4

在 aws cloudformation 中,如何在 Autoscaling launchconfig 组中添加“NetworkInterfaces”,因为我想配置每个启动的实例并且我需要“NetworkInterfaces”与 AWS::EC2::Instance 相同?

4

1 回答 1

1

我目前使用的解决方案是确保每个实例都使用允许包含策略的IAM 实例配置文件启动

"PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeSubnets",
                "ec2:AttachNetworkInterface",
                "ec2:CreateNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

用于创建AutoScalingGroupLaunchConfiguration的 My Cloud Formation 模板接收要附加到每个附加ENI的子网安全组参数。

"SecondaryNICSubnetIds":{
    "Type" : "CommaDelimitedList",
    "Description" : "Ensure that the spread of Availability Zones for these Subnets matches the SubnetIds used to create Instances, as when creating a Secondary ENI it must exist in the same AZ as the Instance"
},
"SecondaryNICSecurityGroupIds":{
    "Type" : "CommaDelimitedList",
    "Description" : "Security Groups to associate to the Secondary ENI"
},

然后LaunchConfiguration包含一个UserData属性

  1. 确保安装了 awscli
  2. 通过解析实例元数据身份文档设置要使用的区域
  3. 实例元数据中获取实例 ID
  4. 从实例元数据中获取实例的可用区
  5. 通过使用awscli describe-subnets调用,从传入的子网中找到与我的实例 AZ 匹配的第一个
  6. 在我选择的子网中创建一个网络接口,并使用awscli create-network-interface调用向其中添加安全组
  7. 使用awscli create-tags调用标记我的ENI
  8. 使用awscli attach-network-interface调用将ENI附加到我的实例
  9. 使用modify-network-interface-attribute调用修改附件以在实例终止时删除ENI
"UserData": {
      "Fn::Base64" : {
        "Fn::Join": [ "\n",
          [
            "#!/bin/bash -xe",
            "sudo apt-get install -y awscli",
            "export AWS_DEFAULT_REGION=$(curl -sS http://169.254.169.254/latest/dynamic/instance-identity/document | python -c 'import sys, json; print(json.load(sys.stdin)[\"region\"])')",
            "INSTANCE_ID=$(curl -sS http://169.254.169.254/latest/meta-data/instance-id)",
            "AZ=$(curl -sS http://169.254.169.254/latest/meta-data/placement/availability-zone)",
            "echo Availability Zone: ${AZ}",
            {"Fn::Sub":[
                "SUBNET_ID=$(aws ec2 describe-subnets --subnet-ids ${SubnetNetIds} --filters Name=availabilityZone,Values=${!AZ} --query 'Subnets[0].SubnetId' --output text)",
                {"SubnetNetIds":  {"Fn::Join": [" ", {"Ref": "SecondaryNICSubnetIds"} ] }}
            ]},
            "echo Subnet Id: ${SUBNET_ID}",
            {"Fn::Sub":[
              "ENI_ID=$(aws ec2 create-network-interface --subnet ${!SUBNET_ID} --description 'Secondary ENI' --groups ${SecurityGroups} --query 'NetworkInterface.NetworkInterfaceId' --output text)",
              {"SecurityGroups":  {"Fn::Join": [" ", {"Ref": "SecondaryNICSecurityGroupIds"}]} }
            ]},
            "echo ENI ID: ${ENI_ID}",
            "aws ec2 create-tags --resources ${!ENI_ID} --tags Key=Some,Value=Tag",
            "ATTACHMENT_ID=$(aws ec2 attach-network-interface --network-interface-id ${ENI_ID} --instance-id ${INSTANCE_ID} --device-index 1 --output text)",
            "echo Attachment ID: ${ATTACHMENT_ID}",
            "echo Delete On Termination: $(aws ec2 modify-network-interface-attribute --network-interface-id ${ENI_ID} --attachment AttachmentId=${ATTACHMENT_ID},DeleteOnTermination=true --output text)"
           ]
        ]
      }
    }

如果您不想将子网--query传递到 Cloud Formation 模板中,您可以尝试通过在awscli describe-subnets调用中添加标签来查找它们,前提是您的基础架构允许您以这种方式识别它们。

于 2016-10-01T21:27:39.173 回答