
Is it possible to execute commands and then update security groups in a CloudFormation template?

I would like to perform the following operations in order with CloudFormation.

  1. Start up an EC2 instance.
  2. Give it privileges to access the full internet using security group A.
  3. Download particular versions of Java and Python.
  4. Remove its internet privileges by removing security group A and adding security group B.

I observe that there is a DependsOn attribute for specifying the order in which to create resources, but I was unable to find a feature that would allow me to update the security groups on the same EC2 instance twice over the course of creating a stack.

Is this possible with CloudFormation?

Not in CloudFormation natively, but you could launch the EC2 instance with a configured user-data script that itself downloads Java/Python and the awscli, as necessary, and then uses the awscli to switch security groups for the current EC2 instance.

However, if all you need is Java and Python pre-loaded, then why not simply create an AMI with them already installed and launch from that AMI?
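The user-data approach described in the answer above, worked through as an added example; this is not the answerer's code or anything from the original post. cloud-init runs a user-data script that starts with a `#!/usr/bin/env python3` shebang, so this file can be pasted into the instance's UserData as-is. The security-group IDs, the package names, the use of Amazon Linux 2023 (dnf), and an instance role that allows ec2:DescribeInstances and ec2:ModifyInstanceAttribute are all assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the original answer): EC2 user-data script that
installs pinned Java and Python packages while the instance still holds the
permissive security group, then swaps that group for a restrictive one using
the AWS CLI. All IDs and package names below are hypothetical."""
import json
import subprocess
import urllib.request

OPEN_SG = "sg-0aaaaaaaaaaaaaaaa"    # assumption: "security group A", full egress
LOCKED_SG = "sg-0bbbbbbbbbbbbbbbb"  # assumption: "security group B", restricted
PACKAGES = ["java-17-amazon-corretto", "python3.11", "awscli"]  # assumed, pinned
IMDS = "http://169.254.169.254/latest"


def swap_group(current, old, new):
    """Return `current` with `old` replaced by `new` and every other group kept.

    `modify-instance-attribute --groups` replaces the *whole* set of groups, so
    passing only LOCKED_SG would silently detach any other group on the instance.
    """
    kept = [g for g in current if g not in (old, new)]
    return kept + [new]


def imds(path):
    """IMDSv2: obtain a session token first, then read the metadata path."""
    req = urllib.request.Request(
        f"{IMDS}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(
        f"{IMDS}/meta-data/{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.read().decode()


def current_groups(region, instance_id):
    """Ask the AWS CLI which security groups the instance holds right now."""
    out = subprocess.run(
        ["aws", "ec2", "describe-instances", "--region", region,
         "--instance-ids", instance_id,
         "--query", "Reservations[0].Instances[0].SecurityGroups[].GroupId",
         "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def modify_groups_cmd(region, instance_id, groups):
    """argv for the group swap, kept separate so it can be inspected offline."""
    return ["aws", "ec2", "modify-instance-attribute", "--region", region,
            "--instance-id", instance_id, "--groups", *groups]


def main():
    instance_id = imds("instance-id")
    region = imds("placement/region")
    # Steps 2-3 of the question: we are still in OPEN_SG, so downloads succeed.
    subprocess.run(["dnf", "install", "-y", *PACKAGES], check=True)
    # Step 4: drop OPEN_SG, add LOCKED_SG, keep everything else attached.
    groups = swap_group(current_groups(region, instance_id), OPEN_SG, LOCKED_SG)
    subprocess.run(modify_groups_cmd(region, instance_id, groups), check=True)


if __name__ == "__main__":
    main()
```

Two caveats worth keeping in mind with this route. First, the instance role must carry ec2:ModifyInstanceAttribute for this to work, which means any code that later runs on the box can re-attach the permissive group; scope that permission to this instance and consider revoking it once the swap is done. Second, because "particular versions" are being fetched, pin the package versions (or verify checksums of anything downloaded by URL) rather than accepting whatever the repository serves on the day the stack is created.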

The best way out is to utilise a CloudFormation custom resource here. You can create a Lambda function that does exactly what you need. This Lambda function can then be called as a custom resource in the CloudFormation template.

You can pass your new security group ID and instance ID to the Lambda function and code the Lambda function to use the AWS SDK and make the modifications that you need.

I have leveraged it to post an update to my web server about the progress of the CloudFormation template. Below is sample code from the template.

  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [!Ref 'EC2Role']
  MarkInstanceProfileComplete:
    Type: 'Custom::EC2InstanceProfileDone'
    Version: '1.0'
    DependsOn: EC2InstanceProfile
    Properties:
      ServiceToken: !Ref CustomResourceArn
      HostURL: !Ref Host
      LoginType: !Ref LoginType
      SecretId: !Ref SecretId
      WorkspaceId: !Ref WorkspaceId
      Event: 2
      Total: 3

Here the resource MarkInstanceProfileComplete is a custom resource that calls a Lambda function. It takes the event count and total count as input and processes them to calculate percentage progress. Based on that it sends out a request to my web server. For all we care, this Lambda function can do potentially anything you want it to do.
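The custom-resource route from the answer above, applied to the original question as an added example; this is not the answerer's Lambda and not code from the original post. The handler receives the custom-resource event, swaps one security group for another on the instance, and always answers CloudFormation at the presigned ResponseURL. The resource-property names (InstanceId, RemoveSecurityGroupId, AddSecurityGroupId), the custom type name, and the sample event are assumptions constructed for the example; the EC2 client is injected so the decision logic runs offline against a stand-in.

```python
"""Added example, not the answerer's code: a Lambda handler used as a
CloudFormation custom resource that replaces one security group with another
on an EC2 instance. Property names and the sample event are hypothetical."""
import json
import urllib.request


def desired_groups(current, remove, add):
    """Whole-set replacement: keep other groups, drop `remove`, add `add` once."""
    return [g for g in current if g not in (remove, add)] + [add]


def swap_security_group(ec2, instance_id, remove, add):
    """Read the instance's current groups and apply the replacement set."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    groups = desired_groups([g["GroupId"] for g in inst["SecurityGroups"]],
                            remove, add)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=groups)
    return groups


def cfn_response(event, status, reason, physical_id, data=None):
    """Body CloudFormation expects to be PUT to event['ResponseURL']."""
    return {"Status": status, "Reason": reason,           # SUCCESS or FAILED
            "PhysicalResourceId": physical_id,
            "StackId": event["StackId"], "RequestId": event["RequestId"],
            "LogicalResourceId": event["LogicalResourceId"],
            "Data": data or {}}


def process(event, ec2):
    """Decision logic only: returns the response body without sending it."""
    props = event.get("ResourceProperties", {})
    instance_id = props.get("InstanceId", "")
    physical_id = event.get("PhysicalResourceId") or f"sg-swap-{instance_id}"
    try:
        if event["RequestType"] == "Delete":
            # Never fail on Delete: a FAILED or missing reply blocks stack deletion.
            return cfn_response(event, "SUCCESS", "nothing to undo", physical_id)
        groups = swap_security_group(ec2, instance_id,
                                     props["RemoveSecurityGroupId"],
                                     props["AddSecurityGroupId"])
        return cfn_response(event, "SUCCESS", "groups updated", physical_id,
                            {"Groups": ",".join(groups)})
    except Exception as exc:  # report rather than raise: an unanswered event stalls the stack
        return cfn_response(event, "FAILED", str(exc)[:200], physical_id)


def send(url, body):
    """PUT the JSON body to the presigned S3 URL CloudFormation supplied."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.status


def handler(event, context):
    """Lambda entry point; not exercised offline."""
    import boto3  # present in the Lambda Python runtime
    body = process(event, boto3.client("ec2"))
    send(event["ResponseURL"], body)
    return body


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client, for offline runs."""
    def __init__(self, groups):
        self.groups = list(groups)

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"SecurityGroups":
                [{"GroupId": g} for g in self.groups]}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups = list(Groups)


# Constructed sample event in the shape CloudFormation sends to a custom resource.
SAMPLE_EVENT = {
    "RequestType": "Create", "ResponseURL": "https://example.invalid/presigned",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/guid",
    "RequestId": "req-1", "LogicalResourceId": "SwapSecurityGroup",
    "ResourceType": "Custom::SwapSecurityGroup",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:SwapSecurityGroup",
        "InstanceId": "i-0123456789abcdef0",
        "RemoveSecurityGroupId": "sg-0aaaaaaaaaaaaaaaa",
        "AddSecurityGroupId": "sg-0bbbbbbbbbbbbbbbb"},
}
```

In the template this would be a `Custom::SwapSecurityGroup` resource whose `ServiceToken` is the Lambda ARN and whose `InstanceId` is `!Ref` of the instance, which also makes it run after the instance exists; the Lambda's execution role, not the instance role, holds ec2:DescribeInstances and ec2:ModifyInstanceAttribute, so the instance itself never gets the right to re-attach the permissive group. The `process`/`send` split matters operationally: whatever happens, CloudFormation must receive a reply, otherwise it waits (up to an hour) before marking the resource as failed.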

Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM