来源: 演练:与另一个AWS账户中的Amazon VPC对等
Step 1: Create a VPC and a Cross-Account Role 第1步:创建VPC和跨账户角色
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and an assumable role for cross account VPC peering.",
"Parameters": {
"PeerRequesterAccountId": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.1.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"peerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Principal": {
"AWS": {
"Ref": "PeerRequesterAccountId"
}
},
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow"
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:AcceptVpcPeeringConnection",
"Resource": "*"
}
]
}
}
]
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"RoleARN": {
"Value": {
"Fn::GetAtt": [
"peerRole",
"Arn"
]
}
}
}
}
Step 2: Create a Template That Includes AWS::EC2::VPCPeeringConnection 第2步:创建包含AWS :: EC2 :: VPCPeeringConnection的模板
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
"Parameters": {
"PeerVPCAccountId": {
"Type": "String"
},
"PeerVPCId": {
"Type": "String"
},
"PeerRoleArn": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.2.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"vpcPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"PeerVpcId": {
"Ref": "PeerVPCId"
},
"PeerOwnerId": {
"Ref": "PeerVPCAccountId"
},
"PeerRoleArn": {
"Ref": "PeerRoleArn"
}
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"VPCPeeringConnectionId": {
"Value": {
"Ref": "vpcPeeringConnection"
}
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.