AWS CloudFormation error: SecurityGroup "typeNameList" member must satisfy constraint

Question  Votes: 0  Answers: 1

CloudFormation AWS security issue

I am using AWS CloudFormation YAML to create a resource stack with EC2, an RDS database and so on. I have a specific problem with a member constraint that refers to a security group.

Member must satisfy constraint: Member must have length less than or equal to 204, Member must have length greater than or equal to 10. Is this error specifically asking me to fix a member constraint? I have looked carefully and cannot find what I have done wrong.

Template error

Member must satisfy constraint: Member must have length less than or equal to 204, Member must have length greater than or equal to 10

The CloudFormation stack error refers to the SecurityGroup at "typeNameList", but I am not sure where this "typeNameList" error is located in my script.

CloudFormation script error message

1 validation error detected: Value '[AWS::EC2::RouteTable, 
AWS::S3::BucketPolicy, AWS::ElasticLoadBalancingV2::Listener,
 AWS::EC2::InternetGateway, AWS::ElasticLoadBalancingV2::TargetGroup,
 AWS::EC2::Subnet, AWS::EC2::SecurityGroup::Id, AWS::RDS::DBInstance,
 AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::EC2::VPC,
 AWS::EC2::SubnetRouteTableAssociation,
 AWS::EC2::VPCGatewayAttachment, AWS::EC2::Route, AWS::S3::Bucket,
 AWS::EC2::Instance, AWS::EC2::SecurityGroup]' at 'typeNameList'
 failed to satisfy constraint: Member must satisfy constraint: [Member
 must have length less than or equal to 204, Member must have length
 greater than or equal to 10, Member must satisfy regular expression
 pattern: [A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}
(::MODULE){0,1}]

CloudFormation script code

AWSTemplateFormatVersion: 2010-09-09

Parameters:

  DBInstance:
    Default: DBInstance
    Description: My database instance
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'

  DBName:
    Default: mydb
    Description: My database
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'

  DBInstanceClass:
    Default: db.m5.large
    Description: DB instance class
    Type: String

  DBAllocatedStorage:
    Default: '50'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '20'
    MaxValue: '65536'

  DBUsername:
    Type: String
    Description: Master username for the RDS instance
    Default: admin

  DBPassword:
    Type: String
    NoEcho: true
    # No Default: a master password hard-coded in the template ends up in version control
    # and in the stored stack template, so supply it at deploy time instead.
    Description: Master password for the RDS instance
    MinLength: '8'

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
      - Key: Name
        Value: VPC

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
      - Key: Name
        Value: VPC Internet Gateway

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      # The load balancer (and a DB subnet group) need subnets in two different Availability
      # Zones; without an explicit AvailabilityZone all four subnets could land in the same one.
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 1

  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private Subnet 1

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.3.0/24
      AvailabilityZone: !Select [1, !GetAZs '']
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 2

  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.4.0/24
      AvailabilityZone: !Select [1, !GetAZs '']
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Private Subnet 2

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public Route Table

  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetRouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable

  PublicSubnetRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Name
        Value: Private Route Table

  PrivateSubnetRouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateRouteTable

  PrivateSubnetRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable

  EC2Instance1:
    Type: AWS::EC2::Instance
    Properties:
      # ImageId is a required property; this dynamic reference resolves the current
      # Amazon Linux 2 AMI from AWS's public SSM parameter instead of hard-coding an AMI ID.
      ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
      SubnetId: !Ref PublicSubnet1
      KeyName: EC2Instance1
      UserData: 
        Fn::Base64: !Sub |
          #!/bin/bash
          yum update -y
          yum install -y httpd
          systemctl start httpd
          systemctl enable httpd
          #echo "<h1>Hello from Region us-east-2b</h1>" > /var/www/html/index.html

  ELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: ELB Security Group
      # The listener below serves HTTP on port 80, so the load balancer must accept that port;
      # allowing only port 22 from 10.0.0.0/24 would leave the ALB unreachable from the internet.
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0

  SSHSecurityGroup:
    # AWS::EC2::SecurityGroup::Id is a parameter type, not a resource type, and it is the one
    # entry in the typeNameList above that does not match the pattern
    # [A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}(::MODULE){0,1}
    Type: AWS::EC2::SecurityGroup::Id
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Security group egress
      SecurityGroupEgress:
        - CidrIp: 127.0.0.1/32
          IpProtocol: "-1"

  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # VpcId is what places the group in the VPC above. DependsOn is a resource-level
      # attribute, not a property, and is unnecessary here because !Ref VPC already orders creation.
      VpcId: !Ref VPC
      GroupDescription: EC2 Security Group
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        SourceSecurityGroupId:
          Fn::GetAtt:
          - ELBSecurityGroup
          - GroupId
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        # SSH open to the whole internet; restrict this to a known administrative CIDR before deploying.
        CidrIp: 0.0.0.0/0

  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # Bucket names must be lowercase and globally unique, so 'myBucketV5' would be rejected.
      BucketName: !Sub 'mybucketv5-${AWS::AccountId}'

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      # SecurityGroupIds and KeyName are EC2 instance properties and are not valid on a bucket policy.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # s3:* grants every object action to this user; narrow it to the actions actually needed.
            Action: 's3:*'
            Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/@matthew'

  EC2TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      # VpcId is required for a target group with instance targets.
      VpcId: !Ref VPC
      HealthCheckIntervalSeconds: 30
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 15
      HealthyThresholdCount: 5
      Matcher:
        HttpCode: '200'
      Name: EC2TargetGroup
      Port: 80
      Protocol: HTTP
      TargetGroupAttributes:
      - Key: deregistration_delay.timeout_seconds
        Value: '20'
      Targets:
      - Id: !Ref EC2Instance1
        Port: 80
      UnhealthyThresholdCount: 3

  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref EC2TargetGroup
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP

  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets:
      - !Ref PublicSubnet1
      - !Ref PublicSubnet2
      SecurityGroups:
        - !GetAtt ELBSecurityGroup.GroupId

  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for the RDS instance
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2

  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Allow MySQL only from the EC2 security group
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3306
        ToPort: 3306
        SourceSecurityGroupId: !GetAtt EC2SecurityGroup.GroupId

  MyRDS:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBInstanceIdentifier: !Ref DBInstance
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBInstanceClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: mysql
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      # A DB subnet group places the instance in the VPC above. The security group property
      # on a DB instance is VPCSecurityGroupIds; SecurityGroupIds and KeyName belong to EC2 instances.
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroupIds:
        - !GetAtt DBSecurityGroup.GroupId

Outputs:
  EC2InstanceId:
    Description: InstanceId of EC2 instance
    Value: !Ref EC2Instance1

  S3BucketName:
    Description: S3 bucket
    Value: !Ref S3Bucket

  DBInstanceId:
    Description: DBInstanceIdentifier of RDS instance
    # Ref the resource, not the DBInstance parameter, so the output reflects what was created.
    Value: !Ref MyRDS
Tags: amazon-web-services, aws-cloudformation, aws-security-group

1 answer

0 votes

Based on the regex in the error, the problem is with the type names (e.g. lines such as Type: AWS::EC2::VPC). If you search for lines starting with Type: 'AWS and remove the single quotes (') at the start and end of the type, that should fix it.
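An added check, not part of the question or the answer above, that applies the exact constraint quoted in the error message (the pattern plus the 10..204 length range) to every resource Type in a template and reports the logical ids whose type name fails it. It assumes the two-space indentation used in the question's template; the sample template is constructed, and quotes around a Type value are stripped first because YAML reads a quoted and an unquoted type as the same string.

```python
import re

# The constraint quoted in the error message above: pattern plus a 10..204 length range.
TYPE_NAME_PATTERN = re.compile(
    r"[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}::[A-Za-z0-9]{2,64}(::MODULE){0,1}")
MIN_LEN, MAX_LEN = 10, 204
# Line shapes assumed from the question's template: top-level keys unindented,
# logical ids at two spaces, the resource Type at four spaces.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z]+):\s*$")
LOGICAL_ID = re.compile(r"^  ([A-Za-z0-9]+):\s*$")
TYPE_LINE = re.compile(r"^    Type:\s*(.+?)\s*$")

def type_name_violation(name):
    """Return None when a resource type name satisfies the constraint, else the reason."""
    if len(name) < MIN_LEN:
        return "shorter than 10"
    if len(name) > MAX_LEN:
        return "longer than 204"
    if not TYPE_NAME_PATTERN.fullmatch(name):
        return "does not match Vendor::Service::Resource(::MODULE)"
    return None

def find_invalid_type_names(template_text):
    """Walk the Resources section; return (logical id, type name, reason) for each bad Type."""
    section, logical_id, problems = None, None, []
    for line in template_text.splitlines():
        if m := TOP_LEVEL_KEY.match(line):
            section = m.group(1)   # Parameters also carry Type: lines; only Resources count
        elif section == "Resources" and (m := LOGICAL_ID.match(line)):
            logical_id = m.group(1)
        elif section == "Resources" and (m := TYPE_LINE.match(line)):
            # YAML reads 'AWS::S3::Bucket' and AWS::S3::Bucket as the same string,
            # so strip the quotes and check the name itself.
            type_name = m.group(1).strip("'\"")
            if reason := type_name_violation(type_name):
                problems.append((logical_id, type_name, reason))
    return problems

# Constructed excerpt: a quoted resource type, and a parameter type used where a resource type belongs.
SAMPLE_TEMPLATE = """\
Parameters:
  DBName:
    Type: String
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
  SSHSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
"""
```

Running find_invalid_type_names(SAMPLE_TEMPLATE) reports only SSHSecurityGroup; the quoted S3Bucket type passes.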
