-
AWS Cloudformation入门项目实践
云迁移项目要求
- 创建IAM用户组,该用户组具有admin基础权限,并将IAM用户添加到用户组
- 创建VPC,并分别创建两个公有子网和私有子网,规划互联网网关和路由表
- 使用EC2服务分别在两个公有子网创建Web服务器,绑定EIP,使用安全组运行80(Web)和22(SSH)端口通过,自行下载安装好apache服务,并使用ELB进行负载分担
- 创建MySQL数据库服务器,规划安全组只允许位于公有子网的Web服务器能够访问
- 创建公开可读的S3存储桶,并在policy当中允许所有动作
- 创建CloudWatch账单告警,计费超过10美元时告警,并通过SNS发送邮件
代码及说明
Resources: # 创建IAM用户组,指定policy为允许全部 MyGroup: Type: AWS::IAM::Group Properties: GroupName: MyGroup Policies: - PolicyName: MyPolicy PolicyDocument: Statement: - Effect: Allow Action: - "*" Resource: "*" # 创建IAM用户,将他归类到IAM用户组MyGroup MyUser: Type: AWS::IAM::User Properties: Groups: - !Ref MyGroup LoginProfile: Password: 12345Abc* PasswordResetRequired: true UserName: MyUser # 新建一个VPC MyVPC: Type: AWS::EC2::VPC Properties: CidrBlock: 192.168.0.0/16 # 新建子网PublicSubnet01和02,给Web服务器使用 PublicSubnet01: Type: AWS::EC2::Subnet Properties: AvailabilityZone: ap-northeast-1a VpcId: !Ref MyVPC CidrBlock: 192.168.10.0/24 PublicSubnet02: Type: AWS::EC2::Subnet Properties: AvailabilityZone: ap-northeast-1c VpcId: !Ref MyVPC CidrBlock: 192.168.11.0/24 # 新建子网PrivateSubnet03和04,给数据库服务器使用 PrivateSubnet03: Type: AWS::EC2::Subnet Properties: AvailabilityZone: ap-northeast-1a VpcId: !Ref MyVPC CidrBlock: 192.168.20.0/24 PrivateSubnet04: Type: AWS::EC2::Subnet Properties: AvailabilityZone: ap-northeast-1c VpcId: !Ref MyVPC CidrBlock: 192.168.21.0/24 # 新建互联网网关IGW MyIGW: Type: AWS::EC2::InternetGateway # 将创建好的IGW与自己的VPC相关联 VPCGatewayAttach: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref MyIGW VpcId: !Ref MyVPC # 新建路由表 MyRTB: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref MyVPC # 创建默认路由,指向互联网网关IGW RoutetoIGW: Type: AWS::EC2::Route Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref MyRTB GatewayId: !Ref MyIGW # 将路由表和公有子网显式关联,以使公有子网可以访问外网 AssociateSubnetandRTB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref MyRTB SubnetId: !Ref PublicSubnet01 AssociateSubnetandRTB2: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref MyRTB SubnetId: !Ref PublicSubnet02 # 创建安全组,允许TCP的80(Web)和22(SSH)端口流量通过 # 并将该安全组归到自己的VPC当中 MySG: Type: AWS::EC2::SecurityGroup Properties: GroupName: MySG GroupDescription: Enable SSH and Web for EC2 SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 VpcId: !Ref MyVPC # 创建两台Web用的EC2服务器,并从公有子网启动 MyEC2Server01: Type: AWS::EC2::Instance Properties: # 注意这里不是在默认的VPC当中创建,所以只能用ID去指定安全组 SecurityGroupIds: - !GetAtt MySG.GroupId InstanceType: t2.micro AvailabilityZone: ap-northeast-1a # 我这里选择的镜像是Amazon Linux 2 5.10 ImageId: ami-0de5311b2a443fb89 # 提前在服务器上安装好apache的服务,设置开机自启 UserData: !Base64 | #!/bin/bash sudo yum upgrade -y sudo yum install -y httpd sudo systemctl start httpd sudo systemctl enable httpd SubnetId: !Ref PublicSubnet01 MyEC2Server02: Type: AWS::EC2::Instance Properties: SecurityGroupIds: - !GetAtt MySG.GroupId InstanceType: t2.micro AvailabilityZone: ap-northeast-1c ImageId: ami-0de5311b2a443fb89 UserData: !Base64 | #!/bin/bash sudo yum update -y sudo yum install -y httpd sudo systemctl start httpd sudo systemctl enable httpd SubnetId: !Ref PublicSubnet02 # 分别创建两个EIP,附属到我们两台Web服务器上 MyEip1: Type: AWS::EC2::EIP Properties: InstanceId: !Ref MyEC2Server01 NetworkBorderGroup: ap-northeast-1 MyEip2: Type: AWS::EC2::EIP Properties: InstanceId: !Ref MyEC2Server02 NetworkBorderGroup: ap-northeast-1 # 创建负载均衡器所用使用的目标组 MyTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Port: 80 Protocol: HTTP Targets: - Id: !Ref MyEC2Server01 Port: 80 - Id: !Ref MyEC2Server02 Port: 80 VpcId: !Ref MyVPC # 创建应用型负载均衡器ALB # 注意ELB V1版本是给CLB用的,已经过时了 MyALB: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Type: application Subnets: - !Ref PublicSubnet01 - !Ref PublicSubnet02 SecurityGroups: - !GetAtt MySG2.GroupId # 创建ALB专用的安全组,允许访问TCP的80(Web)端口流量通过 MySG2: Type: AWS::EC2::SecurityGroup Properties: GroupName: MySG2 GroupDescription: Enable Web for ELB VpcId: !Ref MyVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 # 为我们的ALB创建侦听器,一旦有访问我们的目标组的流量 # 我们就给它forward到我们的ALB上进行负载均衡 MyListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref MyTargetGroup LoadBalancerArn: !Ref MyALB Port: 80 Protocol: HTTP # 创建数据库实例,并选择数据库引擎为MySQL MySQLServer: Type: AWS::RDS::DBInstance Properties: AllocatedStorage: 20 AvailabilityZone: ap-northeast-1a MasterUsername: root MasterUserPassword: 12345Abc* DBInstanceClass: db.t2.small DBSubnetGroupName: !Ref MyDBSubnetGroup Engine: MySQL VPCSecurityGroups: - !Ref MySG3 # 创建子网组,以便数据库随时可以开启Multi-AZ MyDBSubnetGroup: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: My SubnetGroup for DB Subnet SubnetIds: - !Ref PrivateSubnet03 - !Ref PrivateSubnet04 # 创建数据库服务器专用安全组 MySG3: Type: AWS::EC2::SecurityGroup Properties: GroupName: MySG3 GroupDescription: Enable MySQL for EC2 VpcId: !Ref MyVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 3306 ToPort: 3306 # 这里设置为凡是在安全组MySG内的EC2服务器都能访问 SourceSecurityGroupId: !Ref MySG # 创建S3的存储桶,允许公开可读 MyPublicBucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead # 注意存储桶名称需要全区域唯一 BucketName: mypublicbucket-ap-northeast-1 # 创建存储桶所使用的策略,我这边给的是全部 MyBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyPublicBucket PolicyDocument: Statement: Effect: Allow Action: - s3:* Principal: "*" Resource: !GetAtt MyPublicBucket.Arn # 创建账单警告,6小时内超过10美元则告警 MyBillingAlarm: Type: AWS::CloudWatch::Alarm Properties: MetricName: EstimatedCharges Namespace: AWS/Billing AlarmActions: - !Ref MySNSTopic Dimensions: - Name: Currency Value: USD Statistic: Maximum Period: 21600 EvaluationPeriods: 1 ComparisonOperator: GreaterThanThreshold Threshold: 10 # 创建消息服务,一旦超过10美元就给我发送邮件 MySNSTopic: Type: AWS::SNS::Topic Properties: TopicName: MySNSTopic Subscription: # 在Endpoint中填写可用的邮箱地址,需要去邮箱确认 - Endpoint: XXXXX@gmail.com Protocol: email- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
-
相关阅读:
根据json文件生成mask图像
3D可视化字母出现频率_vtkLinearExtrusionFilter
图学习初探Paddle Graph Learning 构建属于自己的图【系列三】
Servlet的请求和响应
docker自定义镜像与上传
SU-03T语音模块使用简介
项目经理必备思维之整合思维
c和c++静态库之间如何相互调用
第六章 内存管理之实战案例分析
项目经验3
- 原文地址:https://blog.csdn.net/weixin_41656968/article/details/127837735
