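Create launch templates with CloudFormation
This section provides an example of creating an Amazon EC2 launch template with CloudFormation. Launch templates let you create templates for configuring and provisioning Amazon EC2 instances in AWS. With a launch template, you can store launch parameters so that you do not have to specify them every time you launch an instance. For more examples, see the Examples section in AWS::EC2::LaunchTemplate.
For more information about launch templates, see Store instance launch parameters in Amazon EC2 launch templates in the Amazon EC2 User Guide.
For information about creating launch templates for use with Auto Scaling groups, see Auto Scaling launch templates in the Amazon EC2 Auto Scaling User Guide.
Create a launch template that specifies security groups, tags, user data, and an IAM role
This snippet shows an AWS::EC2::LaunchTemplate resource that contains the configuration information for launching an instance. You specify values for the ImageId, InstanceType, SecurityGroups, UserData, and TagSpecifications properties. The SecurityGroups property specifies an existing EC2 security group and a new security group. The Ref function gets the ID of the AWS::EC2::SecurityGroup resource myNewEC2SecurityGroup, which is declared elsewhere in the stack template.
The launch template includes a section for custom user data. In this section, you can pass in configuration tasks and scripts that run when an instance launches. In this example, the user data installs the AWS Systems Manager Agent and starts the agent.
The launch template also includes an IAM role that allows applications running on the instance to perform actions on your behalf. This example shows an AWS::IAM::Role resource for the launch template, which uses the IamInstanceProfile property to specify the IAM role. The Ref function gets the name of the AWS::IAM::InstanceProfile resource myInstanceProfile. To configure the permissions of the IAM role, specify a value for the ManagedPolicyArns property.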
JSON
{
  "Resources":{
    "myLaunchTemplate":{
      "Type":"AWS::EC2::LaunchTemplate",
      "Properties":{
        "LaunchTemplateName":{ "Fn::Sub": "${AWS::StackName}-launch-template" },
        "LaunchTemplateData":{
          "ImageId":"ami-02354e95b3example",
          "InstanceType":"t3.micro",
          "IamInstanceProfile":{
            "Name":{
              "Ref":"myInstanceProfile"
            }
          },
          "SecurityGroupIds":[
            {
              "Ref":"myNewEC2SecurityGroup"
            },
            "sg-083cd3bfb8example"
          ],
          "UserData":{
            "Fn::Base64":{
              "Fn::Join": [
                "", [
                  "#!/bin/bash\n",
                  "cd /tmp\n",
                  "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
                  "systemctl enable amazon-ssm-agent\n",
                  "systemctl start amazon-ssm-agent\n"
                ]
              ]
            }
          },
          "TagSpecifications":[
            {
              "ResourceType":"instance",
              "Tags":[
                {
                  "Key":"environment",
                  "Value":"development"
                }
              ]
            },
            {
              "ResourceType":"volume",
              "Tags":[
                {
                  "Key":"environment",
                  "Value":"development"
                }
              ]
            }
          ]
        }
      }
    },
    "myInstanceRole":{
      "Type":"AWS::IAM::Role",
      "Properties":{
        "RoleName":"InstanceRole",
        "AssumeRolePolicyDocument":{
          "Version": "2012-10-17",
          "Statement":[
            {
              "Effect":"Allow",
              "Principal":{
                "Service":[
                  "ec2.amazonaws.com"
                ]
              },
              "Action":[
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "ManagedPolicyArns":[
          "arn:aws:iam::aws:policy/myCustomerManagedPolicy"
        ]
      }
    },
    "myInstanceProfile":{
      "Type":"AWS::IAM::InstanceProfile",
      "Properties":{
        "Path":"/",
        "Roles":[
          {
            "Ref":"myInstanceRole"
          }
        ]
      }
    }
  }
}
YAML
---
Resources:
  myLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
      LaunchTemplateData:
        ImageId: ami-02354e95b3example
        InstanceType: t3.micro
        IamInstanceProfile:
          Name: !Ref myInstanceProfile
        SecurityGroupIds:
        - !Ref myNewEC2SecurityGroup
        - sg-083cd3bfb8example
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            cd /tmp
            yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
            systemctl enable amazon-ssm-agent
            systemctl start amazon-ssm-agent
        TagSpecifications:
        - ResourceType: instance
          Tags:
          - Key: environment
            Value: development
        - ResourceType: volume
          Tags:
          - Key: environment
            Value: development
  myInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: InstanceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: 'Allow'
          Principal:
            Service:
            - 'ec2.amazonaws.com'
          Action:
          - 'sts:AssumeRole'
      ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy'
  myInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: '/'
      Roles:
      - !Ref myInstanceRole
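A pre-deployment review of a template like this one can follow the same Ref chain the text describes (launch template, instance profile, role, managed policies) to see what an instance launched from it can do. The Python below is an added example, not part of the original documentation: the function names are hypothetical, the embedded template is a constructed, trimmed copy of the JSON above, and the IMDSv2 check on MetadataOptions.HttpTokens is an extra review point for a property the page's template does not set.

```python
import json

# Constructed sample: a trimmed copy of the page's JSON template (same logical IDs).
TEMPLATE = json.loads("""
{"Resources": {
  "myLaunchTemplate": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
    "LaunchTemplateData": {
      "IamInstanceProfile": {"Name": {"Ref": "myInstanceProfile"}},
      "SecurityGroupIds": [{"Ref": "myNewEC2SecurityGroup"}, "sg-083cd3bfb8example"]}}},
  "myInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/myCustomerManagedPolicy"]}},
  "myInstanceProfile": {"Type": "AWS::IAM::InstanceProfile", "Properties": {
    "Roles": [{"Ref": "myInstanceRole"}]}}
}}
""")

def ref_target(value):
    """Return the logical ID behind {"Ref": ...}, or None for a literal value."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return value["Ref"]
    return None

def audit_launch_templates(template):
    """Map each launch template to the policies its instances get, plus findings."""
    resources = template.get("Resources", {})
    report = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::LaunchTemplate":
            continue
        data = res.get("Properties", {}).get("LaunchTemplateData", {})
        policies, findings = [], []
        # Launch template -> instance profile -> role(s) -> managed policies.
        profile_id = ref_target(data.get("IamInstanceProfile", {}).get("Name"))
        profile = resources.get(profile_id, {})
        for role_ref in profile.get("Properties", {}).get("Roles", []):
            role = resources.get(ref_target(role_ref), {})
            policies += role.get("Properties", {}).get("ManagedPolicyArns", [])
        # Role credentials reach the instance through the metadata service (IMDS).
        if data.get("MetadataOptions", {}).get("HttpTokens") != "required":
            findings.append("IMDSv2 not enforced (HttpTokens is not 'required')")
        # A Ref to a group declared elsewhere cannot be reviewed from this file.
        for sg in data.get("SecurityGroupIds", []):
            target = ref_target(sg)
            if target and target not in resources:
                findings.append(f"security group {target} is not declared here")
        report[name] = {"policies": policies, "findings": findings}
    return report

if __name__ == "__main__":
    print(json.dumps(audit_launch_templates(TEMPLATE), indent=2))
```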