Create launch templates with CloudFormation
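This section provides an example of creating an Amazon EC2 launch template using CloudFormation. Launch templates let you create templates for configuring and provisioning Amazon EC2 instances within AWS. With launch templates, you can store launch parameters so that you don't have to specify them every time you launch an instance. For more examples, see the Examples section in AWS::EC2::LaunchTemplate.
For more information about launch templates, see Store instance launch parameters in Amazon EC2 launch templates in the Amazon EC2 User Guide.
For information about creating launch templates for use with Amazon EC2 Auto Scaling groups, see Amazon EC2 Auto Scaling launch templates in the Amazon EC2 Auto Scaling User Guide.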
Create a launch template that specifies security groups, tags, user data, and an IAM role
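This snippet shows an AWS::EC2::LaunchTemplate resource that contains the configuration information to launch an instance. You specify values for the ImageId, InstanceType, SecurityGroups, UserData, and TagSpecifications properties. The SecurityGroups property specifies an existing EC2 security group and a new security group. The Ref function gets the ID of the AWS::EC2::SecurityGroup resource myNewEC2SecurityGroup, which is declared elsewhere in the stack template.
The launch template includes a section for custom user data. In this section, you can pass in configuration tasks and scripts that run when an instance launches. In this example, the user data installs the AWS Systems Manager Agent and starts the agent.
The launch template also includes an IAM role that allows applications running on instances to perform actions on your behalf. This example shows an AWS::IAM::Role resource for the launch template, which uses the IamInstanceProfile property to specify the IAM role. The Ref function gets the name of the AWS::IAM::InstanceProfile resource myInstanceProfile. To configure the permissions of the IAM role, you specify a value for the ManagedPolicyArns property.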
JSON
{
  "Resources":{
    "myLaunchTemplate":{
      "Type":"AWS::EC2::LaunchTemplate",
      "Properties":{
        "LaunchTemplateName":{ "Fn::Sub": "${AWS::StackName}-launch-template" },
        "LaunchTemplateData":{
          "ImageId":"ami-02354e95b3example",
          "InstanceType":"t3.micro",
          "IamInstanceProfile":{
            "Name":{
              "Ref":"myInstanceProfile"
            }
          },
          "SecurityGroupIds":[
            {
              "Ref":"myNewEC2SecurityGroup"
            },
            "sg-083cd3bfb8example"
          ],
          "UserData":{
            "Fn::Base64":{
              "Fn::Join": [
                "", [
                  "#!/bin/bash\n",
                  "cd /tmp\n",
                  "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
                  "systemctl enable amazon-ssm-agent\n",
                  "systemctl start amazon-ssm-agent\n"
                ]
              ]
            }
          },
          "TagSpecifications":[
            {
              "ResourceType":"instance",
              "Tags":[
                {
                  "Key":"environment",
                  "Value":"development"
                }
              ]
            },
            {
              "ResourceType":"volume",
              "Tags":[
                {
                  "Key":"environment",
                  "Value":"development"
                }
              ]
            }
          ]
        }
      }
    },
    "myInstanceRole":{
      "Type":"AWS::IAM::Role",
      "Properties":{
        "RoleName":"InstanceRole",
        "AssumeRolePolicyDocument":{
          "Version": "2012-10-17",
          "Statement":[
            {
              "Effect":"Allow",
              "Principal":{
                "Service":[
                  "ec2.amazonaws.com"
                ]
              },
              "Action":[
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "ManagedPolicyArns":[
          "arn:aws:iam::aws:policy/myCustomerManagedPolicy"
        ]
      }
    },
    "myInstanceProfile":{
      "Type":"AWS::IAM::InstanceProfile",
      "Properties":{
        "Path":"/",
        "Roles":[
          {
            "Ref":"myInstanceRole"
          }
        ]
      }
    }
  }
}
YAML
---
Resources:
  myLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
      LaunchTemplateData:
        ImageId: ami-02354e95b3example
        InstanceType: t3.micro
        IamInstanceProfile:
          Name: !Ref myInstanceProfile
        SecurityGroupIds:
        - !Ref myNewEC2SecurityGroup
        - sg-083cd3bfb8example
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            cd /tmp
            yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
            systemctl enable amazon-ssm-agent
            systemctl start amazon-ssm-agent
        TagSpecifications:
        - ResourceType: instance
          Tags:
          - Key: environment
            Value: development
        - ResourceType: volume
          Tags:
          - Key: environment
            Value: development
  myInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: InstanceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: 'Allow'
          Principal:
            Service:
            - 'ec2.amazonaws.com'
          Action:
          - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy'
  myInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: '/'
      Roles:
      - !Ref myInstanceRole
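A pre-deployment review of the template above, as an added example that is not part of the original AWS documentation: it follows the Ref chain from the launch template to the instance profile, role, and managed policies, renders the user data script, and lists Refs that the snippet itself does not declare. The function names are hypothetical, the embedded template is a trimmed copy of the JSON above, and the MetadataOptions.HttpTokens check assumes you want IMDSv2 enforced, which the page's template does not set.

```python
import json
import re

# Constructed sample: the page's JSON template, trimmed to the properties reviewed here.
TEMPLATE = json.loads(r"""
{"Resources": {
  "myLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData": {
    "IamInstanceProfile": {"Name": {"Ref": "myInstanceProfile"}},
    "SecurityGroupIds": [{"Ref": "myNewEC2SecurityGroup"}, "sg-083cd3bfb8example"],
    "UserData": {"Fn::Base64": {"Fn::Join": ["", ["#!/bin/bash\n", "cd /tmp\n",
      "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
      "systemctl enable amazon-ssm-agent\n", "systemctl start amazon-ssm-agent\n"]]}}}}},
  "myInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/myCustomerManagedPolicy"]}},
  "myInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
    "Properties": {"Roles": [{"Ref": "myInstanceRole"}]}}}}
""")

def ref(value):
    """Return the logical ID if value is a {"Ref": ...} object, else None."""
    return value.get("Ref") if isinstance(value, dict) else None

def render_user_data(user_data):
    """Flatten the Fn::Base64 / Fn::Join wrapper into the script the instance runs."""
    body = user_data.get("Fn::Base64", user_data) if isinstance(user_data, dict) else user_data
    if isinstance(body, dict) and "Fn::Join" in body:
        sep, parts = body["Fn::Join"]
        return sep.join(p if isinstance(p, str) else "<unresolved>" for p in parts)
    return body if isinstance(body, str) else "<unresolved>"

def review_launch_template(template, logical_id):
    """Summarise what instances launched from this template are granted and run."""
    res = template["Resources"]
    data = res[logical_id]["Properties"]["LaunchTemplateData"]
    profile = ref(data.get("IamInstanceProfile", {}).get("Name"))
    roles = [ref(r) for r in res.get(profile, {}).get("Properties", {}).get("Roles", [])]
    policies = [arn for r in roles if r in res
                for arn in res[r]["Properties"].get("ManagedPolicyArns", [])]
    script = render_user_data(data.get("UserData", ""))
    refs = [profile] + roles + [ref(sg) for sg in data.get("SecurityGroupIds", [])]
    return {
        "roles": roles,
        "managed_policies": policies,
        "boot_downloads": re.findall(r"https?://\S+", script),
        # Refs that must be declared elsewhere in the stack for it to deploy.
        "undeclared_refs": sorted({r for r in refs if r and r not in res}),
        # Role credentials reach the instance via the metadata service (IMDS).
        "imdsv2_required": data.get("MetadataOptions", {}).get("HttpTokens") == "required",
    }
```

Call review_launch_template(TEMPLATE, "myLaunchTemplate") to get the summary as a dictionary; for the trimmed template it reports myNewEC2SecurityGroup as the only Ref that has to come from elsewhere in the stack.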