AWS:CloudFormation 一日速成-expert1-ChinaUnix博客

whenexpert1.blog.chinaunix.net

首页　| 　博文目录　| 　关于我

expert1

博客访问： 1066130
博文数量： 186
博客积分： 4939
博客等级：上校
技术积分： 2075
用户组：普通用户
注册时间： 2010-04-08 17:15

文章分类

全部博文（186）

AWS（6）
自动化（26）
php（6）
杂项（23）
工作（41）
感悟（5）
优化？（6）
架构相关（11）
高级脚本（60）
未分配的博文（2）

文章存档

2018年（1）

2017年（3）

2016年（11）

2015年（42）

2014年（21）

2013年（9）

2012年（18）

2011年（46）

2010年（35）

我的朋友

相关博文

AWS:CloudFormation 一日速成

分类：系统运维

2016-07-29 22:10:04

漫笔：
    1. CloudFormation 官方啰嗦一大堆，其实就是根据amazon提供的API和规则编写json文件（stack)来实现自动创建各种资源如vpc/ec2/rds等。然后实现 infrastcture as code，就是把基础设施用code来实现，当然这是在云时代才可行的哦。BTW, 阿里云也推出了类似的工具叫资源编排(名字好奇怪啊），几乎是个拷贝，估计是方便AWS用户迁移到阿里云上吧，兼容性极好，学习起来也是零成本^_^。

    2. 好处：非常的方便，当然也包括删除资源，除非你后来手工做了改动比如加了某个Instance到自动创建的subnet,此时delete会报错（有依赖关系），不过当你手动删掉你之前手工创建的资源后，再次删除delete stack就可以了。建议既然用CF了，就不要人工的去做了。

    3. 所有的stack在console能实现的，都有对应的命令行工具。

    4. 当你创建了stack policy的时候某些资源做了限制。只有满足条件才能update等。

    5. changeset: 当stack执行完毕，若update,此时无需删除stack重来，只需修改tempalte,然后创建changset后执行即可，比如修改instance的type。但可能会造成中断等。

    6. stack分组，比如website/database,这样不影响，然后nested stack，比如把loadbalancer单独当做一个stack.如下

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Resources" : {
        "myStackWithParams" : {
           "Type" : "AWS::CloudFormation::Stack",
           "Properties" : {
               "TemplateURL" : "https://s3.amazonaws.com/xxx/elb.template",
               "Parameters" : {
                   "InstanceType" : "t2.micro",
                   "KeyName" : "mykey"
               }
            }
        }
    }
}

########## 一个stack的大致结构 ########################
{
"AWSTemplateFormatVersion" : "version date",

"Description" : "JSON string",

"Metadata" : {
    template metadata
},

"Parameters" : { # 输入参数，有参数类型string等，default值，长度，以及[a-zA-Z0-9]来约束，多选，No echo(针对密码）等。还有一些aws-specfic
    set of parameters
},

"Mappings" : {    # 映射关系，太长懒得解释了，基本上就类似一个环境变量，多跟Fn::FindInMap结合，看官方文档吧，或者看我的代码。
    set of mappings
},

"Conditions" : { # 比如你有2个环境dev/prod，假如prod的话可能需要多几个ec2，那么可以parameter来指定condition，然后resource来标记，多跟and/equals/if/not/or几个函数一起，不废话，看例子1
    set of conditions
},

"Resources" : {   # 这个必须有，不多说了，基本就是各种资源了比如AWS::EC2::Instance这种。
    set of resources
},

"Outputs" : {   # 顾名思义
    set of outputs
}
}

例1:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Parameters" : {
    "EnvType" : {
      "Description" : "Environment type.",
      "Default" : "test",
      "Type" : "String",
      "AllowedValues" : ["prod", "test"],
      "ConstraintDescription" : "must specify prod or test."
    }
},

"Conditions" : {
    "CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "prod"]},
     "CreateDevResources" : {"Fn::Not": [{"Fn::Equals" : [{"Ref" : "DBSnapshotName"}, ""]}]}
},

},

"Resources" : {
    "EC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      # 省略7788的一堆
    },

"xxxx":{

       "DBSnapshotIdentifier" : {
          "Fn::If" : [
            ""CreateDevResources" ",                  # 跟资源结合
            {"Ref" : "DBSnapshotName"},
          ]
        }
}

    "MountPoint" : {
      "Type" : "AWS::EC2::VolumeAttachment",
      "Condition" : "CreateProdResources",
      "Properties" : {
        "InstanceId" : { "Ref" : "EC2Instance" },
        "Device" : "/dev/sdh"
      }
    }
}
}

故障排除：

用aws cli的时候需要传递一个list，需要转义

ParameterKey=CIDR,ParameterValue='10.10.0.0/16\,10.10.0.0/24\,10.10.1.0/24'

现在附上我写的一个,本意是创建一个vpc/2 subnets，若干securitygroup,internet gateway, route table。然后一个opsman和nat box这2个instance在public subnet, private subnet的通过nat box上网，还有ELB等资源。当然我添加了若干注释是没用到的，仅仅是为了做笔记，实际上json不允许有任何注释。

{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Initilize Network infrastructure which hosted OpsManger/natbox for China",
"Parameters": {
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName"
},
"SshFrom": {
"Description": "ip range that could be access OpsManager (default can be accessible anywhere)",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid CIDR range of the form x.x.x.x/x."
},
"RdsDBName": {
"Type": "String",
"MinLength": "4",
"Default": "bosh",
"Description": "BOSH database name"
},
"RdsUsername": {
"Type": "String",
"Description": "BOSH database username"
},
"RdsPassword": {
"Type": "String",
"NoEcho": "true",
"MinLength": "8",
"Description": "BOSH database password"
},
"SSLCertARN": {
"Type": "String",
"Description": "ARN for pre-uploaded SSL certificate"
},
"NATInstanceType": {
"Description": "Nat Box EC2 instance type",
"Type": "String",
"Default": "m3.large",
"AllowedValues": [
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
"ConstraintDescription": "must be a valid EC2 instance type."
},
"OpsmanInstanceType": {
"Description": "ops manager EC2 instance type",
"Type": "String",
"Default": "m3.large",
"AllowedValues": [
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
"ConstraintDescription": "must be a valid EC2 instance type."
}
},
"Mappings": {
"Region2VPC": {
"us-east-1": {
"VPC": "10.0.0.0/16",
"Public": "10.0.10.0/24",
"Private": "10.0.11.0/24"
},
"cn-north-1": {
"VPC": "10.0.0.0/16",
"Public": "10.0.10.0/24",
"Private": "10.0.80.0/20",
"Rds1": "10.0.3.0/24",
"Rds2": "10.0.2.0/24"
}
},
"ArnSuffix": {
"us-east-1": {"Value": "aws"},
"cn-north-1": {"Value": "aws-cn"}
},
"AWSNATAMI": {
"us-east-1": {
"AMI": "ami-c6699baf"
},
"us-west-2": {
"AMI": "ami-52ff7262"
},
"us-west-1": {
"AMI": "ami-3bcc9e7e"
},
"cn-north-1": {
"AMI": "ami-1848da21"
}
},
"AWSInstanceType2Arch": {
"t1.micro": {
"Arch": "64"
},
"m1.small": {
"Arch": "64"
},
"m1.medium": {
"Arch": "64"
},
"m1.large": {
"Arch": "64"
},
"m1.xlarge": {
"Arch": "64"
},
"m2.xlarge": {
"Arch": "64"
},
"m2.2xlarge": {
"Arch": "64"
},
"m2.4xlarge": {
"Arch": "64"
},
"m3.large": {
"Arch": "64"
},
"m3.xlarge": {
"Arch": "64"
},
"m3.2xlarge": {
"Arch": "64"
},
"c1.medium": {
"Arch": "64"
},
"c1.xlarge": {
"Arch": "64"
},
"cc1.4xlarge": {
"Arch": "64Cluster"
},
"cc2.8xlarge": {
"Arch": "64Cluster"
},
"cg1.4xlarge": {
"Arch": "64GPU"
}
},
"AWSRegionArch2AMI": {
"us-east-1": {
"32": "ami-a0cd60c9",
"64": "ami-aecd60c7"
},
"us-west-2": {
"32": "ami-46da5576",
"64": "ami-48da5578"
},
"us-west-1": {
"32": "ami-7d4c6938",
"64": "ami-734c6936"
},
"cn-north-1": {
"32": "N/A",
"64": "ami-2e02c843"
}
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"VPC"
]
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
}
]
}
},
"PublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"Public"
]
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"GatewayToInternet": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
}
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Public"
}
]
}
},
"PublicRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "GatewayToInternet",
"Properties": {
"RouteTableId": {
"Ref": "PublicRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
}
},
"PrivateSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"Private"
]
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Network",
"Value": "Private"
}
]
}
},
"PrivateSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet"
},
"RouteTableId": {
"Ref": "PrivateRouteTable"
}
}
},
"PrivateRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"InstanceId": {
"Ref": "NatBox"
}
}
},
"NATIPAddress": {
"Type": "AWS::EC2::EIP",
"DependsOn": "GatewayToInternet",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Ref": "NatBox"
}
}
},
"NatBox": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": {
"Ref": "NATInstanceType"
},
"KeyName": {
"Ref": "KeyName"
},
"SubnetId": {
"Ref": "PublicSubnet"
},
"SourceDestCheck": "false",
"ImageId": {
"Fn::FindInMap": [
"AWSNATAMI",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"SecurityGroupIds": [
{
"Ref": "NATSecurityGroup"
}
],
"Tags": [
{
"Key": "Name",
"Value": "Nat-Box-CN"
}
]
}
},
"NATSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable internal access to the NAT Box",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"CidrIp": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"VPC"
]
},
"IpProtocol": "-1"
}
]
}
},
"OpsManagerIPAddress": {
"Type": "AWS::EC2::EIP",
"DependsOn": "GatewayToInternet",
"Properties": {
"Domain": "vpc",
"InstanceId": {
"Ref": "OpsMananger"
}
}
},
"OpsMananger": {
"Type": "AWS::EC2::Instance",
######################################################### Metadata 被cfn-init 调用 #######################
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"MyConfigSet": [
"Set1",
"Set2"
]
},
"Set1": {
"packages": {
"yum": {
"php": [],
"mysql": []
}
},
"commands": {
"01command": {
"command": {
"Fn::Join": [
"",
[
{
"Ref": "xxxxx"
},
"abcd"
]
]
},
"test": {}
}
},
"files": {
"File1": {
"content": {
"Fn::Join": [
"",
[
"ABC\n"
]
]
},
"mode": "000400",
"owner": "root",
"group": "root"
},
"File2": {
"source": {
"Fn::Join": [
"",
[
"https://s3.amazonaws.com/",
{
"Ref": "PrivateBucket"
},
"/id_rsa.pub"
]
]
},
"mode": "000500",
"owner": "root",
"group": "root",
"authentication": "S3AccessCreds"}
},
"services": {
"sysvinit": {
"Service1": {
"enable": "true",
"ensureRunning": "true",
"files": [
"file_confg"
]
}
}
}
},
"Set2": {},
"AWS::CloudFormation::Authentication": {
"S3AccessCreds": {
"type": "S3",
"accessKeyId": {
"Ref": "IamUserAccessKey"
},
"secretKey": {
"Fn::GetAtt": [
"IamUserAccessKey",
"SecretAccessKey"
]
},
"buckets": [
{
"Ref": "PrivateBucket"
},
{
"Ref": "PublicBucket"
}
]
}
}
},
"Propterties": {
"KeyName": {
"Ref": "YourKeyName"
}
},
}
######################################################
"Properties": {
"InstanceType": {
"Ref": "OpsmanInstanceType"
},
"KeyName": {
"Ref": "KeyName"
},
###################################################
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -ex\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ",
{
"Ref": "AWS::StackName"
},
" --resource OpsMananger",
" --configsets MyconfigSet",
" --region ",
{
"Ref": "AWS::Region"
},
"\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ",
{
"Ref": "AWS::StackName"
},
" --resource OpsMananger",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
####################################
cfn-init专门来安装、配置，启动服务等，定义在上面的metadata里面，详细的介绍看http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html#aws-resource-init-sources
### createpolicy接受cf-signal的信号，或者timeout,可以确保资源成功创建。目前 AWS::AutoScaling::AutoScalingGroup, AWS::EC2::Instance, and AWS::CloudFormation::WaitCondition支持。
EC2/Auto Scaling建议使用。还有个waitcondition跟这个类似，但具体区别看不明白，看文档官方以后要去掉waitcondition了吧。
"CreatePolicy": {
"ResourceSignal": {
"Timeout": "PT15M"
}
}
####################################
"SubnetId": {
"Ref": "PublicSubnet"
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{
"Ref": "AWS::Region"
},
{
"Fn::FindInMap": [
"AWSInstanceType2Arch",
{
"Ref": "OpsmanInstanceType"
},
"Arch"
]
}
]
},
"Tags": [
{
"Key": "Name",
"Value": "OpsManager"
}
],
"SecurityGroupIds": [
{
"Ref": "OpsManSecurityGroup"
}
]
}
},
######################################## Auto Scaling ######################
"WebServerGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"AvailabilityZones": {
"Fn::GetAZs": ""
},
"LaunchConfigurationName": {
"Ref": "LaunchConfig"
},
"MinSize": "1",
"MaxSize": "5",
"DesiredCapacity": {
"Ref": "WebServerCapacity"
},
"LoadBalancerNames": [
{
"Ref": "PublicElasticLoadBalancer"
}
]
},
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT30M"
}
},
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"MinInstancesInService": "1",
"MaxBatchSize": "1",
"PauseTime": "PT30M",
"WaitOnResourceSignals": "true"
}
}
},
"LaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata": {
"AWS::CloudFormation::Init": { #也可以设置 metadata来初始化
"configSets": {
"xxxx": []
},
"xxx": {
"files": {}
}
}
},
"Properties":{
"ImageId": {},
"InstanceType": {},
"SecurityGroups": [
{}
],
"KeyName": {},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -xe\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ",
{
"Ref": "AWS::StackId"
},
" --resource LaunchConfig ",
" --configsets full_install ",
" --region ",
{
"Ref": "AWS::Region"
},
"\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ",
{
"Ref": "AWS::StackId"
},
" --resource WebServerGroup ",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
}
}
##################### Auto Scaling ##############
"OpsManSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable access to the OpsManager ",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": {
"Ref": "SshFrom"
}
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": {
"Ref": "SshFrom"
}
},
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": {
"Ref": "SshFrom"
}
},
{
"IpProtocol": "tcp",
"FromPort": "25555",
"ToPort": "25555",
"CidrIp": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"VPC"
]
}
},
{
"IpProtocol": "tcp",
"FromPort": "6868",
"ToPort": "6868",
"CidrIp": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"VPC"
]
}
}
]
}
},
"VmsSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "PCF VMs Security Group",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "-1",
"CidrIp": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"VPC"
]
}
}
]
}
},
"MysqlSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "PCF MySQL Security Group",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "3306",
"ToPort": "3306",
"CidrIp": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"VPC"
]
}
}
]
}
},
"PublicElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"LoadBalancerName": "pcf-china",
"CrossZone": true,
"ConnectionSettings": {
"IdleTimeout": 3600
},
"SecurityGroups": [
{
"Ref": "PublicLoadBalancerSecurityGroup"
}
],
"Subnets": [
{
"Ref": "PrivateSubnet"
}
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
},
{
"LoadBalancerPort": "443",
"InstancePort": "80",
"Protocol": "HTTPS",
"SSLCertificateId": {
"Ref": "SSLCertARN"
}
},
{
"LoadBalancerPort": "4443",
"InstancePort": "443",
"Protocol": "SSL",
"SSLCertificateId": {
"Ref": "SSLCertARN"
}
}
],
"HealthCheck": {
"Target": "TCP:80",
"HealthyThreshold": "10",
"UnhealthyThreshold": "2",
"Interval": "30",
"Timeout": "6"
}
}
},
"PublicLoadBalancerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Public ELB Security Group with HTTP access on port 80 from the internet",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "4443",
"ToPort": "4443",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"SSHElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"LoadBalancerName": "ssh-elb",
"CrossZone": true,
"ConnectionSettings": {
"IdleTimeout": 3600
},
"SecurityGroups": [
{
"Ref": "SSHLoadBalancerSecurityGroup"
}
],
"Subnets": [
{
"Ref": "PrivateSubnet"
}
],
"Listeners": [
{
"LoadBalancerPort": "2222",
"InstancePort": "2222",
"Protocol": "tcp"
}
],
"HealthCheck": {
"Target": "TCP:2222",
"HealthyThreshold": "10",
"UnhealthyThreshold": "2",
"Interval": "30",
"Timeout": "6"
}
}
},
"SSHLoadBalancerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "ssh ELB Security Group",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "2222",
"ToPort": "2222",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"RdsSubnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
"CidrBlock": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"Rds1"
]
},
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "rds-subnet-1"
}
]
}
},
"RdsSubnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Fn::GetAZs": {
"Ref": "AWS::Region"
}
}
]
},
"CidrBlock": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"Rds2"
]
},
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": "rds-subnet-2"
}
]
}
},
"RdsSubnet1tRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "RdsSubnet1"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
}
},
"RdsSubnet2tRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "RdsSubnet2"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
}
},
"OpsManS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": "PCF Ops Manager S3 Bucket"
}
]
}
},
"IamUser": {
"Type": "AWS::IAM::User",
"DependsOn": [
"OpsManS3Bucket"
],
"Properties": {
"Policies": [
{
"PolicyName": "Policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:*"
],
"Resource": [
"*"
]
},
{
"Sid": "OpsManS3Permissions",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Fn::FindInMap": [
"ArnSuffix",
{"Ref": "AWS::Region"
},
"Value"
]
},
":s3:::",
{
"Ref": "OpsManS3Bucket"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Fn::FindInMap": [
"ArnSuffix",
{"Ref": "AWS::Region"
},
"Value"
]
},
":s3:::",
{
"Ref": "OpsManS3Bucket"
},
"/*"
]
]
}
]
},
{
"Sid": "OpsManEc2Permissions",
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:RebootInstances",
"ec2:TerminateInstances",
"ec2:DescribeKeypairs",
"ec2:DescribeRegions",
"ec2:DescribeSnapshots",
"ec2:CreateSnapshot",
"ec2:DeleteSnapshot",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:CreateTags",
"ec2:DescribeVolumes",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DeleteVolume",
"ec2:DetachVolume"
],
"Resource": [
"*"
]
},
{
"Sid": "OpsManElbPermissions",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
],
"Resource": [
"*"
]
}
]
}
}
]
}
},
"IamUserAccessKey": {
"Type": "AWS::IAM::AccessKey",
"DependsOn": "IamUser",
"Properties": {
"UserName": {
"Ref": "IamUser"
}
}
},
"RdsSubnetGroup": {
"Type": "AWS::RDS::DBSubnetGroup",
"Properties": {
"DBSubnetGroupDescription": "PCF RDS Subnet Group",
"SubnetIds": [
{
"Ref": "RdsSubnet1"
},
{
"Ref": "RdsSubnet2"
}
]
}
},
"Rds": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"AllocatedStorage": "100",
"DBInstanceClass": "db.m3.large",
"Engine": "MySQL",
"EngineVersion": "5.6.22",
"MultiAZ": "True",
"DBName": {
"Ref": "RdsDBName"
},
"Iops": "1000",
"MasterUsername": {
"Ref": "RdsUsername"
},
"MasterUserPassword": {
"Ref": "RdsPassword"
},
"PubliclyAccessible": "False",
"VPCSecurityGroups": [
{
"Ref": "MysqlSecurityGroup"
}
],
"DBSubnetGroupName": {
"Ref": "RdsSubnetGroup"
}
}
}
},
"Outputs": {
"OpsManager": {
"Description": "IP Address of the OpsManager host",
"Value": {
"Ref": "OpsManagerIPAddress"
}
},
"VmsSecurityGroup": {
"Value": {
"Ref": "VmsSecurityGroup"
}
},
"VPCId": {
"Value": {
"Ref": "VPC"
}
},
"PublicSubnet": {
"Value": {
"Ref": "PublicSubnet"
}
},
"IamUserName": {
"Value": {
"Ref": "IamUser"
}
},
"IamUserAccessKey": {
"Value": {
"Ref": "IamUserAccessKey"
}
},
"IamUserSecretAccessKey": {
"Value": {
"Fn::GetAtt": [
"IamUserAccessKey",
"SecretAccessKey"
]
}
},
"S3Bucket": {
"Value": {
"Ref": "OpsManS3Bucket"
}
},
"PrivateSubnet": {
"Value": {
"Ref": "PrivateSubnet"
}
},
"PrivateSubnetAvailabilityZone": {
"Value": {
"Fn::GetAtt": [
"PrivateSubnet",
"AvailabilityZone"
]
}
},
"PublicSubnetAvailabilityZone": {
"Value": {
"Fn::GetAtt": [
"PublicSubnet",
"AvailabilityZone"
]
}
},
"RdsAddress": {
"Value": {
"Fn::GetAtt": [
"Rds",
"Endpoint.Address"
]
}
},
"RdsPort": {
"Value": {
"Fn::GetAtt": [
"Rds",
"Endpoint.Port"
]
}
},
"RdsUsername": {
"Value": {
"Ref": "RdsUsername"
}
},
"RdsPassword": {
"Value": {
"Ref": "RdsPassword"
}
},
"RdsDBName": {
"Value": {
"Ref": "RdsDBName"
}
},
"CidrBlock": {
"Value": {
"Fn::FindInMap": [
"Region2VPC",
{
"Ref": "AWS::Region"
},
"Private"
]
}
},
"KeyPairName": {
"Value": {
"Ref": "KeyName"
}
}
}
}
以下是跟DNS操作有观的，未验证，因为route53我没用到，拷贝为了参考备忘。
"HostedZone": {
"Type": "AWS::Route53::HostedZone",
"Properties": {
"HostedZoneConfig": {
"Comment": "Hosted zone for example.com"
},
"Name": "example.com",
"VPCs": [
{
"VPCId": {
"Ref": "VPC"
},
"VPCRegion": {
"Ref": "AWS::Region"
}
}
]
}
},
"PuppetMasterDNSRecord": {
"Type": "AWS::Route53::RecordSet",
"DependsOn": "HostedZone",
"Properties": {
"HostedZoneId": {
"Fn::Join": [
"",
[
"/hostedzone/",
{
"Ref": "HostedZone"
}
]
]
},
"Name": "puppet.example.com",
"Type": "A",
"TTL": "900",
"ResourceRecords": [
{
"Ref": "PuppetMasterIP"
}
]
}
},
"PuppetAgentLinuxDNSRecord": {
"Type": "AWS::Route53::RecordSet",
"Properties": {
"HostedZoneId": {
"Fn::Join": [
"",
[
"/hostedzone/",
{
"Ref": "HostedZone"
}
]
]
},
"Name": "linuxagent.example.com",
"Type": "A",
"TTL": "900",
"ResourceRecords": [
{
"Ref": "PuppetAgentLinuxIP"
}
]
}
},
"PuppetAgentWindowsDNSRecord": {
"Type": "AWS::Route53::RecordSet",
"Properties": {
"HostedZoneId": {
"Fn::Join": [
"",
[
"/hostedzone/",
{
"Ref": "HostedZone"
}
]
]
},
"Name": "windowsagent.example.com",
"Type": "A",
"TTL": "900",
"ResourceRecords": [
{
"Ref": "PuppetAgentWindowsIP"
}
]
}
}

阅读(4012) | 评论(0) | 转发(0) |

上一篇：bash创建AWS的vpc/ec2等备忘 (**建议用CloudFormation**）

下一篇：统计AWS的ec2的ReservedInstance使用情况

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6