CloudFormation WaitCondition 需要公共访问权限

Question

我有一个 CloudFormation 脚本，它在 VPC 中部署单个实例。 该脚本仅在实例具有公共 IP 时才有效。如果没有公共 IP 地址，模板部署将在 WaitCondition 阶段失败。我猜那是因为 WaitCondition 要求实例可以访问 Internet？

如果我在服务器上设置代理地址，而不是分配公共IP，它会起作用吗？因此，实例通过 Web 代理访问 Internet。如果是这种情况，代理上需要将哪些 Web URL 列入白名单？我可以在用户数据中添加添加代理地址命令吗？

下面是我的模板：

  "Mappings": {
    "AWSRegion2AMI": {
      "ap-southeast-2": {
        "Windows2008r2": "ami-27b39a44",
        "Windows2012r2": "ami-83b198e0"
      }
    }

  },

  "Resources": {
    "DomainController": {
      "Type": "AWS::EC2::Instance",
      "Metadata": {
        "AWS::CloudFormation::Init": {
          "config": {
            "files": {
              "c:\\cfn\\cfn-hup.conf": {
                "content": {
                  "Fn::Join": ["", [
                    "[main]\n",
                    "stack=", {
                      "Ref": "AWS::StackId"
                    }, "\n",
                    "region=", {
                      "Ref": "AWS::Region"
                    }, "\n"
                  ]]
                }
              },

              "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": {
                "content": {
                  "Fn::Join": ["", [
                    "[cfn-auto-reloader-hook]\n",
                    "triggers=post.update\n",
                    "path=Resources.DomainController.Metadata.AWS::CloudFormation::Init\n",
                    "action=cfn-init.exe -v -s ", {
                      "Ref": "AWS::StackId"
                    },
                    " -r DomainController",
                    " --region ", {
                      "Ref": "AWS::Region"
                    }, "\n"
                  ]]
                }
              },

              "C:\\cfn\\RunCommand.bat": {
                "content": "%~1\nIF %ERRORLEVEL% GTR 10 ( exit /b 1 ) else ( exit /b 0 )"
              }
            },

            "commands": {
              "1-run-dcpromo": {
                "command": {
                  "Fn::Join": ["", [
                    "C:\\cfn\\RunCommand.bat \"dcpromo /unattend  /ReplicaOrNewDomain:Domain  /NewDomain:Forest  /NewDomainDNSName:", {
                      "Ref": "DomainDNSName"
                    },
                    "  /ForestLevel:4 /DomainNetbiosName:", {
                      "Ref": "DomainNetBIOSName"
                    },
                    " /DomainLevel:4  /InstallDNS:Yes  /ConfirmGc:Yes  /CreateDNSDelegation:No  /DatabasePath:\"C:\\Windows\\NTDS\"  /LogPath:\"C:\\Windows\\NTDS\"  /SYSVOLPath:\"C:\\Windows\\SYSVOL\" /SafeModeAdminPassword=", {
                      "Ref": "RestoreModePassword"
                    },
                    " /RebootOnCompletion:Yes\""
                  ]]
                },
                "waitAfterCompletion": "forever"
              },
              "2-signal-success": {
                "command": {
                  "Fn::Join": ["", [
                    "cfn-signal.exe -e 0 \"", {
                      "Fn::Base64": {
                        "Ref": "DomainControllerWaitHandle"
                      }
                    }, "\""
                  ]]
                }
              }
            },

            "services": {
              "windows": {
                "cfn-hup": {
                  "enabled": "true",
                  "ensureRunning": "true",
                  "files": ["c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf"]
                }
              }
            }
          }
        }
      },

      "Properties": {
        "ImageId": {
          "Fn::FindInMap": ["AWSRegion2AMI", {
            "Ref": "AWS::Region"
          }, "Windows2008r2"]
        },
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "NetworkInterfaces": [{
          "AssociatePublicIpAddress": "false",
          "DeviceIndex": "0",
          "SubnetId": {
            "Ref": "SubnetId"
          }
        }],

        "KeyName": {
          "Ref": "KeyName"
        },

        "UserData": {
          "Fn::Base64": {
            "Fn::Join": ["", [
              "<script>\n",

              "cfn-init.exe -v -s ", {
                "Ref": "AWS::StackId"
              },
              " -r DomainController ",
              " --region ", {
                "Ref": "AWS::Region"
              }, "\n",

              "</script>"
            ]]
          }
        }
      }
    },

    "DomainControllerWaitCondition": {
      "Type": "AWS::CloudFormation::WaitCondition",
      "DependsOn": "DomainController",
      "Properties": {
        "Handle": {
          "Ref": "DomainControllerWaitHandle"
        },
        "Timeout": "1500"
      }
    },

    "DomainControllerWaitHandle": {
      "Type": "AWS::CloudFormation::WaitConditionHandle"
    }

Answer 1

通过将这些参数添加到 cfn-signal.exe 来传递代理：

--http-proxy
An HTTP proxy (non-SSL). Use the following format: http://user:password@host:port

--https-proxy
An HTTPS proxy. Use the following format: https://user:password@host:port

信号被发送到 S3 存储桶。您可以将以下内容列入白名单：

https://cloudformation-waitcondition-*.s3.amazonaws.com

注意：您还可以使用 S3 VPC 终端节点功能来允许私有子网内的资源访问 S3。 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html