【Question title】: CloudFormation and private subnets
【Posted】: 2020-12-21 01:33:56
【Question】:

I am trying to build an ECS cluster via CloudFormation. The subnet the cluster instances will live in is private. In addition, I created an image from an EC2 instance I built and verified that the SSM agent, the ECS agent and cloud-init are installed and running. I also added an inbound rule to my security group that allows HTTPS traffic from the private subnet's CIDR, as well as from the endpoints.

I have added the following endpoints to my private subnet:

  • com.amazonaws.us-west-2.ssm
  • com.amazonaws.us-west-2.ssmmessages
  • com.amazonaws.us-west-2.ecs
  • com.amazonaws.us-west-2.ecs-agent
  • com.amazonaws.us-west-2.ecs-telemetry
  • com.amazonaws.us-west-2.cloudformation

Here is my CF template:

Description: >-
  A stack for deploying containerized applications onto a cluster of EC2 hosts
  using Elastic Container Service. This stack runs containers on hosts that are
  in a public VPC subnet, and includes a public facing load balancer to register
  the services in.
Parameters:
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '2'
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Description: AMI ID
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
  SecurityGroup:
    Description: Select the Security Group to use for the ECS cluster hosts
    Type: 'AWS::EC2::SecurityGroup::Id'
  Subnets:
    Description: Choose which subnets this ECS cluster should be deployed to
    Type: 'List<AWS::EC2::Subnet::Id>'
  VPC:
    Description: Choose which VPC this ECS cluster should be deployed to
    Type: 'AWS::EC2::VPC::Id'

Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: change-name   # property names are case-sensitive: "Clustername" is rejected
    
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      AvailabilityZones:
        - 'us-west-2a'
#      VPCZoneIdentifier:
#        - '
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT5M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
       WillReplace: 'true'
    
  ContainerInstances:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Properties:
      ImageId: <custom ami>
      SecurityGroups:
        - !Ref SecurityGroup
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      UserData:
        "Fn::Base64":
         !Sub |
          #!/bin/bash -xe
          yum update -y 
          yum install -y aws-cfn-bootstrap
          yum install cloud-init
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
          systemctl enable amazon-ssm-agent
          systemctl start amazon-ssm-agent
  AutoscalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'application-autoscaling:*'
                  - 'cloudwatch:DescribeAlarms'
                  - 'cloudwatch:PutMetricAlarm'
                  - 'ecs:DescribeServices'
                  - 'ecs:UpdateService'
                Resource: '*'
    
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
    
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - 'arn:aws:iam::aws:policy/AmazonECS_FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecs:CreateCluster'
                  - 'ecs:DeregisterContainerInstance'
                  - 'ecs:DiscoverPollEndpoint'
                  - 'ecs:Poll'
                  - 'ecs:RegisterContainerInstance'
                  - 'ecs:StartTelemetrySession'
                  - 'ecs:Submit*'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchGetImage'
                  - 'ecr:GetDownloadUrlForLayer'
                Resource: '*'
    
  ECSRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:AttachNetworkInterface'
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:CreateNetworkInterfacePermission'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DeleteNetworkInterfacePermission'
                  - 'ec2:Describe*'
                  - 'ec2:DetachNetworkInterface'
                  - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
                  - 'elasticloadbalancing:DeregisterTargets'
                  - 'elasticloadbalancing:Describe*'
                  - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
                  - 'elasticloadbalancing:RegisterTargets'
                Resource: '*'
    
Outputs:
  ClusterName:
    Description: The name of the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Join 
        - ':'
        - - !Ref 'AWS::StackName'
          - ClusterName
  ECSRole:
    Description: The ARN of the ECS role
    Value: !GetAtt ECSRole.Arn
    Export:
      Name: !Join 
        - ':'
        - - !Ref 'AWS::StackName'
          - ECSRole

The problem is that at the last stage, creating the AutoScaling role, it hangs and errors out, never receiving a success status code.

Error:

Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

Any help would be greatly appreciated; thanks for your time.

【Question discussion】:

    Tags: amazon-web-services amazon-cloudformation amazon-ecs
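As an added check (example code written for this page, not part of the question or the answer below), the script that follows takes the `VpcEndpoints` list in the shape returned by `aws ec2 describe-vpc-endpoints` and the `SecurityGroups` list from `aws ec2 describe-security-groups` (a constructed sample is embedded so it runs offline; it is not real account output) and reports the three things that most often leave an ECS/SSM host in a private subnet unable to register: a required interface endpoint that is missing, an endpoint created without private DNS, and an endpoint whose security group does not admit HTTPS from the subnet CIDR. The required-service list goes slightly beyond the question's list: it adds `com.amazonaws.<region>.ec2messages`, which the SSM agent also needs. The subnet CIDR, group IDs and endpoint IDs are made-up values.

```python
"""Offline audit of VPC endpoint coverage for ECS/SSM hosts in a private subnet.

Added example; not code from the original question, answer or any AWS library.
Input is in the shape of `aws ec2 describe-vpc-endpoints` / `describe-security-groups`.
"""
import ipaddress

# Interface endpoints the ECS and SSM agents need when the subnet has no NAT or
# internet gateway. ec2messages is not in the question's list but the SSM agent
# requires it; the other names match the question.
REQUIRED_SERVICES = [
    "ssm", "ssmmessages", "ec2messages",   # SSM agent
    "ecs", "ecs-agent", "ecs-telemetry",   # ECS agent
    "cloudformation",                      # cfn-signal from user data
]


def service_name(region, svc):
    return f"com.amazonaws.{region}.{svc}"


def check_endpoints(endpoints, region, required=REQUIRED_SERVICES):
    """Classify required services as missing, not yet available, or lacking private DNS."""
    by_name = {e["ServiceName"]: e for e in endpoints}
    result = {"missing": [], "not_available": [], "no_private_dns": []}
    for svc in required:
        name = service_name(region, svc)
        ep = by_name.get(name)
        if ep is None:
            result["missing"].append(name)
            continue
        if ep.get("State") != "available":
            result["not_available"].append(name)
        # The agents resolve the public service hostname; without private DNS that
        # resolves to the internet-facing address, which a private subnet cannot reach.
        if not ep.get("PrivateDnsEnabled", False):
            result["no_private_dns"].append(name)
    return result


def sg_allows_https_from(sg, subnet_cidr):
    """True if any inbound rule of the group admits TCP/443 from the whole subnet CIDR."""
    subnet = ipaddress.ip_network(subnet_cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)):
            continue
        for r in perm.get("IpRanges", []):
            if subnet.subnet_of(ipaddress.ip_network(r["CidrIp"])):
                return True
    return False


def endpoint_sg_findings(endpoints, security_groups, subnet_cidr):
    """Service names of interface endpoints whose attached groups all reject HTTPS from the subnet."""
    sgs = {g["GroupId"]: g for g in security_groups}
    blocked = []
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Interface":
            continue
        attached = [sgs[g["GroupId"]] for g in ep.get("Groups", []) if g["GroupId"] in sgs]
        # Security groups are additive: one permitting group is enough.
        if not any(sg_allows_https_from(sg, subnet_cidr) for sg in attached):
            blocked.append(ep["ServiceName"])
    return blocked


# ---- constructed sample input (not real account data) ----------------------
REGION = "us-west-2"
SUBNET_CIDR = "10.0.1.0/24"


def _ep(svc, private_dns=True, group="sg-0abc0000endpoint", state="available"):
    return {
        "VpcEndpointId": f"vpce-0000{svc}",       # made-up id
        "VpcEndpointType": "Interface",
        "ServiceName": service_name(REGION, svc),
        "State": state,
        "PrivateDnsEnabled": private_dns,
        "Groups": [{"GroupId": group, "GroupName": "endpoint-sg"}],
    }


SAMPLE_ENDPOINTS = [
    _ep("ssm"), _ep("ssmmessages"), _ep("ecs"), _ep("ecs-agent"),
    _ep("ecs-telemetry", private_dns=False),            # deliberately misconfigured
    _ep("cloudformation", group="sg-0abc0000closed"),   # group without a 443 rule
]

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0abc0000endpoint",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0abc0000closed",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]


def audit(endpoints=SAMPLE_ENDPOINTS, security_groups=SAMPLE_SECURITY_GROUPS,
          subnet_cidr=SUBNET_CIDR, region=REGION):
    result = check_endpoints(endpoints, region)
    result["https_blocked"] = endpoint_sg_findings(endpoints, security_groups, subnet_cidr)
    return result


if __name__ == "__main__":
    for key, names in audit().items():
        print(f"{key}: {names or 'ok'}")
```

On real data, feed the two CLI outputs' `VpcEndpoints` and `SecurityGroups` lists to `audit()` with the private subnet's CIDR; an empty list under every key means the endpoint side is not the reason an instance cannot reach ECS, SSM or CloudFormation, and the next place to look is the instance's own log files once it launches.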


    【Solution 1】:

    A possible cause could be the following line:

    yum install cloud-init
    

    Since you are missing -y, yum may be waiting for manual confirmation. The line should be replaced with

    yum install -y cloud-init
    

    Also, I don't know what this is supposed to mean:

          ImageId: <custom ami>
    

    since you are using the SSM AMI parameter. The natural approach is therefore to use it:

          ImageId: !Ref ECSAMI
    

    【Discussion】:

    • Thanks for the reply. I will try adding that parameter to the cloud-init command. However, I did create an EC2 image and verified that cloud-init is installed and that both the ecs/ssm agents are running. I reference that image's AMI in my CF template; I just removed it for the post.
    • @ShaneGarnetti No problem. So I guess it works now?
    • Unfortunately it still fails. I added "-y" as you suggested and changed the ImageId to "!Ref ECSAMI".
    • @ShaneGarnetti You have to log in to the instance and check the logs, /var/log/cloud-init-output.log and the other files.
    • The problem is that the EC2 instance is not even being created. It seems that CF cannot talk to my VPC. I noticed that the VPC I am trying to launch in starts with 10.*. I have had it run successfully in a lab VPC that starts with 172.*. Even with the endpoints added it still fails and the EC2 instance is never launched.