本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS Lambda 範本
下列範本使用 AWS Lambda (Lambda) 函數和自訂資源,將新的安全群組附加至現有安全群組清單。當您想動態建置安全群組清單,使該清單能夠同時包含全新與現有的安全群組時,此函數相當實用。例如,您可以將現有安全群組的清單作為參數值傳遞,將新值附加至清單,然後將所有值與EC2執行個體相關聯。如需 Lambda 函數資源類型的詳細資訊,請參閱AWS::Lambda::Function。
在此範例中, CloudFormation 建立AllSecurityGroups自訂資源時,會 CloudFormation 叫用 AppendItemToListFunction Lambda 函數。 CloudFormation 會將現有安全性群組和新安全性群組 (NewSecurityGroup) 的清單傳遞至函數,此函式會將新的安全性群組附加至清單,然後傳回修改的清單。 CloudFormation 使用修改後的清單將所有安全群組與MyEC2Instance資源相關聯。
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "ExistingSecurityGroups": { "Type": "List<AWS::EC2::SecurityGroup::Id>" }, "ExistingVPC": { "Type": "AWS::EC2::VPC::Id", "Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter." }, "InstanceType": { "Type": "String", "Default": "t2.micro", "AllowedValues": [ "t2.micro", "m1.small" ] } }, "Mappings": { "AWSInstanceType2Arch": { "t2.micro": { "Arch": "HVM64" }, "m1.small": { "Arch": "HVM64" } }, "AWSRegionArch2AMI": { "us-east-1": { "HVM64": "ami-0ff8a91507f77f867", "HVMG2": "ami-0a584ac55a7631c0c" }, "us-west-2": { "HVM64": "ami-a0cfeed8", "HVMG2": "ami-0e09505bc235aa82d" }, "us-west-1": { "HVM64": "ami-0bdb828fd58c52235", "HVMG2": "ami-066ee5fd4a9ef77f1" }, "eu-west-1": { "HVM64": "ami-047bb4163c506cd98", "HVMG2": "ami-0a7c483d527806435" }, "eu-central-1": { "HVM64": "ami-0233214e13e500f77", "HVMG2": "ami-06223d46a6d0661c7" }, "ap-northeast-1": { "HVM64": "ami-06cd52961ce9f0d85", "HVMG2": "ami-053cdd503598e4a9d" }, "ap-southeast-1": { "HVM64": "ami-08569b978cc4dfa10", "HVMG2": "ami-0be9df32ae9f92309" }, "ap-southeast-2": { "HVM64": "ami-09b42976632b27e9b", "HVMG2": "ami-0a9ce9fecc3d1daf8" }, "sa-east-1": { "HVM64": "ami-07b14488da8ea02a0", "HVMG2": "NOT_SUPPORTED" }, "cn-north-1": { "HVM64": "ami-0a4eaf6c4454eda75", "HVMG2": "NOT_SUPPORTED" } } }, "Resources": { "SecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow HTTP traffic to the host", "VpcId": { "Ref": "ExistingVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ], "SecurityGroupEgress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ] } }, "AllSecurityGroups": { "Type": "Custom::Split", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "AppendItemToListFunction", "Arn" ] }, "List": { "Ref": "ExistingSecurityGroups" }, "AppendedItem": { "Ref": "SecurityGroup" } } }, "AppendItemToListFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "LambdaExecutionRole", "Arn" ] }, "Code": { "ZipFile": { "Fn::Join": [ "", [ "var response = require('cfn-response');", "exports.handler = function(event, context) {", " var responseData = {Value: event.ResourceProperties.List};", " responseData.Value.push(event.ResourceProperties.AppendedItem);", " response.send(event, context, response.SUCCESS, responseData);", "};" ] ] } }, "Runtime": "nodejs20.x" } }, "MyEC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, { "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ] } ] }, "SecurityGroupIds": { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] }, "InstanceType": { "Ref": "InstanceType" } } }, "LambdaExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/", "Policies": [ { "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:*" ], "Resource": "arn:aws:logs:*:*:*" } ] } } ] } } }, "Outputs": { "AllSecurityGroups": { "Description": "Security Groups that are associated with the EC2 instance", "Value": { "Fn::Join": [ ", ", { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] } ] } } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Parameters: ExistingSecurityGroups: Type: List<AWS::EC2::SecurityGroup::Id> ExistingVPC: Type: AWS::EC2::VPC::Id Description: The VPC ID that includes the security groups in the ExistingSecurityGroups parameter. InstanceType: Type: String Default: t2.micro AllowedValues: - t2.micro - m1.small Mappings: AWSInstanceType2Arch: t2.micro: Arch: HVM64 m1.small: Arch: HVM64 AWSRegionArch2AMI: us-east-1: HVM64: ami-0ff8a91507f77f867 HVMG2: ami-0a584ac55a7631c0c us-west-2: HVM64: ami-a0cfeed8 HVMG2: ami-0e09505bc235aa82d us-west-1: HVM64: ami-0bdb828fd58c52235 HVMG2: ami-066ee5fd4a9ef77f1 eu-west-1: HVM64: ami-047bb4163c506cd98 HVMG2: ami-0a7c483d527806435 eu-central-1: HVM64: ami-0233214e13e500f77 HVMG2: ami-06223d46a6d0661c7 ap-northeast-1: HVM64: ami-06cd52961ce9f0d85 HVMG2: ami-053cdd503598e4a9d ap-southeast-1: HVM64: ami-08569b978cc4dfa10 HVMG2: ami-0be9df32ae9f92309 ap-southeast-2: HVM64: ami-09b42976632b27e9b HVMG2: ami-0a9ce9fecc3d1daf8 sa-east-1: HVM64: ami-07b14488da8ea02a0 HVMG2: NOT_SUPPORTED cn-north-1: HVM64: ami-0a4eaf6c4454eda75 HVMG2: NOT_SUPPORTED Resources: SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP traffic to the host VpcId: !Ref ExistingVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 AllSecurityGroups: Type: Custom::Split Properties: ServiceToken: !GetAtt AppendItemToListFunction.Arn List: !Ref ExistingSecurityGroups AppendedItem: !Ref SecurityGroup AppendItemToListFunction: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: !GetAtt LambdaExecutionRole.Arn Code: ZipFile: !Join - '' - - var response = require('cfn-response'); - exports.handler = function(event, context) { - ' var responseData = {Value: event.ResourceProperties.List};' - ' responseData.Value.push(event.ResourceProperties.AppendedItem);' - ' response.send(event, context, response.SUCCESS, responseData);' - '};' Runtime: nodejs20.x MyEC2Instance: Type: AWS::EC2::Instance Properties: ImageId: !FindInMap - AWSRegionArch2AMI - !Ref AWS::Region - !FindInMap - AWSInstanceType2Arch - !Ref InstanceType - Arch SecurityGroupIds: !GetAtt AllSecurityGroups.Value InstanceType: !Ref InstanceType LambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:* Resource: arn:aws:logs:*:*:* Outputs: AllSecurityGroups: Description: Security Groups that are associated with the EC2 instance Value: !Join - ', ' - !GetAtt AllSecurityGroups.Value
