Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
# CloudFormation frammenti di modello
Questa sezione fornisce una serie di scenari di esempio che ti aiutano a capire come dichiarare varie parti del modello CloudFormation . Puoi anche utilizzare i frammenti come punto di partenza per le sezioni dei tuoi modelli personalizzati.
**Topics**
+ [Frammenti di modello generale](quickref-general.md)
+ [frammenti di CloudFormation modello con ridimensionamento automatico](quickref-autoscaling.md)
+ [AWS Frammenti di modello della Billing Console](quickref-billingconductor.md)
+ [CloudFormation frammenti di modello](quickref-cloudformation.md)
+ [Frammenti CloudFront di modello Amazon](quickref-cloudfront.md)
+ [Frammenti CloudWatch di modello Amazon](quickref-cloudwatch.md)
+ [Frammenti di modello Amazon CloudWatch Logs](quickref-cloudwatchlogs.md)
+ [Frammenti di modello Amazon DynamoDB](quickref-dynamodb.md)
+ [Frammenti EC2 CloudFormation di modello Amazon](quickref-ec2.md)
+ [Modelli di esempio di Amazon Elastic Container Service](quickref-ecs.md)
+ [Modello di esempio Amazon Elastic File System](quickref-efs.md)
+ [Frammenti di modello Elastic Beanstalk](quickref-elasticbeanstalk.md)
+ [Frammenti di modello Elastic Load Balancing](quickref-elb.md)
+ [AWS Identity and Access Management frammenti di modello](quickref-iam.md)
+ [AWS Lambda modello](quickref-lambda.md)
+ [Frammenti di modello Amazon Redshift](quickref-redshift.md)
+ [Frammenti di modello Amazon RDS](quickref-rds.md)
+ [Frammenti di modello Route 53](quickref-route53.md)
+ [Frammenti di modello Amazon S3](quickref-s3.md)
+ [Frammenti di modello Amazon SNS](quickref-sns.md)
+ [Frammenti di modello Amazon SQS](scenario-sqs-queue.md)
+ [Frammenti di modello Amazon Timestream](scenario-timestream-queue.md)
# Frammenti di modello generale
Gli esempi seguenti mostrano diverse funzionalità dei CloudFormation modelli che non sono specifiche di un AWS servizio.
**Topics**
+ [Proprietà UserData codificata Base64](#scenario-userdata-base64)
+ [Proprietà UserData codificata Base64 con AccessKey e SecretKey](#scenario-userdata-base64-with-keys)
+ [Sezione Parameters con un parametro di stringa letterale](#scenario-one-string-parameter)
+ [Sezione Parameters con parametro di stringa con vincolo di espressione regolare](#scenario-constraint-string-parameter)
+ [Sezione Parameters con parametri numerici con vincoli MinValue e MaxValue](#scenario-one-number-min-parameter)
+ [Parameterssezione con parametro numerico con AllowedValues vincolo](#scenario-one-number-parameter)
+ [Sezione Parameters con un parametro letterale CommaDelimitedList](#scenario-one-list-parameter)
+ [Sezione Parameters con valore di parametro basato su uno pseudo parametro](#scenario-one-pseudo-parameter)
+ [Sezione Mapping con tre mappature](#scenario-mapping-with-four-maps)
+ [Description basata sulla stringa letterale](#scenario-description-from-literal-string)
+ [Sezione Outputs con un output di stringa letterale](#scenario-output-with-literal-string)
+ [Sezione Outputs con un output di riferimento della risorsa e un output di pseudo riferimento](#scenario-output-with-ref-and-pseudo-ref)
+ [Sezione Outputs con un output basato su una funzione, una stringa letterale, un riferimento e uno pseudo parametro](#scenario-output-with-complex-spec)
+ [Versione del modello](#scenario-format-version)
+ [ProprietàAWS Tags](#scenario-format-aws-tag)
## Proprietà UserData codificata Base64
Questo esempio illustra l’assemblaggio di una proprietà `UserData` utilizzando le funzioni `Fn::Base64` e `Fn::Join`. I riferimenti `MyValue` e `MyName` sono i parametri che devono essere definiti nella sezione `Parameters` del modello. La stringa letterale `Hello World` è solo un altro valore che questo esempio trasferisce come parte di `UserData`.
### JSON
```
1. "UserData" : {
2. "Fn::Base64" : {
3. "Fn::Join" : [ ",", [
4. { "Ref" : "MyValue" },
5. { "Ref" : "MyName" },
6. "Hello World" ] ]
7. }
8. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. Ref: MyValue
4. Ref: MyName
5. Hello World
```
## Proprietà UserData codificata Base64 con AccessKey e SecretKey
Questo esempio illustra l’assemblaggio di una proprietà `UserData` utilizzando le funzioni `Fn::Base64` e `Fn::Join`. Include le informazioni `AccessKey` e `SecretKey`. I riferimenti `AccessKey` e `SecretKey` sono i parametri che devono essere definiti nella sezione Parametri del modello.
### JSON
```
1. "UserData" : {
2. "Fn::Base64" : {
3. "Fn::Join" : [ "", [
4. "ACCESS_KEY=", { "Ref" : "AccessKey" },
5. "SECRET_KEY=", { "Ref" : "SecretKey" } ]
6. ]
7. }
8. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. ACCESS_KEY=${AccessKey}
4. SECRET_KEY=${SecretKey}
```
## Sezione Parameters con un parametro di stringa letterale
Il seguente esempio illustra una dichiarazione della sezione parametri valida in cui viene dichiarato un singolo tipo di parametro `String`.
### JSON
```
1. "Parameters" : {
2. "UserName" : {
3. "Type" : "String",
4. "Default" : "nonadmin",
5. "Description" : "Assume a vanilla user if no command-line spec provided"
6. }
7. }
```
### YAML
```
1. Parameters:
2. UserName:
3. Type: String
4. Default: nonadmin
5. Description: Assume a vanilla user if no command-line spec provided
```
## Sezione Parameters con parametro di stringa con vincolo di espressione regolare
Il seguente esempio illustra una dichiarazione della sezione parametri valida in cui viene dichiarato un singolo tipo di parametro `String`. Il parametro `AdminUserAccount` ha un valore predefinito di `admin`. Il valore di parametro deve avere una lunghezza minima di 1 e una massima di 16 e contiene caratteri alfabetici e numeri, ma deve iniziare con un carattere alfabetico.
### JSON
```
1. "Parameters" : {
2. "AdminUserAccount": {
3. "Default": "admin",
4. "NoEcho": "true",
5. "Description" : "The admin account user name",
6. "Type": "String",
7. "MinLength": "1",
8. "MaxLength": "16",
9. "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*"
10. }
11. }
```
### YAML
```
1. Parameters:
2. AdminUserAccount:
3. Default: admin
4. NoEcho: true
5. Description: The admin account user name
6. Type: String
7. MinLength: 1
8. MaxLength: 16
9. AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
```
## Sezione Parameters con parametri numerici con vincoli MinValue e MaxValue
Il seguente esempio illustra una dichiarazione della sezione parametri valida in cui viene dichiarato un singolo tipo di parametro `Number`. Il parametro `WebServerPort` ha un valore predefinito di 80 e un valore minimo di 1 e un valore massimo di 65535.
### JSON
```
1. "Parameters" : {
2. "WebServerPort": {
3. "Default": "80",
4. "Description" : "TCP/IP port for the web server",
5. "Type": "Number",
6. "MinValue": "1",
7. "MaxValue": "65535"
8. }
9. }
```
### YAML
```
1. Parameters:
2. WebServerPort:
3. Default: 80
4. Description: TCP/IP port for the web server
5. Type: Number
6. MinValue: 1
7. MaxValue: 65535
```
## Parameterssezione con parametro numerico con AllowedValues vincolo
Il seguente esempio illustra una dichiarazione della sezione parametri valida in cui viene dichiarato un singolo tipo di parametro `Number`. Il parametro `WebServerPort` ha un valore predefinito di 80 e consente soltanto i valori di 80 e 8888.
### JSON
```
1. "Parameters" : {
2. "WebServerPortLimited": {
3. "Default": "80",
4. "Description" : "TCP/IP port for the web server",
5. "Type": "Number",
6. "AllowedValues" : ["80", "8888"]
7. }
8. }
```
### YAML
```
1. Parameters:
2. WebServerPortLimited:
3. Default: 80
4. Description: TCP/IP port for the web server
5. Type: Number
6. AllowedValues:
7. - 80
8. - 8888
```
## Sezione Parameters con un parametro letterale CommaDelimitedList
Il seguente esempio illustra una dichiarazione della sezione `Parameters` valida in cui viene dichiarato un singolo tipo di parametro `CommaDelimitedList`. La proprietà `NoEcho` è impostata su `TRUE`, che maschererà il suo valore con asterischi (\$1\$1\$1\$1\$1) nell’output **describe-stacks**, ad eccezione delle informazioni memorizzate nelle posizioni specificate di seguito.
**Importante**
L’utilizzo dell’attributo `NoEcho` non maschera le informazioni memorizzate nei seguenti elementi:
La sezione dei `Metadata` modelli. CloudFormation non trasforma, modifica o oscura le informazioni incluse nella `Metadata` sezione. Per ulteriori informazioni, vedere [Metadati](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html).
Sezione dei modelli `Outputs`. Per ulteriori informazioni, consulta [Output](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html).
Attributo `Metadata` di una definizione di risorsa. Per ulteriori informazioni, consulta [Attributo `Metadata`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html).
Si consiglia vivamente di non utilizzare questi meccanismi per includere informazioni sensibili, come password o segreti.
**Importante**
Anziché incorporare informazioni riservate direttamente nei CloudFormation modelli, consigliamo di utilizzare parametri dinamici nel modello di pila per fare riferimento a informazioni sensibili archiviate e gestite all'esterno CloudFormation, ad esempio nel AWS Systems Manager Parameter Store o. Gestione dei segreti AWS
Per ulteriori informazioni, consulta la best practice [Non incorporare le credenziali nei modelli](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds).
### JSON
```
1. "Parameters" : {
2. "UserRoles" : {
3. "Type" : "CommaDelimitedList",
4. "Default" : "guest,newhire",
5. "NoEcho" : "TRUE"
6. }
7. }
```
### YAML
```
1. Parameters:
2. UserRoles:
3. Type: CommaDelimitedList
4. Default: "guest,newhire"
5. NoEcho: true
```
## Sezione Parameters con valore di parametro basato su uno pseudo parametro
L’esempio seguente mostra i comandi dei dati utente EC2 che utilizzano gli pseudo parametri `AWS::StackName` e `AWS::Region`. Per ulteriori informazioni sugli pseudoparametri, consulta [Ottieni AWS valori usando pseudo parametri](pseudo-parameter-reference.md).
### JSON
```
1. "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
2. "#!/bin/bash -xe\n",
3. "yum install -y aws-cfn-bootstrap\n",
4.
5. "/opt/aws/bin/cfn-init -v ",
6. " --stack ", { "Ref" : "AWS::StackName" },
7. " --resource LaunchConfig ",
8. " --region ", { "Ref" : "AWS::Region" }, "\n",
9.
10. "/opt/aws/bin/cfn-signal -e $? ",
11. " --stack ", { "Ref" : "AWS::StackName" },
12. " --resource WebServerGroup ",
13. " --region ", { "Ref" : "AWS::Region" }, "\n"
14. ]]}}
15. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. #!/bin/bash -xe
4. yum update -y aws-cfn-bootstrap
5. /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --region ${AWS::Region}
6. /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}
```
## Sezione Mapping con tre mappature
L’esempio seguente mostra una dichiarazione di sezione di `Mapping` valida che contiene tre mappature. La mappa, quando abbinata a una chiave di mappatura `Stop`, `SlowDown` oppure `Go`, fornisce i valori RGB assegnati all’attributo corrispondente `RGBColor`.
### JSON
```
1. "Mappings" : {
2. "LightColor" : {
3. "Stop" : {
4. "Description" : "red",
5. "RGBColor" : "RED 255 GREEN 0 BLUE 0"
6. },
7. "SlowDown" : {
8. "Description" : "yellow",
9. "RGBColor" : "RED 255 GREEN 255 BLUE 0"
10. },
11. "Go" : {
12. "Description" : "green",
13. "RGBColor" : "RED 0 GREEN 128 BLUE 0"
14. }
15. }
16. }
```
### YAML
```
1. Mappings:
2. LightColor:
3. Stop:
4. Description: red
5. RGBColor: "RED 255 GREEN 0 BLUE 0"
6. SlowDown:
7. Description: yellow
8. RGBColor: "RED 255 GREEN 255 BLUE 0"
9. Go:
10. Description: green
11. RGBColor: "RED 0 GREEN 128 BLUE 0"
```
## Description basata sulla stringa letterale
L’esempio seguente mostra una dichiarazione della sezione `Description` valida in cui il valore si basa su una stringa letterale. Questo frammento può essere per modelli, parametri, risorse, proprietà o output.
### JSON
```
1. "Description" : "Replace this value"
```
### YAML
```
1. Description: "Replace this value"
```
## Sezione Outputs con un output di stringa letterale
Questo esempio illustra un’assegnazione di output basata su una stringa letterale.
### JSON
```
1. "Outputs" : {
2. "MyPhone" : {
3. "Value" : "Please call 555-5555",
4. "Description" : "A random message for aws cloudformation describe-stacks"
5. }
6. }
```
### YAML
```
1. Outputs:
2. MyPhone:
3. Value: Please call 555-5555
4. Description: A random message for aws cloudformation describe-stacks
```
## Sezione Outputs con un output di riferimento della risorsa e un output di pseudo riferimento
Questo esempio illustra una sezione `Outputs` con due assegnazioni di output. Una si basa su una risorsa e l’altra si basa su uno pseudoriferimento.
### JSON
```
1. "Outputs" : {
2. "SNSTopic" : { "Value" : { "Ref" : "MyNotificationTopic" } },
3. "StackName" : { "Value" : { "Ref" : "AWS::StackName" } }
4. }
```
### YAML
```
1. Outputs:
2. SNSTopic:
3. Value: !Ref MyNotificationTopic
4. StackName:
5. Value: !Ref AWS::StackName
```
## Sezione Outputs con un output basato su una funzione, una stringa letterale, un riferimento e uno pseudo parametro
Questo esempio illustra una sezione output con un’assegnazione di output. La funzione Join viene utilizzata per concatenare il valore, utilizzando un segno di percentuale come delimitatore.
### JSON
```
1. "Outputs" : {
2. "MyOutput" : {
3. "Value" : { "Fn::Join" :
4. [ "%", [ "A-string", {"Ref" : "AWS::StackName" } ] ]
5. }
6. }
7. }
```
### YAML
```
1. Outputs:
2. MyOutput:
3. Value: !Join [ %, [ 'A-string', !Ref 'AWS::StackName' ]]
```
## Versione del modello
Il seguente frammento illustra una dichiarazione di sezione della `AWSTemplateFormatVersion` valida.
### JSON
```
1. "AWSTemplateFormatVersion" : "2010-09-09"
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
```
## ProprietàAWS Tags
Questo esempio mostra una AWS `Tags` proprietà. Devi specificare questa proprietà all’interno della sezione proprietà di una risorsa. Quando la risorsa viene creata, verrà contrassegnata con i tag dichiarati.
### JSON
```
1. "Tags" : [
2. {
3. "Key" : "keyname1",
4. "Value" : "value1"
5. },
6. {
7. "Key" : "keyname2",
8. "Value" : "value2"
9. }
10. ]
```
### YAML
```
1. Tags:
2. -
3. Key: "keyname1"
4. Value: "value1"
5. -
6. Key: "keyname2"
7. Value: "value2"
```
# frammenti di CloudFormation modello con ridimensionamento automatico
Con Amazon EC2 Auto Scaling, puoi scalare automaticamente EC2 le istanze Amazon, con politiche di scalabilità o con scalabilità programmata. I gruppi Auto Scaling sono raccolte di EC2 istanze Amazon che abilitano funzionalità di scalabilità automatica e gestione del parco veicoli, come politiche di scalabilità, azioni pianificate, controlli dello stato, ganci del ciclo di vita e bilanciamento del carico.
Application Auto Scaling fornisce il ridimensionamento automatico di diverse risorse oltre Amazon EC2, con politiche di scalabilità o con scalabilità programmata.
Puoi creare e configurare gruppi di Auto Scaling, policy di scaling, azioni pianificate e altre risorse di auto scaling come parte della tua infrastruttura utilizzando modelli. CloudFormation I modelli semplificano la gestione e l’automazione dell’implementazione delle risorse di dimensionamento automatico in modo ripetibile e ottimizzato.
I seguenti frammenti di modello di esempio descrivono CloudFormation risorse o componenti per Amazon Auto EC2 Scaling e Application Auto Scaling. Questi frammenti sono progettati per essere integrati in un modello e non sono destinati a essere eseguiti in modo indipendente.
**Topics**
+ [Configurazione delle risorse Amazon EC2 Auto Scaling](quickref-ec2-auto-scaling.md)
+ [Configurazione di risorse Application Auto Scaling](quickref-application-auto-scaling.md)
# Configura le risorse di Amazon EC2 Auto Scaling con CloudFormation
Negli esempi seguenti vengono illustrati frammenti diversi da includere nei modelli da utilizzare con Amazon EC2 Auto Scaling.
**Topics**
+ [Creazione di un gruppo Auto Scaling con una singola istanza](#scenario-single-instance-as-group)
+ [Creazione di un gruppo Auto Scaling con un bilanciatore del carico allegato](#scenario-as-group)
+ [Creazione di un gruppo Auto Scaling con notifiche](#scenario-as-notification)
+ [Creazione di un gruppo Auto Scaling usando una `CreationPolicy` e una `UpdatePolicy`](#scenario-as-updatepolicy)
+ [Creazione di una policy di dimensionamento per fasi](#scenario-step-scaling-policy)
+ [Esempi di gruppi di istanze miste](#scenario-mixed-instances-group-template-examples)
+ [Esempi di configurazione di avvio](#scenario-launch-config-template-examples)
## Creazione di un gruppo Auto Scaling con una singola istanza
Questo esempio mostra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) con una singola istanza per aiutarti a iniziare. La proprietà `VPCZoneIdentifier` del gruppo Auto Scaling specifica un elenco di sottoreti esistenti in diverse zone di disponibilità. Devi specificare la sottorete applicabile IDs dal tuo account prima di creare lo stack. La proprietà `LaunchTemplate` fa riferimento a una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) con il nome logico `myLaunchTemplate` definito altrove nel modello.
**Nota**
Per altri esempi di modelli di avvio, consulta [Crea modelli di lancio con CloudFormation](quickref-ec2-launch-templates.md) nella sezione relativa ai frammenti Amazon EC2 e la sezione [Esempi](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples) nella risorsa `AWS::EC2::LaunchTemplate`.
### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
5. "LaunchTemplate" : {
6. "LaunchTemplateId" : {
7. "Ref" : "myLaunchTemplate"
8. },
9. "Version" : {
10. "Fn::GetAtt" : [
11. "myLaunchTemplate",
12. "LatestVersionNumber"
13. ]
14. }
15. },
16. "MaxSize" : "1",
17. "MinSize" : "1"
18. }
19. }
```
### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - subnetIdAz1
6. - subnetIdAz2
7. - subnetIdAz3
8. LaunchTemplate:
9. LaunchTemplateId: !Ref myLaunchTemplate
10. Version: !GetAtt myLaunchTemplate.LatestVersionNumber
11. MaxSize: '1'
12. MinSize: '1'
```
## Creazione di un gruppo Auto Scaling con un bilanciatore del carico allegato
Questo esempio mostra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) per il bilanciamento del carico su più server. Specifica i nomi logici delle AWS risorse dichiarate altrove nello stesso modello.
1. La proprietà `VPCZoneIdentifier` specifica i nomi logici di due risorse [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) in cui verranno create le istanze EC2 del gruppo Auto Scaling: `myPublicSubnet1` e `myPublicSubnet2`.
1. La proprietà `LaunchTemplate` specifica una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) con il nome logico `myLaunchTemplate`.
1. La proprietà `TargetGroupARNs` elenca i gruppi di destinazione per Application Load Balancer o Network Load Balancer utilizzati per instradare il traffico al gruppo Auto Scaling. In questo esempio viene specificato un gruppo di destinazione, una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) con il nome logico `myTargetGroup`.
### JSON
```
1. "myServerGroup" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ { "Ref" : "myPublicSubnet1" }, { "Ref" : "myPublicSubnet2" } ],
5. "LaunchTemplate" : {
6. "LaunchTemplateId" : {
7. "Ref" : "myLaunchTemplate"
8. },
9. "Version" : {
10. "Fn::GetAtt" : [
11. "myLaunchTemplate",
12. "LatestVersionNumber"
13. ]
14. }
15. },
16. "MaxSize" : "5",
17. "MinSize" : "1",
18. "TargetGroupARNs" : [ { "Ref" : "myTargetGroup" } ]
19. }
20. }
```
### YAML
```
1. myServerGroup:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - !Ref myPublicSubnet1
6. - !Ref myPublicSubnet2
7. LaunchTemplate:
8. LaunchTemplateId: !Ref myLaunchTemplate
9. Version: !GetAtt myLaunchTemplate.LatestVersionNumber
10. MaxSize: '5'
11. MinSize: '1'
12. TargetGroupARNs:
13. - !Ref myTargetGroup
```
### Consulta anche
Per un esempio dettagliato nel quale viene creato un gruppo Auto Scaling con una policy di dimensionamento di tracciamento della destinazione basato sul parametro predefinito `ALBRequestCountPerTarget` per Application Load Balancer, consulta la sezione [Esempi](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples) nella risorsa `AWS::AutoScaling::ScalingPolicy`.
## Creazione di un gruppo Auto Scaling con notifiche
Questo esempio illustra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) che invia notifiche Amazon SNS quando hanno luogo gli eventi specificati. La `NotificationConfigurations` proprietà specifica l'argomento SNS a cui CloudFormation invia una notifica e gli eventi che CloudFormation provocheranno l'invio delle notifiche. Quando si `NotificationTypes` verificano gli eventi specificati da, CloudFormation invierà una notifica all'argomento SNS specificato da. `TopicARN` Quando avvii lo stack, CloudFormation crea una [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html)risorsa (`snsTopicForAutoScalingGroup`) dichiarata all'interno dello stesso modello.
La proprietà `VPCZoneIdentifier` del gruppo Auto Scaling specifica un elenco di sottoreti esistenti in diverse zone di disponibilità. È necessario specificare la sottorete applicabile IDs dal vostro account prima di creare lo stack. La proprietà `LaunchTemplate` fa riferimento al nome logico di una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) dichiarata altrove nello stesso modello.
### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "DependsOn": [
4. "snsTopicForAutoScalingGroup"
5. ],
6. "Properties" : {
7. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
8. "LaunchTemplate" : {
9. "LaunchTemplateId" : {
10. "Ref" : "logicalName"
11. },
12. "Version" : {
13. "Fn::GetAtt" : [
14. "logicalName",
15. "LatestVersionNumber"
16. ]
17. }
18. },
19. "MaxSize" : "5",
20. "MinSize" : "1",
21. "NotificationConfigurations" : [
22. {
23. "TopicARN" : { "Ref" : "snsTopicForAutoScalingGroup" },
24. "NotificationTypes" : [
25. "autoscaling:EC2_INSTANCE_LAUNCH",
26. "autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
27. "autoscaling:EC2_INSTANCE_TERMINATE",
28. "autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
29. "autoscaling:TEST_NOTIFICATION"
30. ]
31. }
32. ]
33. }
34. }
```
### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. DependsOn:
4. - snsTopicForAutoScalingGroup
5. Properties:
6. VPCZoneIdentifier:
7. - subnetIdAz1
8. - subnetIdAz2
9. - subnetIdAz3
10. LaunchTemplate:
11. LaunchTemplateId: !Ref logicalName
12. Version: !GetAtt logicalName.LatestVersionNumber
13. MaxSize: '5'
14. MinSize: '1'
15. NotificationConfigurations:
16. - TopicARN: !Ref snsTopicForAutoScalingGroup
17. NotificationTypes:
18. - autoscaling:EC2_INSTANCE_LAUNCH
19. - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
20. - autoscaling:EC2_INSTANCE_TERMINATE
21. - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
22. - autoscaling:TEST_NOTIFICATION
```
## Creazione di un gruppo Auto Scaling usando una `CreationPolicy` e una `UpdatePolicy`
L’esempio seguente mostra come aggiungere attributi `CreationPolicy` e `UpdatePolicy` a una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html).
La politica di creazione del campione impedisce al gruppo Auto Scaling di raggiungere `CREATE_COMPLETE` lo stato finché non CloudFormation riceve un `Count` numero di segnali di successo quando il gruppo è pronto. Per segnalare che il gruppo Auto Scaling è pronto, sulle istanze viene eseguito uno script helper `cfn-signal` aggiunto ai dati utente del modello di avvio (non visualizzato). Se le istanze non inviano un segnale entro il limite specificato`Timeout`, CloudFormation presuppone che le istanze non siano state create, la creazione della risorsa fallisce e ripristina lo stack CloudFormation .
La politica di aggiornamento di esempio indica di CloudFormation eseguire un aggiornamento continuo utilizzando la proprietà. `AutoScalingRollingUpdate` L’aggiornamento in sequenza modifica il gruppo Auto Scaling in piccoli batch (per questo esempio, istanza per istanza) in base a `MaxBatchSize` e alla pausa che intercorre tra i batch di aggiornamento in base al `PauseTime`. L'`MinInstancesInService`attributo specifica il numero minimo di istanze che devono essere in servizio all'interno del gruppo Auto Scaling CloudFormation durante l'aggiornamento delle vecchie istanze.
L’attributo `WaitOnResourceSignals` viene impostato su `true`. CloudFormation deve ricevere un segnale da ogni nuova istanza entro il `PauseTime` specificato prima di procedere con l'aggiornamento. Durante l’aggiornamento dello stack, vengono sospesi i seguenti processi di EC2 Auto Scaling: `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification` e `ScheduledActions`. Nota: non sospendere i tipi di processo `Launch`, `Terminate`, o `AddToLoadBalancer` (se il gruppo Auto Scaling viene utilizzato con Elastic Load Balancing) perché in tal modo è possibile impedire il corretto funzionamento dell’aggiornamento in sequenza.
La proprietà `VPCZoneIdentifier` del gruppo Auto Scaling specifica un elenco di sottoreti esistenti in diverse zone di disponibilità. È necessario specificare la sottorete applicabile IDs dal proprio account prima di creare lo stack. La proprietà `LaunchTemplate` fa riferimento al nome logico di una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) dichiarata altrove nello stesso modello.
Per ulteriori informazioni sugli attributi `CreationPolicy` e `UpdatePolicy`, consulta [Riferimento attributo della risorsa](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-product-attribute-reference.html).
### JSON
```
{
"Resources":{
"myASG":{
"CreationPolicy":{
"ResourceSignal":{
"Count":"3",
"Timeout":"PT15M"
}
},
"UpdatePolicy":{
"AutoScalingRollingUpdate":{
"MinInstancesInService":"3",
"MaxBatchSize":"1",
"PauseTime":"PT12M5S",
"WaitOnResourceSignals":"true",
"SuspendProcesses":[
"HealthCheck",
"ReplaceUnhealthy",
"AZRebalance",
"AlarmNotification",
"ScheduledActions",
"InstanceRefresh"
]
}
},
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"VPCZoneIdentifier":[ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
"LaunchTemplate":{
"LaunchTemplateId":{
"Ref":"logicalName"
},
"Version":{
"Fn::GetAtt":[
"logicalName",
"LatestVersionNumber"
]
}
},
"MaxSize":"5",
"MinSize":"3"
}
}
}
}
```
### YAML
```
---
Resources:
myASG:
CreationPolicy:
ResourceSignal:
Count: '3'
Timeout: PT15M
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: '3'
MaxBatchSize: '1'
PauseTime: PT12M5S
WaitOnResourceSignals: true
SuspendProcesses:
- HealthCheck
- ReplaceUnhealthy
- AZRebalance
- AlarmNotification
- ScheduledActions
- InstanceRefresh
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
VPCZoneIdentifier:
- subnetIdAz1
- subnetIdAz2
- subnetIdAz3
LaunchTemplate:
LaunchTemplateId: !Ref logicalName
Version: !GetAtt logicalName.LatestVersionNumber
MaxSize: '5'
MinSize: '3'
```
## Creazione di una policy di dimensionamento per fasi
Questo esempio illustra una [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html) che aumenta orizzontalmente il gruppo Auto Scaling utilizzando una semplice policy di dimensionamento. La proprietà `AdjustmentType` specifica `ChangeInCapacity`, il che significa che `ScalingAdjustment` rappresenta il numero di istanze da aggiungere (se `ScalingAdjustment` è positiva) o eliminare (se è negativa). In questo esempio, `ScalingAdjustment` corrisponde a 1, perciò la policy aumenta il numero di istanze EC2 nel gruppo di 1 quando viene toccata la soglia dell’allarme.
La risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html) `CPUAlarmHigh` specifica la policy di dimensionamento `ASGScalingPolicyHigh` come operazione da eseguire quando l’allarme è in uno stato ALARM (`AlarmActions`). La proprietà `Dimensions` fa riferimento al nome logico di una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) dichiarata altrove nello stesso modello.
### JSON
```
1. {
2. "Resources":{
3. "ASGScalingPolicyHigh":{
4. "Type":"AWS::AutoScaling::ScalingPolicy",
5. "Properties":{
6. "AutoScalingGroupName":{ "Ref":"logicalName" },
7. "PolicyType":"StepScaling",
8. "AdjustmentType":"ChangeInCapacity",
9. "StepAdjustments":[
10. {
11. "MetricIntervalLowerBound":0,
12. "ScalingAdjustment":1
13. }
14. ]
15. }
16. },
17. "CPUAlarmHigh":{
18. "Type":"AWS::CloudWatch::Alarm",
19. "Properties":{
20. "EvaluationPeriods":"2",
21. "Statistic":"Average",
22. "Threshold":"90",
23. "AlarmDescription":"Scale out if CPU > 90% for 2 minutes",
24. "Period":"60",
25. "AlarmActions":[ { "Ref":"ASGScalingPolicyHigh" } ],
26. "Namespace":"AWS/EC2",
27. "Dimensions":[
28. {
29. "Name":"AutoScalingGroupName",
30. "Value":{ "Ref":"logicalName" }
31. }
32. ],
33. "ComparisonOperator":"GreaterThanThreshold",
34. "MetricName":"CPUUtilization"
35. }
36. }
37. }
38. }
```
### YAML
```
1. ---
2. Resources:
3. ASGScalingPolicyHigh:
4. Type: AWS::AutoScaling::ScalingPolicy
5. Properties:
6. AutoScalingGroupName: !Ref logicalName
7. PolicyType: StepScaling
8. AdjustmentType: ChangeInCapacity
9. StepAdjustments:
10. - MetricIntervalLowerBound: 0
11. ScalingAdjustment: 1
12. CPUAlarmHigh:
13. Type: AWS::CloudWatch::Alarm
14. Properties:
15. EvaluationPeriods: 2
16. Statistic: Average
17. Threshold: 90
18. AlarmDescription: 'Scale out if CPU > 90% for 2 minutes'
19. Period: 60
20. AlarmActions:
21. - !Ref ASGScalingPolicyHigh
22. Namespace: AWS/EC2
23. Dimensions:
24. - Name: AutoScalingGroupName
25. Value:
26. !Ref logicalName
27. ComparisonOperator: GreaterThanThreshold
28. MetricName: CPUUtilization
```
### Consulta anche
Per altri modelli di esempio per le policy di dimensionamento, consulta la sezione [Esempi](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples) nella risorsa `AWS::AutoScaling::ScalingPolicy`.
## Esempi di gruppi di istanze miste
### Crea un gruppo Auto Scaling utilizzando la selezione del tipo di istanza basata su attributi
Questo esempio mostra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) che contiene le informazioni per avviare un gruppo di istanze miste utilizzando la selezione del tipo di istanza basata su attributi. Puoi specificare il valore minimo e massimo per la proprietà `VCpuCount` e il valore minimo per la proprietà `MemoryMiB`. Tutti i tipi di istanza utilizzati dal gruppo Auto Scaling devono rispettare agli attributi dell’istanza richiesti.
La proprietà `VPCZoneIdentifier` del gruppo Auto Scaling specifica un elenco di sottoreti esistenti in diverse zone di disponibilità. È necessario specificare la sottorete applicabile IDs dal proprio account prima di creare lo stack. La proprietà `LaunchTemplate` fa riferimento al nome logico di una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) dichiarata altrove nello stesso modello.
#### JSON
```
1. {
2. "Resources":{
3. "myASG":{
4. "Type":"AWS::AutoScaling::AutoScalingGroup",
5. "Properties":{
6. "VPCZoneIdentifier":[
7. "subnetIdAz1",
8. "subnetIdAz2",
9. "subnetIdAz3"
10. ],
11. "MixedInstancesPolicy":{
12. "LaunchTemplate":{
13. "LaunchTemplateSpecification":{
14. "LaunchTemplateId":{
15. "Ref":"logicalName"
16. },
17. "Version":{
18. "Fn::GetAtt":[
19. "logicalName",
20. "LatestVersionNumber"
21. ]
22. }
23. },
24. "Overrides":[
25. {
26. "InstanceRequirements":{
27. "VCpuCount":{
28. "Min":2,
29. "Max":4
30. },
31. "MemoryMiB":{
32. "Min":2048
33. }
34. }
35. }
36. ]
37. }
38. },
39. "MaxSize":"5",
40. "MinSize":"1"
41. }
42. }
43. }
44. }
```
#### YAML
```
1. ---
2. Resources:
3. myASG:
4. Type: AWS::AutoScaling::AutoScalingGroup
5. Properties:
6. VPCZoneIdentifier:
7. - subnetIdAz1
8. - subnetIdAz2
9. - subnetIdAz3
10. MixedInstancesPolicy:
11. LaunchTemplate:
12. LaunchTemplateSpecification:
13. LaunchTemplateId: !Ref logicalName
14. Version: !GetAtt logicalName.LatestVersionNumber
15. Overrides:
16. - InstanceRequirements:
17. VCpuCount:
18. Min: 2
19. Max: 4
20. MemoryMiB:
21. Min: 2048
22. MaxSize: '5'
23. MinSize: '1'
```
## Esempi di configurazione di avvio
### Creazione di una configurazione di avvio
Questo esempio illustra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) per un gruppo Auto Scaling nel quale vengono specificati valori per le proprietà `ImageId`, `InstanceType` e `SecurityGroups`. La proprietà `SecurityGroups` specifica sia il nome logico di una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) definita altrove nel modello, che un gruppo di sicurezza EC2 esistente denominato `myExistingEC2SecurityGroup`.
#### JSON
```
1. "mySimpleConfig" : {
2. "Type" : "AWS::AutoScaling::LaunchConfiguration",
3. "Properties" : {
4. "ImageId" : "ami-02354e95b3example",
5. "InstanceType" : "t3.micro",
6. "SecurityGroups" : [ { "Ref" : "logicalName" }, "myExistingEC2SecurityGroup" ]
7. }
8. }
```
#### YAML
```
1. mySimpleConfig:
2. Type: AWS::AutoScaling::LaunchConfiguration
3. Properties:
4. ImageId: ami-02354e95b3example
5. InstanceType: t3.micro
6. SecurityGroups:
7. - !Ref logicalName
8. - myExistingEC2SecurityGroup
```
### Creazione di un gruppo Auto Scaling utilizzando una configurazione di avvio
Questo esempio mostra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) con una singola istanza. La proprietà `VPCZoneIdentifier` del gruppo Auto Scaling specifica un elenco di sottoreti esistenti in diverse zone di disponibilità. È necessario specificare la sottorete applicabile IDs dal proprio account prima di creare lo stack. La proprietà `LaunchConfigurationName` fa riferimento a una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) con il nome logico `mySimpleConfig` definito nel modello.
#### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
5. "LaunchConfigurationName" : { "Ref" : "mySimpleConfig" },
6. "MaxSize" : "1",
7. "MinSize" : "1"
8. }
9. }
```
#### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - subnetIdAz1
6. - subnetIdAz2
7. - subnetIdAz3
8. LaunchConfigurationName: !Ref mySimpleConfig
9. MaxSize: '1'
10. MinSize: '1'
```
# Configura le risorse di Application Auto Scaling con CloudFormation
Questa sezione fornisce esempi di CloudFormation modelli per le politiche di scalabilità di Application Auto Scaling e le azioni pianificate per diverse risorse. AWS
**Importante**
Quando un frammento di Application Auto Scaling è incluso nel modello, potrebbe essere necessario dichiarare una dipendenza dalla risorsa scalabile specifica creata tramite il modello utilizzando l’attributo `DependsOn`. Questo sovrascrive il parallelismo predefinito e indirizza CloudFormation a operare sulle risorse in un ordine specifico. In caso contrario, la configurazione di ridimensionamento potrebbe essere applicata prima che la risorsa sia stata configurata completamente.
Per ulteriori informazioni, consulta [Attributo DependsOn](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-dependson.html).
**Topics**
+ [Crea una politica di scalabilità per una flotta AppStream](#w2aac11c41c15c19b9)
+ [Creazione di una policy di dimensionamento per un cluster Aurora DB](#w2aac11c41c15c19c11)
+ [Creazione di una policy di dimensionamento per una tabella DynamoDB](#w2aac11c41c15c19c13)
+ [Creazione di una policy di dimensionamento per un servizio Amazon ECS (parametri: CPU e memoria medie)](#w2aac11c41c15c19c15)
+ [Creazione di una policy di dimensionamento per un servizio Amazon ECS (metrica: numero medio di richieste per destinazione)](#w2aac11c41c15c19c17)
+ [Creazione di un’operazione pianificata con una espressione Cron per una funzione Lambda](#w2aac11c41c15c19c19)
+ [Creazione di un’operazione pianificata con una espressione `at` per un parco istanze spot](#w2aac11c41c15c19c21)
## Crea una politica di scalabilità per una flotta AppStream
Questo frammento mostra come creare una policy e applicarla a una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html) utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html). La risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) dichiara una destinazione scalabile a cui viene applicata questa policy. Application Auto Scaling può scalare il numero di istanze del parco istanze a un minimo di un’istanza e un massimo di 20. La policy mantiene l’utilizzo medio della capacità del parco istanze al 75%, con tempi di raffreddamento delle operazioni di dimensionamento di 300 secondi (5 minuti).
Utilizza le funzioni intrinseche `Fn::Join` e `Rev` per costruire la proprietà `ResourceId` con il nome logico della risorsa `AWS::AppStream::Fleet` specificata nello stesso modello. Per ulteriori informazioni, consulta [Riferimento funzione intrinseca](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
### JSON
```
{
"Resources" : {
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 20,
"MinCapacity" : 1,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet" },
"ServiceNamespace" : "appstream",
"ScalableDimension" : "appstream:fleet:DesiredCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"fleet",
{
"Ref" : "logicalName"
}
]
]
}
}
},
"ScalingPolicyAppStreamFleet" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu75" },
"PolicyType" : "TargetTrackingScaling",
"ServiceNamespace" : "appstream",
"ScalableDimension" : "appstream:fleet:DesiredCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"fleet",
{
"Ref" : "logicalName"
}
]
]
},
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 75,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "AppStreamAverageCapacityUtilization"
},
"ScaleInCooldown" : 300,
"ScaleOutCooldown" : 300
}
}
}
}
}
```
### YAML
```
---
Resources:
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 20
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet'
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: !Join
- /
- - fleet
- !Ref logicalName
ScalingPolicyAppStreamFleet:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu75
PolicyType: TargetTrackingScaling
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: !Join
- /
- - fleet
- !Ref logicalName
TargetTrackingScalingPolicyConfiguration:
TargetValue: 75
PredefinedMetricSpecification:
PredefinedMetricType: AppStreamAverageCapacityUtilization
ScaleInCooldown: 300
ScaleOutCooldown: 300
```
## Creazione di una policy di dimensionamento per un cluster Aurora DB
In questo frammento registri una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html). La registrazione [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) indica che il cluster DB deve essere dimensionato dinamicamente per avere da uno a otto repliche Aurora. Puoi inoltre applicare al cluster una policy di scalabilità di rilevamento di destinazione utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html).
In questa configurazione, il parametro predefinito `RDSReaderAverageCPUUtilization` viene utilizzato per regolare un cluster di database Aurora; in base a un utilizzo medio della CPU del 40 per cento in tutte le repliche Aurora; in quel cluster di database Aurora. La configurazione fornisce un tempo di raffreddamento di riduzione di 10 minuti e un tempo di raffreddamento di aumento di 5 minuti.
Questo esempio utilizza la funzione intrinseca `Fn::Sub` per costruire la proprietà `ResourceId` con il nome logico della risorsa `AWS::RDS::DBCluster` specificata nello stesso modello. Per ulteriori informazioni, consulta [Riferimento funzione intrinseca](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
### JSON
```
{
"Resources" : {
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 8,
"MinCapacity" : 1,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster" },
"ServiceNamespace" : "rds",
"ScalableDimension" : "rds:cluster:ReadReplicaCount",
"ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" }
}
},
"ScalingPolicyDBCluster" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu40" },
"PolicyType" : "TargetTrackingScaling",
"ServiceNamespace" : "rds",
"ScalableDimension" : "rds:cluster:ReadReplicaCount",
"ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 40,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "RDSReaderAverageCPUUtilization"
},
"ScaleInCooldown" : 600,
"ScaleOutCooldown" : 300
}
}
}
}
}
```
### YAML
```
---
Resources:
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 8
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster'
ServiceNamespace: rds
ScalableDimension: rds:cluster:ReadReplicaCount
ResourceId: !Sub cluster:${logicalName}
ScalingPolicyDBCluster:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu40
PolicyType: TargetTrackingScaling
ServiceNamespace: rds
ScalableDimension: rds:cluster:ReadReplicaCount
ResourceId: !Sub cluster:${logicalName}
TargetTrackingScalingPolicyConfiguration:
TargetValue: 40
PredefinedMetricSpecification:
PredefinedMetricType: RDSReaderAverageCPUUtilization
ScaleInCooldown: 600
ScaleOutCooldown: 300
```
## Creazione di una policy di dimensionamento per una tabella DynamoDB
Questo frammento mostra come creare una policy con il tipo di policy `TargetTrackingScaling` e applicarla a una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html) utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html). La risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) dichiara una destinazione scalabile a cui viene applicata questa policy, con un minimo di cinque unità di capacità di scrittura e un massimo di 15. La policy di dimensionamento ridimensiona la capacità di throughput di scrittura della tabella per mantenere l’utilizzo target al 50% in base al parametro predefinito `DynamoDBWriteCapacityUtilization`.
Utilizza le funzioni intrinseche `Fn::Join` e `Ref` per costruire la proprietà `ResourceId` con il nome logico della risorsa `AWS::DynamoDB::Table` specificata nello stesso modello. Per ulteriori informazioni, consulta [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
**Nota**
Per ulteriori informazioni su come creare un CloudFormation modello per le risorse DynamoDB, consulta il [post del blog How to use CloudFormation to configure auto scaling for Amazon DynamoDB tables and index on the Database Blog](https://aws.amazon.com/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/). AWS
### JSON
```
{
"Resources" : {
"WriteCapacityScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 15,
"MinCapacity" : 5,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" },
"ServiceNamespace" : "dynamodb",
"ScalableDimension" : "dynamodb:table:WriteCapacityUnits",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"table",
{
"Ref" : "logicalName"
}
]
]
}
}
},
"WriteScalingPolicy" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "WriteScalingPolicy",
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "WriteCapacityScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 50.0,
"ScaleInCooldown" : 60,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
```
### YAML
```
---
Resources:
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'
ServiceNamespace: dynamodb
ScalableDimension: dynamodb:table:WriteCapacityUnits
ResourceId: !Join
- /
- - table
- !Ref logicalName
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
```
## Creazione di una policy di dimensionamento per un servizio Amazon ECS (parametri: CPU e memoria medie)
Questo frammento mostra come creare una policy e applicarla a una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html) utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html). La risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) dichiara una destinazione scalabile a cui viene applicata questa policy. Application Auto Scaling può scalare il numero di attività a un minimo di 1 e un massimo di 6.
Vengono creati due criteri di ridimensionamento con il tipo di criterio `TargetTrackingScaling`. Le policy vengono utilizzate per scalare il servizio ECS in base all’utilizzo medio della CPU e della memoria del servizio. Utilizza le funzioni intrinseche `Fn::Join` e `Ref` per costruire la proprietà `ResourceId` con i nomi logici delle risorse [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html) (`myContainerCluster`) e `AWS::ECS::Service` (`myService`) specificate nello stesso modello. Per ulteriori informazioni, consulta [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
### JSON
```
{
"Resources" : {
"ECSScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : "6",
"MinCapacity" : "1",
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" },
"ServiceNamespace" : "ecs",
"ScalableDimension" : "ecs:service:DesiredCount",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"service",
{
"Ref" : "myContainerCluster"
},
{
"Fn::GetAtt" : [
"myService",
"Name"
]
}
]
]
}
}
},
"ServiceScalingPolicyCPU" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu70" },
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 70.0,
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ECSServiceAverageCPUUtilization"
}
}
}
},
"ServiceScalingPolicyMem" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-mem90" },
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 90.0,
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ECSServiceAverageMemoryUtilization"
}
}
}
}
}
}
```
### YAML
```
---
Resources:
ECSScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 6
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref myContainerCluster
- !GetAtt myService.Name
ServiceScalingPolicyCPU:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu70
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 70.0
ScaleInCooldown: 180
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: ECSServiceAverageCPUUtilization
ServiceScalingPolicyMem:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-mem90
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 90.0
ScaleInCooldown: 180
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: ECSServiceAverageMemoryUtilization
```
## Creazione di una policy di dimensionamento per un servizio Amazon ECS (metrica: numero medio di richieste per destinazione)
Nell’esempio seguente viene applicato a un servizio ECS un criterio di scalabilità di tracciamento della destinazione con il parametro predefinito `ALBRequestCountPerTarget`. La policy viene utilizzata per aggiungere capacità al servizio ECS quando il conteggio di richieste per target (al minuto) supera il valore previsto. Poiché il valore di `DisableScaleIn` è impostato su `true`, la policy di monitoraggio target non rimuoverà capacità dal target scalabile.
Utilizza le funzioni intrinseche `Fn::Join` e `Fn::GetAtt` per costruire la proprietà `ResourceLabel` con i nomi logici delle risorse [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) (`myLoadBalancer`) e [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) (`myTargetGroup`) specificate nello stesso modello. Per ulteriori informazioni, consulta [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
Le proprietà `MaxCapacity` e `MinCapacity` della destinazione scalabile e la proprietà `TargetValue` dei valori dei parametri di riferimento del criterio di ridimensionamento che vengono passati al modello durante la creazione o l’aggiornamento di uno stack.
### JSON
```
{
"Resources" : {
"ECSScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : { "Ref" : "MaxCount" },
"MinCapacity" : { "Ref" : "MinCount" },
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" },
"ServiceNamespace" : "ecs",
"ScalableDimension" : "ecs:service:DesiredCount",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"service",
{
"Ref" : "myContainerCluster"
},
{
"Fn::GetAtt" : [
"myService",
"Name"
]
}
]
]
}
}
},
"ServiceScalingPolicyALB" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "alb-requests-per-target-per-minute",
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : { "Ref" : "ALBPolicyTargetValue" },
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 30,
"DisableScaleIn" : true,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ALBRequestCountPerTarget",
"ResourceLabel" : {
"Fn::Join" : [
"/",
[
{
"Fn::GetAtt" : [
"myLoadBalancer",
"LoadBalancerFullName"
]
},
{
"Fn::GetAtt" : [
"myTargetGroup",
"TargetGroupFullName"
]
}
]
]
}
}
}
}
}
}
}
```
### YAML
```
---
Resources:
ECSScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: !Ref MaxCount
MinCapacity: !Ref MinCount
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref myContainerCluster
- !GetAtt myService.Name
ServiceScalingPolicyALB:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: alb-requests-per-target-per-minute
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: !Ref ALBPolicyTargetValue
ScaleInCooldown: 180
ScaleOutCooldown: 30
DisableScaleIn: true
PredefinedMetricSpecification:
PredefinedMetricType: ALBRequestCountPerTarget
ResourceLabel: !Join
- '/'
- - !GetAtt myLoadBalancer.LoadBalancerFullName
- !GetAtt myTargetGroup.TargetGroupFullName
```
## Creazione di un’operazione pianificata con una espressione Cron per una funzione Lambda
Questo frammento registra la concorrenza fornita per una funzione alias ([https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html)) denominata `BLUE` utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html). Viene creata anche un’operazione pianificata con una pianificazione ricorrente utilizzando un’espressione Cron. Il fuso orario per la pianificazione ricorrente è UTC.
In questo esempio vengono utilizzate le funzioni intrinseche `Fn::Join` e `Ref` nella proprietà `RoleARN` per specificare l’ARN del ruolo collegato al servizio. Utilizza la funzione intrinseca `Fn::Sub` per costruire la proprietà `ResourceId` con il nome logico della risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) o [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html) specificata nello stesso modello. Per ulteriori informazioni, consulta [Riferimento funzione intrinseca](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
**Nota**
Non puoi allocare la simultaneità fornita su un alias che punta alla versione non pubblicata (`$LATEST`).
Per ulteriori informazioni su come creare un CloudFormation modello per le risorse Lambda, consulta il post di blog [Scheduling AWS Lambda Provisioned Concurrency for recurring](https://aws.amazon.com/blogs/compute/scheduling-aws-lambda-provisioned-concurrency-for-recurring-peak-usage/) peak usage on the Compute Blog. AWS
### JSON
```
{
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 250,
"MinCapacity" : 0,
"RoleARN" : {
"Fn::Join" : [
":",
[
"arn:aws:iam:",
{
"Ref" : "AWS::AccountId"
},
"role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency"
]
]
},
"ServiceNamespace" : "lambda",
"ScalableDimension" : "lambda:function:ProvisionedConcurrency",
"ResourceId" : { "Fn::Sub" : "function:${logicalName}:BLUE" },
"ScheduledActions" : [
{
"ScalableTargetAction" : {
"MinCapacity" : "250"
},
"ScheduledActionName" : "my-scale-out-scheduled-action",
"Schedule" : "cron(0 18 * * ? *)",
"EndTime" : "2022-12-31T12:00:00.000Z"
}
]
}
}
}
```
### YAML
```
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 250
MinCapacity: 0
RoleARN: !Join
- ':'
- - 'arn:aws:iam:'
- !Ref 'AWS::AccountId'
- role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency
ServiceNamespace: lambda
ScalableDimension: lambda:function:ProvisionedConcurrency
ResourceId: !Sub function:${logicalName}:BLUE
ScheduledActions:
- ScalableTargetAction:
MinCapacity: 250
ScheduledActionName: my-scale-out-scheduled-action
Schedule: 'cron(0 18 * * ? *)'
EndTime: '2022-12-31T12:00:00.000Z'
```
## Creazione di un’operazione pianificata con una espressione `at` per un parco istanze spot
Questo frammento mostra come creare due azioni pianificate che si verificano una sola volta per una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html) che utilizza la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html). Il fuso orario per ogni operazione pianificata occasionale è UTC.
Utilizza le funzioni intrinseche `Fn::Join` e `Ref` per costruire la proprietà `ResourceId` con il nome logico della risorsa `AWS::EC2::SpotFleet` specificata nello stesso modello. Per ulteriori informazioni, consulta [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
**Nota**
La richiesta del parco istanze spot deve avere un tipo di richiesta di `maintain`. La scalabilità automatica non è supportata per le richieste una tantum o i blocchi Spot.
### JSON
```
{
"Resources" : {
"SpotFleetScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 0,
"MinCapacity" : 0,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest" },
"ServiceNamespace" : "ec2",
"ScalableDimension" : "ec2:spot-fleet-request:TargetCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"spot-fleet-request",
{
"Ref" : "logicalName"
}
]
]
},
"ScheduledActions" : [
{
"ScalableTargetAction" : {
"MaxCapacity" : "10",
"MinCapacity" : "10"
},
"ScheduledActionName" : "my-scale-out-scheduled-action",
"Schedule" : "at(2022-05-20T13:00:00)"
},
{
"ScalableTargetAction" : {
"MaxCapacity" : "0",
"MinCapacity" : "0"
},
"ScheduledActionName" : "my-scale-in-scheduled-action",
"Schedule" : "at(2022-05-20T21:00:00)"
}
]
}
}
}
}
```
### YAML
```
---
Resources:
SpotFleetScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 0
MinCapacity: 0
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest'
ServiceNamespace: ec2
ScalableDimension: 'ec2:spot-fleet-request:TargetCapacity'
ResourceId: !Join
- /
- - spot-fleet-request
- !Ref logicalName
ScheduledActions:
- ScalableTargetAction:
MaxCapacity: 10
MinCapacity: 10
ScheduledActionName: my-scale-out-scheduled-action
Schedule: 'at(2022-05-20T13:00:00)'
- ScalableTargetAction:
MaxCapacity: 0
MinCapacity: 0
ScheduledActionName: my-scale-in-scheduled-action
Schedule: 'at(2022-05-20T21:00:00)'
```
# AWS Frammenti di modello della Billing Console
Questo esempio crea un piano tariffario con una regola di determinazione del prezzo di markup globale del 10%. Questo piano tariffario è collegato al gruppo di fatturazione. Il gruppo di fatturazione presenta anche due voci personalizzate che applicano un addebito di \$1 10 e un addebito del 10% oltre al costo totale del gruppo di fatturazione.
## JSON
```
1. {
2. "Parameters": {
3. "LinkedAccountIds": {
4. "Type": "ListNumber"
5. },
6. "PrimaryAccountId": {
7. "Type": "Number"
8. }
9. },
10. "Resources": {
11. "TestPricingRule": {
12. "Type": "AWS::BillingConductor::PricingRule",
13. "Properties": {
14. "Name": "TestPricingRule",
15. "Description": "Test pricing rule created through Cloudformation. Mark everything by 10%.",
16. "Type": "MARKUP",
17. "Scope": "GLOBAL",
18. "ModifierPercentage": 10
19. }
20. },
21. "TestPricingPlan": {
22. "Type": "AWS::BillingConductor::PricingPlan",
23. "Properties": {
24. "Name": "TestPricingPlan",
25. "Description": "Test pricing plan created through Cloudformation.",
26. "PricingRuleArns": [
27. {"Fn::GetAtt": ["TestPricingRule", "Arn"]}
28. ]
29. }
30. },
31. "TestBillingGroup": {
32. "Type": "AWS::BillingConductor::BillingGroup",
33. "Properties": {
34. "Name": "TestBillingGroup",
35. "Description": "Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.",
36. "PrimaryAccountId": {
37. "Ref": "PrimaryAccountId"
38. },
39. "AccountGrouping": {
40. "LinkedAccountIds": null
41. },
42. "ComputationPreference": {
43. "PricingPlanArn": {
44. "Fn::GetAtt": ["TestPricingPlan", "Arn"]
45. }
46. }
47. }
48. },
49. "TestFlatCustomLineItem": {
50. "Type": "AWS::BillingConductor::CustomLineItem",
51. "Properties": {
52. "Name": "TestFlatCustomLineItem",
53. "Description": "Test flat custom line item created through Cloudformation for a $10 charge.",
54. "BillingGroupArn": {
55. "Fn::GetAtt": ["TestBillingGroup", "Arn"]
56. },
57. "CustomLineItemChargeDetails": {
58. "Flat": {
59. "ChargeValue": 10
60. },
61. "Type": "FEE"
62. }
63. }
64. },
65. "TestPercentageCustomLineItem": {
66. "Type": "AWS::BillingConductor::CustomLineItem",
67. "Properties": {
68. "Name": "TestPercentageCustomLineItem",
69. "Description": "Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.",
70. "BillingGroupArn": {
71. "Fn::GetAtt": ["TestBillingGroup", "Arn"]
72. },
73. "CustomLineItemChargeDetails": {
74. "Percentage": {
75. "PercentageValue": 10,
76. "ChildAssociatedResources": [
77. {"Fn::GetAtt": ["TestBillingGroup", "Arn"]}
78. ]
79. },
80. "Type": "FEE"
81. }
82. }
83. }
84. }
85. }
```
## YAML
```
1. Parameters:
2. LinkedAccountIds:
3. Type: ListNumber
4. PrimaryAccountId:
5. Type: Number
6. Resources:
7. TestPricingRule:
8. Type: AWS::BillingConductor::PricingRule
9. Properties:
10. Name: 'TestPricingRule'
11. Description: 'Test pricing rule created through Cloudformation. Mark everything by 10%.'
12. Type: 'MARKUP'
13. Scope: 'GLOBAL'
14. ModifierPercentage: 10
15. TestPricingPlan:
16. Type: AWS::BillingConductor::PricingPlan
17. Properties:
18. Name: 'TestPricingPlan'
19. Description: 'Test pricing plan created through Cloudformation.'
20. PricingRuleArns:
21. - !GetAtt TestPricingRule.Arn
22. TestBillingGroup:
23. Type: AWS::BillingConductor::BillingGroup
24. Properties:
25. Name: 'TestBillingGroup'
26. Description: 'Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.'
27. PrimaryAccountId: !Ref PrimaryAccountId
28. AccountGrouping:
29. LinkedAccountIds: !Ref LinkedAccountIds
30. ComputationPreference:
31. PricingPlanArn: !GetAtt TestPricingPlan.Arn
32. TestFlatCustomLineItem:
33. Type: AWS::BillingConductor::CustomLineItem
34. Properties:
35. Name: 'TestFlatCustomLineItem'
36. Description: 'Test flat custom line item created through Cloudformation for a $10 charge.'
37. BillingGroupArn: !GetAtt TestBillingGroup.Arn
38. CustomLineItemChargeDetails:
39. Flat:
40. ChargeValue: 10
41. Type: 'FEE'
42. TestPercentageCustomLineItem:
43. Type: AWS::BillingConductor::CustomLineItem
44. Properties:
45. Name: 'TestPercentageCustomLineItem'
46. Description: 'Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.'
47. BillingGroupArn: !GetAtt TestBillingGroup.Arn
48. CustomLineItemChargeDetails:
49. Percentage:
50. PercentageValue: 10
51. ChildAssociatedResources:
52. - !GetAtt TestBillingGroup.Arn
53. Type: 'FEE'
```
# CloudFormation frammenti di modello
**Topics**
+ [Stack nidificati](#w2aac11c41c23b5)
+ [Condizione di attesa](#w2aac11c41c23b7)
## Stack nidificati
### Nidificazione di uno stack in un modello
Questo modello di esempio contiene una risorsa stack nidificata denominata `myStack`. Quando CloudFormation crea uno stack dal modello, crea il`myStack`, il cui modello è specificato nella `TemplateURL` proprietà. Il valore di output `StackRef` restituisce l’ID dello stack per `myStack` e il valore `OutputFromNestedStack` restituisce il valore di output `BucketName` dalla risorsa `myStack`. Il formato `Outputs.nestedstackoutputname` è riservato alla specifica di valori di output dagli stack nidificati e può essere utilizzato ovunque all’interno del modello.
Per ulteriori informazioni, consulta [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html).
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myStack" : {
5. "Type" : "AWS::CloudFormation::Stack",
6. "Properties" : {
7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template",
8. "TimeoutInMinutes" : "60"
9. }
10. }
11. },
12. "Outputs": {
13. "StackRef": {"Value": { "Ref" : "myStack"}},
14. "OutputFromNestedStack" : {
15. "Value" : { "Fn::GetAtt" : [ "myStack", "Outputs.BucketName" ] }
16. }
17. }
18. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myStack:
4. Type: AWS::CloudFormation::Stack
5. Properties:
6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template
7. TimeoutInMinutes: '60'
8. Outputs:
9. StackRef:
10. Value: !Ref myStack
11. OutputFromNestedStack:
12. Value: !GetAtt myStack.Outputs.BucketName
```
### Nidificazione di un stack con i parametri di input in un modello
In questo esempio il modello contiene una risorsa di stack che specifica i parametri di input. Quando CloudFormation crea uno stack da questo modello, utilizza le coppie di valori dichiarate all'interno della `Parameters` proprietà come parametri di input per il modello utilizzato per creare lo `myStackWithParams` stack. In questo esempio vengono specificati i parametri `InstanceType` e `KeyName`.
Per ulteriori informazioni, consulta [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html).
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myStackWithParams" : {
5. "Type" : "AWS::CloudFormation::Stack",
6. "Properties" : {
7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template",
8. "Parameters" : {
9. "InstanceType" : "t2.micro",
10. "KeyName" : "mykey"
11. }
12. }
13. }
14. }
15. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myStackWithParams:
4. Type: AWS::CloudFormation::Stack
5. Properties:
6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template
7. Parameters:
8. InstanceType: t2.micro
9. KeyName: mykey
```
## Condizione di attesa
### Utilizzo di una condizione di attesa con un’istanza Amazon EC2
**Importante**
Per le risorse Amazon EC2 e Auto Scaling, consigliamo di utilizzare CreationPolicy un attributo anziché condizioni di attesa. Aggiungi un CreationPolicy attributo a tali risorse e utilizza lo script di supporto cfn-signal per segnalare quando il processo di creazione di un'istanza è stato completato con successo.
Se non riesci a utilizzare una policy di creazione, puoi visualizzare il seguente modello di esempio, che dichiara un’istanza Amazon EC2 con una condizione di attesa. La condizione di attesa `myWaitCondition` utilizza `myWaitConditionHandle` per le segnalazioni, l’attributo `DependsOn` per specificare che la condizione di attesa si attiverà dopo che la risorsa dell’istanza Amazon EC2 è stata creata e la proprietà `Timeout` per specificare una durata di 4.500 secondi per la condizione di attesa. Inoltre, l’URL prefirmato che segnala la condizione di attesa viene passato all’istanza Amazon EC2 con la proprietà `UserData` della risorsa `Ec2Instance`, consentendo a un’applicazione o a uno script in esecuzione su quell’istanza Amazon EC2 di recuperare l’URL prefirmato e di utilizzarlo per segnalare l’esito positivo o negativo alla condizione di attesa. Devi utilizzare `cfn-signal` o creare l’applicazione o lo script che segnala la condizione di attesa. Il valore di output `ApplicationData` contiene i dati trasferiti dal segnale della condizione di attesa.
Per ulteriori informazioni, consulta [Creare condizioni di attesa in un CloudFormation modello](using-cfn-waitcondition.md).
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Mappings" : {
4. "RegionMap" : {
5. "us-east-1" : {
6. "AMI" : "ami-0123456789abcdef0"
7. },
8. "us-west-1" : {
9. "AMI" : "ami-0987654321fedcba0"
10. },
11. "eu-west-1" : {
12. "AMI" : "ami-0abcdef123456789a"
13. },
14. "ap-northeast-1" : {
15. "AMI" : "ami-0fedcba987654321b"
16. },
17. "ap-southeast-1" : {
18. "AMI" : "ami-0c1d2e3f4a5b6c7d8"
19. }
20. }
21. },
22. "Resources" : {
23. "Ec2Instance" : {
24. "Type" : "AWS::EC2::Instance",
25. "Properties" : {
26. "UserData" : { "Fn::Base64" : {"Ref" : "myWaitHandle"}},
27. "ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]}
28. }
29. },
30. "myWaitHandle" : {
31. "Type" : "AWS::CloudFormation::WaitConditionHandle",
32. "Properties" : {
33. }
34. },
35. "myWaitCondition" : {
36. "Type" : "AWS::CloudFormation::WaitCondition",
37. "DependsOn" : "Ec2Instance",
38. "Properties" : {
39. "Handle" : { "Ref" : "myWaitHandle" },
40. "Timeout" : "4500"
41. }
42. }
43. },
44. "Outputs" : {
45. "ApplicationData" : {
46. "Value" : { "Fn::GetAtt" : [ "myWaitCondition", "Data" ]},
47. "Description" : "The data passed back as part of signalling the WaitCondition."
48. }
49. }
50. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Mappings:
3. RegionMap:
4. us-east-1:
5. AMI: ami-0123456789abcdef0
6. us-west-1:
7. AMI: ami-0987654321fedcba0
8. eu-west-1:
9. AMI: ami-0abcdef123456789a
10. ap-northeast-1:
11. AMI: ami-0fedcba987654321b
12. ap-southeast-1:
13. AMI: ami-0c1d2e3f4a5b6c7d8
14. Resources:
15. Ec2Instance:
16. Type: AWS::EC2::Instance
17. Properties:
18. UserData:
19. Fn::Base64: !Ref myWaitHandle
20. ImageId:
21. Fn::FindInMap:
22. - RegionMap
23. - Ref: AWS::Region
24. - AMI
25. myWaitHandle:
26. Type: AWS::CloudFormation::WaitConditionHandle
27. Properties: {}
28. myWaitCondition:
29. Type: AWS::CloudFormation::WaitCondition
30. DependsOn: Ec2Instance
31. Properties:
32. Handle: !Ref myWaitHandle
33. Timeout: '4500'
34. Outputs:
35. ApplicationData:
36. Value: !GetAtt myWaitCondition.Data
37. Description: The data passed back as part of signalling the WaitCondition.
```
### Utilizzo dello script helper cfn-signal per segnalare una condizione di attesa
Nell’esempio seguente viene mostrata una riga di comando `cfn-signal` che segnala l’operazione riuscita di una condizione di attesa. È necessario definire la riga di comando nella proprietà `UserData` dell’istanza EC2.
#### JSON
```
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -xe\n",
"/opt/aws/bin/cfn-signal --exit-code 0 '",
{
"Ref": "myWaitHandle"
},
"'\n"
]
]
}
}
```
#### YAML
```
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
/opt/aws/bin/cfn-signal --exit-code 0 '${myWaitHandle}'
```
### Utilizzo di Curl per segnalare una condizione di attesa
Nell’esempio seguente viene mostrata una riga di comando Curl che segnala l’operazione riuscita a una condizione di attesa.
```
1. curl -T /tmp/a "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D"
```
Dove il file /tmp/a contiene la seguente struttura JSON:
```
1. {
2. "Status" : "SUCCESS",
3. "Reason" : "Configuration Complete",
4. "UniqueId" : "ID1234",
5. "Data" : "Application has completed configuration."
6. }
```
In questo esempio viene mostrata una riga di comando Curl che invia lo stesso segnale di operazione riuscita, con la differenza che come parametro invia la struttura JSON sulla riga di comando.
```
1. curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" : "Configuration Complete","UniqueId" : "ID1234","Data" : "Application has completed configuration."}' "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D"
```
# Frammenti CloudFront di modello Amazon
Usa questi frammenti di modello di esempio con la tua risorsa di CloudFront distribuzione Amazon in. CloudFormation Per ulteriori informazioni, consulta il [riferimento ai tipi di CloudFront risorse Amazon](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudFront.html).
**Topics**
+ [Risorsa di CloudFront distribuzione Amazon con origine Amazon S3](#scenario-cloudfront-s3origin)
+ [Risorsa CloudFront di distribuzione Amazon con origine personalizzata](#scenario-cloudfront-customorigin)
+ [CloudFront Distribuzione Amazon con supporto multiorigine](#scenario-cloudfront-multiorigin)
+ [CloudFront Distribuzione Amazon con una funzione Lambda come origine](#scenario-cloudfront-lambda-origin)
+ [Consulta anche](#w2aac11c41c27c15)
## Risorsa di CloudFront distribuzione Amazon con origine Amazon S3
Il seguente modello di esempio mostra una CloudFront [distribuzione](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) Amazon che utilizza un [S3Origin e una legacy Origin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-s3originconfig.html) Access Identity (OAI). Per informazioni sull'utilizzo del controllo dell'accesso all'origine (OAC), consulta [Restricting access to an Amazon Simple Storage Service origin (Limitazione dell'accesso a un'origine di Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)) nella *Amazon CloudFront Developer Guide*.
### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myDistribution" : {
5. "Type" : "AWS::CloudFront::Distribution",
6. "Properties" : {
7. "DistributionConfig" : {
8. "Origins" : [ {
9. "DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com",
10. "Id" : "myS3Origin",
11. "S3OriginConfig" : {
12. "OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z"
13. }
14. }],
15. "Enabled" : "true",
16. "Comment" : "Some comment",
17. "DefaultRootObject" : "index.html",
18. "Logging" : {
19. "IncludeCookies" : "false",
20. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
21. "Prefix" : "myprefix"
22. },
23. "Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
24. "DefaultCacheBehavior" : {
25. "AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
26. "TargetOriginId" : "myS3Origin",
27. "ForwardedValues" : {
28. "QueryString" : "false",
29. "Cookies" : { "Forward" : "none" }
30. },
31. "TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
32. "ViewerProtocolPolicy" : "allow-all"
33. },
34. "PriceClass" : "PriceClass_200",
35. "Restrictions" : {
36. "GeoRestriction" : {
37. "RestrictionType" : "whitelist",
38. "Locations" : [ "AQ", "CV" ]
39. }
40. },
41. "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
42. }
43. }
44. }
45. }
46. }
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myDistribution:
4. Type: AWS::CloudFront::Distribution
5. Properties:
6. DistributionConfig:
7. Origins:
8. - DomainName: amzn-s3-demo-bucket.s3.amazonaws.com
9. Id: myS3Origin
10. S3OriginConfig:
11. OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
12. Enabled: 'true'
13. Comment: Some comment
14. DefaultRootObject: index.html
15. Logging:
16. IncludeCookies: 'false'
17. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
18. Prefix: myprefix
19. Aliases:
20. - mysite.example.com
21. - yoursite.example.com
22. DefaultCacheBehavior:
23. AllowedMethods:
24. - DELETE
25. - GET
26. - HEAD
27. - OPTIONS
28. - PATCH
29. - POST
30. - PUT
31. TargetOriginId: myS3Origin
32. ForwardedValues:
33. QueryString: 'false'
34. Cookies:
35. Forward: none
36. TrustedSigners:
37. - 1234567890EX
38. - 1234567891EX
39. ViewerProtocolPolicy: allow-all
40. PriceClass: PriceClass_200
41. Restrictions:
42. GeoRestriction:
43. RestrictionType: whitelist
44. Locations:
45. - AQ
46. - CV
47. ViewerCertificate:
48. CloudFrontDefaultCertificate: 'true'
```
## Risorsa CloudFront di distribuzione Amazon con origine personalizzata
Il seguente modello di esempio mostra una CloudFront [distribuzione](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) Amazon che utilizza un [CustomOrigin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-customoriginconfig.html).
### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myDistribution" : {
5. "Type" : "AWS::CloudFront::Distribution",
6. "Properties" : {
7. "DistributionConfig" : {
8. "Origins" : [ {
9. "DomainName" : "www.example.com",
10. "Id" : "myCustomOrigin",
11. "CustomOriginConfig" : {
12. "HTTPPort" : "80",
13. "HTTPSPort" : "443",
14. "OriginProtocolPolicy" : "http-only"
15. }
16. } ],
17. "Enabled" : "true",
18. "Comment" : "Somecomment",
19. "DefaultRootObject" : "index.html",
20. "Logging" : {
21. "IncludeCookies" : "true",
22. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
23. "Prefix": "myprefix"
24. },
25. "Aliases" : [
26. "mysite.example.com",
27. "*.yoursite.example.com"
28. ],
29. "DefaultCacheBehavior" : {
30. "TargetOriginId" : "myCustomOrigin",
31. "SmoothStreaming" : "false",
32. "ForwardedValues" : {
33. "QueryString" : "false",
34. "Cookies" : { "Forward" : "all" }
35. },
36. "TrustedSigners" : [
37. "1234567890EX",
38. "1234567891EX"
39. ],
40. "ViewerProtocolPolicy" : "allow-all"
41. },
42. "CustomErrorResponses" : [ {
43. "ErrorCode" : "404",
44. "ResponsePagePath" : "/error-pages/404.html",
45. "ResponseCode" : "200",
46. "ErrorCachingMinTTL" : "30"
47. } ],
48. "PriceClass" : "PriceClass_200",
49. "Restrictions" : {
50. "GeoRestriction" : {
51. "RestrictionType" : "whitelist",
52. "Locations" : [ "AQ", "CV" ]
53. }
54. },
55. "ViewerCertificate": { "CloudFrontDefaultCertificate" : "true" }
56. }
57. }
58. }
59. }
60. }
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myDistribution:
4. Type: AWS::CloudFront::Distribution
5. Properties:
6. DistributionConfig:
7. Origins:
8. - DomainName: www.example.com
9. Id: myCustomOrigin
10. CustomOriginConfig:
11. HTTPPort: '80'
12. HTTPSPort: '443'
13. OriginProtocolPolicy: http-only
14. Enabled: 'true'
15. Comment: Somecomment
16. DefaultRootObject: index.html
17. Logging:
18. IncludeCookies: 'true'
19. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
20. Prefix: myprefix
21. Aliases:
22. - mysite.example.com
23. - "*.yoursite.example.com"
24. DefaultCacheBehavior:
25. TargetOriginId: myCustomOrigin
26. SmoothStreaming: 'false'
27. ForwardedValues:
28. QueryString: 'false'
29. Cookies:
30. Forward: all
31. TrustedSigners:
32. - 1234567890EX
33. - 1234567891EX
34. ViewerProtocolPolicy: allow-all
35. CustomErrorResponses:
36. - ErrorCode: '404'
37. ResponsePagePath: "/error-pages/404.html"
38. ResponseCode: '200'
39. ErrorCachingMinTTL: '30'
40. PriceClass: PriceClass_200
41. Restrictions:
42. GeoRestriction:
43. RestrictionType: whitelist
44. Locations:
45. - AQ
46. - CV
47. ViewerCertificate:
48. CloudFrontDefaultCertificate: 'true'
```
## CloudFront Distribuzione Amazon con supporto multiorigine
Il seguente modello di esempio mostra come dichiarare una CloudFront [distribuzione con supporto](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) multiorigine. In [DistributionConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-distributionconfig.html), viene fornito un elenco di origini e viene impostato un [DefaultCacheBehavior](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.html).
### JSON
```
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDistribution" : {
"Type" : "AWS::CloudFront::Distribution",
"Properties" : {
"DistributionConfig" : {
"Origins" : [ {
"Id" : "myS3Origin",
"DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com",
"S3OriginConfig" : {
"OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z"
}
},
{
"Id" : "myCustomOrigin",
"DomainName" : "www.example.com",
"CustomOriginConfig" : {
"HTTPPort" : "80",
"HTTPSPort" : "443",
"OriginProtocolPolicy" : "http-only"
}
}
],
"Enabled" : "true",
"Comment" : "Some comment",
"DefaultRootObject" : "index.html",
"Logging" : {
"IncludeCookies" : "true",
"Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
"Prefix" : "myprefix"
},
"Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
"DefaultCacheBehavior" : {
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "false",
"Cookies" : { "Forward" : "all" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "100",
"SmoothStreaming" : "true"
},
"CacheBehaviors" : [ {
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "true",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "50",
"PathPattern" : "images1/*.jpg"
},
{
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
"TargetOriginId" : "myCustomOrigin",
"ForwardedValues" : {
"QueryString" : "true",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "50",
"PathPattern" : "images2/*.jpg"
}
],
"CustomErrorResponses" : [ {
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"
} ],
"PriceClass" : "PriceClass_All",
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
}
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: myS3Origin
DomainName: amzn-s3-demo-bucket.s3.amazonaws.com
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
- Id: myCustomOrigin
DomainName: www.example.com
CustomOriginConfig:
HTTPPort: '80'
HTTPSPort: '443'
OriginProtocolPolicy: http-only
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Logging:
IncludeCookies: 'true'
Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
Prefix: myprefix
Aliases:
- mysite.example.com
- yoursite.example.com
DefaultCacheBehavior:
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: all
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '100'
SmoothStreaming: 'true'
CacheBehaviors:
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '50'
PathPattern: images1/*.jpg
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myCustomOrigin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '50'
PathPattern: images2/*.jpg
CustomErrorResponses:
- ErrorCode: '404'
ResponsePagePath: "/error-pages/404.html"
ResponseCode: '200'
ErrorCachingMinTTL: '30'
PriceClass: PriceClass_All
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
```
## CloudFront Distribuzione Amazon con una funzione Lambda come origine
L'esempio seguente crea una CloudFront distribuzione che fronteggia l'URL di una funzione Lambda specificato (fornito come parametro), abilitando l'accesso, la memorizzazione nella cache, la compressione e la consegna globale solo tramite HTTPS. Configura l'URL Lambda come origine HTTPS personalizzata e applica una politica di memorizzazione nella cache AWS standard. La distribuzione è ottimizzata per le prestazioni con HTTP/2 e IPv6 supporta e restituisce il nome di CloudFront dominio, consentendo agli utenti di accedere alla funzione Lambda tramite un endpoint sicuro supportato da CDN. Per ulteriori informazioni, consulta [Usare Amazon CloudFront with AWS Lambda as origin per accelerare le tue applicazioni web](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/) sul AWS blog.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"LambdaEndpoint": {
"Type": "String",
"Description": "The Lambda function URL endpoint without the 'https://'"
}
},
"Resources": {
"MyDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"PriceClass": "PriceClass_All",
"HttpVersion": "http2",
"IPV6Enabled": true,
"Origins": [
{
"DomainName": {
"Ref": "LambdaEndpoint"
},
"Id": "LambdaOrigin",
"CustomOriginConfig": {
"HTTPSPort": 443,
"OriginProtocolPolicy": "https-only"
}
}
],
"Enabled": "true",
"DefaultCacheBehavior": {
"TargetOriginId": "LambdaOrigin",
"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
"ViewerProtocolPolicy": "redirect-to-https",
"SmoothStreaming": "false",
"Compress": "true"
}
}
}
}
},
"Outputs": {
"CloudFrontDomain": {
"Description": "CloudFront default domain name configured",
"Value": {
"Fn::Sub": "https://${MyDistribution.DomainName}/"
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
LambdaEndpoint:
Type: String
Description: The Lambda function URL endpoint without the 'https://'
Resources:
MyDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
PriceClass: PriceClass_All
HttpVersion: http2
IPV6Enabled: true
Origins:
- DomainName: !Ref LambdaEndpoint
Id: LambdaOrigin
CustomOriginConfig:
HTTPSPort: 443
OriginProtocolPolicy: https-only
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: LambdaOrigin
CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6'
ViewerProtocolPolicy: redirect-to-https
SmoothStreaming: 'false'
Compress: 'true'
Outputs:
CloudFrontDomain:
Description: CloudFront default domain name configured
Value: !Sub https://${MyDistribution.DomainName}/
```
## Consulta anche
Per un esempio di aggiunta di un alias personalizzato a un record di Route 53 per creare un nome descrittivo per una CloudFront distribuzione, consulta[Alias: record di risorse impostato per una distribuzione CloudFront](quickref-route53.md#scenario-user-friendly-url-for-cloudfront-distribution).
# Frammenti CloudWatch di modello Amazon
Usa questi frammenti di modello di esempio per descrivere le tue CloudWatch risorse Amazon in. CloudFormation Per ulteriori informazioni, consulta il [riferimento ai tipi di CloudWatch risorse Amazon](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudWatch.html).
**Topics**
+ [Allarme di fatturazione](#cloudwatch-sample-billing-alarm)
+ [Allarme di utilizzo della CPU](#cloudwatch-sample-cpu-utilization-alarm)
+ [Ripristino di un’istanza Amazon Elastic Compute Cloud](#cloudwatch-sample-recover-instance)
+ [Creazione di un pannello di controllo di base](#cloudwatch-sample-dashboard-basic)
+ [Crea una dashboard con widget side-by-side](#cloudwatch-sample-dashboard-sidebyside)
## Allarme di fatturazione
Nel seguente esempio, Amazon CloudWatch invia una notifica via e-mail quando gli addebiti AWS sul tuo account superano la soglia di allarme. Per ricevere notifiche di utilizzo, abilita avvisi di fatturazione. Per ulteriori informazioni, consulta [Creare un allarme di fatturazione per monitorare i AWS costi stimati](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html) nella *Amazon CloudWatch User Guide*. >
### JSON
```
"SpendingAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": { "Fn::Join": ["", [
"Alarm if AWS spending is over $",
{ "Ref": "AlarmThreshold" }
]]},
"Namespace": "AWS/Billing",
"MetricName": "EstimatedCharges",
"Dimensions": [{
"Name": "Currency",
"Value" : "USD"
}],
"Statistic": "Maximum",
"Period": "21600",
"EvaluationPeriods": "1",
"Threshold": { "Ref": "AlarmThreshold" },
"ComparisonOperator": "GreaterThanThreshold",
"AlarmActions": [{
"Ref": "BillingAlarmNotification"
}],
"InsufficientDataActions": [{
"Ref": "BillingAlarmNotification"
}]
}
}
```
### YAML
```
SpendingAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription:
'Fn::Join':
- ''
- - Alarm if AWS spending is over $
- !Ref: AlarmThreshold
Namespace: AWS/Billing
MetricName: EstimatedCharges
Dimensions:
- Name: Currency
Value: USD
Statistic: Maximum
Period: '21600'
EvaluationPeriods: '1'
Threshold:
!Ref: "AlarmThreshold"
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- !Ref: "BillingAlarmNotification"
InsufficientDataActions:
- !Ref: "BillingAlarmNotification"
```
## Allarme di utilizzo della CPU
Nel seguente frammento di codice viene creato un allarme che invia una notifica quando l’utilizzo medio CPU di un’istanza Amazon EC2 supera il 90% per più di 60 secondi su tre periodi di valutazione.
### JSON
```
1. "CPUAlarm" : {
2. "Type" : "AWS::CloudWatch::Alarm",
3. "Properties" : {
4. "AlarmDescription" : "CPU alarm for my instance",
5. "AlarmActions" : [ { "Ref" : "logical name of an AWS::SNS::Topic resource" } ],
6. "MetricName" : "CPUUtilization",
7. "Namespace" : "AWS/EC2",
8. "Statistic" : "Average",
9. "Period" : "60",
10. "EvaluationPeriods" : "3",
11. "Threshold" : "90",
12. "ComparisonOperator" : "GreaterThanThreshold",
13. "Dimensions" : [ {
14. "Name" : "InstanceId",
15. "Value" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }
16. } ]
17. }
18. }
```
### YAML
```
1. CPUAlarm:
2. Type: AWS::CloudWatch::Alarm
3. Properties:
4. AlarmDescription: CPU alarm for my instance
5. AlarmActions:
6. - !Ref: "logical name of an AWS::SNS::Topic resource"
7. MetricName: CPUUtilization
8. Namespace: AWS/EC2
9. Statistic: Average
10. Period: '60'
11. EvaluationPeriods: '3'
12. Threshold: '90'
13. ComparisonOperator: GreaterThanThreshold
14. Dimensions:
15. - Name: InstanceId
16. Value: !Ref: "logical name of an AWS::EC2::Instance resource"
```
## Ripristino di un’istanza Amazon Elastic Compute Cloud
Il seguente CloudWatch allarme ripristina un'istanza EC2 quando presenta errori di controllo dello stato per 15 minuti consecutivi. *Per ulteriori informazioni sulle azioni relative agli allarmi, consulta la sezione [Create alarms to stop, terminate, reboot or recovery a EC2 nella](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html) Amazon User Guide. CloudWatch *
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"RecoveryInstance" : {
"Description" : "The EC2 instance ID to associate this alarm with.",
"Type" : "AWS::EC2::Instance::Id"
}
},
"Resources": {
"RecoveryTestAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Trigger a recovery when instance status check fails for 15 consecutive minutes.",
"Namespace": "AWS/EC2" ,
"MetricName": "StatusCheckFailed_System",
"Statistic": "Minimum",
"Period": "60",
"EvaluationPeriods": "15",
"ComparisonOperator": "GreaterThanThreshold",
"Threshold": "0",
"AlarmActions": [ {"Fn::Join" : ["", ["arn:aws:automate:", { "Ref" : "AWS::Region" }, ":ec2:recover" ]]} ],
"Dimensions": [{"Name": "InstanceId","Value": {"Ref": "RecoveryInstance"}}]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
RecoveryInstance:
Description: The EC2 instance ID to associate this alarm with.
Type: AWS::EC2::Instance::Id
Resources:
RecoveryTestAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: Trigger a recovery when instance status check fails for 15
consecutive minutes.
Namespace: AWS/EC2
MetricName: StatusCheckFailed_System
Statistic: Minimum
Period: '60'
EvaluationPeriods: '15'
ComparisonOperator: GreaterThanThreshold
Threshold: '0'
AlarmActions: [ !Sub "arn:aws:automate:${AWS::Region}:ec2:recover" ]
Dimensions:
- Name: InstanceId
Value: !Ref: RecoveryInstance
```
## Creazione di un pannello di controllo di base
L'esempio seguente crea una CloudWatch dashboard semplice con un widget metrico che mostra l'utilizzo della CPU e un widget di testo che mostra un messaggio.
### JSON
```
{
"BasicDashboard": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"text\",\"x\":0,\"y\":7,\"width\":3,\"height\":3,\"properties\":{\"markdown\":\"Hello world\"}}]}"
}
}
}
```
### YAML
```
BasicDashboard:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"text","x":0,"y":7,"width":3,"height":3,"properties":{"markdown":"Hello world"}}]}'
```
## Crea una dashboard con widget side-by-side
Nell’esempio seguente viene creato un pannello di controllo con due widget parametro visualizzati affiancati.
### JSON
```
{
"DashboardSideBySide": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"metric\",\"x\":12,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/S3\",\"BucketSizeBytes\",\"BucketName\",\"amzn-s3-demo-bucket\"]],\"period\":86400,\"stat\":\"Maximum\",\"region\":\"us-east-1\",\"title\":\"amzn-s3-demo-bucket bytes\"}}]}"
}
}
}
```
### YAML
```
DashboardSideBySide:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"metric","x":12,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/S3","BucketSizeBytes","BucketName","amzn-s3-demo-bucket"]],"period":86400,"stat":"Maximum","region":"us-east-1","title":"amzn-s3-demo-bucket bytes"}}]}'
```
# Frammenti di modello Amazon CloudWatch Logs
Amazon CloudWatch Logs può monitorare il sistema, l'applicazione e i file di log personalizzati da istanze Amazon EC2 o altre fonti. Puoi utilizzarlo CloudFormation per fornire e gestire gruppi di log e filtri metrici. Per ulteriori informazioni su Amazon CloudWatch Logs, consulta la [Amazon CloudWatch Logs User Guide.](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)
**Topics**
+ [Invia log a Logs da un' CloudWatch istanza Linux](#quickref-cloudwatchlogs-example1)
+ [Invia i log a Logs da un'istanza di Windows CloudWatch](#quickref-cloudwatchlogs-example2)
+ [Consulta anche](#w2aac11c41c35c11)
## Invia log a Logs da un' CloudWatch istanza Linux
Il modello seguente mostra come configurare un server Web su Amazon Linux 2023 con l'integrazione di CloudWatch Logs. Il modello effettua le seguenti attività:
+ Installa Apache e PHP.
+ Configura l' CloudWatch agente per inoltrare i log di accesso di Apache a Logs. CloudWatch
+ Imposta un ruolo IAM per consentire all' CloudWatch agente di inviare i dati di registro a Logs. CloudWatch
+ Crea notifiche e allarmi personalizzati per monitorare gli errori 404 o l’utilizzo elevato della larghezza di banda.
Gli eventi di registro dal server Web forniscono dati metrici per gli CloudWatch allarmi. I due filtri metrici descrivono come le informazioni di registro vengono trasformate in metriche. CloudWatch Il parametro 404 conta il numero di occorrenze 404. Il parametro delle dimensioni monitora le dimensioni di una richiesta. I due CloudWatch allarmi invieranno notifiche se ci sono più di due 404 entro 2 minuti o se la dimensione media della richiesta supera i 3500 KB nell'arco di 10 minuti.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.",
"Parameters": {
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"OperatorEmail": {
"Description": "Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)",
"Type": "String"
}
},
"Resources": {
"LogRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:CreateLogStream"
],
"Resource": "*"
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{"Ref": "LogRole"}]
}
},
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": {"Ref": "SSHLocation"}
}
]
}
},
"WebServerHost": {
"Type": "AWS::EC2::Instance",
"Metadata": {
"Comment": "Install a simple PHP application on Amazon Linux 2023",
"AWS::CloudFormation::Init": {
"config": {
"packages": {
"dnf": {
"httpd": [],
"php": [],
"php-fpm": []
}
},
"files": {
"/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json": {
"content": {
"logs": {
"logs_collected": {
"files": {
"collect_list": [{
"file_path": "/var/log/httpd/access_log",
"log_group_name": {"Ref": "WebServerLogGroup"},
"log_stream_name": "{instance_id}/apache.log",
"timestamp_format": "%d/%b/%Y:%H:%M:%S %z"
}]
}
}
}
},
"mode": "000644",
"owner": "root",
"group": "root"
},
"/var/www/html/index.php": {
"content": "AWS CloudFormation sample PHP application on Amazon Linux 2023';\n?>\n",
"mode": "000644",
"owner": "apache",
"group": "apache"
},
"/etc/cfn/cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{"Ref": "AWS::StackId"},
"\n",
"region=",
{"Ref": "AWS::Region"},
"\n"
]
]
},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ",
{"Ref": "AWS::StackId"},
" -r WebServerHost ",
" --region ",
{"Ref": "AWS::Region"},
"\n",
"runas=root\n"
]
]
}
}
},
"services": {
"systemd": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"php-fpm": {
"enabled": "true",
"ensureRunning": "true"
}
}
}
}
}
},
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT5M"
}
},
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}",
"KeyName": {"Ref": "KeyName"},
"InstanceType": "t3.micro",
"SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}],
"IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"},
"UserData": {"Fn::Base64": {"Fn::Join": [ "", [
"#!/bin/bash\n",
"dnf update -y aws-cfn-bootstrap\n",
"dnf install -y amazon-cloudwatch-agent\n",
"/opt/aws/bin/cfn-init -v --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n",
"\n",
"# Verify Apache log directory exists and create if needed\n",
"mkdir -p /var/log/httpd\n",
"\n",
"# Start CloudWatch agent\n",
"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s\n",
"\n",
"# Signal success\n",
"/opt/aws/bin/cfn-signal -e $? --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n"
]]}}
}
},
"WebServerLogGroup": {
"Type": "AWS::Logs::LogGroup",
"DeletionPolicy": "Retain",
"UpdateReplacePolicy": "Retain",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "WebServerLogGroup"},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"BytesTransferredMetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "WebServerLogGroup"},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code, size, ...]",
"MetricTransformations": [
{
"MetricValue": "$size",
"MetricNamespace": "test/BytesTransferred",
"MetricName": "testBytesTransferred"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"BandwidthAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The average volume of traffic is greater 3500 KB over 10 minutes",
"MetricName": "testBytesTransferred",
"Namespace": "test/BytesTransferred",
"Statistic": "Average",
"Period": "300",
"EvaluationPeriods": "2",
"Threshold": "3500",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {"Ref": "WebServerHost"}
},
"WebsiteURL": {
"Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"},
"Description": "URL for the web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]
}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {"Ref": "WebServerLogGroup"}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)
Type: String
Resources:
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:PutLogEvents'
- 'logs:DescribeLogStreams'
- 'logs:DescribeLogGroups'
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
Resource: '*'
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref LogRole
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
WebServerHost:
Type: AWS::EC2::Instance
Metadata:
Comment: Install a simple PHP application on Amazon Linux 2023
'AWS::CloudFormation::Init':
config:
packages:
dnf:
httpd: []
php: []
php-fpm: []
files:
/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json:
content: !Sub |
{
"logs": {
"logs_collected": {
"files": {
"collect_list": [
{
"file_path": "/var/log/httpd/access_log",
"log_group_name": "${WebServerLogGroup}",
"log_stream_name": "{instance_id}/apache.log",
"timestamp_format": "%d/%b/%Y:%H:%M:%S %z"
}
]
}
}
}
}
mode: '000644'
owner: root
group: root
/var/www/html/index.php:
content: |
AWS CloudFormation sample PHP application on Amazon Linux 2023';
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerHost --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: 'true'
ensureRunning: 'true'
php-fpm:
enabled: 'true'
ensureRunning: 'true'
CreationPolicy:
ResourceSignal:
Timeout: PT5M
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}'
KeyName: !Ref KeyName
InstanceType: t3.micro
SecurityGroupIds:
- !Ref WebServerSecurityGroup
IamInstanceProfile: !Ref LogRoleInstanceProfile
UserData: !Base64
Fn::Sub: |
#!/bin/bash
dnf update -y aws-cfn-bootstrap
dnf install -y amazon-cloudwatch-agent
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region}
# Verify Apache log directory exists and create if needed
mkdir -p /var/log/httpd
# Start CloudWatch agent
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s
# Signal success
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region}
echo "Done"
WebServerLogGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref WebServerLogGroup
FilterPattern: >-
[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
BytesTransferredMetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref WebServerLogGroup
FilterPattern: '[ip, identity, user_id, timestamp, request, status_code, size, ...]'
MetricTransformations:
- MetricValue: $size
MetricNamespace: test/BytesTransferred
MetricName: testBytesTransferred
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
BandwidthAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The average volume of traffic is greater 3500 KB over 10 minutes
MetricName: testBytesTransferred
Namespace: test/BytesTransferred
Statistic: Average
Period: '300'
EvaluationPeriods: '2'
Threshold: '3500'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref WebServerHost
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for the web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt WebServerHost.PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref WebServerLogGroup
```
## Invia i log a Logs da un'istanza di Windows CloudWatch
Il modello seguente configura i CloudWatch log per un'istanza di Windows 2012R2.
L'agente CloudWatch Logs su Windows (agente SSM su Windows 2012R2 e Windows 2016 AMIs) invia i log solo dopo l'avvio, quindi i log generati prima dell'avvio non vengono inviati. A questo proposito, il modello aiuta a garantire che l’agente venga avviato prima della scrittura dei log da:
+ Impostazione della configurazione dell’agente come prima voce `config` in `configSets` cfn-init.
+ Utilizzo di `waitAfterCompletion` per inserire una pausa dopo il comando che avvia l’agente.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.",
"Parameters": {
"KeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable RDP access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"RDPLocation": {
"Description": "The IP address range that can be used to RDP to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"OperatorEmail": {
"Description": "Email address to notify when CloudWatch alarms are triggered (404 errors)",
"Type": "String"
}
},
"Resources": {
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and RDP access via port 3389",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {"Ref": "RDPLocation"}
}
]
}
},
"LogRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
],
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Create*",
"logs:PutLogEvents",
"s3:GetObject"
],
"Resource": [
"arn:aws:logs:*:*:*",
"arn:aws:s3:::*"
]
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{"Ref": "LogRole"}]
}
},
"WebServerHost": {
"Type": "AWS::EC2::Instance",
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT15M"
}
},
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"00-ConfigureCWLogs",
"01-InstallWebServer",
"02-ConfigureApplication",
"03-Finalize"
]
},
"00-ConfigureCWLogs": {
"files": {
"C:\\Program Files\\Amazon\\SSM\\Plugins\\awsCloudWatch\\AWS.EC2.Windows.CloudWatch.json": {
"content": {
"EngineConfiguration": {
"Components": [
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/SystemEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/SecurityEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/CfnInitLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/IISLogs",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
}
},
"commands": {
"0-enableSSM": {
"command": "powershell.exe -Command \"Set-Service -Name AmazonSSMAgent -StartupType Automatic\" ",
"waitAfterCompletion": "0"
},
"1-restartSSM": {
"command": "powershell.exe -Command \"Restart-Service AmazonSSMAgent \"",
"waitAfterCompletion": "30"
}
}
},
"01-InstallWebServer": {
"commands": {
"01_install_webserver": {
"command": "powershell.exe -Command \"Install-WindowsFeature Web-Server -IncludeAllSubFeature\"",
"waitAfterCompletion": "0"
}
}
},
"02-ConfigureApplication": {
"files": {
"c:\\Inetpub\\wwwroot\\index.htm": {
"content": " Test Application Page Congratulations!! Your IIS server is configured.
"
}
}
},
"03-Finalize": {
"commands": {
"00_signal_success": {
"command": {
"Fn::Sub": "cfn-signal.exe -e 0 --resource WebServerHost --stack ${AWS::StackName} --region ${AWS::Region}"
},
"waitAfterCompletion": "0"
}
}
}
}
},
"Properties": {
"KeyName": {
"Ref": "KeyPair"
},
"ImageId": "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}",
"InstanceType": "t2.xlarge",
"SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}],
"IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "LogGroup"},
"FilterPattern": "[timestamps, serverip, method, uri, query, port, dash, clientip, useragent, status_code = 404, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {"Ref": "WebServerHost"}
},
"WebsiteURL": {
"Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"},
"Description": "URL for the web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {"Ref": "LogGroup"}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.
Parameters:
KeyPair:
Description: Name of an existing EC2 KeyPair to enable RDP access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
RDPLocation:
Description: The IP address range that can be used to RDP to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify when CloudWatch alarms are triggered (404 errors)
Type: String
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and RDP access via port 3389
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '3389'
ToPort: '3389'
CidrIp: !Ref RDPLocation
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:Create*'
- 'logs:PutLogEvents'
- 's3:GetObject'
Resource:
- 'arn:aws:logs:*:*:*'
- 'arn:aws:s3:::*'
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref LogRole
WebServerHost:
Type: AWS::EC2::Instance
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Metadata:
'AWS::CloudFormation::Init':
configSets:
config:
- 00-ConfigureCWLogs
- 01-InstallWebServer
- 02-ConfigureApplication
- 03-Finalize
00-ConfigureCWLogs:
files:
'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json':
content: !Sub |
{
"EngineConfiguration": {
"Components": [
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SystemEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SecurityEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/CfnInitLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/IISLogs",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": "${AWS::Region}",
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
commands:
0-enableSSM:
command: >-
powershell.exe -Command "Set-Service -Name AmazonSSMAgent
-StartupType Automatic"
waitAfterCompletion: '0'
1-restartSSM:
command: powershell.exe -Command "Restart-Service AmazonSSMAgent "
waitAfterCompletion: '30'
01-InstallWebServer:
commands:
01_install_webserver:
command: >-
powershell.exe -Command "Install-WindowsFeature Web-Server
-IncludeAllSubFeature"
waitAfterCompletion: '0'
02-ConfigureApplication:
files:
'c:\Inetpub\wwwroot\index.htm':
content: >-
Test Application Page
Congratulations !! Your IIS server is
configured.
03-Finalize:
commands:
00_signal_success:
command: !Sub >-
cfn-signal.exe -e 0 --resource WebServerHost --stack
${AWS::StackName} --region ${AWS::Region}
waitAfterCompletion: '0'
Properties:
KeyName: !Ref KeyPair
ImageId: "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}"
InstanceType: t2.xlarge
SecurityGroupIds:
- !Ref WebServerSecurityGroup
IamInstanceProfile: !Ref LogRoleInstanceProfile
UserData: !Base64
'Fn::Sub': >
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref LogGroup
FilterPattern: >-
[timestamps, serverip, method, uri, query, port, dash, clientip,
useragent, status_code = 404, ...]
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref WebServerHost
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for the web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt
- WebServerHost
- PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref LogGroup
```
## Consulta anche
Per ulteriori informazioni sulle risorse Logs, consulta o. CloudWatch [AWS::Logs::LogGroup[AWS::Logs::MetricFilter](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-metricfilter.html)](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-loggroup.html)
# Frammenti di modello Amazon DynamoDB
**Topics**
+ [Application Auto Scaling con una tabella Amazon DynamoDB](#quickref-dynamodb-application-autoscaling)
+ [Consulta anche](#w2aac11c41c39b7)
## Application Auto Scaling con una tabella Amazon DynamoDB
In questo esempio Application Auto Scaling viene configurato per una risorsa `AWS::DynamoDB::Table`. Il modello definisce una policy di dimensionamento `TargetTrackingScaling` che aumenta il throughput `WriteCapacityUnits` della tabella.
### JSON
```
{
"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"
},
{
"AttributeName": "TicketSales",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": {
"Fn::Join": [
"/",
[
"table",
{
"Ref": "DDBTable"
}
]
]
},
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" },
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
```
### YAML
```
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "ArtistId"
AttributeType: "S"
- AttributeName: "Concert"
AttributeType: "S"
- AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
- AttributeName: "ArtistId"
KeyType: "HASH"
- AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
- IndexName: "GSI"
KeySchema:
- AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
```
## Consulta anche
Per ulteriori informazioni, consulta il post del blog [How to use CloudFormation to configure auto scaling for DynamoDB table and index on the Database Blog](https://aws.amazon.com/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/). AWS
Per ulteriori informazioni sulle risorse DynamoDB, vedere. [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html)
# Frammenti EC2 CloudFormation di modello Amazon
Amazon EC2 fornisce capacità di elaborazione scalabile in. Cloud AWS Puoi usare Amazon EC2 per avviare tutti o pochi server virtuali di cui hai bisogno, configurare sicurezza e rete e gestire lo storage. Questi server virtuali, noti come istanze, possono eseguire una varietà di sistemi operativi e applicazioni, e possono essere personalizzati per soddisfare requisiti specifici. Amazon ti EC2 consente di scalare verso l'alto o verso il basso per gestire i cambiamenti nei requisiti o i picchi di utilizzo.
Puoi definire e fornire EC2 istanze Amazon come parte della tua infrastruttura utilizzando CloudFormation modelli. I modelli semplificano la gestione e l'automazione della distribuzione delle EC2 risorse Amazon in modo ripetibile e coerente.
I seguenti frammenti di modello di esempio descrivono CloudFormation risorse o componenti per Amazon. EC2 Questi frammenti sono progettati per essere integrati in un modello e non sono destinati a essere eseguiti in modo indipendente.
**Topics**
+ [Configurazione delle istanze EC2](quickref-ec2-instance-config.md)
+ [Creazione di modelli di avvio](quickref-ec2-launch-templates.md)
+ [Gestione dei gruppi di sicurezza](quickref-ec2-sg.md)
+ [Alloca Elastic IPs](quickref-ec2-elastic-ip.md)
+ [Configurazione di risorse VPC](quickref-ec2-vpc.md)
# Configura le istanze Amazon EC2 con CloudFormation
I seguenti frammenti mostrano come configurare le istanze Amazon EC2 utilizzando CloudFormation.
**Topics**
+ [Configurazioni generali di Amazon EC2](#quickref-ec2-instance-config-general)
+ [Specifica della mappatura dei dispositivi a blocchi per un’istanza](#scenario-ec2-bdm)
## Configurazioni generali di Amazon EC2
I seguenti frammenti mostrano le configurazioni generali per le istanze Amazon EC2 che utilizzano CloudFormation.
**Topics**
+ [Creazione di un’istanza Amazon EC2 in una zona di disponibilità specificata](#scenario-ec2-instance)
+ [Configurazione di un’istanza Amazon EC2 dotata di tag con un volume EBS e dati utente](#scenario-ec2-instance-with-vol-and-tags)
+ [Definizione del nome della tabella DynamoDB nei dati utente per il lancio dell’istanza Amazon EC2](#scenario-ec2-with-sdb-domain)
+ [Creazione di un volume Amazon EBS con `DeletionPolicy`](#scenario-ec2-volume)
### Creazione di un’istanza Amazon EC2 in una zona di disponibilità specificata
Il seguente frammento crea un'istanza Amazon EC2 nella zona di disponibilità specificata utilizzando una risorsa. [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) Il codice per la zona di disponibilità è il codice della Regione seguito da un identificatore con una lettera. Puoi avviare un’istanza in una singola zona di disponibilità.
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "AvailabilityZone": "aa-example-1a",
5. "ImageId": "ami-1234567890abcdef0"
6. }
7. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. AvailabilityZone: aa-example-1a
5. ImageId: ami-1234567890abcdef0
```
### Configurazione di un’istanza Amazon EC2 dotata di tag con un volume EBS e dati utente
Il seguente frammento crea un’istanza Amazon EC2 con un tag, un volume EBS e dati utente. Utilizza una risorsa. [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) Nello stesso modello, è necessario definire una [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html)risorsa, una [AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html)risorsa e una [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html)risorsa. Il `KeyName` deve essere definito nella sezione `Parameters` del modello.
I tag possono aiutarti a classificare AWS le risorse in base alle tue preferenze, ad esempio per scopo, proprietario o ambiente. I dati utente consentono di fornire script o dati personalizzati a un’istanza durante il lancio. Questi dati aiutano ad automatizzare le attività, configurare il software, installare i pacchetti e compiere altre azioni su un’istanza durante l’inizializzazione.
Per ulteriori informazioni sul tagging delle risorse, consulta [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) nella *Guida per l’utente di Amazon EC2*.
Per informazioni sui dati utente, consulta [Utilizzo dei metadati dell’istanza per gestire l’istanza EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) nella *Guida per l’utente di Amazon EC2*.
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "KeyName": { "Ref": "KeyName" },
5. "SecurityGroups": [ { "Ref": "Ec2SecurityGroup" } ],
6. "UserData": {
7. "Fn::Base64": {
8. "Fn::Join": [ ":", [
9. "PORT=80",
10. "TOPIC=",
11. { "Ref": "MySNSTopic" }
12. ]
13. ]
14. }
15. },
16. "InstanceType": "aa.size",
17. "AvailabilityZone": "aa-example-1a",
18. "ImageId": "ami-1234567890abcdef0",
19. "Volumes": [
20. {
21. "VolumeId": { "Ref": "MyVolumeResource" },
22. "Device": "/dev/sdk"
23. }
24. ],
25. "Tags": [ { "Key": "Name", "Value": "MyTag" } ]
26. }
27. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. KeyName: !Ref KeyName
5. SecurityGroups:
6. - !Ref Ec2SecurityGroup
7. UserData:
8. Fn::Base64:
9. Fn::Join:
10. - ":"
11. - - "PORT=80"
12. - "TOPIC="
13. - !Ref MySNSTopic
14. InstanceType: aa.size
15. AvailabilityZone: aa-example-1a
16. ImageId: ami-1234567890abcdef0
17. Volumes:
18. - VolumeId: !Ref MyVolumeResource
19. Device: "/dev/sdk"
20. Tags:
21. - Key: Name
22. Value: MyTag
```
### Definizione del nome della tabella DynamoDB nei dati utente per il lancio dell’istanza Amazon EC2
Il seguente frammento crea un’istanza Amazon EC2 e definisce un nome di tabella DynamoDB nei dati utente da passare all’istanza all’avvio. Utilizza una [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html)risorsa. Puoi definire parametri o valori dinamici nei dati utente per passare un’istanza EC2 al momento del lancio.
Per ulteriori informazioni sui dati utente, consulta [Use instance metadata to manage your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) nella *Guida per l’utente di Amazon EC2*.
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "UserData": {
5. "Fn::Base64": {
6. "Fn::Join": [
7. "",
8. [
9. "TableName=",
10. {
11. "Ref": "DynamoDBTableName"
12. }
13. ]
14. ]
15. }
16. },
17. "AvailabilityZone": "aa-example-1a",
18. "ImageId": "ami-1234567890abcdef0"
19. }
20. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. UserData:
5. Fn::Base64:
6. Fn::Join:
7. - ''
8. - - 'TableName='
9. - Ref: DynamoDBTableName
10. AvailabilityZone: aa-example-1a
11. ImageId: ami-1234567890abcdef0
```
### Creazione di un volume Amazon EBS con `DeletionPolicy`
I seguenti frammenti creano un volume Amazon EBS utilizzando una risorsa Amazon EC2. [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) Puoi utilizzare le proprietà `Size` o `SnapshotID` per definire il volume, ma non entrambe. Un attributo `DeletionPolicy` viene impostato per creare uno snapshot del volume quando lo stack viene eliminato.
Per ulteriori informazioni sull’attributo `DeletionPolicy`, consulta l’[attributo DeletionPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html).
Per ulteriori informazioni sulla creazione di volumi Amazon EBS, consulta [Creazione di un volume Amazon EBS](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html).
#### JSON
Questo frammento crea un volume Amazon EBS con una **dimensione** specificata. La dimensione è impostata su 10, ma è possibile regolarla in base alle esigenze. La [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html)risorsa consente di specificare la dimensione o l'ID di uno snapshot, ma non entrambi.
```
1. "MyEBSVolume": {
2. "Type": "AWS::EC2::Volume",
3. "Properties": {
4. "Size": "10",
5. "AvailabilityZone": {
6. "Ref": "AvailabilityZone"
7. }
8. },
9. "DeletionPolicy": "Snapshot"
10. }
```
Questo frammento crea un volume Amazon EBS utilizzando un **ID snapshot** fornito. La [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html)risorsa consente di specificare la dimensione o l'ID di un'istantanea, ma non entrambi.
```
1. "MyEBSVolume": {
2. "Type": "AWS::EC2::Volume",
3. "Properties": {
4. "SnapshotId" : "snap-1234567890abcdef0",
5. "AvailabilityZone": {
6. "Ref": "AvailabilityZone"
7. }
8. },
9. "DeletionPolicy": "Snapshot"
10. }
```
#### YAML
Questo frammento crea un volume Amazon EBS con una **dimensione** specificata. La dimensione è impostata su 10, ma è possibile regolarla in base alle esigenze. La [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html)risorsa consente di specificare la dimensione o l'ID di un'istantanea, ma non entrambi.
```
1. MyEBSVolume:
2. Type: AWS::EC2::Volume
3. Properties:
4. Size: 10
5. AvailabilityZone:
6. Ref: AvailabilityZone
7. DeletionPolicy: Snapshot
```
Questo frammento crea un volume Amazon EBS utilizzando un **ID snapshot** fornito. La [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html)risorsa consente di specificare la dimensione o l'ID di un'istantanea, ma non entrambi.
```
1. MyEBSVolume:
2. Type: AWS::EC2::Volume
3. Properties:
4. SnapshotId: snap-1234567890abcdef0
5. AvailabilityZone:
6. Ref: AvailabilityZone
7. DeletionPolicy: Snapshot
```
## Specifica della mappatura dei dispositivi a blocchi per un’istanza
Una mappatura dei dispositivi a blocchi definisce i dispositivi a blocchi, inclusi i volumi di archivio dell’istanza e i volumi EBS, da collegare a un’istanza. Puoi specificare una mappatura dei dispositivi a blocchi quando crei un’AMI in modo che la mappatura venga utilizzata da tutte le istanze avviate dall’AMI. In alternativa, puoi specificare una mappatura dei dispositivi a blocchi quando avvii un’istanza, in modo che la mappatura sostituisca quella specificata nell’AMI da cui è stata avviata l’istanza.
Puoi utilizzare i seguenti frammenti di modello per specificare le mappature dei dispositivi a blocchi per i tuoi volumi EBS o Instance Store utilizzando la proprietà di una risorsa. `BlockDeviceMappings` [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html)
Per ulteriori informazioni sulle mappature dei dispositivi a blocchi, consulta [Block device mappings for volumes on Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) nella *Guida per l’utente di Amazon EC2*.
**Topics**
+ [Specifica le mappature dei dispositivi a blocchi per due volumi EBS](#w2aac11c41c43c13b9c11)
+ [Specifica la mappatura dei dispositivi a blocchi per un volume di archivio dell’istanza](#w2aac11c41c43c13b9c13)
### Specifica le mappature dei dispositivi a blocchi per due volumi EBS
#### JSON
```
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"KeyName": { "Ref": "KeyName" },
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroups": [{ "Ref": "Ec2SecurityGroup" }],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": { "VolumeSize": "50" }
},
{
"DeviceName": "/dev/sdm",
"Ebs": { "VolumeSize": "100" }
}
]
}
}
}
```
#### YAML
```
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
-
DeviceName: /dev/sda1
Ebs:
VolumeSize: 50
-
DeviceName: /dev/sdm
Ebs:
VolumeSize: 100
```
### Specifica la mappatura dei dispositivi a blocchi per un volume di archivio dell’istanza
#### JSON
```
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"KeyName" : { "Ref" : "KeyName" },
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdc",
"VirtualName" : "ephemeral0"
}
]
}
}
```
#### YAML
```
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
- DeviceName: /dev/sdc
VirtualName: ephemeral0
```
# Crea modelli di lancio con CloudFormation
Questa sezione fornisce un esempio per la creazione di un modello di lancio di Amazon EC2 utilizzando. CloudFormation I modelli di avvio consentono di creare modelli per la configurazione e il provisioning delle istanze Amazon EC2 all’interno di AWS. Con i modelli di avvio, puoi archiviare i parametri di avvio in modo da non doverli specificare ogni volta che avvii un’istanza. Per altri esempi, consulta la sezione [Esempi](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples) nella risorsa `AWS::EC2::LaunchTemplate`.
Per maggiori informazioni sui modelli di avvio, consulta [Store instance launch parameters in Amazon EC2 launch templates](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html) nella *Guida per l’utente di Amazon EC2*.
Per ulteriori informazioni su come creare modelli di avvio da utilizzare con i gruppi di Auto Scaling, consulta [Auto Scaling launch templates](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-templates.html) nella *Guida per l’utente di Amazon EC2 Auto Scaling*.
**Topics**
+ [Creazione di un modello di avvio che specifica gruppi di sicurezza, tag, dati utente e un ruolo IAM](#scenario-as-launch-template)
## Creazione di un modello di avvio che specifica gruppi di sicurezza, tag, dati utente e un ruolo IAM
Questo frammento mostra una [AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html)risorsa che contiene le informazioni di configurazione per avviare un'istanza. Puoi specificare i valori per le proprietà `ImageId`, `InstanceType`, `SecurityGroups`, `UserData` e `TagSpecifications`. La `SecurityGroups` proprietà specifica un gruppo di sicurezza EC2 esistente e un nuovo gruppo di sicurezza. La `Ref` funzione ottiene l'ID della [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html)risorsa `myNewEC2SecurityGroup` dichiarata altrove nel modello dello stack.
Il modello di avvio include una sezione per i dati utente personalizzati. In questa sezione puoi passare attività di configurazione e script che vengono eseguiti all’avvio di un’istanza. In questo esempio, i dati utente installano l' AWS Systems Manager agente e lo avviano.
Il modello di avvio include anche un ruolo IAM che consente alle applicazioni in esecuzione sulle istanze di eseguire operazioni per tuo conto. Questo esempio mostra una [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html)risorsa per il modello di avvio, che utilizza la `IamInstanceProfile` proprietà per specificare il ruolo IAM. La `Ref` funzione ottiene il nome della [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-instanceprofile.html)risorsa`myInstanceProfile`. Per configurare le autorizzazioni del ruolo IAM, è necessario specificare un valore per la proprietà `ManagedPolicyArns`.
### JSON
```
1. {
2. "Resources":{
3. "myLaunchTemplate":{
4. "Type":"AWS::EC2::LaunchTemplate",
5. "Properties":{
6. "LaunchTemplateName":{ "Fn::Sub": "${AWS::StackName}-launch-template" },
7. "LaunchTemplateData":{
8. "ImageId":"ami-02354e95b3example",
9. "InstanceType":"t3.micro",
10. "IamInstanceProfile":{
11. "Name":{
12. "Ref":"myInstanceProfile"
13. }
14. },
15. "SecurityGroupIds":[
16. {
17. "Ref":"myNewEC2SecurityGroup"
18. },
19. "sg-083cd3bfb8example"
20. ],
21. "UserData":{
22. "Fn::Base64":{
23. "Fn::Join": [
24. "", [
25. "#!/bin/bash\n",
26. "cd /tmp\n",
27. "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
28. "systemctl enable amazon-ssm-agent\n",
29. "systemctl start amazon-ssm-agent\n"
30. ]
31. ]
32. }
33. },
34. "TagSpecifications":[
35. {
36. "ResourceType":"instance",
37. "Tags":[
38. {
39. "Key":"environment",
40. "Value":"development"
41. }
42. ]
43. },
44. {
45. "ResourceType":"volume",
46. "Tags":[
47. {
48. "Key":"environment",
49. "Value":"development"
50. }
51. ]
52. }
53. ]
54. }
55. }
56. },
57. "myInstanceRole":{
58. "Type":"AWS::IAM::Role",
59. "Properties":{
60. "RoleName":"InstanceRole",
61. "AssumeRolePolicyDocument":{
62. "Version": "2012-10-17",
63. "Statement":[
64. {
65. "Effect":"Allow",
66. "Principal":{
67. "Service":[
68. "ec2.amazonaws.com"
69. ]
70. },
71. "Action":[
72. "sts:AssumeRole"
73. ]
74. }
75. ]
76. },
77. "ManagedPolicyArns":[
78. "arn:aws:iam::aws:policy/myCustomerManagedPolicy"
79. ]
80. }
81. },
82. "myInstanceProfile":{
83. "Type":"AWS::IAM::InstanceProfile",
84. "Properties":{
85. "Path":"/",
86. "Roles":[
87. {
88. "Ref":"myInstanceRole"
89. }
90. ]
91. }
92. }
93. }
94. }
```
### YAML
```
1. ---
2. Resources:
3. myLaunchTemplate:
4. Type: AWS::EC2::LaunchTemplate
5. Properties:
6. LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
7. LaunchTemplateData:
8. ImageId: ami-02354e95b3example
9. InstanceType: t3.micro
10. IamInstanceProfile:
11. Name: !Ref myInstanceProfile
12. SecurityGroupIds:
13. - !Ref myNewEC2SecurityGroup
14. - sg-083cd3bfb8example
15. UserData:
16. Fn::Base64: !Sub |
17. #!/bin/bash
18. cd /tmp
19. yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
20. systemctl enable amazon-ssm-agent
21. systemctl start amazon-ssm-agent
22. TagSpecifications:
23. - ResourceType: instance
24. Tags:
25. - Key: environment
26. Value: development
27. - ResourceType: volume
28. Tags:
29. - Key: environment
30. Value: development
31. myInstanceRole:
32. Type: AWS::IAM::Role
33. Properties:
34. RoleName: InstanceRole
35. AssumeRolePolicyDocument:
36. Version: '2012-10-17'
37. Statement:
38. - Effect: 'Allow'
39. Principal:
40. Service:
41. - 'ec2.amazonaws.com'
42. Action:
43. - 'sts:AssumeRole'
44. ManagedPolicyArns:
45. - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy'
46. myInstanceProfile:
47. Type: AWS::IAM::InstanceProfile
48. Properties:
49. Path: '/'
50. Roles:
51. - !Ref myInstanceRole
```
# Gestisci i gruppi di sicurezza con CloudFormation
I seguenti frammenti mostrano come gestire i gruppi CloudFormation di sicurezza e le istanze Amazon EC2 per controllare l'accesso alle risorse. AWS
**Topics**
+ [Associazione di un gruppo di sicurezza a un’istanza Amazon EC2](#quickref-ec2-instances-associate-security-group)
+ [Creazione di gruppi di sicurezza con regole di ingresso](#quickref-ec2-instances-ingress)
+ [Creazione di un Elastic Load Balancer con una regola di ingresso al gruppo di sicurezza](#scenario-ec2-security-group-elbingress)
## Associazione di un gruppo di sicurezza a un’istanza Amazon EC2
I seguenti frammenti di esempio mostrano come associare un'istanza Amazon EC2 a un gruppo di sicurezza Amazon VPC predefinito utilizzando CloudFormation.
**Topics**
+ [Associazione di un gruppo di sicurezza VPC predefinito a un’istanza Amazon EC2](#using-cfn-getatt-default-values)
+ [Creazione di un’istanza Amazon EC2 con un volume e un gruppo di sicurezza collegati](#scenario-ec2-volumeattachment)
### Associazione di un gruppo di sicurezza VPC predefinito a un’istanza Amazon EC2
Il seguente frammento crea un Amazon VPC, una sottorete all’interno del VPC e un’istanza Amazon EC2. Il VPC viene creato utilizzando una risorsa [AWS::EC2::VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html). L’intervallo di indirizzi IP per il VPC è definito nel modello più grande e viene richiamato dal parametro `MyVPCCIDRRange`.
Una sottorete viene creata all’interno del VPC utilizzando una risorsa [AWS::EC2::Subnet](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html). La sottorete è associata al VPC, a cui si fa riferimento come `MyVPC`.
Un'istanza EC2 viene avviata all'interno del VPC e della sottorete utilizzando una risorsa. [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) Questa risorsa specifica l’Amazon Machine Image (AMI) da utilizzare per avviare l’istanza, la sottorete in cui verrà eseguita l’istanza e il gruppo di sicurezza da associare all’istanza. `ImageId` utilizza un parametro Systems Manager per recuperare dinamicamente l’ultima AMI Amazon Linux 2.
L’ID del gruppo di sicurezza viene ottenuto utilizzando la funzione `Fn::GetAtt`, che recupera il gruppo di sicurezza predefinito dalla risorsa `MyVPC`.
L’istanza viene inserita all’interno della risorsa `MySubnet` definita nel frammento.
Quando crei un VPC utilizzando CloudFormation, crea AWS automaticamente risorse predefinite all'interno del VPC, incluso un gruppo di sicurezza predefinito. Tuttavia, quando si definisce un VPC all'interno di un CloudFormation modello, è possibile che non si abbia accesso a queste risorse predefinite al momento IDs della creazione del modello. Per accedere e utilizzare le risorse predefinite specificate nel modello, puoi utilizzare funzioni intrinseche come `Fn::GetAtt`. Questa funzione consente di lavorare con le risorse predefinite create automaticamente da CloudFormation.
#### JSON
```
"MyVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "MyVPCCIDRRange"
},
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"MySubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Ref": "MyVPCCIDRRange"
},
"VpcId": {
"Ref": "MyVPC"
}
}
},
"MyInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"MyVPC",
"DefaultSecurityGroup"
]
}
],
"SubnetId": {
"Ref": "MySubnet"
}
}
}
```
#### YAML
```
MyVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock:
Ref: MyVPCCIDRRange
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
MySubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock:
Ref: MyVPCCIDRRange
VpcId:
Ref: MyVPC
MyInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds:
- Fn::GetAtt:
- MyVPC
- DefaultSecurityGroup
SubnetId:
Ref: MySubnet
```
### Creazione di un’istanza Amazon EC2 con un volume e un gruppo di sicurezza collegati
Il seguente frammento crea un'istanza Amazon EC2 utilizzando una risorsa, che viene lanciata da [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html)un'AMI designata. L'istanza è associata a un gruppo di sicurezza che consente il traffico SSH in entrata sulla porta 22 da un indirizzo IP specificato, utilizzando una risorsa. [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) Crea un volume Amazon EBS da 100 GB utilizzando una [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html)risorsa. Il volume viene creato nella stessa zona di disponibilità dell’istanza, come specificato dalla funzione `GetAtt`, e viene montato sull’istanza sul dispositivo `/dev/sdh`.
Per ulteriori informazioni sulla creazione di volumi Amazon EBS, consulta [Creazione di un volume Amazon EBS](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html).
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "SecurityGroups": [
5. {
6. "Ref": "InstanceSecurityGroup"
7. }
8. ],
9. "ImageId": "ami-1234567890abcdef0"
10. }
11. },
12. "InstanceSecurityGroup": {
13. "Type": "AWS::EC2::SecurityGroup",
14. "Properties": {
15. "GroupDescription": "Enable SSH access via port 22",
16. "SecurityGroupIngress": [
17. {
18. "IpProtocol": "tcp",
19. "FromPort": "22",
20. "ToPort": "22",
21. "CidrIp": "192.0.2.0/24"
22. }
23. ]
24. }
25. },
26. "NewVolume": {
27. "Type": "AWS::EC2::Volume",
28. "Properties": {
29. "Size": "100",
30. "AvailabilityZone": {
31. "Fn::GetAtt": [
32. "Ec2Instance",
33. "AvailabilityZone"
34. ]
35. }
36. }
37. },
38. "MountPoint": {
39. "Type": "AWS::EC2::VolumeAttachment",
40. "Properties": {
41. "InstanceId": {
42. "Ref": "Ec2Instance"
43. },
44. "VolumeId": {
45. "Ref": "NewVolume"
46. },
47. "Device": "/dev/sdh"
48. }
49. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. SecurityGroups:
5. - !Ref InstanceSecurityGroup
6. ImageId: ami-1234567890abcdef0
7. InstanceSecurityGroup:
8. Type: AWS::EC2::SecurityGroup
9. Properties:
10. GroupDescription: Enable SSH access via port 22
11. SecurityGroupIngress:
12. - IpProtocol: tcp
13. FromPort: 22
14. ToPort: 22
15. CidrIp: 192.0.2.0/24
16. NewVolume:
17. Type: AWS::EC2::Volume
18. Properties:
19. Size: 100
20. AvailabilityZone: !GetAtt [Ec2Instance, AvailabilityZone]
21. MountPoint:
22. Type: AWS::EC2::VolumeAttachment
23. Properties:
24. InstanceId: !Ref Ec2Instance
25. VolumeId: !Ref NewVolume
26. Device: /dev/sdh
```
## Creazione di gruppi di sicurezza con regole di ingresso
I frammenti di esempio seguenti mostrano come configurare i gruppi di sicurezza con regole di ingresso specifiche utilizzando CloudFormation.
**Topics**
+ [Creazione di un gruppo di sicurezza con regole di ingresso per l’accesso SSH e HTTP](#scenario-ec2-security-group-rule)
+ [Creazione di un gruppo di sicurezza con regole di ingresso per l’accesso HTTP e SSH da intervalli CIDR specificati](#scenario-ec2-security-group-two-ports)
+ [Crea gruppi di sicurezza con riferimenti incrociati e regole di ingresso](#scenario-ec2-security-group-ingress)
### Creazione di un gruppo di sicurezza con regole di ingresso per l’accesso SSH e HTTP
Il seguente frammento descrive due regole di ingresso per gruppi di sicurezza che utilizzano una risorsa. [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) La prima regola di ingresso consente l'accesso SSH (porta 22) da un gruppo di sicurezza esistente denominato`MyAdminSecurityGroup`, di proprietà dell'account con il numero di AWS account. `1111-2222-3333` La seconda regola di ingresso consente l’accesso HTTP (porta 80) da un gruppo di sicurezza diverso denominato `MySecurityGroupCreatedInCFN`, creato nello stesso modello. La funzione `Ref` viene utilizzata per fare riferimento al nome logico del gruppo di sicurezza creato nello stesso modello.
Nella prima regola di ingresso, è necessario aggiungere un valore per entrambe le proprietà `SourceSecurityGroupName` e `SourceSecurityGroupOwnerId`. Nella seconda regola di ingresso, `MySecurityGroupCreatedInCFNTemplate` fa riferimento a un gruppo di sicurezza diverso, creato nello stesso modello. Verifica che il nome logico `MySecurityGroupCreatedInCFNTemplate` corrisponda al nome logico effettivo della risorsa del gruppo di sicurezza specificata nel modello più grande.
Per ulteriori informazioni sui gruppi di sicurezza, consulta [Amazon EC2 security groups for your Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) nella *Guida per l’utente di Amazon EC2*.
#### JSON
```
1. "SecurityGroup": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "Allow connections from specified source security group",
5. "SecurityGroupIngress": [
6. {
7. "IpProtocol": "tcp",
8. "FromPort": "22",
9. "ToPort": "22",
10. "SourceSecurityGroupName": "MyAdminSecurityGroup",
11. "SourceSecurityGroupOwnerId": "1111-2222-3333"
12. },
13. {
14. "IpProtocol": "tcp",
15. "FromPort": "80",
16. "ToPort": "80",
17. "SourceSecurityGroupName": {
18. "Ref": "MySecurityGroupCreatedInCFNTemplate"
19. }
20. }
21. ]
22. }
23. }
```
#### YAML
```
1. SecurityGroup:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: Allow connections from specified source security group
5. SecurityGroupIngress:
6. - IpProtocol: tcp
7. FromPort: '22'
8. ToPort: '22'
9. SourceSecurityGroupName: MyAdminSecurityGroup
10. SourceSecurityGroupOwnerId: '1111-2222-3333'
11. - IpProtocol: tcp
12. FromPort: '80'
13. ToPort: '80'
14. SourceSecurityGroupName:
15. Ref: MySecurityGroupCreatedInCFNTemplate
```
### Creazione di un gruppo di sicurezza con regole di ingresso per l’accesso HTTP e SSH da intervalli CIDR specificati
Il seguente frammento crea un gruppo di sicurezza per un’istanza Amazon EC2 con due regole in entrata. Le regole in entrata consentono il traffico TCP in ingresso sulle porte specificate dagli intervalli CIDR designati. Viene utilizzata una [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html)risorsa per specificare le regole. È possibile specificare un protocollo per ciascuna regola. Per TCP, è necessario anche specificare una porta o un intervallo di porte. Se non si specifica un gruppo di sicurezza di origine o un intervallo CIDR, lo stack verrà avviato correttamente, ma la regola non verrà applicata al gruppo di sicurezza.
Per ulteriori informazioni sui gruppi di sicurezza, consulta [Amazon EC2 security groups for your Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) nella *Guida per l’utente di Amazon EC2*.
#### JSON
```
1. "ServerSecurityGroup": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "Allow connections from specified CIDR ranges",
5. "SecurityGroupIngress": [
6. {
7. "IpProtocol": "tcp",
8. "FromPort": "80",
9. "ToPort": "80",
10. "CidrIp": "192.0.2.0/24"
11. },
12. {
13. "IpProtocol": "tcp",
14. "FromPort": "22",
15. "ToPort": "22",
16. "CidrIp": "192.0.2.0/24"
17. }
18. ]
19. }
20. }
```
#### YAML
```
1. ServerSecurityGroup:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: Allow connections from specified CIDR ranges
5. SecurityGroupIngress:
6. - IpProtocol: tcp
7. FromPort: 80
8. ToPort: 80
9. CidrIp: 192.0.2.0/24
10. - IpProtocol: tcp
11. FromPort: 22
12. ToPort: 22
13. CidrIp: 192.0.2.0/24
```
### Crea gruppi di sicurezza con riferimenti incrociati e regole di ingresso
Il seguente frammento utilizza la [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html)risorsa per creare due gruppi di sicurezza Amazon EC2 e. `SGroup1` `SGroup2` [Le regole di ingresso che consentono la comunicazione tra i due gruppi di sicurezza vengono create utilizzando la risorsa Ingress. AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroupingress.html) `SGroup1Ingress`stabilisce una regola di ingresso `SGroup1` che consente il traffico TCP in entrata sulla porta 80 dal gruppo di sicurezza di origine,. `SGroup2` `SGroup2Ingress`stabilisce una regola di ingresso `SGroup2` che consente il traffico TCP in entrata sulla porta 80 dal gruppo di sicurezza di origine,. `SGroup1`
#### JSON
```
1. "SGroup1": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "EC2 instance access"
5. }
6. },
7. "SGroup2": {
8. "Type": "AWS::EC2::SecurityGroup",
9. "Properties": {
10. "GroupDescription": "EC2 instance access"
11. }
12. },
13. "SGroup1Ingress": {
14. "Type": "AWS::EC2::SecurityGroupIngress",
15. "Properties": {
16. "GroupName": {
17. "Ref": "SGroup1"
18. },
19. "IpProtocol": "tcp",
20. "ToPort": "80",
21. "FromPort": "80",
22. "SourceSecurityGroupName": {
23. "Ref": "SGroup2"
24. }
25. }
26. },
27. "SGroup2Ingress": {
28. "Type": "AWS::EC2::SecurityGroupIngress",
29. "Properties": {
30. "GroupName": {
31. "Ref": "SGroup2"
32. },
33. "IpProtocol": "tcp",
34. "ToPort": "80",
35. "FromPort": "80",
36. "SourceSecurityGroupName": {
37. "Ref": "SGroup1"
38. }
39. }
40. }
```
#### YAML
```
1. SGroup1:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: EC2 Instance access
5. SGroup2:
6. Type: AWS::EC2::SecurityGroup
7. Properties:
8. GroupDescription: EC2 Instance access
9. SGroup1Ingress:
10. Type: AWS::EC2::SecurityGroupIngress
11. Properties:
12. GroupName: !Ref SGroup1
13. IpProtocol: tcp
14. ToPort: 80
15. FromPort: 80
16. SourceSecurityGroupName: !Ref SGroup2
17. SGroup2Ingress:
18. Type: AWS::EC2::SecurityGroupIngress
19. Properties:
20. GroupName: !Ref SGroup2
21. IpProtocol: tcp
22. ToPort: 80
23. FromPort: 80
24. SourceSecurityGroupName: !Ref SGroup1
```
## Creazione di un Elastic Load Balancer con una regola di ingresso al gruppo di sicurezza
Il modello seguente crea una [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html)risorsa nella zona di disponibilità specificata. La [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html)risorsa è configurata per ascoltare il traffico HTTP sulla porta 80 e indirizzare le richieste alle istanze anche sulla porta 80. Elastic Load Balancer è responsabile del bilanciamento del carico del traffico HTTP in entrata tra le istanze.
Inoltre, questo modello genera una [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html)risorsa associata al load balancer. Questo gruppo di sicurezza viene creato con un’unica regola di ingresso, descritta come `ELB ingress group`, che consente il traffico TCP in entrata sulla porta 80. L’origine di questa regola di ingresso viene definita utilizzando la funzione `Fn::GetAtt` per recuperare gli attributi dalla risorsa di bilanciamento del carico. `SourceSecurityGroupOwnerId` utilizza `Fn::GetAtt` per ottenere l’`OwnerAlias` del gruppo di sicurezza di origine del bilanciatore del carico. `SourceSecurityGroupName` utilizza `Fn::Getatt` per ottenere il `GroupName` del gruppo di sicurezza di origine dell’ELB.
Questa configurazione garantisce una comunicazione sicura tra l’ELB e le istanze.
Per ulteriori informazioni su Elastic Load Balancing, consulta la [Guida per l’utente di Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyELB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"aa-example-1a"
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}
]
}
},
"MyELBIngressGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "ELB ingress group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"SourceSecurityGroupOwnerId": {
"Fn::GetAtt": [
"MyELB",
"SourceSecurityGroup.OwnerAlias"
]
},
"SourceSecurityGroupName": {
"Fn::GetAtt": [
"MyELB",
"SourceSecurityGroup.GroupName"
]
}
}
]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- aa-example-1a
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
MyELBIngressGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB ingress group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupOwnerId:
Fn::GetAtt:
- MyELB
- SourceSecurityGroup.OwnerAlias
SourceSecurityGroupName:
Fn::GetAtt:
- MyELB
- SourceSecurityGroup.GroupName
```
# Alloca e associa indirizzi IP elastici con CloudFormation
I seguenti frammenti di modello sono esempi relativi agli indirizzi IP elastici (EIP) in Amazon EC2. Questi esempi riguardano l'allocazione, l'associazione e la gestione delle istanze. EIPs
**Topics**
+ [Allocazione di un indirizzo IP elastico e relativa associazione a un’istanza Amazon EC2](#scenario-ec2-eip)
+ [Associazione di un indirizzo IP elastico a un’istanza Amazon EC2 specificando l’indirizzo IP](#scenario-ec2-eip-association)
+ [Associazione di un indirizzo IP elastico a un’istanza Amazon EC2 specificando l’ID di allocazione dell’indirizzo IP](#scenario-ec2-eip-association-vpc)
## Allocazione di un indirizzo IP elastico e relativa associazione a un’istanza Amazon EC2
Il seguente frammento alloca un indirizzo Amazon EC2 Elastic IP (EIP) e lo associa a un'istanza Amazon EC2 utilizzando una risorsa. [AWS::EC2::EIP ](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) [Puoi allocare un indirizzo EIP da un pool di indirizzi di proprietà AWS o proveniente da un pool di indirizzi creato da un intervallo di indirizzi pubblico da te utilizzato AWS per utilizzarlo con AWS le tue risorse utilizzando i tuoi IPv4 indirizzi IP personali (BYOIP).](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) In questo esempio, l'EIP viene allocato da un pool di indirizzi di proprietà di. AWS
Per maggiori informazioni sugli indirizzi IP elastici, consulta [Indirizzo IP elastico](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) nella *Guida per l’utente di Amazon EC2*.
### JSON
```
1. "ElasticIP": {
2. "Type": "AWS::EC2::EIP",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. }
7. }
8. }
```
### YAML
```
1. ElasticIP:
2. Type: AWS::EC2::EIP
3. Properties:
4. InstanceId: !Ref EC2Instance
```
## Associazione di un indirizzo IP elastico a un’istanza Amazon EC2 specificando l’indirizzo IP
Il seguente frammento associa un indirizzo IP elastico Amazon EC2 esistente a un'istanza EC2 utilizzando una risorsa [AWS](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html): :EC2::. EIPAssociation Per utilizzare un indirizzo IP elastico, occorre prima allocarlo per l’uso nel proprio account. Un indirizzo IP elastico può essere associato a un’istanza singola.
### JSON
```
1. "IPAssoc": {
2. "Type": "AWS::EC2::EIPAssociation",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. },
7. "EIP": "192.0.2.0"
8. }
9. }
```
### YAML
```
1. IPAssoc:
2. Type: AWS::EC2::EIPAssociation
3. Properties:
4. InstanceId: !Ref EC2Instance
5. EIP: 192.0.2.0
```
## Associazione di un indirizzo IP elastico a un’istanza Amazon EC2 specificando l’ID di allocazione dell’indirizzo IP
[Il seguente frammento associa un indirizzo IP elastico esistente a un'istanza Amazon EC2 specificando l'ID di allocazione utilizzando una risorsa AWS: :EC2::. EIPAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) Un ID di allocazione viene assegnato a un indirizzo IP elastico al momento dell’allocazione dell’indirizzo IP elastico.
### JSON
```
1. "IPAssoc": {
2. "Type": "AWS::EC2::EIPAssociation",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. },
7. "AllocationId": "eipalloc-1234567890abcdef0"
8. }
9. }
```
### YAML
```
1. IPAssoc:
2. Type: AWS::EC2::EIPAssociation
3. Properties:
4. InstanceId: !Ref EC2Instance
5. AllocationId: eipalloc-1234567890abcdef0
```
# Configura le risorse Amazon VPC con CloudFormation
Questa sezione fornisce esempi per configurare le risorse Amazon VPC utilizzando. CloudFormation VPCsconsentono di creare una rete virtuale all'interno AWS di una rete virtuale e questi frammenti mostrano come configurare alcuni aspetti per VPCs soddisfare i requisiti di rete.
**Topics**
+ [Abilita l'accesso a Internet IPv6 solo in uscita in un VPC](#quickref-ec2-route-egressonlyinternetgateway)
+ [Frammenti di modello di interfaccia di rete elastica (ENI)](#cfn-template-snippets-eni)
## Abilita l'accesso a Internet IPv6 solo in uscita in un VPC
Un gateway Internet solo in uscita consente alle istanze all’interno di un VPC di accedere a Internet e impedire che le risorse su Internet comunichino con le istanze. Il seguente frammento consente l'accesso a Internet IPv6 solo in uscita dall'interno di un VPC. Crea un VPC con un intervallo di IPv4 indirizzi `10.0.0/16` utilizzando una risorsa [AWS: :EC2: :VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html). Una tabella di routing è associata a questa risorsa VPC utilizzando una [AWS::EC2::RouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-routetable.html)risorsa. La tabella di routing gestisce i percorsi per le istanze all’interno del VPC. An [AWS::EC2::EgressOnlyInternetGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-egressonlyinternetgateway.html)viene utilizzato per creare un gateway Internet solo in uscita per consentire la IPv6 comunicazione per il traffico in uscita dalle istanze all'interno del VPC, impedendo al contempo il traffico in entrata. Viene specificata una [AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-route.html)risorsa per creare un IPv6 percorso nella tabella delle rotte che indirizza tutto il traffico in uscita () verso il gateway Internet di sola uscita IPv6. `::/0`
*Per ulteriori informazioni sui gateway Internet solo in uscita, consulta [Abilitare il IPv6 traffico in uscita utilizzando un gateway Internet solo in uscita nella Amazon VPC User](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html) Guide.*
### JSON
```
"DefaultIpv6Route": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationIpv6CidrBlock": "::/0",
"EgressOnlyInternetGatewayId": {
"Ref": "EgressOnlyInternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
}
},
"EgressOnlyInternetGateway": {
"Type": "AWS::EC2::EgressOnlyInternetGateway",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
}
```
### YAML
```
DefaultIpv6Route:
Type: AWS::EC2::Route
Properties:
DestinationIpv6CidrBlock: "::/0"
EgressOnlyInternetGatewayId:
Ref: "EgressOnlyInternetGateway"
RouteTableId:
Ref: "RouteTable"
EgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId:
Ref: "VPC"
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: "VPC"
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: "10.0.0.0/16"
```
## Frammenti di modello di interfaccia di rete elastica (ENI)
### Crea un'istanza Amazon EC2 con interfacce di rete elastiche collegate () ENIs
Il seguente frammento di esempio crea un’istanza Amazon EC2 utilizzando una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) nella sottorete e nell’Amazon VPC specificati. Collega due interfacce di rete (ENIs) all'istanza, associa gli indirizzi IP elastici alle istanze tramite l'interfaccia allegata ENIs e configura il gruppo di sicurezza per l'accesso SSH e HTTP. I dati utente vengono forniti all’istanza come parte della configurazione di avvio al momento della creazione dell’istanza. I dati utente includono uno script codificato in formato `base64` per garantire che venga passato all’istanza. All’avvio dell’istanza, lo script viene eseguito automaticamente come parte del processo di bootstrap. Installa `ec2-net-utils`, configura le interfacce di rete e avvia il servizio HTTP.
Per determinare l’Amazon Machine Image (AMI) appropriata in base alla Regione selezionata, il frammento utilizza una funzione `Fn::FindInMap` che cerca i valori in una mappatura `RegionMap`. Questa mappatura deve essere definita nel modello più grande. Le due interfacce di rete vengono create utilizzando risorse [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html). Gli indirizzi IP elastici vengono specificati utilizzando risorse [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) allocate al dominio `vpc`. Questi indirizzi IP elastici sono associati alle interfacce di rete utilizzando risorse [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html).
La sezione `Outputs` definisce i valori o le risorse a cui si desidera accedere dopo la creazione dello stack. In questo frammento, l’output definito è `InstancePublicIp`, che rappresenta l’indirizzo IP pubblico dell’istanza EC2 creata dallo stack. **[È possibile recuperare questo output nella scheda Output della CloudFormation console o utilizzando il comando describe-stacks.](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-stacks.html)**
Per ulteriori informazioni sulle interfacce di rete elastiche, consulta [Interfacce di rete Elastiche](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html).
#### JSON
```
"Resources": {
"ControlPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateControlPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"ControlPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "controlXface"
}
}
},
"WebPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateWebPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"WebPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "webXface"
}
}
},
"SSHSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"IpProtocol": "tcp",
"ToPort": 22
}
]
}
},
"WebSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable HTTP access via user-defined port",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 80,
"IpProtocol": "tcp",
"ToPort": 80
}
]
}
},
"controlXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for controlling traffic such as SSH",
"GroupSet": [
{
"Fn::GetAtt": [
"SSHSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Control"
}
]
}
},
"webXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for web traffic",
"GroupSet": [
{
"Fn::GetAtt": [
"WebSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Web"
}
]
}
},
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"KeyName": {
"Ref": "KeyName"
},
"NetworkInterfaces": [
{
"NetworkInterfaceId": {
"Ref": "controlXface"
},
"DeviceIndex": "0"
},
{
"NetworkInterfaceId": {
"Ref": "webXface"
},
"DeviceIndex": "1"
}
],
"Tags": [
{
"Key": "Role",
"Value": "Test Instance"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n"
}
}
}
}
},
"Outputs": {
"InstancePublicIp": {
"Description": "Public IP Address of the EC2 Instance",
"Value": {
"Fn::GetAtt": [
"Ec2Instance",
"PublicIp"
]
}
}
}
```
#### YAML
```
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- ControlPortAddress
- AllocationId
NetworkInterfaceId:
Ref: controlXface
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- WebPortAddress
- AllocationId
NetworkInterfaceId:
Ref: webXface
SSHSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable HTTP access via user-defined port
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- Fn::GetAtt:
- SSHSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Control
webXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for web traffic
GroupSet:
- Fn::GetAtt:
- WebSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Web
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
NetworkInterfaces:
- NetworkInterfaceId:
Ref: controlXface
DeviceIndex: "0"
- NetworkInterfaceId:
Ref: webXface
DeviceIndex: "1"
Tags:
- Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start
Outputs:
InstancePublicIp:
Description: Public IP Address of the EC2 Instance
Value:
Fn::GetAtt:
- Ec2Instance
- PublicIp
```
# Modelli di esempio di Amazon Elastic Container Service
Amazon Elastic Container Service (Amazon ECS) è un servizio di gestione dei container che facilita l’esecuzione, l’arresto e la gestione di container Docker in un cluster di istanze Amazon Elastic Compute Cloud (Amazon EC2).
## Crea un cluster con AL2023 Amazon ECS-Optimized-AMI
Definisci un cluster con un provider di capacità che avvia istanze AL2023 su Amazon EC2.
**Importante**
Per l'AMI più recente IDs, consulta l'AMI ottimizzata per [Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) nella *Amazon Elastic Container Service Developer Guide*.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks.",
"Parameters": {
"InstanceType": {
"Type": "String",
"Description": "EC2 instance type",
"Default": "t2.medium",
"AllowedValues": [
"t1.micro",
"t2.2xlarge",
"t2.large",
"t2.medium",
"t2.micro",
"t2.nano",
"t2.small",
"t2.xlarge",
"t3.2xlarge",
"t3.large",
"t3.medium",
"t3.micro",
"t3.nano",
"t3.small",
"t3.xlarge"
]
},
"DesiredCapacity": {
"Type": "Number",
"Default": "0",
"Description": "Number of EC2 instances to launch in your ECS cluster."
},
"MaxSize": {
"Type": "Number",
"Default": "100",
"Description": "Maximum number of EC2 instances that can be launched in your ECS cluster."
},
"ECSAMI": {
"Description": "The Amazon Machine Image ID used for the cluster",
"Type": "AWS::SSM::Parameter::Value",
"Default": "/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id"
},
"VpcId": {
"Type": "AWS::EC2::VPC::Id",
"Description": "VPC ID where the ECS cluster is launched",
"Default": "vpc-1234567890abcdef0"
},
"SubnetIds": {
"Type": "List",
"Description": "List of subnet IDs where the EC2 instances will be launched",
"Default": "subnet-021345abcdef67890"
}
},
"Resources": {
"ECSCluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterSettings": [
{
"Name": "containerInsights",
"Value": "enabled"
}
]
}
},
"ECSAutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": [
"ECSCluster",
"EC2Role"
],
"Properties": {
"VPCZoneIdentifier": {
"Ref": "SubnetIds"
},
"LaunchTemplate": {
"LaunchTemplateId": {
"Ref": "ContainerInstances"
},
"Version": {
"Fn::GetAtt": [
"ContainerInstances",
"LatestVersionNumber"
]
}
},
"MinSize": 0,
"MaxSize": {
"Ref": "MaxSize"
},
"DesiredCapacity": {
"Ref": "DesiredCapacity"
},
"NewInstancesProtectedFromScaleIn": true
},
"UpdatePolicy": {
"AutoScalingReplacingUpdate": {
"WillReplace": "true"
}
}
},
"ContainerInstances": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "asg-launch-template",
"LaunchTemplateData": {
"ImageId": {
"Ref": "ECSAMI"
},
"InstanceType": {
"Ref": "InstanceType"
},
"IamInstanceProfile": {
"Name": {
"Ref": "EC2InstanceProfile"
}
},
"SecurityGroupIds": [
{
"Ref": "ContainerHostSecurityGroup"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\n echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config\n yum install -y aws-cfn-bootstrap\n /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &\n"
}
},
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "required"
}
}
}
},
"EC2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "EC2Role"
}
]
}
},
"CapacityProvider": {
"Type": "AWS::ECS::CapacityProvider",
"Properties": {
"AutoScalingGroupProvider": {
"AutoScalingGroupArn": {
"Ref": "ECSAutoScalingGroup"
},
"ManagedScaling": {
"InstanceWarmupPeriod": 60,
"MinimumScalingStepSize": 1,
"MaximumScalingStepSize": 100,
"Status": "ENABLED",
"TargetCapacity": 100
},
"ManagedTerminationProtection": "ENABLED"
}
}
},
"CapacityProviderAssociation": {
"Type": "AWS::ECS::ClusterCapacityProviderAssociations",
"Properties": {
"CapacityProviders": [
{
"Ref": "CapacityProvider"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"DefaultCapacityProviderStrategy": [
{
"Base": 0,
"CapacityProvider": {
"Ref": "CapacityProvider"
},
"Weight": 1
}
]
}
},
"ContainerHostSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Access to the EC2 hosts that run containers",
"VpcId": {
"Ref": "VpcId"
}
}
},
"EC2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
}
},
"ECSTaskExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs-tasks.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*"
}
},
"StringEquals": {
"aws:SourceAccount": {
"Fn::Sub": "${AWS::AccountId}"
}
}
}
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
]
}
}
},
"Outputs": {
"ClusterName": {
"Description": "The ECS cluster into which to launch resources",
"Value": "ECSCluster"
},
"ECSTaskExecutionRole": {
"Description": "The role used to start up a task",
"Value": "ECSTaskExecutionRole"
},
"CapacityProvider": {
"Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task",
"Value": "CapacityProvider"
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: EC2 ECS cluster that starts out empty, with no EC2 instances yet.
An ECS capacity provider automatically launches more EC2 instances as required
on the fly when you request ECS to launch services or standalone tasks.
Parameters:
InstanceType:
Type: String
Description: EC2 instance type
Default: "t2.medium"
AllowedValues:
- t1.micro
- t2.2xlarge
- t2.large
- t2.medium
- t2.micro
- t2.nano
- t2.small
- t2.xlarge
- t3.2xlarge
- t3.large
- t3.medium
- t3.micro
- t3.nano
- t3.small
- t3.xlarge
DesiredCapacity:
Type: Number
Default: "0"
Description: Number of EC2 instances to launch in your ECS cluster.
MaxSize:
Type: Number
Default: "100"
Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
ECSAMI:
Description: The Amazon Machine Image ID used for the cluster
Type: AWS::SSM::Parameter::Value
Default: /aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id
VpcId:
Type: AWS::EC2::VPC::Id
Description: VPC ID where the ECS cluster is launched
Default: vpc-1234567890abcdef0
SubnetIds:
Type: List
Description: List of subnet IDs where the EC2 instances will be launched
Default: "subnet-021345abcdef67890"
Resources:
# This is authorizes ECS to manage resources on your
# account on your behalf. This role is likely already created on your account
# ECSRole:
# Type: AWS::IAM::ServiceLinkedRole
# Properties:
# AWSServiceName: 'ecs.amazonaws.com'
# ECS Resources
ECSCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterSettings:
- Name: containerInsights
Value: enabled
# Autoscaling group. This launches the actual EC2 instances that will register
# themselves as members of the cluster, and run the docker containers.
ECSAutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
# This is to ensure that the ASG gets deleted first before these
# resources, when it comes to stack teardown.
- ECSCluster
- EC2Role
Properties:
VPCZoneIdentifier:
Ref: SubnetIds
LaunchTemplate:
LaunchTemplateId: !Ref ContainerInstances
Version: !GetAtt ContainerInstances.LatestVersionNumber
MinSize: 0
MaxSize:
Ref: MaxSize
DesiredCapacity:
Ref: DesiredCapacity
NewInstancesProtectedFromScaleIn: true
UpdatePolicy:
AutoScalingReplacingUpdate:
WillReplace: "true"
# The config for each instance that is added to the cluster
ContainerInstances:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: "asg-launch-template"
LaunchTemplateData:
ImageId:
Ref: ECSAMI
InstanceType:
Ref: InstanceType
IamInstanceProfile:
Name: !Ref EC2InstanceProfile
SecurityGroupIds:
- !Ref ContainerHostSecurityGroup
# This injected configuration file is how the EC2 instance
# knows which ECS cluster on your AWS account it should be joining
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &
# Disable IMDSv1, and require IMDSv2
MetadataOptions:
HttpEndpoint: enabled
HttpTokens: required
EC2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref EC2Role
# Create an ECS capacity provider to attach the ASG to the ECS cluster
# so that it autoscales as we launch more containers
CapacityProvider:
Type: AWS::ECS::CapacityProvider
Properties:
AutoScalingGroupProvider:
AutoScalingGroupArn: !Ref ECSAutoScalingGroup
ManagedScaling:
InstanceWarmupPeriod: 60
MinimumScalingStepSize: 1
MaximumScalingStepSize: 100
Status: ENABLED
# Percentage of cluster reservation to try to maintain
TargetCapacity: 100
ManagedTerminationProtection: ENABLED
# Create a cluster capacity provider assocation so that the cluster
# will use the capacity provider
CapacityProviderAssociation:
Type: AWS::ECS::ClusterCapacityProviderAssociations
Properties:
CapacityProviders:
- !Ref CapacityProvider
Cluster: !Ref ECSCluster
DefaultCapacityProviderStrategy:
- Base: 0
CapacityProvider: !Ref CapacityProvider
Weight: 1
# A security group for the EC2 hosts that will run the containers.
# This can be used to limit incoming traffic to or outgoing traffic
# from the container's host EC2 instance.
ContainerHostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the EC2 hosts that run containers
VpcId:
Ref: VpcId
# Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts
# to communciate with the ECS control plane, as well as download the docker
# images from ECR to run on your host.
EC2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
# See reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerServiceforEC2Role
- arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
# This managed policy allows us to connect to the instance using SSM
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
# This is a role which is used within Fargate to allow the Fargate agent
# to download images, and upload logs.
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- sts:AssumeRole
Condition:
ArnLike:
aws:SourceArn: !Sub arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*
StringEquals:
aws:SourceAccount: !Sub ${AWS::AccountId}
Path: /
# This role enables all features of ECS. See reference:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonECSTaskExecutionRolePolicy
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Outputs:
ClusterName:
Description: The ECS cluster into which to launch resources
Value: ECSCluster
ECSTaskExecutionRole:
Description: The role used to start up a task
Value: ECSTaskExecutionRole
CapacityProvider:
Description: The cluster capacity provider that the service should use to
request capacity when it wants to start up a task
Value: CapacityProvider
```
## Implementa un servizio
Il modello seguente definisce un servizio che utilizza il provider di capacità per richiedere la AL2023 capacità su cui funzionare. I contenitori verranno avviati sulle AL2023 istanze non appena saranno online:
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "An example service that deploys in AWS VPC networking mode on EC2 capacity. Service uses a capacity provider to request EC2 instances to run on. Service runs with networking in private subnets, but still accessible to the internet via a load balancer hosted in public subnets.",
"Parameters": {
"VpcId": {
"Type": "String",
"Description": "The VPC that the service is running inside of"
},
"PublicSubnetIds": {
"Type": "List",
"Description": "List of public subnet ID's to put the load balancer in"
},
"PrivateSubnetIds": {
"Type": "List",
"Description": "List of private subnet ID's that the AWS VPC tasks are in"
},
"ClusterName": {
"Type": "String",
"Description": "The name of the ECS cluster into which to launch capacity."
},
"ECSTaskExecutionRole": {
"Type": "String",
"Description": "The role used to start up an ECS task"
},
"CapacityProvider": {
"Type": "String",
"Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task"
},
"ServiceName": {
"Type": "String",
"Default": "web",
"Description": "A name for the service"
},
"ImageUrl": {
"Type": "String",
"Default": "public.ecr.aws/docker/library/nginx:latest",
"Description": "The url of a docker image that contains the application process that will handle the traffic for this service"
},
"ContainerCpu": {
"Type": "Number",
"Default": 256,
"Description": "How much CPU to give the container. 1024 is 1 CPU"
},
"ContainerMemory": {
"Type": "Number",
"Default": 512,
"Description": "How much memory in megabytes to give the container"
},
"ContainerPort": {
"Type": "Number",
"Default": 80,
"Description": "What port that the application expects traffic on"
},
"DesiredCount": {
"Type": "Number",
"Default": 2,
"Description": "How many copies of the service task to run"
}
},
"Resources": {
"TaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"Family": {
"Ref": "ServiceName"
},
"Cpu": {
"Ref": "ContainerCpu"
},
"Memory": {
"Ref": "ContainerMemory"
},
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"EC2"
],
"ExecutionRoleArn": {
"Ref": "ECSTaskExecutionRole"
},
"ContainerDefinitions": [
{
"Name": {
"Ref": "ServiceName"
},
"Cpu": {
"Ref": "ContainerCpu"
},
"Memory": {
"Ref": "ContainerMemory"
},
"Image": {
"Ref": "ImageUrl"
},
"PortMappings": [
{
"ContainerPort": {
"Ref": "ContainerPort"
},
"HostPort": {
"Ref": "ContainerPort"
}
}
],
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"mode": "non-blocking",
"max-buffer-size": "25m",
"awslogs-group": {
"Ref": "LogGroup"
},
"awslogs-region": {
"Ref": "AWS::Region"
},
"awslogs-stream-prefix": {
"Ref": "ServiceName"
}
}
}
}
]
}
},
"Service": {
"Type": "AWS::ECS::Service",
"DependsOn": "PublicLoadBalancerListener",
"Properties": {
"ServiceName": {
"Ref": "ServiceName"
},
"Cluster": {
"Ref": "ClusterName"
},
"PlacementStrategies": [
{
"Field": "attribute:ecs.availability-zone",
"Type": "spread"
},
{
"Field": "cpu",
"Type": "binpack"
}
],
"CapacityProviderStrategy": [
{
"Base": 0,
"CapacityProvider": {
"Ref": "CapacityProvider"
},
"Weight": 1
}
],
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"SecurityGroups": [
{
"Ref": "ServiceSecurityGroup"
}
],
"Subnets": {
"Ref": "PrivateSubnetIds"
}
}
},
"DeploymentConfiguration": {
"MaximumPercent": 200,
"MinimumHealthyPercent": 75
},
"DesiredCount": {
"Ref": "DesiredCount"
},
"TaskDefinition": {
"Ref": "TaskDefinition"
},
"LoadBalancers": [
{
"ContainerName": {
"Ref": "ServiceName"
},
"ContainerPort": {
"Ref": "ContainerPort"
},
"TargetGroupArn": {
"Ref": "ServiceTargetGroup"
}
}
]
}
},
"ServiceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for service",
"VpcId": {
"Ref": "VpcId"
}
}
},
"ServiceTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"HealthCheckIntervalSeconds": 6,
"HealthCheckPath": "/",
"HealthCheckProtocol": "HTTP",
"HealthCheckTimeoutSeconds": 5,
"HealthyThresholdCount": 2,
"TargetType": "ip",
"Port": {
"Ref": "ContainerPort"
},
"Protocol": "HTTP",
"UnhealthyThresholdCount": 10,
"VpcId": {
"Ref": "VpcId"
},
"TargetGroupAttributes": [
{
"Key": "deregistration_delay.timeout_seconds",
"Value": 0
}
]
}
},
"PublicLoadBalancerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Access to the public facing load balancer",
"VpcId": {
"Ref": "VpcId"
},
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": -1
}
]
}
},
"PublicLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Scheme": "internet-facing",
"LoadBalancerAttributes": [
{
"Key": "idle_timeout.timeout_seconds",
"Value": "30"
}
],
"Subnets": {
"Ref": "PublicSubnetIds"
},
"SecurityGroups": [
{
"Ref": "PublicLoadBalancerSG"
}
]
}
},
"PublicLoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"ForwardConfig": {
"TargetGroups": [
{
"TargetGroupArn": {
"Ref": "ServiceTargetGroup"
},
"Weight": 100
}
]
}
}
],
"LoadBalancerArn": {
"Ref": "PublicLoadBalancer"
},
"Port": 80,
"Protocol": "HTTP"
}
},
"ServiceIngressfromLoadBalancer": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"Description": "Ingress from the public ALB",
"GroupId": {
"Ref": "ServiceSecurityGroup"
},
"IpProtocol": -1,
"SourceSecurityGroupId": {
"Ref": "PublicLoadBalancerSG"
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup"
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
An example service that deploys in AWS VPC networking mode on EC2 capacity.
Service uses a capacity provider to request EC2 instances to run on. Service
runs with networking in private subnets, but still accessible to the internet
via a load balancer hosted in public subnets.
Parameters:
VpcId:
Type: String
Description: The VPC that the service is running inside of
PublicSubnetIds:
Type: 'List'
Description: List of public subnet ID's to put the load balancer in
PrivateSubnetIds:
Type: 'List'
Description: List of private subnet ID's that the AWS VPC tasks are in
ClusterName:
Type: String
Description: The name of the ECS cluster into which to launch capacity.
ECSTaskExecutionRole:
Type: String
Description: The role used to start up an ECS task
CapacityProvider:
Type: String
Description: >-
The cluster capacity provider that the service should use to request
capacity when it wants to start up a task
ServiceName:
Type: String
Default: web
Description: A name for the service
ImageUrl:
Type: String
Default: 'public.ecr.aws/docker/library/nginx:latest'
Description: >-
The url of a docker image that contains the application process that will
handle the traffic for this service
ContainerCpu:
Type: Number
Default: 256
Description: How much CPU to give the container. 1024 is 1 CPU
ContainerMemory:
Type: Number
Default: 512
Description: How much memory in megabytes to give the container
ContainerPort:
Type: Number
Default: 80
Description: What port that the application expects traffic on
DesiredCount:
Type: Number
Default: 2
Description: How many copies of the service task to run
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Ref ServiceName
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- EC2
ExecutionRoleArn: !Ref ECSTaskExecutionRole
ContainerDefinitions:
- Name: !Ref ServiceName
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
Image: !Ref ImageUrl
PortMappings:
- ContainerPort: !Ref ContainerPort
HostPort: !Ref ContainerPort
LogConfiguration:
LogDriver: awslogs
Options:
mode: non-blocking
max-buffer-size: 25m
awslogs-group: !Ref LogGroup
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Ref ServiceName
Service:
Type: AWS::ECS::Service
DependsOn: PublicLoadBalancerListener
Properties:
ServiceName: !Ref ServiceName
Cluster: !Ref ClusterName
PlacementStrategies:
- Field: 'attribute:ecs.availability-zone'
Type: spread
- Field: cpu
Type: binpack
CapacityProviderStrategy:
- Base: 0
CapacityProvider: !Ref CapacityProvider
Weight: 1
NetworkConfiguration:
AwsvpcConfiguration:
SecurityGroups:
- !Ref ServiceSecurityGroup
Subnets: !Ref PrivateSubnetIds
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 75
DesiredCount: !Ref DesiredCount
TaskDefinition: !Ref TaskDefinition
LoadBalancers:
- ContainerName: !Ref ServiceName
ContainerPort: !Ref ContainerPort
TargetGroupArn: !Ref ServiceTargetGroup
ServiceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for service
VpcId: !Ref VpcId
ServiceTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 6
HealthCheckPath: /
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
TargetType: ip
Port: !Ref ContainerPort
Protocol: HTTP
UnhealthyThresholdCount: 10
VpcId: !Ref VpcId
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: 0
PublicLoadBalancerSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the public facing load balancer
VpcId: !Ref VpcId
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: -1
PublicLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '30'
Subnets: !Ref PublicSubnetIds
SecurityGroups:
- !Ref PublicLoadBalancerSG
PublicLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ServiceTargetGroup
Weight: 100
LoadBalancerArn: !Ref PublicLoadBalancer
Port: 80
Protocol: HTTP
ServiceIngressfromLoadBalancer:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Ingress from the public ALB
GroupId: !Ref ServiceSecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref PublicLoadBalancerSG
LogGroup:
Type: AWS::Logs::LogGroup
```
# Modello di esempio Amazon Elastic File System
Amazon Elastic File System (Amazon EFS) è un servizio di storage di file per istanze Amazon Elastic Compute Cloud (Amazon EC2). Con Amazon EFS le tue applicazioni dispongono di storage quando serve, perché la capacità di storage aumenta e si riduce automaticamente con l'aggiunta e la rimozione di file.
Il seguente modello di esempio distribuisce EC2 istanze (in un gruppo Auto Scaling) associate a un file system Amazon EFS. Per associare le istanze al file system, le istanze eseguono lo script helper cfn-init, che scarica e installa il pacchetto yum `nfs-utils`, crea una nuova directory e quindi utilizza il nome DNS del file system per montare il file system in tale directory. Il nome DNS del file system si risolve nell'indirizzo IP di una destinazione di montaggio nella zona di disponibilità dell' EC2istanza Amazon. Per ulteriori informazioni sulla struttura del nome DNS, consulta [Montaggio del file system](https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html) nella *Guida per l'utente di Amazon Elastic File System*.
Per misurare l'attività del Network File System, il modello include CloudWatch metriche Amazon personalizzate. Crea inoltre un VPC, una sottorete e i gruppi di sicurezza. Per consentire alle istanze di comunicare con il file system, il VPC deve avere il DNS abilitato e la destinazione di montaggio e EC2 le istanze devono trovarsi nella stessa zona di disponibilità (AZ), specificata dalla sottorete.
Il gruppo di sicurezza del target di montaggio consente una connessione di rete alla porta TCP 2049, necessaria per consentire a un client di montare un NFSv4 file system. Per ulteriori informazioni sui gruppi di sicurezza per EC2 le istanze e gli obiettivi di montaggio, consulta la sezione [Sicurezza](https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html) nella [https://docs.aws.amazon.com/efs/latest/ug/](https://docs.aws.amazon.com/efs/latest/ug/).
**Nota**
Se effettui un aggiornamento alla destinazione di montaggio che ne causa la sostituzione, le istanze o le applicazioni che utilizzano il file system associato potrebbero venire interrotte. Questo può causare la perdita di scritture non confermate con commit. Per evitare interruzioni, arresta le istanze quando aggiorni la destinazione di montaggio impostando la capacità desiderata su zero. In questo modo le istanze possono disinstallare il file system prima che la destinazione di montaggio venga eliminata. Al termine dell'aggiornamento del montaggio, avvia le istanze in un aggiornamento successivo impostando la capacità desiderata.
## JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This template creates an Amazon EFS file system and mount target and associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.small",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"KeyName": {
"Type": "AWS::EC2::KeyPair::KeyName",
"Description": "Name of an existing EC2 key pair to enable SSH access to the EC2 instances"
},
"AsgMaxSize": {
"Type": "Number",
"Description": "Maximum size and initial desired capacity of Auto Scaling Group",
"Default": "2"
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to connect to the EC2 instances by using SSH",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"VolumeName" : {
"Description" : "The name to be used for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
},
"MountPoint" : {
"Description" : "The Linux mount point for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.medium" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.medium" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m1.xlarge" : { "Arch" : "HVM64" },
"m2.xlarge" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.medium" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.xlarge" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.xlarge" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c1.medium" : { "Arch" : "HVM64" },
"c1.xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.xlarge" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.xlarge" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"g2.2xlarge" : { "Arch" : "HVMG2" },
"g2.8xlarge" : { "Arch" : "HVMG2" },
"r3.large" : { "Arch" : "HVM64" },
"r3.xlarge" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
"hi1.4xlarge" : { "Arch" : "HVM64" },
"hs1.8xlarge" : { "Arch" : "HVM64" },
"cr1.8xlarge" : { "Arch" : "HVM64" },
"cc2.8xlarge" : { "Arch" : "HVM64" }
},
"AWSRegionArch2AMI" : {
"us-east-1" : {"HVM64" : "ami-0ff8a91507f77f867", "HVMG2" : "ami-0a584ac55a7631c0c"},
"us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" : "ami-0e09505bc235aa82d"},
"us-west-1" : {"HVM64" : "ami-0bdb828fd58c52235", "HVMG2" : "ami-066ee5fd4a9ef77f1"},
"eu-west-1" : {"HVM64" : "ami-047bb4163c506cd98", "HVMG2" : "ami-0a7c483d527806435"},
"eu-west-2" : {"HVM64" : "ami-f976839e", "HVMG2" : "NOT_SUPPORTED"},
"eu-west-3" : {"HVM64" : "ami-0ebc281c20e89ba4b", "HVMG2" : "NOT_SUPPORTED"},
"eu-central-1" : {"HVM64" : "ami-0233214e13e500f77", "HVMG2" : "ami-06223d46a6d0661c7"},
"ap-northeast-1" : {"HVM64" : "ami-06cd52961ce9f0d85", "HVMG2" : "ami-053cdd503598e4a9d"},
"ap-northeast-2" : {"HVM64" : "ami-0a10b2721688ce9d2", "HVMG2" : "NOT_SUPPORTED"},
"ap-northeast-3" : {"HVM64" : "ami-0d98120a9fb693f07", "HVMG2" : "NOT_SUPPORTED"},
"ap-southeast-1" : {"HVM64" : "ami-08569b978cc4dfa10", "HVMG2" : "ami-0be9df32ae9f92309"},
"ap-southeast-2" : {"HVM64" : "ami-09b42976632b27e9b", "HVMG2" : "ami-0a9ce9fecc3d1daf8"},
"ap-south-1" : {"HVM64" : "ami-0912f71e06545ad88", "HVMG2" : "ami-097b15e89dbdcfcf4"},
"us-east-2" : {"HVM64" : "ami-0b59bfac6be064b78", "HVMG2" : "NOT_SUPPORTED"},
"ca-central-1" : {"HVM64" : "ami-0b18956f", "HVMG2" : "NOT_SUPPORTED"},
"sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" : "NOT_SUPPORTED"},
"cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"},
"cn-northwest-1" : {"HVM64" : "ami-6b6a7d09", "HVMG2" : "NOT_SUPPORTED"}
}
},
"Resources": {
"CloudWatchPutMetricsRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"Service" : [ "ec2.amazonaws.com" ]
},
"Action" : [ "sts:AssumeRole" ]
} ]
},
"Path" : "/"
}
},
"CloudWatchPutMetricsRolePolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CloudWatch_PutMetricData",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchPutMetricData",
"Effect": "Allow",
"Action": ["cloudwatch:PutMetricData"],
"Resource": ["*"]
}
]
},
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"CloudWatchPutMetricsInstanceProfile" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"CidrBlock": "10.0.0.0/16",
"Tags": [ {"Key": "Application", "Value": { "Ref": "AWS::StackId"} } ]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"RouteTable":{
"Type":"AWS::EC2::RouteTable",
"Properties":{
"VpcId": {"Ref":"VPC"}
}
},
"SubnetRouteTableAssoc": {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"RouteTableId" : {"Ref":"RouteTable"},
"SubnetId" : {"Ref":"Subnet"}
}
},
"InternetGatewayRoute": {
"Type":"AWS::EC2::Route",
"Properties":{
"DestinationCidrBlock":"0.0.0.0/0",
"RouteTableId":{"Ref":"RouteTable"},
"GatewayId":{"Ref":"InternetGateway"}
}
},
"Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/24",
"Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } } ]
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{ "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": { "Ref": "SSHLocation" } },
{ "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
]
}
},
"MountTargetSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Security group for mount target",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 2049,
"ToPort": 2049,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"PerformanceMode": "generalPurpose",
"FileSystemTags": [
{
"Key": "Name",
"Value": { "Ref" : "VolumeName" }
}
]
}
},
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
},
"LaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"configSets" : {
"MountConfig" : [ "setup", "mount" ]
},
"setup" : {
"packages" : {
"yum" : {
"nfs-utils" : []
}
},
"files" : {
"/home/ec2-user/post_nfsstat" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash\n",
"\n",
"INPUT=\"$(cat)\"\n",
"CW_JSON_OPEN='{ \"Namespace\": \"EFS\", \"MetricData\": [ '\n",
"CW_JSON_CLOSE=' ] }'\n",
"CW_JSON_METRIC=''\n",
"METRIC_COUNTER=0\n",
"\n",
"for COL in 1 2 3 4 5 6; do\n",
"\n",
" COUNTER=0\n",
" METRIC_FIELD=$COL\n",
" DATA_FIELD=$(($COL+($COL-1)))\n",
"\n",
" while read line; do\n",
" if [[ COUNTER -gt 0 ]]; then\n",
"\n",
" LINE=`echo $line | tr -s ' ' `\n",
" AWS_COMMAND=\"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, "\"\n",
" MOD=$(( $COUNTER % 2))\n",
"\n",
" if [ $MOD -eq 1 ]; then\n",
" METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`\n",
" else\n",
" METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`\n",
" fi\n",
"\n",
" if [[ -n \"$METRIC_NAME\" && -n \"$METRIC_VALUE\" ]]; then\n",
" INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n",
" CW_JSON_METRIC=\"$CW_JSON_METRIC { \\\"MetricName\\\": \\\"$METRIC_NAME\\\", \\\"Dimensions\\\": [{\\\"Name\\\": \\\"InstanceId\\\", \\\"Value\\\": \\\"$INSTANCE_ID\\\"} ], \\\"Value\\\": $METRIC_VALUE },\"\n",
" unset METRIC_NAME\n",
" unset METRIC_VALUE\n",
"\n",
" METRIC_COUNTER=$((METRIC_COUNTER+1))\n",
" if [ $METRIC_COUNTER -eq 20 ]; then\n",
" # 20 is max metric collection size, so we have to submit here\n",
" aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\"\n",
"\n",
" # reset\n",
" METRIC_COUNTER=0\n",
" CW_JSON_METRIC=''\n",
" fi\n",
" fi \n",
"\n",
"\n",
"\n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
"\n",
" if [[ \"$line\" == \"Client nfs v4:\" ]]; then\n",
" # the next line is the good stuff \n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
" done <<< \"$INPUT\"\n",
"done\n",
"\n",
"# submit whatever is left\n",
"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\""
] ] },
"mode": "000755",
"owner": "ec2-user",
"group": "ec2-user"
},
"/home/ec2-user/crontab" : {
"content" : { "Fn::Join" : [ "", [
"* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
] ] },
"owner": "ec2-user",
"group": "ec2-user"
}
},
"commands" : {
"01_createdir" : {
"command" : {"Fn::Join" : [ "", [ "mkdir /", { "Ref" : "MountPoint" }]]}
}
}
},
"mount" : {
"commands" : {
"01_mount" : {
"command" : { "Fn::Sub": "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}"}
},
"02_permissions" : {
"command" : {"Fn::Join" : [ "", [ "chown ec2-user:ec2-user /", { "Ref" : "MountPoint" }]]}
}
}
}
}
},
"Properties": {
"AssociatePublicIpAddress" : true,
"ImageId": {
"Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, {
"Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ]
} ]
},
"InstanceType": { "Ref": "InstanceType" },
"KeyName": { "Ref": "KeyName" },
"SecurityGroups": [ { "Ref": "InstanceSecurityGroup" } ],
"IamInstanceProfile" : { "Ref" : "CloudWatchPutMetricsInstanceProfile" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource LaunchConfiguration ",
" --configsets MountConfig ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"crontab /home/ec2-user/crontab\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource AutoScalingGroup ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}}
}
},
"AutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": ["MountTarget", "GatewayToInternet"],
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M",
"Count" : { "Ref": "AsgMaxSize" }
}
},
"Properties": {
"VPCZoneIdentifier": [ { "Ref": "Subnet" } ],
"LaunchConfigurationName": { "Ref": "LaunchConfiguration" },
"MinSize": "1",
"MaxSize": { "Ref": "AsgMaxSize" },
"DesiredCapacity": { "Ref": "AsgMaxSize" },
"Tags": [ {
"Key": "Name",
"Value": "EFS FileSystem Mounted Instance",
"PropagateAtLaunch": "true"
} ]
}
}
},
"Outputs" : {
"MountTargetID" : {
"Description" : "Mount target ID",
"Value" : { "Ref" : "MountTarget" }
},
"FileSystemID" : {
"Description" : "File system ID",
"Value" : { "Ref" : "FileSystem" }
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed
for the AWS resources used if you create a stack from this template.
Parameters:
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t2.small
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Type: AWS::EC2::KeyPair::KeyName
Description: Name of an existing EC2 key pair to enable SSH access to the ECS
instances
AsgMaxSize:
Type: Number
Description: Maximum size and initial desired capacity of Auto Scaling Group
Default: '2'
SSHLocation:
Description: The IP address range that can be used to connect to the EC2 instances
by using SSH
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
VolumeName:
Description: The name to be used for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
MountPoint:
Description: The Linux mount point for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
Mappings:
AWSInstanceType2Arch:
t1.micro:
Arch: HVM64
t2.nano:
Arch: HVM64
t2.micro:
Arch: HVM64
t2.small:
Arch: HVM64
t2.medium:
Arch: HVM64
t2.large:
Arch: HVM64
m1.small:
Arch: HVM64
m1.medium:
Arch: HVM64
m1.large:
Arch: HVM64
m1.xlarge:
Arch: HVM64
m2.xlarge:
Arch: HVM64
m2.2xlarge:
Arch: HVM64
m2.4xlarge:
Arch: HVM64
m3.medium:
Arch: HVM64
m3.large:
Arch: HVM64
m3.xlarge:
Arch: HVM64
m3.2xlarge:
Arch: HVM64
m4.large:
Arch: HVM64
m4.xlarge:
Arch: HVM64
m4.2xlarge:
Arch: HVM64
m4.4xlarge:
Arch: HVM64
m4.10xlarge:
Arch: HVM64
c1.medium:
Arch: HVM64
c1.xlarge:
Arch: HVM64
c3.large:
Arch: HVM64
c3.xlarge:
Arch: HVM64
c3.2xlarge:
Arch: HVM64
c3.4xlarge:
Arch: HVM64
c3.8xlarge:
Arch: HVM64
c4.large:
Arch: HVM64
c4.xlarge:
Arch: HVM64
c4.2xlarge:
Arch: HVM64
c4.4xlarge:
Arch: HVM64
c4.8xlarge:
Arch: HVM64
g2.2xlarge:
Arch: HVMG2
g2.8xlarge:
Arch: HVMG2
r3.large:
Arch: HVM64
r3.xlarge:
Arch: HVM64
r3.2xlarge:
Arch: HVM64
r3.4xlarge:
Arch: HVM64
r3.8xlarge:
Arch: HVM64
i2.xlarge:
Arch: HVM64
i2.2xlarge:
Arch: HVM64
i2.4xlarge:
Arch: HVM64
i2.8xlarge:
Arch: HVM64
d2.xlarge:
Arch: HVM64
d2.2xlarge:
Arch: HVM64
d2.4xlarge:
Arch: HVM64
d2.8xlarge:
Arch: HVM64
hi1.4xlarge:
Arch: HVM64
hs1.8xlarge:
Arch: HVM64
cr1.8xlarge:
Arch: HVM64
cc2.8xlarge:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0ff8a91507f77f867
HVMG2: ami-0a584ac55a7631c0c
us-west-2:
HVM64: ami-a0cfeed8
HVMG2: ami-0e09505bc235aa82d
us-west-1:
HVM64: ami-0bdb828fd58c52235
HVMG2: ami-066ee5fd4a9ef77f1
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
eu-west-2:
HVM64: ami-f976839e
HVMG2: NOT_SUPPORTED
eu-west-3:
HVM64: ami-0ebc281c20e89ba4b
HVMG2: NOT_SUPPORTED
eu-central-1:
HVM64: ami-0233214e13e500f77
HVMG2: ami-06223d46a6d0661c7
ap-northeast-1:
HVM64: ami-06cd52961ce9f0d85
HVMG2: ami-053cdd503598e4a9d
ap-northeast-2:
HVM64: ami-0a10b2721688ce9d2
HVMG2: NOT_SUPPORTED
ap-northeast-3:
HVM64: ami-0d98120a9fb693f07
HVMG2: NOT_SUPPORTED
ap-southeast-1:
HVM64: ami-08569b978cc4dfa10
HVMG2: ami-0be9df32ae9f92309
ap-southeast-2:
HVM64: ami-09b42976632b27e9b
HVMG2: ami-0a9ce9fecc3d1daf8
ap-south-1:
HVM64: ami-0912f71e06545ad88
HVMG2: ami-097b15e89dbdcfcf4
us-east-2:
HVM64: ami-0b59bfac6be064b78
HVMG2: NOT_SUPPORTED
ca-central-1:
HVM64: ami-0b18956f
HVMG2: NOT_SUPPORTED
sa-east-1:
HVM64: ami-07b14488da8ea02a0
HVMG2: NOT_SUPPORTED
cn-north-1:
HVM64: ami-0a4eaf6c4454eda75
HVMG2: NOT_SUPPORTED
cn-northwest-1:
HVM64: ami-6b6a7d09
HVMG2: NOT_SUPPORTED
Resources:
CloudWatchPutMetricsRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
CloudWatchPutMetricsRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CloudWatch_PutMetricData
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CloudWatchPutMetricData
Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource:
- "*"
Roles:
- Ref: CloudWatchPutMetricsRole
CloudWatchPutMetricsInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: CloudWatchPutMetricsRole
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock: 10.0.0.0/16
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Application
Value:
Ref: AWS::StackName
- Key: Network
Value: Public
GatewayToInternet:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
SubnetRouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: RouteTable
SubnetId:
Ref: Subnet
InternetGatewayRoute:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
RouteTableId:
Ref: RouteTable
GatewayId:
Ref: InternetGateway
Subnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: VPC
CidrBlock: 10.0.0.0/24
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp:
Ref: SSHLocation
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
MountTargetSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Security group for mount target
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 2049
ToPort: 2049
CidrIp: 0.0.0.0/0
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
PerformanceMode: generalPurpose
FileSystemTags:
- Key: Name
Value:
Ref: VolumeName
MountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SubnetId:
Ref: Subnet
SecurityGroups:
- Ref: MountTargetSecurityGroup
LaunchConfiguration:
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
AWS::CloudFormation::Init:
configSets:
MountConfig:
- setup
- mount
setup:
packages:
yum:
nfs-utils: []
files:
"/home/ec2-user/post_nfsstat":
content: !Sub |
#!/bin/bash
INPUT="$(cat)"
CW_JSON_OPEN='{ "Namespace": "EFS", "MetricData": [ '
CW_JSON_CLOSE=' ] }'
CW_JSON_METRIC=''
METRIC_COUNTER=0
for COL in 1 2 3 4 5 6; do
COUNTER=0
METRIC_FIELD=$COL
DATA_FIELD=$(($COL+($COL-1)))
while read line; do
if [[ COUNTER -gt 0 ]]; then
LINE=`echo $line | tr -s ' ' `
AWS_COMMAND="aws cloudwatch put-metric-data --region ${AWS::Region}"
MOD=$(( $COUNTER % 2))
if [ $MOD -eq 1 ]; then
METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`
else
METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`
fi
if [[ -n "$METRIC_NAME" && -n "$METRIC_VALUE" ]]; then
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
CW_JSON_METRIC="$CW_JSON_METRIC { \"MetricName\": \"$METRIC_NAME\", \"Dimensions\": [{\"Name\": \"InstanceId\", \"Value\": \"$INSTANCE_ID\"} ], \"Value\": $METRIC_VALUE },"
unset METRIC_NAME
unset METRIC_VALUE
METRIC_COUNTER=$((METRIC_COUNTER+1))
if [ $METRIC_COUNTER -eq 20 ]; then
# 20 is max metric collection size, so we have to submit here
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
# reset
METRIC_COUNTER=0
CW_JSON_METRIC=''
fi
fi
COUNTER=$((COUNTER+1))
fi
if [[ "$line" == "Client nfs v4:" ]]; then
# the next line is the good stuff
COUNTER=$((COUNTER+1))
fi
done <<< "$INPUT"
done
# submit whatever is left
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
mode: '000755'
owner: ec2-user
group: ec2-user
"/home/ec2-user/crontab":
content: "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
owner: ec2-user
group: ec2-user
commands:
01_createdir:
command: !Sub "mkdir /${MountPoint}"
mount:
commands:
01_mount:
command: !Sub >
mount -t nfs4 -o nfsvers=4.1 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}
02_permissions:
command: !Sub "chown ec2-user:ec2-user /${MountPoint}"
Properties:
AssociatePublicIpAddress: true
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: InstanceSecurityGroup
IamInstanceProfile:
Ref: CloudWatchPutMetricsInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfiguration --configsets MountConfig --region ${AWS::Region}
crontab /home/ec2-user/crontab
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region}
AutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
- MountTarget
- GatewayToInternet
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Count:
Ref: AsgMaxSize
Properties:
VPCZoneIdentifier:
- Ref: Subnet
LaunchConfigurationName:
Ref: LaunchConfiguration
MinSize: '1'
MaxSize:
Ref: AsgMaxSize
DesiredCapacity:
Ref: AsgMaxSize
Tags:
- Key: Name
Value: EFS FileSystem Mounted Instance
PropagateAtLaunch: 'true'
Outputs:
MountTargetID:
Description: Mount target ID
Value:
Ref: MountTarget
FileSystemID:
Description: File system ID
Value:
Ref: FileSystem
```
# Frammenti di modello Elastic Beanstalk
Con Elastic Beanstalk, puoi distribuire e gestire rapidamente le applicazioni senza preoccuparti dell'infrastruttura che esegue tali AWS applicazioni. Il seguente modello di esempio può aiutarti a descrivere le risorse Elastic Beanstalk nel tuo modello. CloudFormation
## PHP di esempio Elastic Beanstalk
Il modello di esempio seguente distribuisce un’applicazione Web PHP di esempio archiviata in un bucket Amazon S3. L'ambiente è anche un ambiente con scalabilità automatica e bilanciamento del carico, con un minimo di due istanze Amazon EC2 e un massimo di sei. Mostra un ambiente Elastic Beanstalk che utilizza una configurazione di avvio legacy. Per informazioni sull’utilizzo di un modello di avvio, consulta [Launch Templates](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-autoscaling-launch-templates.html) nella *Guida per gli sviluppatori di AWS Elastic Beanstalk *.
Sostituisci `solution-stack` con un nome dello stack di soluzioni (versione della piattaforma). Per un elenco degli stack di soluzioni disponibili, usa il comando. AWS CLI **aws elasticbeanstalk list-available-solution-stacks**
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"sampleApplication": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"Description": "AWS Elastic Beanstalk Sample Application"
}
},
"sampleApplicationVersion": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Application Version",
"SourceBundle": {
"S3Bucket": {
"Fn::Sub": "elasticbeanstalk-samples-${AWS::Region}"
},
"S3Key": "php-newsample-app.zip"
}
}
},
"sampleConfigurationTemplate": {
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Configuration Template",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MinSize",
"Value": "2"
},
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MaxSize",
"Value": "6"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": {
"Ref": "MyInstanceProfile"
}
}
],
"SolutionStackName": "solution-stack"
}
},
"sampleEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Environment",
"TemplateName": {
"Ref": "sampleConfigurationTemplate"
},
"VersionLabel": {
"Ref": "sampleApplicationVersion"
}
}
},
"MyInstanceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Description": "Beanstalk EC2 role",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier",
"arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker",
"arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
]
}
},
"MyInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "MyInstanceRole"
}
]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-samples-${AWS::Region}"
S3Key: php-newsample-app.zip
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value: !Ref MyInstanceProfile
SolutionStackName: solution-stack
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
MyInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref MyInstanceRole
```
# Frammenti di modello Elastic Load Balancing
Per creare un Application Load Balancer, un Network Load Balancer o un Gateway Load Balancer, utilizza i tipi di risorse V2 che iniziano con `AWS::ElasticLoadBalancingV2`. Per creare un Classic Load Balancer, usa i tipi di risorse che iniziano con `AWS::ElasticLoadBalancing`.
**Topics**
+ [ELBv2 risorse](#scenario-elbv2-load-balancer)
+ [Risorse relative a Classic Load Balancer](#scenario-elb-load-balancer)
## ELBv2 risorse
Questo esempio definisce un Application Load Balancer con un listener HTTP e un’azione predefinita che inoltra il traffico al gruppo di destinazione. Il bilanciatore del carico utilizza le impostazioni predefinite per il controllo dell’integrità. Il gruppo target ha due EC2 istanze registrate.
------
#### [ YAML ]
```
Resources:
myLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: my-alb
Type: application
Scheme: internal
Subnets:
- !Ref subnet-AZ1
- !Ref subnet-AZ2
SecurityGroups:
- !Ref mySecurityGroup
myHTTPlistener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref myLoadBalancer
Protocol: HTTP
Port: 80
DefaultActions:
- Type: "forward"
TargetGroupArn: !Ref myTargetGroup
myTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: "my-target-group"
Protocol: HTTP
Port: 80
TargetType: instance
VpcId: !Ref myVPC
Targets:
- Id: !GetAtt Instance1.InstanceId
Port: 80
- Id: !GetAtt Instance2.InstanceId
Port: 80
```
------
#### [ JSON ]
```
{
"Resources": {
"myLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "my-alb",
"Type": "application",
"Scheme": "internal",
"Subnets": [
{
"Ref": "subnet-AZ1"
},
{
"Ref": "subnet-AZ2"
}
],
"SecurityGroups": [
{
"Ref": "mySecurityGroup"
}
]
}
},
"myHTTPlistener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"LoadBalancerArn": {
"Ref": "myLoadBalancer"
},
"Protocol": "HTTP",
"Port": 80,
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": {
"Ref": "myTargetGroup"
}
}
]
}
},
"myTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Name": "my-target-group",
"Protocol": "HTTP",
"Port": 80,
"TargetType": "instance",
"VpcId": {
"Ref": "myVPC"
},
"Targets": [
{
"Id": {
"Fn::GetAtt": [
"Instance1",
"InstanceId"
]
},
"Port": 80
},
{
"Id": {
"Fn::GetAtt": [
"Instance2",
"InstanceId"
]
},
"Port": 80
}
]
}
}
}
}
```
------
## Risorse relative a Classic Load Balancer
Questo esempio definisce un Classic Load Balancer con un listener HTTP e nessuna istanza registrata. EC2 Il bilanciatore del carico utilizza le impostazioni predefinite per il controllo dell’integrità.
------
#### [ YAML ]
```
myLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
```
------
#### [ JSON ]
```
"myLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ]
}
}
```
------
Questo esempio definisce un Classic Load Balancer con un listener HTTP, due EC2 istanze registrate e impostazioni personalizzate per il controllo dello stato.
------
#### [ YAML ]
```
myClassicLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Instances:
- Ref: Instance1
- Ref: Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
```
------
#### [ JSON ]
```
"myClassicLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Instances" : [
{ "Ref" : "Instance1" },
{ "Ref" : "Instance2" }
],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "3",
"UnhealthyThreshold" : "5",
"Interval" : "30",
"Timeout" : "5"
}
}
}
```
------
# AWS Identity and Access Management frammenti di modello
Questa sezione contiene frammenti di AWS Identity and Access Management modello.
**Topics**
+ [Dichiarazione di una risorsa utente IAM](#scenario-iam-user)
+ [Dichiarazione di una risorsa chiave di accesso IAM](#scenario-iam-accesskey)
+ [Dichiarazione di una risorsa di gruppo IAM](#scenario-iam-group)
+ [Aggiunta di utenti a un gruppo](#scenario-iam-addusertogroup)
+ [Dichiarazione di una policy IAM](#scenario-iam-policy)
+ [Dichiarazione di una policy di bucket Amazon S3](#scenario-bucket-policy)
+ [Dichiarazione di una policy di un argomento Amazon SNS](#scenario-sns-policy)
+ [Dichiarazione di una policy Amazon SQS](#scenario-sqs-policy)
+ [Esempi di modello per i ruoli IAM](#scenarios-iamroles)
**Importante**
Durante la creazione o l’aggiornamento di uno stack con un modello contenente risorse IAM, devi prendere atto dell’utilizzo delle funzionalità IAM. Per ulteriori informazioni, consulta [Riconoscimento delle risorse IAM nei modelli CloudFormation](control-access-with-iam.md#using-iam-capabilities).
## Dichiarazione di una risorsa utente IAM
Questo frammento di codice mostra come dichiarare una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) per creare un utente IAM. L’utente viene dichiarato con il percorso (`"/"`) e un profilo di login che utilizza la password (`myP@ssW0rd`).
Il documento di policy `giveaccesstoqueueonly` consente all’utente di eseguire tutte le operazioni di Amazon SQS nella risorsa della coda Amazon SQS `myqueue` e rifiuta l’accesso a tutte le altre risorse della coda Amazon SQS. La funzione `Fn::GetAtt` ottiene l’attributo ARN della risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) `myqueue`.
Il documento di policy `giveaccesstotopiconly` viene aggiunto all’utente per consentirgli di eseguire tutte le operazioni di Amazon SNS nella risorsa dell’argomento Amazon SNS `mytopic` e rifiutare l’accesso a tutte le altre risorse della coda Amazon SNS. La funzione `Ref` ottiene l’attributo ARN della risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) `mytopic`.
### JSON
```
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {
"Effect" : "Deny",
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]
} ]
}
} ]
}
}
```
### YAML
```
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
- PolicyName: giveaccesstotopiconly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
Resource:
- !Ref mytopic
- Effect: Deny
Action:
- sns:*
NotResource:
- !Ref mytopic
```
## Dichiarazione di una risorsa chiave di accesso IAM
###
Questo frammento mostra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html). La risorsa `myaccesskey` crea una chiave di accesso e la assegna a un utente IAM dichiarato come risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) nel modello.
#### JSON
```
"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }
}
}
```
#### YAML
```
myaccesskey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref myuser
```
###
Puoi ottenere la chiave segreta per una risorsa `AWS::IAM::AccessKey` utilizzando la funzione `Fn::GetAtt`. Uno dei modi per recuperare la chiave segreta è inserirla in un valore `Output`. Puoi ottenere la chiave di accesso utilizzando la funzione `Ref`. Le seguenti dichiarazioni del valore `Output` ottengono la chiave di accesso e la chiave segreta per `myaccesskey`.
#### JSON
```
"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
}
```
#### YAML
```
AccessKeyformyaccesskey:
Value:
!Ref myaccesskey
SecretKeyformyaccesskey:
Value: !GetAtt myaccesskey.SecretAccessKey
```
###
Puoi anche passare la chiave di AWS accesso e la chiave segreta a un' EC2 istanza Amazon o a un gruppo di Auto Scaling definito nel modello. La seguente dichiarazione [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) utilizza la proprietà `UserData` per passare la chiave di accesso e quella segreta per la risorsa `myaccesskey`.
#### JSON
```
"myinstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-0ff8a91507f77f867",
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",
"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"
]
}
]
]
}
}
}
}
```
#### YAML
```
myinstance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: "us-east-1a"
ImageId: ami-0ff8a91507f77f867
UserData:
Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"
```
## Dichiarazione di una risorsa di gruppo IAM
Questo frammento mostra una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html). Il gruppo ha un percorso (`"/myapplication/"`). Il documento di policy `myapppolicy` viene aggiunto al gruppo per consentire agli utenti del gruppo di eseguire tutte le operazioni di Amazon SQS nella risorsa della coda Amazon SQS myqueue e rifiutare l’accesso a tutte le altre risorse Amazon SQS eccetto `myqueue`.
Per assegnare una policy a una risorsa, IAM richiede il nome della risorsa Amazon (ARN) per la risorsa. Nel frammento, la funzione `Fn::GetAtt` ottiene l’ARN della coda della risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html).
### JSON
```
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}
}
```
### YAML
```
mygroup:
Type: AWS::IAM::Group
Properties:
Path: "/myapplication/"
Policies:
- PolicyName: myapppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource: !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource: !GetAtt myqueue.Arn
```
## Aggiunta di utenti a un gruppo
La risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html) aggiunge utenti a un gruppo. Nel seguente frammento, la risorsa `addUserToGroup` aggiunge i seguenti utenti a un gruppo esistente denominato `myexistinggroup2`: l’utente esistente `existinguser1` e l’utente `myuser` dichiarato come risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) nel modello.
### JSON
```
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}
```
### YAML
```
addUserToGroup:
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: myexistinggroup2
Users:
- existinguser1
- !Ref myuser
```
## Dichiarazione di una policy IAM
Questo frammento mostra come creare una policy e applicarla a più gruppi utilizzando una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html) denominata `mypolicy`. La risorsa `mypolicy` include una proprietà `PolicyDocument` che consente le operazioni `GetObject`, `PutObject` e `PutObjectAcl` sugli oggetti nel bucket S3 rappresentato dall’ARN `arn:aws:s3:::myAWSBucket`. La risorsa `mypolicy` applica la policy a un gruppo esistente denominato `myexistinggroup1` e a un gruppo `mygroup` che viene dichiarato nel modello come una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html). Questo esempio mostra come applicare una policy a un gruppo utilizzando la proprietà `Groups`; tuttavia, è anche possibile utilizzare la proprietà `Users` per aggiungere un documento della policy a un elenco di utenti.
### JSON
```
"mypolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "mygrouppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}
```
### YAML
```
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup
```
## Dichiarazione di una policy di bucket Amazon S3
Questo frammento mostra come creare una policy e applicarla a un bucket Amazon S3 utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html). La risorsa `mybucketpolicy` dichiara un documento di policy che consente all’utente IAM `user1` di eseguire l’operazione `GetObject` su tutti gli oggetti nel bucket S3 a cui la policy viene applicata. Nel frammento, la funzione `Fn::GetAtt` ottiene l’ARN della risorsa `user1`. La risorsa `mybucketpolicy` applica la policy alla risorsa `AWS::S3::BucketPolicy` mybucket. La funzione `Ref` ottiene il nome del bucket della risorsa `mybucket`.
### JSON
```
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}
```
### YAML
```
mybucketpolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
- Sid: ReadAccess
Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${mybucket}/*"
Principal:
AWS: !GetAtt user1.Arn
Bucket: !Ref mybucket
```
## Dichiarazione di una policy di un argomento Amazon SNS
Questo frammento mostra come creare una policy e applicarla a un argomento Amazon SNS utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html). La risorsa `mysnspolicy` include una proprietà `PolicyDocument` che consente alla risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) `myuser` di eseguire l’operazione `Publish` su una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) `mytopic`. Nel frammento, la funzione `Fn::GetAtt` ottiene l’ARN per la risorsa `myuser` e la funzione `Ref` ottiene l’ARN per la risorsa `mytopic`.
### JSON
```
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}
```
### YAML
```
mysnspolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: My-statement-id
Effect: Allow
Principal:
AWS: !GetAtt myuser.Arn
Action: sns:Publish
Resource: "*"
Topics:
- !Ref mytopic
```
## Dichiarazione di una policy Amazon SQS
Questo frammento mostra come creare una policy e applicarla a una coda Amazon SQS utilizzando la risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html). La proprietà `PolicyDocument` consente all’utente esistente `myapp` (specificato dal relativo ARN) di eseguire l’operazione `SendMessage` su una coda esistente, specificata tramite il relativo URL e su una risorsa [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) myqueue. La funzione [Ref](resources-section-structure.md#resource-properties-ref) ottiene l’URL per la risorsa `myqueue`.
### JSON
```
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyQueuePolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.us-east-2aws-region.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]
}
}
```
### YAML
```
mysqspolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: MyQueuePolicy
Version: '2012-10-17'
Statement:
- Sid: Allow-User-SendMessage
Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:user/myapp
Action:
- sqs:SendMessage
Resource: "*"
Queues:
- https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
- !Ref myqueue
```
## Esempi di modello per i ruoli IAM
Questa sezione fornisce esempi di CloudFormation modelli per i ruoli IAM per le EC2 istanze.
Per ulteriori informazioni, consulta [i ruoli IAM per Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) nella *Amazon EC2 User Guide*.
### Ruolo IAM con EC2
In questo esempio, il profilo dell'istanza è referenziato dalla `IamInstanceProfile` proprietà dell' EC2 istanza. Sia la policy dell’istanza che del ruolo fanno riferimento a [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html).
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEC2Instance": {
"Type": "AWS::EC2::Instance",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myEC2Instance:
Type: AWS::EC2::Instance
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
Monitoring: 'true'
DisableApiTermination: 'false'
IamInstanceProfile:
!Ref RootInstanceProfile
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole
```
### Ruolo IAM con gruppo Auto Scaling
In questo esempio, il profilo dell'istanza è referenziato dalla `IamInstanceProfile` proprietà di una configurazione di avvio di Amazon EC2 Auto Scaling.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "us-east-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myLCOne:
Type: AWS::AutoScaling::LaunchConfiguration
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
InstanceMonitoring: 'true'
IamInstanceProfile:
!Ref RootInstanceProfile
myASGrpOne:
Type: AWS::AutoScaling::AutoScalingGroup
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "us-east-1a"
LaunchConfigurationName:
!Ref myLCOne
MinSize: '0'
MaxSize: '0'
HealthCheckType: EC2
HealthCheckGracePeriod: '120'
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole
```
# AWS Lambda modello
Il modello seguente utilizza una funzione AWS Lambda (Lambda) e una risorsa personalizzata per aggiungere un nuovo gruppo di sicurezza a un elenco di gruppi di sicurezza esistenti. Questa funzione è utile per creare un elenco di gruppi di sicurezza in modo dinamico, così che l’elenco includa sia i nuovi gruppi di sicurezza sia quelli già esistenti. Ad esempio, è possibile passare un elenco di gruppi di sicurezza esistenti come valore di parametro, aggiungere il nuovo valore all'elenco e quindi associare tutti i valori a un'istanza. EC2 Per ulteriori informazioni sul tipo di risorsa della funzione Lambda, consulta [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html).
Nell'esempio, quando CloudFormation crea la risorsa `AllSecurityGroups` personalizzata, CloudFormation richiama la funzione Lambda`AppendItemToListFunction`. CloudFormation passa l'elenco dei gruppi di sicurezza esistenti e un nuovo gruppo di sicurezza (`NewSecurityGroup`) alla funzione, che aggiunge il nuovo gruppo di sicurezza all'elenco e quindi restituisce l'elenco modificato. CloudFormation utilizza l'elenco modificato per associare tutti i gruppi di sicurezza alla `MyEC2Instance` risorsa.
## JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"ExistingSecurityGroups": {
"Type": "List"
},
"ExistingVPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter."
},
"InstanceType": {
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"t2.micro",
"t3.micro"
]
}
},
"Resources": {
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow HTTP traffic to the host",
"VpcId": {
"Ref": "ExistingVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"AllSecurityGroups": {
"Type": "Custom::Split",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"AppendItemToListFunction",
"Arn"
]
},
"List": {
"Ref": "ExistingSecurityGroups"
},
"AppendedItem": {
"Ref": "SecurityGroup"
}
}
},
"AppendItemToListFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Role": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
},
"Code": {
"ZipFile": {
"Fn::Join": [
"",
[
"var response = require('cfn-response');",
"exports.handler = function(event, context) {",
" var responseData = {Value: event.ResourceProperties.List};",
" responseData.Value.push(event.ResourceProperties.AppendedItem);",
" response.send(event, context, response.SUCCESS, responseData);",
"};"
]
]
}
},
"Runtime": "nodejs20.x"
}
},
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": {
"Fn::GetAtt": [
"AllSecurityGroups",
"Value"
]
},
"InstanceType": {
"Ref": "InstanceType"
}
}
},
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
}
]
}
}
},
"Outputs": {
"AllSecurityGroups": {
"Description": "Security Groups that are associated with the EC2 instance",
"Value": {
"Fn::Join": [
", ",
{
"Fn::GetAtt": [
"AllSecurityGroups",
"Value"
]
}
]
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
ExistingSecurityGroups:
Type: List
ExistingVPC:
Type: AWS::EC2::VPC::Id
Description: The VPC ID that includes the security groups in the ExistingSecurityGroups parameter.
InstanceType:
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- t3.micro
Resources:
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow HTTP traffic to the host
VpcId: !Ref ExistingVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
AllSecurityGroups:
Type: Custom::Split
Properties:
ServiceToken: !GetAtt AppendItemToListFunction.Arn
List: !Ref ExistingSecurityGroups
AppendedItem: !Ref SecurityGroup
AppendItemToListFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Code:
ZipFile: !Join
- ''
- - var response = require('cfn-response');
- exports.handler = function(event, context) {
- ' var responseData = {Value: event.ResourceProperties.List};'
- ' responseData.Value.push(event.ResourceProperties.AppendedItem);'
- ' response.send(event, context, response.SUCCESS, responseData);'
- '};'
Runtime: nodejs20.x
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds: !GetAtt AllSecurityGroups.Value
InstanceType: !Ref InstanceType
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
Outputs:
AllSecurityGroups:
Description: Security Groups that are associated with the EC2 instance
Value: !Join
- ', '
- !GetAtt AllSecurityGroups.Value
```
# Frammenti di modello Amazon Redshift
Amazon Redshift è un servizio di data warehouse nel cloud in scala petabyte interamente gestito. Puoi utilizzare CloudFormation per eseguire il provisioning dei cluster Amazon Redshift e gestirli.
## Cluster Amazon Redshift
Il modello di esempio seguente crea un cluster Amazon Redshift in base ai valori dei parametri specificati durante la creazione dello stack. Il gruppo di parametri di cluster associato al cluster Amazon Redshift attiva la registrazione delle attività degli utenti. Il modello, inoltre, avvia i cluster Amazon Redshift in un Amazon VPC definito nel modello. Il VPC include un gateway Internet in modo che sia possibile accedere ai cluster Amazon Redshift da Internet. Tuttavia, è necessario anche abilitare la comunicazione tra il cluster e il gateway Internet, operazione che viene eseguita dalla voce della tabella di routing.
**Nota**
Il modello include la condizione `IsMultiNodeCluster`, pertanto il parametro `NumberOfNodes` viene dichiarato solo quando il valore del parametro `ClusterType` è impostato su `multi-node`.
L'esempio definisce il parametro `MysqlRootPassword` con la proprietà `NoEcho` impostata su `true`. Se si imposta l'attributo `NoEcho` su `true`, CloudFormation restituisce il valore del parametro mascherato come asterischi (\$1\$1\$1\$1\$1) per tutte le chiamate che descrivono lo stack o gli eventi stack, ad eccezione delle informazioni archiviate nelle posizioni specificate di seguito.
**Importante**
L’utilizzo dell’attributo `NoEcho` non maschera le informazioni memorizzate nei seguenti elementi:
La sezione dei `Metadata` modelli. CloudFormation non trasforma, modifica o oscura le informazioni incluse nella `Metadata` sezione. Per ulteriori informazioni, vedere [Metadati](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html).
Sezione dei modelli `Outputs`. Per ulteriori informazioni, consulta [Output](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html).
Attributo `Metadata` di una definizione di risorsa. Per ulteriori informazioni, consulta [Attributo `Metadata`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html).
Si consiglia vivamente di non utilizzare questi meccanismi per includere informazioni sensibili, come password o segreti.
**Importante**
Invece di incorporare informazioni riservate direttamente nei CloudFormation modelli, consigliamo di utilizzare parametri dinamici nel modello di pila per fare riferimento a informazioni sensibili archiviate e gestite all'esterno CloudFormation, ad esempio nel AWS Systems Manager Parameter Store o. Gestione dei segreti AWS
Per ulteriori informazioni, consulta la best practice [Non incorporare le credenziali nei modelli](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds).
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"DatabaseName" : {
"Description" : "The name of the first database to be created when the cluster is created",
"Type" : "String",
"Default" : "dev",
"AllowedPattern" : "([a-z]|[0-9])+"
},
"ClusterType" : {
"Description" : "The type of cluster",
"Type" : "String",
"Default" : "single-node",
"AllowedValues" : [ "single-node", "multi-node" ]
},
"NumberOfNodes" : {
"Description" : "The number of compute nodes in the cluster. For multi-node clusters, the NumberOfNodes parameter must be greater than 1",
"Type" : "Number",
"Default" : "1"
},
"NodeType" : {
"Description" : "The type of node to be provisioned",
"Type" : "String",
"Default" : "ds2.xlarge",
"AllowedValues" : [ "ds2.xlarge", "ds2.8xlarge", "dc1.large", "dc1.8xlarge" ]
},
"MasterUsername" : {
"Description" : "The user name that is associated with the master user account for the cluster that is being created",
"Type" : "String",
"Default" : "defaultuser",
"AllowedPattern" : "([a-z])([a-z]|[0-9])*"
},
"MasterUserPassword" : {
"Description" : "The password that is associated with the master user account for the cluster that is being created.",
"Type" : "String",
"NoEcho" : "true"
},
"InboundTraffic" : {
"Description" : "Allow inbound traffic to the cluster from this CIDR range.",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PortNumber" : {
"Description" : "The port number on which the cluster accepts incoming connections.",
"Type" : "Number",
"Default" : "5439"
}
},
"Conditions" : {
"IsMultiNodeCluster" : {
"Fn::Equals" : [{ "Ref" : "ClusterType" }, "multi-node" ]
}
},
"Resources" : {
"RedshiftCluster" : {
"Type" : "AWS::Redshift::Cluster",
"DependsOn" : "AttachGateway",
"Properties" : {
"ClusterType" : { "Ref" : "ClusterType" },
"NumberOfNodes" : { "Fn::If" : [ "IsMultiNodeCluster", { "Ref" : "NumberOfNodes" }, { "Ref" : "AWS::NoValue" }]},
"NodeType" : { "Ref" : "NodeType" },
"DBName" : { "Ref" : "DatabaseName" },
"MasterUsername" : { "Ref" : "MasterUsername" },
"MasterUserPassword" : { "Ref" : "MasterUserPassword" },
"ClusterParameterGroupName" : { "Ref" : "RedshiftClusterParameterGroup" },
"VpcSecurityGroupIds" : [ { "Ref" : "SecurityGroup" } ],
"ClusterSubnetGroupName" : { "Ref" : "RedshiftClusterSubnetGroup" },
"PubliclyAccessible" : "true",
"Port" : { "Ref" : "PortNumber" }
}
},
"RedshiftClusterParameterGroup" : {
"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : "Cluster parameter group",
"ParameterGroupFamily" : "redshift-1.0",
"Parameters" : [{
"ParameterName" : "enable_user_activity_logging",
"ParameterValue" : "true"
}]
}
},
"RedshiftClusterSubnetGroup" : {
"Type" : "AWS::Redshift::ClusterSubnetGroup",
"Properties" : {
"Description" : "Cluster subnet group",
"SubnetIds" : [ { "Ref" : "PublicSubnet" } ]
}
},
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"CidrBlock" : "10.0.0.0/24",
"VpcId" : { "Ref" : "VPC" }
}
},
"SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group",
"SecurityGroupIngress" : [ {
"CidrIp" : { "Ref": "InboundTraffic" },
"FromPort" : { "Ref" : "PortNumber" },
"ToPort" : { "Ref" : "PortNumber" },
"IpProtocol" : "tcp"
} ],
"VpcId" : { "Ref" : "VPC" }
}
},
"myInternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
}
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "AttachGateway",
"Properties" : {
"RouteTableId" : {
"Ref" : "PublicRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : {
"Ref" : "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {
"Ref" : "PublicSubnet"
},
"RouteTableId" : {
"Ref" : "PublicRouteTable"
}
}
}
},
"Outputs" : {
"ClusterEndpoint" : {
"Description" : "Cluster endpoint",
"Value" : { "Fn::Join" : [ ":", [ { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Address" ] }, { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Port" ] } ] ] }
},
"ClusterName" : {
"Description" : "Name of cluster",
"Value" : { "Ref" : "RedshiftCluster" }
},
"ParameterGroupName" : {
"Description" : "Name of parameter group",
"Value" : { "Ref" : "RedshiftClusterParameterGroup" }
},
"RedshiftClusterSubnetGroupName" : {
"Description" : "Name of cluster subnet group",
"Value" : { "Ref" : "RedshiftClusterSubnetGroup" }
},
"RedshiftClusterSecurityGroupName" : {
"Description" : "Name of cluster security group",
"Value" : { "Ref" : "SecurityGroup" }
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
DatabaseName:
Description: The name of the first database to be created when the cluster is
created
Type: String
Default: dev
AllowedPattern: "([a-z]|[0-9])+"
ClusterType:
Description: The type of cluster
Type: String
Default: single-node
AllowedValues:
- single-node
- multi-node
NumberOfNodes:
Description: The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1
Type: Number
Default: '1'
NodeType:
Description: The type of node to be provisioned
Type: String
Default: ds2.xlarge
AllowedValues:
- ds2.xlarge
- ds2.8xlarge
- dc1.large
- dc1.8xlarge
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Type: String
Default: defaultuser
AllowedPattern: "([a-z])([a-z]|[0-9])*"
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Type: String
NoEcho: 'true'
InboundTraffic:
Description: Allow inbound traffic to the cluster from this CIDR range.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
PortNumber:
Description: The port number on which the cluster accepts incoming connections.
Type: Number
Default: '5439'
Conditions:
IsMultiNodeCluster:
Fn::Equals:
- Ref: ClusterType
- multi-node
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
DependsOn: AttachGateway
Properties:
ClusterType:
Ref: ClusterType
NumberOfNodes:
Fn::If:
- IsMultiNodeCluster
- Ref: NumberOfNodes
- Ref: AWS::NoValue
NodeType:
Ref: NodeType
DBName:
Ref: DatabaseName
MasterUsername:
Ref: MasterUsername
MasterUserPassword:
Ref: MasterUserPassword
ClusterParameterGroupName:
Ref: RedshiftClusterParameterGroup
VpcSecurityGroupIds:
- Ref: SecurityGroup
ClusterSubnetGroupName:
Ref: RedshiftClusterSubnetGroup
PubliclyAccessible: 'true'
Port:
Ref: PortNumber
RedshiftClusterParameterGroup:
Type: AWS::Redshift::ClusterParameterGroup
Properties:
Description: Cluster parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: enable_user_activity_logging
ParameterValue: 'true'
RedshiftClusterSubnetGroup:
Type: AWS::Redshift::ClusterSubnetGroup
Properties:
Description: Cluster subnet group
SubnetIds:
- Ref: PublicSubnet
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId:
Ref: VPC
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group
SecurityGroupIngress:
- CidrIp:
Ref: InboundTraffic
FromPort:
Ref: PortNumber
ToPort:
Ref: PortNumber
IpProtocol: tcp
VpcId:
Ref: VPC
myInternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: myInternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: myInternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
Outputs:
ClusterEndpoint:
Description: Cluster endpoint
Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}"
ClusterName:
Description: Name of cluster
Value:
Ref: RedshiftCluster
ParameterGroupName:
Description: Name of parameter group
Value:
Ref: RedshiftClusterParameterGroup
RedshiftClusterSubnetGroupName:
Description: Name of cluster subnet group
Value:
Ref: RedshiftClusterSubnetGroup
RedshiftClusterSecurityGroupName:
Description: Name of cluster security group
Value:
Ref: SecurityGroup
```
## Consulta anche
[AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-redshift-cluster.html)
# Frammenti di modello Amazon RDS
**Topics**
+ [Risorsa di un’istanza database Amazon RDS](#scenario-rds-instance)
+ [Risorsa di un’istanza database (DB) Oracle Database Amazon RDS](#scenario-rds-oracleinstance)
+ [Risorsa del DBSecurity gruppo Amazon RDS per la gamma CIDR](#scenario-rds-security-group-cidr)
+ [Gruppo Amazon RDS con un DBSecurity gruppo di EC2 sicurezza Amazon](#scenario-rds-security-group-ec2)
+ [Gruppi di sicurezza VPC multipli](#scenario-multiple-vpc-security-groups)
+ [Istanza database Amazon RDS in un gruppo di sicurezza VPC](#w2aac11c41c76c15)
## Risorsa di un’istanza database Amazon RDS
In questo esempio viene visualizzata una risorsa dell’istanza database Amazon RDS con password utente principale gestita. Per ulteriori informazioni, consulta [Gestione delle password con Amazon RDS e Gestione dei segreti AWS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) nella *Guida per l’utente di Amazon RDS* e [Gestione delle password con Amazon Aurora e Gestione dei segreti AWS](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) nella *Guida per l’utente di Amazon Aurora*. Poiché la proprietà `EngineVersion` opzionale non è specificata, viene utilizzata la versione del motore predefinito per questa istanza database. Per dettagli sulla versione del motore di default e altre impostazioni predefinite, consultate [Create DBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). La `DBSecurityGroups` proprietà autorizza l'accesso alla rete alle `AWS::RDS::DBSecurityGroup` risorse `MyDbSecurityByEC2SecurityGroup` denominate and. MyDbSecurityBy CIDRIPGroup Per informazioni dettagliate, vedi [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). La risorsa dell’istanza database, inoltre, include un attributo `DeletionPolicy` impostato su `Snapshot`. Con il `Snapshot` `DeletionPolicy` set, CloudFormation scatterà un'istantanea di questa istanza DB prima di eliminarla durante l'eliminazione dello stack.
### JSON
```
1. "MyDB" : {
2. "Type" : "AWS::RDS::DBInstance",
3. "Properties" : {
4. "DBSecurityGroups" : [
5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
6. "AllocatedStorage" : "5",
7. "DBInstanceClass" : "db.t2.small",
8. "Engine" : "MySQL",
9. "MasterUsername" : "MyName",
10. "ManageMasterUserPassword" : true,
11. "MasterUserSecret" : {
12. "KmsKeyId" : {"Ref" : "KMSKey"}
13. }
14. },
15. "DeletionPolicy" : "Snapshot"
16. }
```
### YAML
```
1. MyDB:
2. Type: AWS::RDS::DBInstance
3. Properties:
4. DBSecurityGroups:
5. - Ref: MyDbSecurityByEC2SecurityGroup
6. - Ref: MyDbSecurityByCIDRIPGroup
7. AllocatedStorage: '5'
8. DBInstanceClass: db.t2.small
9. Engine: MySQL
10. MasterUsername: MyName
11. ManageMasterUserPassword: true
12. MasterUserSecret:
13. KmsKeyId: !Ref KMSKey
14. DeletionPolicy: Snapshot
```
## Risorsa di un’istanza database (DB) Oracle Database Amazon RDS
In questo esempio viene creata una risorsa dell’istanza database Oracle Database con password utente principale gestita. Per ulteriori informazioni, consulta la sezione [Gestione delle password con Amazon Gestione dei segreti AWS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) nella *Guida per l’utente di Amazon RDS*. L'esempio specifica l'`Engine`as `oracle-ee` con un modello di licenza di. bring-your-own-license [Per i dettagli sulle impostazioni per le istanze di Oracle Database DB, vedere Create. DBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) La proprietà DBSecurity Groups autorizza l'accesso alla rete alle `AWS::RDS::DBSecurityGroup` risorse denominate and. MyDbSecurityBy EC2 SecurityGroup MyDbSecurityBy CIDRIPGroup Per informazioni dettagliate, vedi [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). La risorsa dell’istanza database, inoltre, include un attributo `DeletionPolicy` impostato su `Snapshot`. Con il `Snapshot` `DeletionPolicy` set, CloudFormation scatterà un'istantanea di questa istanza DB prima di eliminarla durante l'eliminazione dello stack.
### JSON
```
1. "MyDB" : {
2. "Type" : "AWS::RDS::DBInstance",
3. "Properties" : {
4. "DBSecurityGroups" : [
5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
6. "AllocatedStorage" : "5",
7. "DBInstanceClass" : "db.t2.small",
8. "Engine" : "oracle-ee",
9. "LicenseModel" : "bring-your-own-license",
10. "MasterUsername" : "master",
11. "ManageMasterUserPassword" : true,
12. "MasterUserSecret" : {
13. "KmsKeyId" : {"Ref" : "KMSKey"}
14. }
15. },
16. "DeletionPolicy" : "Snapshot"
17. }
```
### YAML
```
1. MyDB:
2. Type: AWS::RDS::DBInstance
3. Properties:
4. DBSecurityGroups:
5. - Ref: MyDbSecurityByEC2SecurityGroup
6. - Ref: MyDbSecurityByCIDRIPGroup
7. AllocatedStorage: '5'
8. DBInstanceClass: db.t2.small
9. Engine: oracle-ee
10. LicenseModel: bring-your-own-license
11. MasterUsername: master
12. ManageMasterUserPassword: true
13. MasterUserSecret:
14. KmsKeyId: !Ref KMSKey
15. DeletionPolicy: Snapshot
```
## Risorsa del DBSecurity gruppo Amazon RDS per la gamma CIDR
Questo esempio mostra una risorsa `DBSecurityGroup` Amazon RDS con autorizzazioni di ingresso per l’intervallo CIDR specificato nel formato `ddd.ddd.ddd.ddd/dd`. [Per i dettagli, consulta [AWS: :RDS:: DBSecurity Group and Ingress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html).](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-rds-dbsecuritygroup-ingress.html)
### JSON
```
1. "MyDbSecurityByCIDRIPGroup" : {
2. "Type" : "AWS::RDS::DBSecurityGroup",
3. "Properties" : {
4. "GroupDescription" : "Ingress for CIDRIP",
5. "DBSecurityGroupIngress" : {
6. "CIDRIP" : "192.168.0.0/32"
7. }
8. }
9. }
```
### YAML
```
1. MyDbSecurityByCIDRIPGroup:
2. Type: AWS::RDS::DBSecurityGroup
3. Properties:
4. GroupDescription: Ingress for CIDRIP
5. DBSecurityGroupIngress:
6. CIDRIP: "192.168.0.0/32"
```
## Gruppo Amazon RDS con un DBSecurity gruppo di EC2 sicurezza Amazon
Questo esempio mostra una risorsa [AWS: :RDS:: DBSecurity Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) con autorizzazione all'ingresso da un gruppo di EC2 sicurezza Amazon a cui fa riferimento. `MyEc2SecurityGroup`
Per fare ciò, definisci un gruppo di EC2 sicurezza e poi usi la `Ref` funzione intrinseca per fare riferimento al gruppo di sicurezza all'interno del tuo. EC2 `DBSecurityGroup`
### JSON
```
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MasterUsername" : { "Ref" : "DBUsername" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"DBSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ],
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" }
}
},
"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"DBSecurityGroupIngress": {
"EC2SecurityGroupName": {
"Fn::GetAtt": ["WebServerSecurityGroup", "GroupName"]
}
},
"GroupDescription" : "Frontend Access"
}
},
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 and SSH access",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0"}
]
}
}
```
### YAML
Questo esempio è estratto dal seguente esempio completo: [Drupal\$1Single\$1Instance\$1With\$1RDS.template](https://s3.amazonaws.com/cloudformation-templates-us-east-1/Drupal_Single_Instance_With_RDS.template)
```
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MasterUsername:
Ref: DBUsername
DBInstanceClass:
Ref: DBClass
DBSecurityGroups:
- Ref: DBSecurityGroup
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
DBSecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
DBSecurityGroupIngress:
EC2SecurityGroupName:
Ref: WebServerSecurityGroup
GroupDescription: Frontend Access
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
```
## Gruppi di sicurezza VPC multipli
Questo esempio mostra una risorsa [AWS: :RDS:: DBSecurity Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) con autorizzazione all'ingresso per più gruppi di EC2 sicurezza Amazon VPC in [AWS](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroupingress.html): :RDS::. DBSecurity GroupIngress
### JSON
```
{
"Resources" : {
"DBinstance" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.t2.small",
"DBName" : {"Ref": "MyDBName" },
"DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ],
"DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
"Engine" : "MySQL",
"MasterUserPassword": { "Ref" : "MyDBPassword" },
"MasterUsername" : { "Ref" : "MyDBUsername" }
},
"DeletionPolicy" : "Snapshot"
},
"DbSecurityByEC2SecurityGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for Amazon EC2 security group",
"EC2VpcId" : { "Ref" : "MyVPC" },
"DBSecurityGroupIngress" : [ {
"EC2SecurityGroupId" : "sg-b0ff1111",
"EC2SecurityGroupOwnerId" : "111122223333"
}, {
"EC2SecurityGroupId" : "sg-ffd722222",
"EC2SecurityGroupOwnerId" : "111122223333"
} ]
}
}
}
}
```
### YAML
```
Resources:
DBinstance:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: '5'
DBInstanceClass: db.t2.small
DBName:
Ref: MyDBName
DBSecurityGroups:
- Ref: DbSecurityByEC2SecurityGroup
DBSubnetGroupName:
Ref: MyDBSubnetGroup
Engine: MySQL
MasterUserPassword:
Ref: MyDBPassword
MasterUsername:
Ref: MyDBUsername
DeletionPolicy: Snapshot
DbSecurityByEC2SecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: Ingress for Amazon EC2 security group
EC2VpcId:
Ref: MyVPC
DBSecurityGroupIngress:
- EC2SecurityGroupId: sg-b0ff1111
EC2SecurityGroupOwnerId: '111122223333'
- EC2SecurityGroupId: sg-ffd722222
EC2SecurityGroupOwnerId: '111122223333'
```
## Istanza database Amazon RDS in un gruppo di sicurezza VPC
Questo esempio mostra un'istanza di database Amazon RDS associata a un gruppo di sicurezza Amazon EC2 VPC.
### JSON
```
{
"DBEC2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription": "Open database for access",
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : 3306,
"ToPort" : 3306,
"SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" }
}]
}
},
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MultiAZ" : { "Ref": "MultiAZDatabase" },
"MasterUsername" : { "Ref" : "DBUser" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" },
"VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ]
}
}
}
```
### YAML
```
DBEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Open database for access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 3306
ToPort: 3306
SourceSecurityGroupName:
Ref: WebServerSecurityGroup
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MultiAZ:
Ref: MultiAZDatabase
MasterUsername:
Ref: DBUser
DBInstanceClass:
Ref: DBClass
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
VPCSecurityGroups:
- !GetAtt DBEC2SecurityGroup.GroupId
```
# Frammenti di modello Route 53
**Topics**
+ [Set di record della risorsa Amazon Route 53 che utilizza il nome o l’ID della zona ospitata](#scenario-route53-recordset-by-host)
+ [Utilizzo RecordSetGroup per impostare set di record di risorse ponderati](#scenario-recordsetgroup-weighted)
+ [Utilizzo RecordSetGroup per impostare un set di record di risorse alias](#scenario-recordsetgroup-zoneapex)
+ [Alias: record di risorse impostato per una distribuzione CloudFront](#scenario-user-friendly-url-for-cloudfront-distribution)
## Set di record della risorsa Amazon Route 53 che utilizza il nome o l’ID della zona ospitata
Quando crei un set di record di risorse Amazon Route 53, devi specificare la zona ospitata in cui desideri aggiungerlo. CloudFormation fornisce due modi per specificare una zona ospitata:
+ Puoi specificare esplicitamente la zona ospitata utilizzando la proprietà `HostedZoneId`.
+ È possibile CloudFormation trovare la zona ospitata utilizzando la `HostedZoneName` proprietà. Se si utilizza la `HostedZoneName` proprietà e sono presenti più zone ospitate con lo stesso nome, CloudFormation non crea lo stack.
### Aggiungere utilizzando RecordSet HostedZoneId
In questo esempio viene aggiunto un set di record della risorsa Amazon Route 53 che contiene un record `SPF` per il nome di dominio `mysite.example.com` utilizzando la proprietà `HostedZoneId` per specificare la zona ospitata.
#### JSON
```
1. "myDNSRecord" : {
2. "Type" : "AWS::Route53::RecordSet",
3. "Properties" :
4. {
5. "HostedZoneId" : "Z3DG6IL3SJCGPX",
6. "Name" : "mysite.example.com.",
7. "Type" : "SPF",
8. "TTL" : "900",
9. "ResourceRecords" : [ "\"v=spf1 ip4:192.168.0.1/16 -all\"" ]
10. }
11. }
```
#### YAML
```
1. myDNSRecord:
2. Type: AWS::Route53::RecordSet
3. Properties:
4. HostedZoneId: Z3DG6IL3SJCGPX
5. Name: mysite.example.com.
6. Type: SPF
7. TTL: '900'
8. ResourceRecords:
9. - '"v=spf1 ip4:192.168.0.1/16 -all"'
```
### Aggiungere RecordSet usando HostedZoneName
In questo esempio viene aggiunto un set di record della risorsa Amazon Route 53 per il nome di dominio "mysite.example.com" utilizzando la proprietà `HostedZoneName` per specificare la zona ospitata.
#### JSON
```
1. "myDNSRecord2" : {
2. "Type" : "AWS::Route53::RecordSet",
3. "Properties" : {
4. "HostedZoneName" : "example.com.",
5. "Name" : "mysite.example.com.",
6. "Type" : "A",
7. "TTL" : "900",
8. "ResourceRecords" : [
9. "192.168.0.1",
10. "192.168.0.2"
11. ]
12. }
13. }
```
#### YAML
```
1. myDNSRecord2:
2. Type: AWS::Route53::RecordSet
3. Properties:
4. HostedZoneName: example.com.
5. Name: mysite.example.com.
6. Type: A
7. TTL: '900'
8. ResourceRecords:
9. - 192.168.0.1
10. - 192.168.0.2
```
## Utilizzo RecordSetGroup per impostare set di record di risorse ponderati
Questo esempio utilizza un [AWS::Route53::RecordSetgruppo](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) per impostare due record CNAME per «example.com». zona ospitata. La proprietà `RecordSets` contiene il set di record CNAME per il nome DNS "mysite.example.com". Ogni set di record contiene un identificatore (`SetIdentifier`) e un peso (`Weight`). La proporzione di traffico Internet instradato alle risorse si basa sui seguenti calcoli:
+ `Frontend One`: `140/(140+60)` = `140/200` = 70%
+ `Frontend Two`: `60/(140+60)` = `60/200` = 30%
Per ulteriori informazioni sui set di record di risorse ponderati, consulta [routing ponderato](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html) nella *Guida per lo sviluppatore di Amazon Route 53*.
### JSON
```
1. "myDNSOne" : {
2. "Type" : "AWS::Route53::RecordSetGroup",
3. "Properties" : {
4. "HostedZoneName" : "example.com.",
5. "Comment" : "Weighted RR for my frontends.",
6. "RecordSets" : [
7. {
8. "Name" : "mysite.example.com.",
9. "Type" : "CNAME",
10. "TTL" : "900",
11. "SetIdentifier" : "Frontend One",
12. "Weight" : "140",
13. "ResourceRecords" : ["example-ec2.amazonaws.com"]
14. },
15. {
16. "Name" : "mysite.example.com.",
17. "Type" : "CNAME",
18. "TTL" : "900",
19. "SetIdentifier" : "Frontend Two",
20. "Weight" : "60",
21. "ResourceRecords" : ["example-ec2-larger.amazonaws.com"]
22. }
23. ]
24. }
25. }
```
### YAML
```
1. myDNSOne:
2. Type: AWS::Route53::RecordSetGroup
3. Properties:
4. HostedZoneName: example.com.
5. Comment: Weighted RR for my frontends.
6. RecordSets:
7. - Name: mysite.example.com.
8. Type: CNAME
9. TTL: '900'
10. SetIdentifier: Frontend One
11. Weight: '140'
12. ResourceRecords:
13. - example-ec2.amazonaws.com
14. - Name: mysite.example.com.
15. Type: CNAME
16. TTL: '900'
17. SetIdentifier: Frontend Two
18. Weight: '60'
19. ResourceRecords:
20. - example-ec2-larger.amazonaws.com
```
## Utilizzo RecordSetGroup per impostare un set di record di risorse alias
Negli esempi seguenti viene utilizzato un [AWS::Route53::RecordSetgruppo](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) per impostare un set di record di risorse alias denominato `example.com` che indirizza il traffico verso un sistema di bilanciamento del carico ELB versione 1 (classico) e un sistema di bilanciamento del carico versione 2 (applicazione o rete). La [AliasTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-route53-recordset-aliastarget.html)proprietà specifica l'ID e il nome DNS della zona ospitata utilizzando la `myELB` `LoadBalancer` funzione intrinseca. `GetAtt` `GetAtt`recupera diverse proprietà della `myELB` risorsa, a seconda che si stia indirizzando il traffico verso un sistema di bilanciamento del carico della versione 1 o della versione 2:
+ load balancer Versione 1: `CanonicalHostedZoneNameID` e `DNSName`
+ load balancer Versione 2: `CanonicalHostedZoneID` e `DNSName`
Per ulteriori informazioni sui set di record di risorse alias, consulta [Scelta tra record alias e non alias](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html) nella *Guida per gli sviluppatori di Route 53*.
### JSON per il load balancer Versione 1
```
1. "myELB" : {
2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
3. "Properties" : {
4. "AvailabilityZones" : [ "us-east-1a" ],
5. "Listeners" : [ {
6. "LoadBalancerPort" : "80",
7. "InstancePort" : "80",
8. "Protocol" : "HTTP"
9. } ]
10. }
11. },
12. "myDNS" : {
13. "Type" : "AWS::Route53::RecordSetGroup",
14. "Properties" : {
15. "HostedZoneName" : "example.com.",
16. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
17. "RecordSets" : [
18. {
19. "Name" : "example.com.",
20. "Type" : "A",
21. "AliasTarget" : {
22. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneNameID"] },
23. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
24. }
25. }
26. ]
27. }
28. }
```
### YAML per il load balancer Versione 1
```
1. myELB:
2. Type: AWS::ElasticLoadBalancing::LoadBalancer
3. Properties:
4. AvailabilityZones:
5. - "us-east-1a"
6. Listeners:
7. - LoadBalancerPort: '80'
8. InstancePort: '80'
9. Protocol: HTTP
10. myDNS:
11. Type: AWS::Route53::RecordSetGroup
12. Properties:
13. HostedZoneName: example.com.
14. Comment: Zone apex alias targeted to myELB LoadBalancer.
15. RecordSets:
16. - Name: example.com.
17. Type: A
18. AliasTarget:
19. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneNameID'
20. DNSName: !GetAtt 'myELB.DNSName'
```
### JSON per il load balancer Versione 2
```
1. "myELB" : {
2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
3. "Properties" : {
4. "Subnets" : [
5. {"Ref": "SubnetAZ1"},
6. {"Ref" : "SubnetAZ2"}
7. ]
8. }
9. },
10. "myDNS" : {
11. "Type" : "AWS::Route53::RecordSetGroup",
12. "Properties" : {
13. "HostedZoneName" : "example.com.",
14. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
15. "RecordSets" : [
16. {
17. "Name" : "example.com.",
18. "Type" : "A",
19. "AliasTarget" : {
20. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneID"] },
21. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
22. }
23. }
24. ]
25. }
26. }
```
### YAML per il load balancer Versione 2
```
1. myELB:
2. Type: AWS::ElasticLoadBalancingV2::LoadBalancer
3. Properties:
4. Subnets:
5. - Ref: SubnetAZ1
6. - Ref: SubnetAZ2
7. myDNS:
8. Type: AWS::Route53::RecordSetGroup
9. Properties:
10. HostedZoneName: example.com.
11. Comment: Zone apex alias targeted to myELB LoadBalancer.
12. RecordSets:
13. - Name: example.com.
14. Type: A
15. AliasTarget:
16. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneID'
17. DNSName: !GetAtt 'myELB.DNSName'
```
## Alias: record di risorse impostato per una distribuzione CloudFront
L'esempio seguente crea un alias A record che indirizza un nome di dominio personalizzato a una distribuzione esistente CloudFront . `myHostedZoneID`si presume che sia un riferimento a una `AWS::Route53::HostedZone` risorsa effettiva nello stesso modello o un parametro. `myCloudFrontDistribution`si riferisce a una `AWS::CloudFront::Distribution` risorsa all'interno dello stesso modello. Il record di alias utilizza lo standard CloudFront hosted zone ID (`Z2FDTNDATAQYW2`) e risolve automaticamente il nome di dominio della distribuzione utilizzando. `Fn::GetAtt` Questa configurazione consente di instradare il traffico web dal dominio personalizzato alla CloudFront distribuzione senza richiedere un indirizzo IP.
**Nota**
Quando crei set di record della risorsa alias, devi specificare `Z2FDTNDATAQYW2` per la proprietà `HostedZoneId`. I set di record di risorse alias per non CloudFront possono essere creati in un'area privata.
### JSON
```
1. {
2. "myDNS": {
3. "Type": "AWS::Route53::RecordSetGroup",
4. "Properties": {
5. "HostedZoneId": {
6. "Ref": "myHostedZoneID"
7. },
8. "RecordSets": [
9. {
10. "Name": {
11. "Ref": "myRecordSetDomainName"
12. },
13. "Type": "A",
14. "AliasTarget": {
15. "HostedZoneId": "Z2FDTNDATAQYW2",
16. "DNSName": {
17. "Fn::GetAtt": [
18. "myCloudFrontDistribution",
19. "DomainName"
20. ]
21. },
22. "EvaluateTargetHealth": false
23. }
24. }
25. ]
26. }
27. }
28. }
```
### YAML
```
1. myDNS:
2. Type: AWS::Route53::RecordSetGroup
3. Properties:
4. HostedZoneId: !Ref myHostedZoneID
5. RecordSets:
6. - Name: !Ref myRecordSetDomainName
7. Type: A
8. AliasTarget:
9. HostedZoneId: Z2FDTNDATAQYW2
10. DNSName: !GetAtt
11. - myCloudFrontDistribution
12. - DomainName
13. EvaluateTargetHealth: false
```
# Frammenti di modello Amazon S3
Usa questi modelli di esempio di Amazon S3 per descrivere i tuoi bucket Amazon S3 con. CloudFormation Per altri esempi, consulta la sezione [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html#aws-resource-s3-bucket--examples) nella risorsa `AWS::S3::Bucket`.
**Topics**
+ [Creazione di un bucket Amazon S3 con impostazioni predefinite](#scenario-s3-bucket)
+ [Creazione di un bucket Amazon S3 per l’hosting di siti Web con `DeletionPolicy`](#scenario-s3-bucket-website)
+ [Creazione di un sito Web statico utilizzando un dominio personalizzato](#scenario-s3-bucket-website-customdomain)
## Creazione di un bucket Amazon S3 con impostazioni predefinite
Questo esempio utilizza [AWS::S3::Bucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) per creare un bucket con impostazioni predefinite.
### JSON
```
1. "myS3Bucket" : {
2. "Type" : "AWS::S3::Bucket"
3. }
```
### YAML
```
1. MyS3Bucket:
2. Type: AWS::S3::Bucket
```
## Creazione di un bucket Amazon S3 per l’hosting di siti Web con `DeletionPolicy`
Questo esempio crea un bucket come sito Web e disabilita il Blocco dell’accesso pubblico (sono necessarie le autorizzazioni di lettura pubblica per la configurazione di bucket per l’hosting di siti Web). Al bucket viene quindi aggiunta una policy di bucket pubblica. Poiché questa risorsa bucket ha un `DeletionPolicy` attributo impostato su`Retain`, non CloudFormation eliminerà questo bucket quando elimina lo stack. La sezione `Output` utilizza `Fn::GetAtt` per recuperare gli attributi `WebsiteURL` e `DomainName` della risorsa `S3Bucket`.
**Nota**
Gli esempi seguenti presuppongono che le impostazioni del Blocco dell’accesso pubblico `BlockPublicPolicy` e `RestrictPublicBuckets` siano state disabilitate a livello di account.
### JSON
```
1. {
2. "AWSTemplateFormatVersion": "2010-09-09",
3. "Resources": {
4. "S3Bucket": {
5. "Type": "AWS::S3::Bucket",
6. "Properties": {
7. "PublicAccessBlockConfiguration": {
8. "BlockPublicAcls": false,
9. "BlockPublicPolicy": false,
10. "IgnorePublicAcls": false,
11. "RestrictPublicBuckets": false
12. },
13. "WebsiteConfiguration": {
14. "IndexDocument": "index.html",
15. "ErrorDocument": "error.html"
16. }
17. },
18. "DeletionPolicy": "Retain",
19. "UpdateReplacePolicy": "Retain"
20. },
21. "BucketPolicy": {
22. "Type": "AWS::S3::BucketPolicy",
23. "Properties": {
24. "PolicyDocument": {
25. "Id": "MyPolicy",
26. "Version": "2012-10-17",
27. "Statement": [
28. {
29. "Sid": "PublicReadForGetBucketObjects",
30. "Effect": "Allow",
31. "Principal": "*",
32. "Action": "s3:GetObject",
33. "Resource": {
34. "Fn::Join": [
35. "",
36. [
37. "arn:aws:s3:::",
38. {
39. "Ref": "S3Bucket"
40. },
41. "/*"
42. ]
43. ]
44. }
45. }
46. ]
47. },
48. "Bucket": {
49. "Ref": "S3Bucket"
50. }
51. }
52. }
53. },
54. "Outputs": {
55. "WebsiteURL": {
56. "Value": {
57. "Fn::GetAtt": [
58. "S3Bucket",
59. "WebsiteURL"
60. ]
61. },
62. "Description": "URL for website hosted on S3"
63. },
64. "S3BucketSecureURL": {
65. "Value": {
66. "Fn::Join": [
67. "",
68. [
69. "https://",
70. {
71. "Fn::GetAtt": [
72. "S3Bucket",
73. "DomainName"
74. ]
75. }
76. ]
77. ]
78. },
79. "Description": "Name of S3 bucket to hold website content"
80. }
81. }
82. }
```
### YAML
```
1. AWSTemplateFormatVersion: 2010-09-09
2. Resources:
3. S3Bucket:
4. Type: AWS::S3::Bucket
5. Properties:
6. PublicAccessBlockConfiguration:
7. BlockPublicAcls: false
8. BlockPublicPolicy: false
9. IgnorePublicAcls: false
10. RestrictPublicBuckets: false
11. WebsiteConfiguration:
12. IndexDocument: index.html
13. ErrorDocument: error.html
14. DeletionPolicy: Retain
15. UpdateReplacePolicy: Retain
16. BucketPolicy:
17. Type: AWS::S3::BucketPolicy
18. Properties:
19. PolicyDocument:
20. Id: MyPolicy
21. Version: 2012-10-17
22. Statement:
23. - Sid: PublicReadForGetBucketObjects
24. Effect: Allow
25. Principal: '*'
26. Action: 's3:GetObject'
27. Resource: !Join
28. - ''
29. - - 'arn:aws:s3:::'
30. - !Ref S3Bucket
31. - /*
32. Bucket: !Ref S3Bucket
33. Outputs:
34. WebsiteURL:
35. Value: !GetAtt
36. - S3Bucket
37. - WebsiteURL
38. Description: URL for website hosted on S3
39. S3BucketSecureURL:
40. Value: !Join
41. - ''
42. - - 'https://'
43. - !GetAtt
44. - S3Bucket
45. - DomainName
46. Description: Name of S3 bucket to hold website content
```
## Creazione di un sito Web statico utilizzando un dominio personalizzato
Puoi utilizzare Route 53 con un dominio registrato. L’esempio seguente presuppone che tu abbia già creato una zona ospitata in Route 53 per il dominio. L’esempio crea due bucket per l’hosting di siti Web. Il root bucket ospita i contenuti, mentre l’altro bucket reindirizza le richieste `www.domainname.com` al root bucket. I set di record eseguono la mappatura del nome di dominio all’endpoint Amazon S3.
Sarà necessario aggiungere una policy di bucket, come illustrato negli esempi precedenti.
Per ulteriori informazioni sull’utilizzo di un dominio personalizzato, consulta [Tutorial: Configuring a static website using a custom domain registered with Route 53](https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html) nella *Guida per l’utente di Amazon Simple Storage Service*.
**Nota**
Gli esempi seguenti presuppongono che le impostazioni del Blocco dell’accesso pubblico `BlockPublicPolicy` e `RestrictPublicBuckets` siano state disabilitate a livello di account.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "S3hostedzoneID" : "Z3AQBSTGFYJSTF", "websiteendpoint" : "s3-website-us-east-1.amazonaws.com" },
"us-west-1" : { "S3hostedzoneID" : "Z2F56UZL2M1ACD", "websiteendpoint" : "s3-website-us-west-1.amazonaws.com" },
"us-west-2" : { "S3hostedzoneID" : "Z3BJ6K6RIION7M", "websiteendpoint" : "s3-website-us-west-2.amazonaws.com" },
"eu-west-1" : { "S3hostedzoneID" : "Z1BKCTXD74EZPE", "websiteendpoint" : "s3-website-eu-west-1.amazonaws.com" },
"ap-southeast-1" : { "S3hostedzoneID" : "Z3O0J2DXBE1FTB", "websiteendpoint" : "s3-website-ap-southeast-1.amazonaws.com" },
"ap-southeast-2" : { "S3hostedzoneID" : "Z1WCIGYICN2BYD", "websiteendpoint" : "s3-website-ap-southeast-2.amazonaws.com" },
"ap-northeast-1" : { "S3hostedzoneID" : "Z2M4EHUR26P7ZW", "websiteendpoint" : "s3-website-ap-northeast-1.amazonaws.com" },
"sa-east-1" : { "S3hostedzoneID" : "Z31GFT0UA1I2HV", "websiteendpoint" : "s3-website-sa-east-1.amazonaws.com" }
}
},
"Parameters": {
"RootDomainName": {
"Description": "Domain name for your website (example.com)",
"Type": "String"
}
},
"Resources": {
"RootBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName" : {"Ref":"RootDomainName"},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false
},
"WebsiteConfiguration": {
"IndexDocument":"index.html",
"ErrorDocument":"404.html"
}
}
},
"WWWBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"AccessControl": "BucketOwnerFullControl",
"WebsiteConfiguration": {
"RedirectAllRequestsTo": {
"HostName": {"Ref": "RootBucket"}
}
}
}
},
"myDNS": {
"Type": "AWS::Route53::RecordSetGroup",
"Properties": {
"HostedZoneName": {
"Fn::Join": ["", [{"Ref": "RootDomainName"}, "."]]
},
"Comment": "Zone apex alias.",
"RecordSets": [
{
"Name": {"Ref": "RootDomainName"},
"Type": "A",
"AliasTarget": {
"HostedZoneId": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "S3hostedzoneID"]},
"DNSName": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "websiteendpoint"]}
}
},
{
"Name": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"Type": "CNAME",
"TTL" : "900",
"ResourceRecords" : [
{"Fn::GetAtt":["WWWBucket", "DomainName"]}
]
}
]
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": {"Fn::GetAtt": ["RootBucket", "WebsiteURL"]},
"Description": "URL for website hosted on S3"
}
}
}
```
### YAML
```
Parameters:
RootDomainName:
Description: Domain name for your website (example.com)
Type: String
Mappings:
RegionMap:
us-east-1:
S3hostedzoneID: Z3AQBSTGFYJSTF
websiteendpoint: s3-website-us-east-1.amazonaws.com
us-west-1:
S3hostedzoneID: Z2F56UZL2M1ACD
websiteendpoint: s3-website-us-west-1.amazonaws.com
us-west-2:
S3hostedzoneID: Z3BJ6K6RIION7M
websiteendpoint: s3-website-us-west-2.amazonaws.com
eu-west-1:
S3hostedzoneID: Z1BKCTXD74EZPE
websiteendpoint: s3-website-eu-west-1.amazonaws.com
ap-southeast-1:
S3hostedzoneID: Z3O0J2DXBE1FTB
websiteendpoint: s3-website-ap-southeast-1.amazonaws.com
ap-southeast-2:
S3hostedzoneID: Z1WCIGYICN2BYD
websiteendpoint: s3-website-ap-southeast-2.amazonaws.com
ap-northeast-1:
S3hostedzoneID: Z2M4EHUR26P7ZW
websiteendpoint: s3-website-ap-northeast-1.amazonaws.com
sa-east-1:
S3hostedzoneID: Z31GFT0UA1I2HV
websiteendpoint: s3-website-sa-east-1.amazonaws.com
Resources:
RootBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref RootDomainName
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: 404.html
WWWBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
AccessControl: BucketOwnerFullControl
WebsiteConfiguration:
RedirectAllRequestsTo:
HostName: !Ref RootBucket
myDNS:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: !Sub
- ${Domain}.
- Domain: !Ref RootDomainName
Comment: Zone apex alias.
RecordSets:
- Name: !Ref RootDomainName
Type: A
AliasTarget:
HostedZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', S3hostedzoneID]
DNSName: !FindInMap [ RegionMap, !Ref 'AWS::Region', websiteendpoint]
- Name: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
Type: CNAME
TTL: 900
ResourceRecords:
- !GetAtt WWWBucket.DomainName
Outputs:
WebsiteURL:
Value: !GetAtt RootBucket.WebsiteURL
Description: URL for website hosted on S3
```
# Frammenti di modello Amazon SNS
Questo esempio illustra una risorsa di argomento Amazon SNS. È necessario un indirizzo e-mail valido.
## JSON
```
1. "MySNSTopic" : {
2. "Type" : "AWS::SNS::Topic",
3. "Properties" : {
4. "Subscription" : [ {
5. "Endpoint" : "add valid email address",
6. "Protocol" : "email"
7. } ]
8. }
9. }
```
## YAML
```
1. MySNSTopic:
2. Type: AWS::SNS::Topic
3. Properties:
4. Subscription:
5. - Endpoint: "add valid email address"
6. Protocol: email
```
# Frammenti di modello Amazon SQS
Questo esempio illustra una coda Amazon SQS.
## JSON
```
1. "MyQueue" : {
2. "Type" : "AWS::SQS::Queue",
3. "Properties" : {
4. "VisibilityTimeout" : "value"
5. }
6. }
```
## YAML
```
1. MyQueue:
2. Type: AWS::SQS::Queue
3. Properties:
4. VisibilityTimeout: value
```
# Frammenti di modello Amazon Timestream
Amazon Timestream for InfluxDB consente agli sviluppatori di applicazioni DevOps e ai team di eseguire facilmente database AWS InfluxDB completamente gestiti su applicazioni di serie temporali in tempo reale utilizzando l'open source. APIs Puoi creare rapidamente un database InfluxDB che gestisca carichi di lavoro impegnativi in serie temporali. Con poche semplici chiamate API, puoi configurare, migrare, gestire e scalare un database InfluxDB con patch, backup e ripristino automatici del software. AWS [Puoi trovare questi esempi anche su -influxdb on. awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream](https://github.com/awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb) GitHub
**Topics**
+ [Esempio minimo con valori predefiniti](#scenario-timestream-influxdb-example-1)
+ [Esempio più completo con parametri](#scenario-timestream-influxdb-example-2)
Questi CloudFormation modelli creano le seguenti risorse necessarie per creare, connettersi e monitorare correttamente un'istanza Amazon Timestream for InfluxDB:
**Amazon VPC**
+ `VPC`
+ Una o più `Subnet`
+ `InternetGateway`
+ `RouteTable`
+ `SecurityGroup`
**Simple Storage Service (Amazon S3)**
+ `Bucket`
**Amazon Timestream**
+ `InfluxDBInstance`
## Esempio minimo con valori predefiniti
Questo esempio implementa un’istanza multi-AZ accessibile pubblicamente utilizzando valori predefiniti quando possibile.
### JSON
```
{
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "Amazon Timestream for InfluxDB Configuration"},
"Parameters": [
"DbInstanceName",
"InfluxDBPassword"
]
}
],
"ParameterLabels": {
"VPCCIDR": {"default": "VPC CIDR"}
}
}
},
"Parameters": {
"DbInstanceName": {
"Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.",
"Type": "String",
"Default": "mydbinstance",
"MinLength": 3,
"MaxLength": 40,
"AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$"
},
"InfluxDBPassword": {
"Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Gestione dei segreti AWS in your account.",
"Type": "String",
"NoEcho": true,
"MinLength": 8,
"MaxLength": 64,
"AllowedPattern": "^[a-zA-Z0-9]+$"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {"CidrBlock": "10.0.0.0/16"}
},
"InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
0,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
0,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": true
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
1,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
1,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": true
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"DefaultRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "InternetGatewayAttachment",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
}
},
"Subnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet1"}
}
},
"Subnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet2"}
}
},
"InfluxDBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "influxdb-sg",
"GroupDescription": "Security group allowing port 8086 ingress for InfluxDB",
"VpcId": {"Ref": "VPC"}
}
},
"InfluxDBSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {"Ref": "InfluxDBSecurityGroup"},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 8086,
"ToPort": 8086
}
},
"InfluxDBLogsS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"InfluxDBLogsS3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "InfluxDBLogsS3Bucket"},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"},
"Principal": {"Service": "timestream-influxdb.amazonaws.com"}
},
{
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"},
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"}
],
"Principal": "*",
"Condition": {
"Bool": {"aws:SecureTransport": false}
}
}
]
}
}
},
"DbInstance": {
"Type": "AWS::Timestream::InfluxDBInstance",
"DependsOn": "InfluxDBLogsS3BucketPolicy",
"Properties": {
"AllocatedStorage": 20,
"DbInstanceType": "db.influx.medium",
"Name": {"Ref": "DbInstanceName"},
"Password": {"Ref": "InfluxDBPassword"},
"PubliclyAccessible": true,
"DeploymentType": "WITH_MULTIAZ_STANDBY",
"VpcSecurityGroupIds": [
{"Ref": "InfluxDBSecurityGroup"}
],
"VpcSubnetIds": [
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
],
"LogDeliveryConfiguration": {
"S3Configuration": {
"BucketName": {"Ref": "InfluxDBLogsS3Bucket"},
"Enabled": true
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the VPC used to create network resources",
"Value": {"Ref": "VPC"}
},
"Subnets": {
"Description": "A list of the subnets created",
"Value": {
"Fn::Join": [
",",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
]
]
}
},
"Subnet1": {
"Description": "A reference to the subnet in the 1st Availability Zone",
"Value": {"Ref": "Subnet1"}
},
"Subnet2": {
"Description": "A reference to the subnet in the 2nd Availability Zone",
"Value": {"Ref": "Subnet2"}
},
"InfluxDBSecurityGroup": {
"Description": "Security group with port 8086 ingress rule",
"Value": {"Ref": "InfluxDBSecurityGroup"}
},
"InfluxDBLogsS3Bucket": {
"Description": "S3 Bucket containing InfluxDB logs from the DB instance",
"Value": {"Ref": "InfluxDBLogsS3Bucket"}
},
"DbInstance": {
"Description": "A reference to the Timestream for InfluxDB DB instance",
"Value": {"Ref": "DbInstance"}
},
"InfluxAuthParametersSecretArn": {
"Description": "The Amazon Resource Name (ARN) of the Gestione dei segreti AWS secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.",
"Value": {
"Fn::GetAtt": [
"DbInstance",
"InfluxAuthParametersSecretArn"
]
}
},
"Endpoint": {
"Description": "The endpoint URL to connect to InfluxDB",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"DbInstance",
"Endpoint"
]
},
":8086"
]
]
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Amazon Timestream for InfluxDB Configuration"
Parameters:
- DbInstanceName
- InfluxDBPassword
ParameterLabels:
VPCCIDR:
default: VPC CIDR
Parameters:
DbInstanceName:
Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.
Type: String
Default: mydbinstance
MinLength: 3
MaxLength: 40
AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$
InfluxDBPassword:
Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Gestione dei segreti AWS in your account.
Type: String
NoEcho: true
MinLength: 8
MaxLength: 64
AllowedPattern: ^[a-zA-Z0-9]+$
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
InternetGateway:
Type: AWS::EC2::InternetGateway
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: true
Subnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: true
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
DefaultRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref RouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
Subnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet1
Subnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet2
InfluxDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "influxdb-sg"
GroupDescription: "Security group allowing port 8086 ingress for InfluxDB"
VpcId: !Ref VPC
InfluxDBSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref InfluxDBSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 8086
ToPort: 8086
InfluxDBLogsS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
InfluxDBLogsS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref InfluxDBLogsS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: "s3:PutObject"
Effect: Allow
Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*
Principal:
Service: timestream-influxdb.amazonaws.com
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/*
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
DbInstance:
Type: AWS::Timestream::InfluxDBInstance
DependsOn: InfluxDBLogsS3BucketPolicy
Properties:
AllocatedStorage: 20
DbInstanceType: db.influx.medium
Name: !Ref DbInstanceName
Password: !Ref InfluxDBPassword
PubliclyAccessible: true
DeploymentType: WITH_MULTIAZ_STANDBY
VpcSecurityGroupIds:
- !Ref InfluxDBSecurityGroup
VpcSubnetIds:
- !Ref Subnet1
- !Ref Subnet2
LogDeliveryConfiguration:
S3Configuration:
BucketName: !Ref InfluxDBLogsS3Bucket
Enabled: true
Outputs:
# Network Resources
VPC:
Description: A reference to the VPC used to create network resources
Value: !Ref VPC
Subnets:
Description: A list of the subnets created
Value: !Join [",", [!Ref Subnet1, !Ref Subnet2]]
Subnet1:
Description: A reference to the subnet in the 1st Availability Zone
Value: !Ref Subnet1
Subnet2:
Description: A reference to the subnet in the 2nd Availability Zone
Value: !Ref Subnet2
InfluxDBSecurityGroup:
Description: Security group with port 8086 ingress rule
Value: !Ref InfluxDBSecurityGroup
# Timestream for InfluxDB Resources
InfluxDBLogsS3Bucket:
Description: S3 Bucket containing InfluxDB logs from the DB instance
Value: !Ref InfluxDBLogsS3Bucket
DbInstance:
Description: A reference to the Timestream for InfluxDB DB instance
Value: !Ref DbInstance
InfluxAuthParametersSecretArn:
Description: "The Amazon Resource Name (ARN) of the Gestione dei segreti AWS secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password."
Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn
Endpoint:
Description: The endpoint URL to connect to InfluxDB
Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]]
```
## Esempio più completo con parametri
Questo modello di esempio modifica dinamicamente le risorse di rete in base ai parametri forniti. I parametri includono `PubliclyAccessible` e `DeploymentType`.
### JSON
```
{
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "Network Configuration"},
"Parameters": ["VPCCIDR"]
},
{
"Label": {"default": "Amazon Timestream for InfluxDB Configuration"},
"Parameters": [
"DbInstanceName",
"InfluxDBUsername",
"InfluxDBPassword",
"InfluxDBOrganization",
"InfluxDBBucket",
"DbInstanceType",
"DbStorageType",
"AllocatedStorage",
"PubliclyAccessible",
"DeploymentType"
]
}
],
"ParameterLabels": {
"VPCCIDR": {"default": "VPC CIDR"}
}
}
},
"Parameters": {
"VPCCIDR": {
"Description": "Please enter the IP range (CIDR notation) for the new VPC",
"Type": "String",
"Default": "10.0.0.0/16"
},
"DbInstanceName": {
"Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.",
"Type": "String",
"Default": "mydbinstance",
"MinLength": 3,
"MaxLength": 40,
"AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$"
},
"InfluxDBUsername": {
"Description": "The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Gestione dei segreti AWS in your account.",
"Type": "String",
"Default": "admin",
"MinLength": 1,
"MaxLength": 64
},
"InfluxDBPassword": {
"Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Gestione dei segreti AWS in your account.",
"Type": "String",
"NoEcho": true,
"MinLength": 8,
"MaxLength": 64,
"AllowedPattern": "^[a-zA-Z0-9]+$"
},
"InfluxDBOrganization": {
"Description": "The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.",
"Type": "String",
"Default": "org",
"MinLength": 1,
"MaxLength": 64
},
"InfluxDBBucket": {
"Description": "The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.",
"Type": "String",
"Default": "bucket",
"MinLength": 2,
"MaxLength": 64,
"AllowedPattern": "^[^_\\\"][^\\\"]*$"
},
"DeploymentType": {
"Description": "Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability",
"Type": "String",
"Default": "WITH_MULTIAZ_STANDBY",
"AllowedValues": [
"SINGLE_AZ",
"WITH_MULTIAZ_STANDBY"
]
},
"AllocatedStorage": {
"Description": "The amount of storage to allocate for your DB storage type in GiB (gibibytes).",
"Type": "Number",
"Default": 400,
"MinValue": 20,
"MaxValue": 16384
},
"DbInstanceType": {
"Description": "The Timestream for InfluxDB DB instance type to run InfluxDB on.",
"Type": "String",
"Default": "db.influx.medium",
"AllowedValues": [
"db.influx.medium",
"db.influx.large",
"db.influx.xlarge",
"db.influx.2xlarge",
"db.influx.4xlarge",
"db.influx.8xlarge",
"db.influx.12xlarge",
"db.influx.16xlarge"
]
},
"DbStorageType": {
"Description": "The Timestream for InfluxDB DB storage type to read and write InfluxDB data.",
"Type": "String",
"Default": "InfluxIOIncludedT1",
"AllowedValues": [
"InfluxIOIncludedT1",
"InfluxIOIncludedT2",
"InfluxIOIncludedT3"
]
},
"PubliclyAccessible": {
"Description": "Configures the DB instance with a public IP to facilitate access.",
"Type": "String",
"Default": true,
"AllowedValues": [
true,
false
]
}
},
"Conditions": {
"IsMultiAZ": {
"Fn::Equals": [
{"Ref": "DeploymentType"},
"WITH_MULTIAZ_STANDBY"
]
},
"IsPublic": {
"Fn::Equals": [
{"Ref": "PubliclyAccessible"},
true
]
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Ref": "VPCCIDR"}
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Condition": "IsPublic"
},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Condition": "IsPublic",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
0,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
0,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": {
"Fn::If": [
"IsPublic",
true,
false
]
}
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Condition": "IsMultiAZ",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
1,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
1,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": {
"Fn::If": [
"IsPublic",
true,
false
]
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"DefaultRoute": {
"Type": "AWS::EC2::Route",
"Condition": "IsPublic",
"DependsOn": "InternetGatewayAttachment",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
}
},
"Subnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet1"}
}
},
"Subnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Condition": "IsMultiAZ",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet2"}
}
},
"InfluxDBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "influxdb-sg",
"GroupDescription": "Security group allowing port 8086 ingress for InfluxDB",
"VpcId": {"Ref": "VPC"}
}
},
"InfluxDBSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {"Ref": "InfluxDBSecurityGroup"},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 8086,
"ToPort": 8086
}
},
"InfluxDBLogsS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"InfluxDBLogsS3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "InfluxDBLogsS3Bucket"},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"},
"Principal": {"Service": "timestream-influxdb.amazonaws.com"}
},
{
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"},
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"}
],
"Principal": "*",
"Condition": {
"Bool": {"aws:SecureTransport": false}
}
}
]
}
}
},
"DbInstance": {
"Type": "AWS::Timestream::InfluxDBInstance",
"DependsOn": "InfluxDBLogsS3BucketPolicy",
"Properties": {
"DbStorageType": {"Ref": "DbStorageType"},
"AllocatedStorage": {"Ref": "AllocatedStorage"},
"DbInstanceType": {"Ref": "DbInstanceType"},
"Name": {"Ref": "DbInstanceName"},
"Username": {"Ref": "InfluxDBUsername"},
"Password": {"Ref": "InfluxDBPassword"},
"Organization": {"Ref": "InfluxDBOrganization"},
"Bucket": {"Ref": "InfluxDBBucket"},
"PubliclyAccessible": {
"Fn::If": [
"IsPublic",
true,
false
]
},
"DeploymentType": {"Ref": "DeploymentType"},
"VpcSecurityGroupIds": [
{"Ref": "InfluxDBSecurityGroup"}
],
"VpcSubnetIds": {
"Fn::If": [
"IsMultiAZ",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
],
[
{"Ref": "Subnet1"}
]
]
},
"LogDeliveryConfiguration": {
"S3Configuration": {
"BucketName": {"Ref": "InfluxDBLogsS3Bucket"},
"Enabled": true
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the VPC used to create network resources",
"Value": {"Ref": "VPC"}
},
"Subnets": {
"Description": "A list of the subnets created",
"Value": {
"Fn::If": [
"IsMultiAZ",
{
"Fn::Join": [
",",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
]
]
},
{"Ref": "Subnet1"}
]
}
},
"Subnet1": {
"Description": "A reference to the subnet in the 1st Availability Zone",
"Value": {"Ref": "Subnet1"}
},
"Subnet2": {
"Condition": "IsMultiAZ",
"Description": "A reference to the subnet in the 2nd Availability Zone",
"Value": {"Ref": "Subnet2"}
},
"InfluxDBSecurityGroup": {
"Description": "Security group with port 8086 ingress rule",
"Value": {"Ref": "InfluxDBSecurityGroup"}
},
"InfluxDBLogsS3Bucket": {
"Description": "S3 Bucket containing InfluxDB logs from the DB instance",
"Value": {"Ref": "InfluxDBLogsS3Bucket"}
},
"DbInstance": {
"Description": "A reference to the Timestream for InfluxDB DB instance",
"Value": {"Ref": "DbInstance"}
},
"InfluxAuthParametersSecretArn": {
"Description": "The Amazon Resource Name (ARN) of the Gestione dei segreti AWS secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.",
"Value": {
"Fn::GetAtt": [
"DbInstance",
"InfluxAuthParametersSecretArn"
]
}
},
"Endpoint": {
"Description": "The endpoint URL to connect to InfluxDB",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"DbInstance",
"Endpoint"
]
},
":8086"
]
]
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Network Configuration"
Parameters:
- VPCCIDR
-
Label:
default: "Amazon Timestream for InfluxDB Configuration"
Parameters:
- DbInstanceName
- InfluxDBUsername
- InfluxDBPassword
- InfluxDBOrganization
- InfluxDBBucket
- DbInstanceType
- DbStorageType
- AllocatedStorage
- PubliclyAccessible
- DeploymentType
ParameterLabels:
VPCCIDR:
default: VPC CIDR
Parameters:
# Network Configuration
VPCCIDR:
Description: Please enter the IP range (CIDR notation) for the new VPC
Type: String
Default: 10.0.0.0/16
# Timestream for InfluxDB Configuration
DbInstanceName:
Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.
Type: String
Default: mydbinstance
MinLength: 3
MaxLength: 40
AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$
# InfluxDB initial user configurations
InfluxDBUsername:
Description: The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in Gestione dei segreti AWS in your account.
Type: String
Default: admin
MinLength: 1
MaxLength: 64
InfluxDBPassword:
Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS in your account.
Type: String
NoEcho: true
MinLength: 8
MaxLength: 64
AllowedPattern: ^[a-zA-Z0-9]+$
InfluxDBOrganization:
Description: The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.
Type: String
Default: org
MinLength: 1
MaxLength: 64
InfluxDBBucket:
Description: The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.
Type: String
Default: bucket
MinLength: 2
MaxLength: 64
AllowedPattern: ^[^_\"][^\"]*$
DeploymentType:
Description: Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability
Type: String
Default: WITH_MULTIAZ_STANDBY
AllowedValues:
- SINGLE_AZ
- WITH_MULTIAZ_STANDBY
AllocatedStorage:
Description: The amount of storage to allocate for your DB storage type in GiB (gibibytes).
Type: Number
Default: 400
MinValue: 20
MaxValue: 16384
DbInstanceType:
Description: The Timestream for InfluxDB DB instance type to run InfluxDB on.
Type: String
Default: db.influx.medium
AllowedValues:
- db.influx.medium
- db.influx.large
- db.influx.xlarge
- db.influx.2xlarge
- db.influx.4xlarge
- db.influx.8xlarge
- db.influx.12xlarge
- db.influx.16xlarge
DbStorageType:
Description: The Timestream for InfluxDB DB storage type to read and write InfluxDB data.
Type: String
Default: InfluxIOIncludedT1
AllowedValues:
- InfluxIOIncludedT1
- InfluxIOIncludedT2
- InfluxIOIncludedT3
PubliclyAccessible:
Description: Configures the DB instance with a public IP to facilitate access.
Type: String
Default: true
AllowedValues:
- true
- false
Conditions:
IsMultiAZ: !Equals [!Ref DeploymentType, WITH_MULTIAZ_STANDBY]
IsPublic: !Equals [!Ref PubliclyAccessible, true]
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VPCCIDR
InternetGateway:
Type: AWS::EC2::InternetGateway
Condition: IsPublic
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Condition: IsPublic
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: !If [IsPublic, true, false]
Subnet2:
Type: AWS::EC2::Subnet
Condition: IsMultiAZ
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: !If [IsPublic, true, false]
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
DefaultRoute:
Type: AWS::EC2::Route
Condition: IsPublic
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref RouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
Subnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet1
Subnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Condition: IsMultiAZ
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet2
InfluxDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "influxdb-sg"
GroupDescription: "Security group allowing port 8086 ingress for InfluxDB"
VpcId: !Ref VPC
InfluxDBSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref InfluxDBSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 8086
ToPort: 8086
InfluxDBLogsS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
InfluxDBLogsS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref InfluxDBLogsS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: "s3:PutObject"
Effect: Allow
Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*
Principal:
Service: timestream-influxdb.amazonaws.com
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/*
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
DbInstance:
Type: AWS::Timestream::InfluxDBInstance
DependsOn: InfluxDBLogsS3BucketPolicy
Properties:
DbStorageType: !Ref DbStorageType
AllocatedStorage: !Ref AllocatedStorage
DbInstanceType: !Ref DbInstanceType
Name: !Ref DbInstanceName
Username: !Ref InfluxDBUsername
Password: !Ref InfluxDBPassword
Organization: !Ref InfluxDBOrganization
Bucket: !Ref InfluxDBBucket
PubliclyAccessible: !If [IsPublic, true, false]
DeploymentType: !Ref DeploymentType
VpcSecurityGroupIds:
- !Ref InfluxDBSecurityGroup
VpcSubnetIds: !If
- IsMultiAZ
-
- !Ref Subnet1
- !Ref Subnet2
-
- !Ref Subnet1
LogDeliveryConfiguration:
S3Configuration:
BucketName: !Ref InfluxDBLogsS3Bucket
Enabled: true
Outputs:
# Network Resources
VPC:
Description: A reference to the VPC used to create network resources
Value: !Ref VPC
Subnets:
Description: A list of the subnets created
Value: !If
- IsMultiAZ
- !Join [",", [!Ref Subnet1, !Ref Subnet2]]
- !Ref Subnet1
Subnet1:
Description: A reference to the subnet in the 1st Availability Zone
Value: !Ref Subnet1
Subnet2:
Condition: IsMultiAZ
Description: A reference to the subnet in the 2nd Availability Zone
Value: !Ref Subnet2
InfluxDBSecurityGroup:
Description: Security group with port 8086 ingress rule
Value: !Ref InfluxDBSecurityGroup
# Timestream for InfluxDB Resources
InfluxDBLogsS3Bucket:
Description: S3 Bucket containing InfluxDB logs from the DB instance
Value: !Ref InfluxDBLogsS3Bucket
DbInstance:
Description: A reference to the Timestream for InfluxDB DB instance
Value: !Ref DbInstance
InfluxAuthParametersSecretArn:
Description: "The Amazon Resource Name (ARN) of the Gestione dei segreti AWS secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password."
Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn
Endpoint:
Description: The endpoint URL to connect to InfluxDB
Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]]
```