[Posted]: 2020-01-24 00:44:41
[Question]:
I created a CloudFormation template for a security group with 3 ingress rules: one for SSH, one for HTTP, and another for HTTP (port 8080).
First, when I include SourceSecurityGroupOwnerId, the group is not created at all. When I remove it, the group is created but with only one rule (the SSH rule).
Here is the full template:
AWSTemplateFormatVersion: 2010-09-09
Description: Provision security group to allow SSH access to instance
Parameters:
  EnvironmentName:
    Description: An environment name that will be prefixed to resource names
    Type: String
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Resources:
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !ImportValue hvfVPC-Name
      Tags:
        - Key: Name
          Value: !Ref EnvironmentName
      GroupDescription: Enable SSH access and HTTP from the load balancer only
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Ref SSHLocation
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          SourceSecurityGroupOwnerId: !ImportValue wordpressELB-SG-Id
          SourceSecurityGroupName: !ImportValue wordpressELB-SG-Name
        - IpProtocol: tcp
          FromPort: '8080'
          ToPort: '8080'
          SourceSecurityGroupOwnerId: !ImportValue wordpressELB-SG-Id
          SourceSecurityGroupName: !ImportValue wordpressELB-SG-Name
This just ends up running for a long time without actually creating the group. When I remove both SourceSecurityGroupId and SourceSecurityGroupName, the template runs, but it only creates one ingress rule.
I have triple-checked that the exports are correct, but for some reason CloudFormation hangs unless I remove those two lines.
Attaching images for clarification: [image: CloudFormation says the group is created] [image: Only the SSH ingress rule is actually created]
[image: Exports from the ELB template that I'm trying to use in the SG template]
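The following is an added example, not code from the question or from AWS: a small static check over the ingress rules of an AWS::EC2::SecurityGroup resource, run against a Python-dict rendering of the template above (intrinsic functions written in their long JSON form, `{"Fn::ImportValue": ...}` and `{"Ref": ...}`). It flags the three things a reviewer would look at in this template: `SourceSecurityGroupName` used on a VPC security group (VPC groups are referenced by `SourceSecurityGroupId`), a `SourceSecurityGroupOwnerId` whose value cannot be confirmed to be a 12-digit AWS account ID (it takes an account ID, not a security group ID, and is only needed when the source group lives in another account), and an SSH rule whose `SSHLocation` default opens port 22 to `0.0.0.0/0`. `FIXED_INGRESS` is a constructed corrected rule set; the export names are taken from the question, the `203.0.113.0/24` SSH range is a placeholder documentation prefix.

```python
"""Static checks for AWS::EC2::SecurityGroup ingress rules (added example).

Not part of the original question. TEMPLATE is a constructed dict rendering
of the question's template; intrinsic functions use their long JSON form.
"""
import copy
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Properties that name the source of an ingress rule (SourceSecurityGroupOwnerId is not one).
SOURCE_KEYS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId",
               "SourceSecurityGroupName", "SourcePrefixListId")

# Constructed from the question's template (only the parts the checks need).
TEMPLATE = {
    "Parameters": {"SSHLocation": {"Type": "String", "Default": "0.0.0.0/0"}},
    "Resources": {
        "InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "VpcId": {"Fn::ImportValue": "hvfVPC-Name"},
                "GroupDescription": "Enable SSH access and HTTP from the load balancer only",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
                     "CidrIp": {"Ref": "SSHLocation"}},
                    {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
                     "SourceSecurityGroupOwnerId": {"Fn::ImportValue": "wordpressELB-SG-Id"},
                     "SourceSecurityGroupName": {"Fn::ImportValue": "wordpressELB-SG-Name"}},
                    {"IpProtocol": "tcp", "FromPort": "8080", "ToPort": "8080",
                     "SourceSecurityGroupOwnerId": {"Fn::ImportValue": "wordpressELB-SG-Id"},
                     "SourceSecurityGroupName": {"Fn::ImportValue": "wordpressELB-SG-Name"}},
                ],
            },
        }
    },
}

# Constructed corrected rules: VPC source groups referenced by ID, no OwnerId for a
# same-account source, and SSH limited to a placeholder range instead of 0.0.0.0/0.
FIXED_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "203.0.113.0/24"},
    {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
     "SourceSecurityGroupId": {"Fn::ImportValue": "wordpressELB-SG-Id"}},
    {"IpProtocol": "tcp", "FromPort": "8080", "ToPort": "8080",
     "SourceSecurityGroupId": {"Fn::ImportValue": "wordpressELB-SG-Id"}},
]


def resolve(value, template):
    """Return a literal or a parameter's Default; imports resolve only at deploy time (None)."""
    if isinstance(value, dict):
        if "Ref" in value:
            return template.get("Parameters", {}).get(value["Ref"], {}).get("Default")
        return None
    return value


def _covers_port(rule, port):
    """True when the rule's FromPort..ToPort range includes `port`."""
    try:
        return int(rule.get("FromPort")) <= port <= int(rule.get("ToPort"))
    except (TypeError, ValueError):
        return False


def lint_template(template):
    """Return a list of (location, code, message) findings for every security group."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        in_vpc = "VpcId" in props
        for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
            where = f"{name}.SecurityGroupIngress[{i}]"
            present = [k for k in SOURCE_KEYS if k in rule]
            if not present:
                findings.append((where, "NO_SOURCE", "rule names no CIDR, prefix list or source group"))
            elif len(present) > 1:
                findings.append((where, "MULTIPLE_SOURCES", f"conflicting source properties {present}"))
            if in_vpc and "SourceSecurityGroupName" in rule:
                findings.append((where, "NAME_IN_VPC",
                                 "VPC security groups are referenced with SourceSecurityGroupId"))
            if "SourceSecurityGroupOwnerId" in rule:
                owner = resolve(rule["SourceSecurityGroupOwnerId"], template)
                if owner is None:
                    findings.append((where, "OWNER_UNRESOLVED",
                                     "SourceSecurityGroupOwnerId must be a 12-digit account ID; "
                                     "imported value cannot be checked here, confirm it is not a group ID"))
                elif not ACCOUNT_ID_RE.match(str(owner)):
                    findings.append((where, "OWNER_NOT_ACCOUNT_ID", f"{owner!r} is not an account ID"))
            if resolve(rule.get("CidrIp"), template) == "0.0.0.0/0" and _covers_port(rule, 22):
                findings.append((where, "SSH_OPEN_TO_WORLD", "port 22 reachable from any IPv4 address"))
    return findings


def with_ingress(template, rules, resource="InstanceSecurityGroup"):
    """Copy of `template` with the given ingress rules swapped into `resource`."""
    t = copy.deepcopy(template)
    t["Resources"][resource]["Properties"]["SecurityGroupIngress"] = rules
    return t


if __name__ == "__main__":
    for finding in lint_template(TEMPLATE):
        print(*finding)
    print("fixed rules:", lint_template(with_ingress(TEMPLATE, FIXED_INGRESS)))
```

Against the question's rules the check reports NAME_IN_VPC and OWNER_UNRESOLVED for both load-balancer rules and SSH_OPEN_TO_WORLD for the SSH rule; the same check over `FIXED_INGRESS` reports nothing. When the source group really is in another account, keep `SourceSecurityGroupOwnerId` but give it that account's ID and still reference the group by `SourceSecurityGroupId`.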
[Discussion]:
- Is the WordPress ELB security group in a different AWS account from this stack?
- Why are you specifying SourceSecurityGroupOwnerId?
- No, the ELB is in the same account; I posted a picture of the exports. According to the docs, the ID must be specified when using a non-default VPC.
Tags: amazon-web-services amazon-cloudformation