stackoom
  简体   繁体   中英

AWS Systems Manager using cloud formation template

 原文  2019-08-29 07:15:12       amazon-web-services/ amazon-cloudformation/ aws-ssm/ aws-systems-manager

Question

I started writing something for AWS Systems Manager to:

  1. Create custom Windows and Linux images and
  2. How to apply Windows and Linux Updates to the AMIs that would be useful...

I'm following this example , but am not able to get results when I run it.

This is the error I receive:

Template format error: At least one Resources member must be defined.

Please let me know what I'm doing wrong here, I have gone through the code but not able to find what I am doing wrong.

#description: Create a Golden AMI with Linux distribution packages(ClamAV) and Amazon
#software(SSM & Inspector). For details,see https://github.com/miztiik/AWS-Demos/tree/master/How-To/setup-ami-lifecycle-management-using-ssm
Resources:
 Ec2Instance:
   Type: 'AWS::EC2::Instance'  
assumeRole: "{{AutomationAssumeRole}}"
parameters:
  SourceAmiId:
    type: String
    description: "(Required) The source Amazon Machine Image ID."
    default: ami-0d2692b6acea72ee6
  InstanceIamRole:
    type: String
    description: "(Required) The name of the role that enables Systems Manager (SSM)
      to manage the instance."
    default: ManagedInstanceRole
  AutomationAssumeRole:
    type: String
    description: "(Required) The ARN of the role that allows Automation to perform
      the actions on your behalf."
    default: arn:aws:iam::{{global:ACCOUNT_ID}}:role/AutomationServiceRole
  SubnetId:
    type: String
    description: "(Required) The subnet that the created instance will be placed into."
    default: subnet-0a72519be8028a56c
  TargetAmiName:
    type: String
    description: "(Optional) The name of the new AMI that will be created. Default
      is a system-generated string including the source AMI id, and the creation time
      and date."
    default: GoldenAMI-RH-7_on_{{global:DATE_TIME}}
  InstanceType:
    type: String
    description: "(Optional) Type of instance to launch as the workspace host. Instance
      types vary by region. Default is t2.micro."
    default: t2.micro
  PreUpdateScript:
    type: String
    description: (Optional) URL of a script to run before updates are applied. Default
      ("none") is to not run a script.
    default: none
  PostUpdateScript:
    type: String
    description: (Optional) URL of a script to run after package updates are applied.
      Default ("none") is to not run a script.
    default: none
  IncludePackages:
    type: String
    description: (Optional) Only update these named packages. By default ("all"),
      all available updates are applied.
    default: all
  ExcludePackages:
    type: String
    description: (Optional) Names of packages to hold back from updates, under all
      conditions. By default ("none"), no package is excluded.
    default: none
  lambdaFunctionName:
    type: String
    description: "(Required) The name of the lambda function. Default ('none') is
      to not run a script."
    default: Automation-UpdateSsmParam
mainSteps:
- name: launchInstance
  action: aws:runInstances
  maxAttempts: 5
  timeoutSeconds: 1200
  onFailure: Abort
  inputs:
    ImageId: "{{SourceAmiId}}"
    InstanceType: "{{InstanceType}}"
    SubnetId: "{{ SubnetId }}"
    UserData: IyEvYmluL2Jhc2gNCg0KZnVuY3Rpb24gZ2V0X2NvbnRlbnRzKCkgew0KICAgIGlmIFsgLXggIiQod2hpY2ggY3VybCkiIF07IHRoZW4NCiAgICAgICAgY3VybCAtcyAtZiAiJDEiDQogICAgZWxpZiBbIC14ICIkKHdoaWNoIHdnZXQpIiBdOyB0aGVuDQogICAgICAgIHdnZXQgIiQxIiAtTyAtDQogICAgZWxzZQ0KICAgICAgICBkaWUgIk5vIGRvd25sb2FkIHV0aWxpdHkgKGN1cmwsIHdnZXQpIg0KICAgIGZpDQp9DQoNCnJlYWRvbmx5IElERU5USVRZX1VSTD0iaHR0cDovLzE2OS4yNTQuMTY5LjI1NC8yMDE2LTA2LTMwL2R5bmFtaWMvaW5zdGFuY2UtaWRlbnRpdHkvZG9jdW1lbnQvIg0KcmVhZG9ubHkgVFJVRV9SRUdJT049JChnZXRfY29udGVudHMgIiRJREVOVElUWV9VUkwiIHwgYXdrIC1GXCIgJy9yZWdpb24vIHsgcHJpbnQgJDQgfScpDQpyZWFkb25seSBERUZBVUxUX1JFR0lPTj0idXMtZWFzdC0xIg0KcmVhZG9ubHkgUkVHSU9OPSIke1RSVUVfUkVHSU9OOi0kREVGQVVMVF9SRUdJT059Ig0KDQpyZWFkb25seSBTQ1JJUFRfTkFNRT0iYXdzLWluc3RhbGwtc3NtLWFnZW50Ig0KIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5hbWF6b25hd3MuY29tL3NjcmlwdHMvJFNDUklQVF9OQU1FIg0KDQppZiBbICIkUkVHSU9OIiA9ICJjbi1ub3J0aC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5jbi1ub3J0aC0xLmFtYXpvbmF3cy5jb20uY24vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQppZiBbICIkUkVHSU9OIiA9ICJ1cy1nb3Ytd2VzdC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy11cy1nb3Ytd2VzdC0xLmFtYXpvbmF3cy5jb20vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQpjZCAvdG1wDQpGSUxFX1NJWkU9MA0KTUFYX1JFVFJZX0NPVU5UPTMNClJFVFJZX0NPVU5UPTANCg0Kd2hpbGUgWyAkUkVUUllfQ09VTlQgLWx0ICRNQVhfUkVUUllfQ09VTlQgXSA7IGRvDQogIGVjaG8gQVdTLVVwZGF0ZUxpbnV4QW1pOiBEb3dubG9hZGluZyBzY3JpcHQgZnJvbSAkU0NSSVBUX1VSTA0KICBnZXRfY29udGVudHMgIiRTQ1JJUFRfVVJMIiA+ICIkU0NSSVBUX05BTUUiDQogIEZJTEVfU0laRT0kKGR1IC1rIC90bXAvJFNDUklQVF9OQU1FIHwgY3V0IC1mMSkNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbmlzaGVkIGRvd25sb2FkaW5nIHNjcmlwdCwgc2l6ZTogJEZJTEVfU0laRQ0KICBpZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICAgIGJyZWFrDQogIGVsc2UNCiAgICBpZiBbWyAkUkVUUllfQ09VTlQgLWx0IE1BWF9SRVRSWV9DT1VOVCBdXTsgdGhlbg0KICAgICAgUkVUUllfQ09VTlQ9JCgoUkVUUllfQ09VTlQrMSkpOw0KICAgICAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbGVTaXplIGlzIDAsIHJldHJ5Q291bnQ6ICRSRVRSWV9DT1VOVA0KICAgIGZpDQogIGZpIA0KZG9uZQ0KDQppZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICBjaG1vZCAreCAiJFNDUklQVF9OQU1FIg0KICBlY2hvIEFXUy1VcGRhdGVMaW51eEFtaTogUnVubmluZyBVcGRhdGVTU01BZ2VudCBzY3JpcHQgbm93IC4uLi4NCiAgLi8iJFNDUklQVF9OQU1FIiAtLXJlZ2lvbiAiJFJFR0lPTiINCmVsc2UNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IFVuYWJsZSB0byBkb3dubG9hZCBzY3JpcHQsIHF1aXR0aW5nIC4uLi4NCmZp
    MinInstanceCount: 1
    MaxInstanceCount: 3
    IamInstanceProfileName: "{{InstanceIamRole}}"
- name: updateOSSoftware
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 3600
  onFailure: Abort
  inputs:
    DocumentName: AWS-RunShellScript
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      commands:
      - set -e
      - '[ -x "$(which wget)" ] && get_contents=''wget $1 -O -'''
      - '[ -x "$(which curl)" ] && get_contents=''curl -s -f $1'''
      - eval $get_contents https://aws-ssm-downloads-{{global:REGION}}.s3.amazonaws.com/scripts/aws-update-linux-instance
        > /tmp/aws-update-linux-instance
      - chmod +x /tmp/aws-update-linux-instance
      - "/tmp/aws-update-linux-instance --pre-update-script '{{PreUpdateScript}}'
        --post-update-script '{{PostUpdateScript}}' --include-packages '{{IncludePackages}}'
        --exclude-packages '{{ExcludePackages}}' 2>&1 | tee /tmp/aws-update-linux-instance.log"
- name: installCustomizations
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 600
  onFailure: Abort
  inputs:
    DocumentName: AWS-RunShellScript
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      commands:
      - curl -O http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
      - rpm -ivh epel-release-latest-7.noarch.rpm
      - yum -y install httpd
      - systemctl enable httpd
      - systemctl restart httpd
      - sudo yum --enablerepo=epel install -y clamav
      - yum-config-manager --disable epel
      - cat /etc/motd >> /var/www/html/index.html
      - echo 'Welcome' >> /var/www/html/index.html
      - cat > /etc/motd <<- EOF
      - "           __  __ _                 _                        _   _             "
      - "     /\\   |  \\/  (_)     /\\        | |                      | | (_)            "
      - "    /  \\  | \\  / |_     /  \\  _   _| |_ ___  _ __ ___   __ _| |_ _  ___
        \ _ __  "
      - "   / /\\ \\ | |\\/| | |   / /\\ \\| | | | __/ _ \\| '_ ` _ \\ / _` | __|
        |/ _ \\| '_ \\ "
      - "  / ____ \\| |  | | |  / ____ \\ |_| | || (_) | | | | | | (_| | |_| | (_)
        | | | |"
      - " /_/    \\_\\_|  |_|_| /_/    \\_\\__,_|\\__\\___/|_| |_| |_|\\__,_|\\__|_|\\___/|_|
        |_|"
      - "   "
      - "   "
      - EOF
- name: installInspectorAgent
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 600
  onFailure: Abort
  inputs:
    DocumentName: AmazonInspector-ManageAWSAgent
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      Operation: Install
- name: installUnifiedCloudWatchAgent
  action: aws:runCommand
  maxAttempts: 3
  timeoutSeconds: 600
  onFailure: Abort
  inputs:
    DocumentName: AWS-ConfigureAWSPackage
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    Parameters:
      name: AmazonCloudWatchAgent
      action: Install
- name: stopInstance
  action: aws:changeInstanceState
  maxAttempts: 3
  timeoutSeconds: 1200
  onFailure: Abort
  inputs:
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    DesiredState: stopped
- name: createImage
  action: aws:createImage
  maxAttempts: 3
  onFailure: Abort
  inputs:
    InstanceId: "{{launchInstance.InstanceIds}}"
    ImageName: "{{TargetAmiName}}"
    NoReboot: true
    ImageDescription: AMI Generated by EC2 Automation on {{global:DATE_TIME}} from
      {{SourceAmiId}}
- name: createEncryptedCopy
  action: aws:copyImage
  maxAttempts: 3
  onFailure: Abort
  inputs:
    SourceImageId: "{{createImage.ImageId}}"
    SourceRegion: "{{global:REGION}}"
    ImageName: Encrypted-{{TargetAmiName}}
    ImageDescription: Encrypted GoldenAMI by SSM Automation on {{global:DATE_TIME}}
      from source AMI {{createImage.ImageId}}
    Encrypted: true
- name: createTagsForEncryptedImage
  action: aws:createTags
  maxAttempts: 1
  onFailure: Continue
  inputs:
    ResourceType: EC2
    ResourceIds:
    - "{{createEncryptedCopy.ImageId}}"
    Tags:
    - Key: Automation-Id
      Value: "{{automation:EXECUTION_ID}}"
    - Key: Owner
      Value: Mystique
    - Key: SourceAMI
      Value: "{{SourceAmiId}}"
    - Key: Amazon-Inspector
      Value: 'true'
    - Key: Amazon-SSM
      Value: 'true'
    - Key: Encrypted
      Value: 'true'
- name: updateSsmParam
  action: aws:invokeLambdaFunction
  timeoutSeconds: 1200
  maxAttempts: 1
  onFailure: Abort
  inputs:
    FunctionName: Automation-UpdateSsmParam
    Payload: '{"parameterName":"/GoldenAMI/Linux/RedHat-7/latest", "parameterValue":"{{createEncryptedCopy.ImageId}}"}'
- name: terminateInstance
  action: aws:changeInstanceState
  maxAttempts: 3
  onFailure: Continue
  inputs:
    InstanceIds:
    - "{{launchInstance.InstanceIds}}"
    DesiredState: terminated
- name: deleteUnEcryptedImage
  action: aws:deleteImage
  maxAttempts: 3
  timeoutSeconds: 180
  onFailure: Abort
  inputs:
    ImageId: "{{createImage.ImageId}}"
outputs:
- createImage.ImageId

I expect it to run and create a parameter store and a document inside AWS SSM.

1 answers

solution1
 3 ACCPTED  2019-11-22 10:58:01

The code you pasted above is a Systems Manager (SSM) document rather than a CloudFormation template. That's why CF complains Template format error.

Similar to CloudFormation template, the SSM Document supports both JSON and YAML formats.

As you can see from the README description in that same GitHub repository, the JSON file is used to create a SSM Document.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS SageMaker Cloud Formation Template Creating AWS Athena View using Cloud Formation template How to schedule AWS App flow using Cloud Formation Template AWS cloud formation : Inbound rules not getting added with this cloud formation template ARN structure in Cloud formation template for AWS GovClouds Cloud Formation template for AWS::ElastiCache::GlobalReplicationGroup Create Nested If else in AWS Cloud Formation Template Unique Key as array cloud formation template AWS Create CIDR dynamically in AWS Cloud Formation Template AWS cloud formation glue table reusable template
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM