AWS Lambda-Vorlage - AWS CloudFormation

AWS Lambda-Vorlage

Die folgende Vorlage verwendet eine AWS Lambda (Lambda)-Funktion und eine benutzerdefinierte Ressource, um eine neue Sicherheitsgruppe an die Liste vorhandener Sicherheitsgruppen anzufügen. Diese Funktion ist hilfreich, wenn Sie dynamisch eine Liste von Sicherheitsgruppen erstellen möchten, sodass die Liste sowohl neue als auch vorhandene Sicherheitsgruppen enthält. Sie können beispielsweise eine Liste vorhandener Sicherheitsgruppen als Parameterwert übergeben, den neuen Wert an die Liste anfügen und dann alle Werte mit einer EC2-Instance verknüpfen. Weitere Informationen über die Lambda-Funktion Ressourcentyp finden Sie unter AWS::Lambda::Function.

Im Beispiel, wenn AWS CloudFormation die benutzerdefinierte Ressource AllSecurityGroups erstellt, ruft AWS CloudFormation die AppendItemToListFunction Lambda Funktion auf. AWS CloudFormation übergibt die Liste der vorhandenen Sicherheitsgruppen und eine neue Sicherheitsgruppe (NewSecurityGroup) an die Funktion, die die neue Sicherheitsgruppe an die Liste anhängt und dann die geänderte Liste zurückgibt. AWS CloudFormation verwendet die modifizierte Liste, um alle Sicherheitsgruppen der Ressource MyEC2Instance zuzuordnen.

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Parameters" : { "ExistingSecurityGroups" : { "Type" : "List<AWS::EC2::SecurityGroup::Id>" }, "ExistingVPC" : { "Type" : "AWS::EC2::VPC::Id", "Description" : "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter." }, "InstanceType" : { "Type" : "String", "Default" : "t2.micro", "AllowedValues" : ["t2.micro", "m1.small"] } }, "Mappings": { "AWSInstanceType2Arch" : { "t2.micro" : { "Arch" : "HVM64" }, "m1.small" : { "Arch" : "HVM64" } }, "AWSRegionArch2AMI" : { "us-east-1" : {"HVM64" : "ami-0ff8a91507f77f867", "HVMG2" : "ami-0a584ac55a7631c0c"}, "us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" : "ami-0e09505bc235aa82d"}, "us-west-1" : {"HVM64" : "ami-0bdb828fd58c52235", "HVMG2" : "ami-066ee5fd4a9ef77f1"}, "eu-west-1" : {"HVM64" : "ami-047bb4163c506cd98", "HVMG2" : "ami-0a7c483d527806435"}, "eu-central-1" : {"HVM64" : "ami-0233214e13e500f77", "HVMG2" : "ami-06223d46a6d0661c7"}, "ap-northeast-1" : {"HVM64" : "ami-06cd52961ce9f0d85", "HVMG2" : "ami-053cdd503598e4a9d"}, "ap-southeast-1" : {"HVM64" : "ami-08569b978cc4dfa10", "HVMG2" : "ami-0be9df32ae9f92309"}, "ap-southeast-2" : {"HVM64" : "ami-09b42976632b27e9b", "HVMG2" : "ami-0a9ce9fecc3d1daf8"}, "sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" : "NOT_SUPPORTED"}, "cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"} } }, "Resources" : { "SecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Allow HTTP traffic to the host", "VpcId" : {"Ref" : "ExistingVPC"}, "SecurityGroupIngress" : [{ "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0" }], "SecurityGroupEgress" : [{ "IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0" }] } }, "AllSecurityGroups": { "Type": "Custom::Split", "Properties": { "ServiceToken": { "Fn::GetAtt" : ["AppendItemToListFunction", "Arn"] }, "List": { "Ref" : "ExistingSecurityGroups" }, "AppendedItem": { "Ref" : "SecurityGroup" } } }, "AppendItemToListFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Handler": "index.handler", "Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] }, "Code": { "ZipFile": { "Fn::Join": ["", [ "var response = require('cfn-response');", "exports.handler = function(event, context) {", " var responseData = {Value: event.ResourceProperties.List};", " responseData.Value.push(event.ResourceProperties.AppendedItem);", " response.send(event, context, response.SUCCESS, responseData);", "};" ]]} }, "Runtime": "nodejs8.10" } }, "MyEC2Instance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, { "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ] } ] }, "SecurityGroupIds" : { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] }, "InstanceType" : { "Ref" : "InstanceType" } } }, "LambdaExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]}, "Action": ["sts:AssumeRole"] }] }, "Path": "/", "Policies": [{ "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*" }] } }] } } }, "Outputs" : { "AllSecurityGroups" : { "Description" : "Security Groups that are associated with the EC2 instance", "Value" : { "Fn::Join" : [ ", ", { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] }]} } } }

YAML

AWSTemplateFormatVersion: '2010-09-09' Parameters: ExistingSecurityGroups: Type: List<AWS::EC2::SecurityGroup::Id> ExistingVPC: Type: AWS::EC2::VPC::Id Description: The VPC ID that includes the security groups in the ExistingSecurityGroups parameter. InstanceType: Type: String Default: t2.micro AllowedValues: - t2.micro - m1.small Mappings: AWSInstanceType2Arch: t2.micro: Arch: HVM64 m1.small: Arch: HVM64 AWSRegionArch2AMI: us-east-1: HVM64: ami-0ff8a91507f77f867 HVMG2: ami-0a584ac55a7631c0c us-west-2: HVM64: ami-a0cfeed8 HVMG2: ami-0e09505bc235aa82d us-west-1: HVM64: ami-0bdb828fd58c52235 HVMG2: ami-066ee5fd4a9ef77f1 eu-west-1: HVM64: ami-047bb4163c506cd98 HVMG2: ami-0a7c483d527806435 eu-central-1: HVM64: ami-0233214e13e500f77 HVMG2: ami-06223d46a6d0661c7 ap-northeast-1: HVM64: ami-06cd52961ce9f0d85 HVMG2: ami-053cdd503598e4a9d ap-southeast-1: HVM64: ami-08569b978cc4dfa10 HVMG2: ami-0be9df32ae9f92309 ap-southeast-2: HVM64: ami-09b42976632b27e9b HVMG2: ami-0a9ce9fecc3d1daf8 sa-east-1: HVM64: ami-07b14488da8ea02a0 HVMG2: NOT_SUPPORTED cn-north-1: HVM64: ami-0a4eaf6c4454eda75 HVMG2: NOT_SUPPORTED Resources: SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP traffic to the host VpcId: Ref: ExistingVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 AllSecurityGroups: Type: Custom::Split Properties: ServiceToken: !GetAtt AppendItemToListFunction.Arn List: Ref: ExistingSecurityGroups AppendedItem: Ref: SecurityGroup AppendItemToListFunction: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: !GetAtt LambdaExecutionRole.Arn Code: ZipFile: !Sub | var response = require('cfn-response'); exports.handler = function(event, context) { var responseData = {Value: event.ResourceProperties.List}; responseData.Value.push(event.ResourceProperties.AppendedItem); response.send(event, context, response.SUCCESS, responseData); }; Runtime: nodejs8.10 MyEC2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - AWSRegionArch2AMI - Ref: AWS::Region - Fn::FindInMap: - AWSInstanceType2Arch - Ref: InstanceType - Arch SecurityGroupIds: !GetAtt AllSecurityGroups.Value InstanceType: Ref: InstanceType LambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: "/" Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:* Resource: arn:aws:logs:*:*:* Outputs: AllSecurityGroups: Description: Security Groups that are associated with the EC2 instance Value: Fn::Join: - ", " - Fn::GetAtt: - AllSecurityGroups - Value