amazon-web-services - Security group sg-0da667222da8a6eb2 does not appear to belong to the same VPC as the input subnets

Tags: amazon-web-services spring-boot amazon-ec2 aws-cloudformation

As part of a CI/CD Jenkins pipeline, I am deploying a Spring Boot application to AWS EC2/Fargate with CloudFormation, using an image available on Docker Hub. I have my access key, secret, region and subnet defined as secrets that are passed in at runtime. The CloudFormation deployment fails with status CREATE_FAILED and the following error:

Invalid request provided: CreateService error: Security group
sg-0da667222da8a6eb2 does not appear to belong to the same VPC as the
input subnets. (Service: Ecs, Status Code: 400, Request ID:
503ce486-c3db-4d35-bb92-5f4770662c05, Extended Request ID: null)

Here is the content of my CloudFormation YAML file:

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SubnetID:
    Type: String
  ServiceName:
    Type: String
  ServiceVersion:
    Type: String
  DockerHubUsername:
    Type: String
Resources:
  Cluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: deployment-example-cluster
  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: ServiceSecurityGroup
      GroupDescription: Security group for service
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: 0.0.0.0/0
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub ${ServiceName}-task
      Cpu: 256
      Memory: 512
      NetworkMode: awsvpc
      ContainerDefinitions:
        - Name: !Sub ${ServiceName}-container
          Image: !Sub ${DockerHubUsername}/${ServiceName}:${ServiceVersion}
          PortMappings:
            - ContainerPort: 8080
      RequiresCompatibilities:
        - EC2
        - FARGATE
  Service:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: !Sub ${ServiceName}-service
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 1
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref SubnetID
          SecurityGroups:
            - !GetAtt ServiceSecurityGroup.GroupId

Here is a screenshot of the CloudFormation stack build process:


Surprisingly, sg-0da667222da8a6eb2 is not one of my security groups. Any help would be greatly appreciated.

Best answer

Your ServiceSecurityGroup, as defined, is created in the default VPC. However, your SubnetID probably belongs to a custom VPC. Therefore, you must provide VpcId for your ServiceSecurityGroup:

Parameters:

  VpcId:
    Type: AWS::EC2::VPC::Id

  # others not shown

Resources:

  # only relevant part shown

  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: ServiceSecurityGroup
      GroupDescription: Security group for service
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: 0.0.0.0/0
      VpcId: !Ref VpcId

  Service:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: !Sub ${ServiceName}-service
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 1
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref SubnetID
          SecurityGroups:
            - !GetAtt ServiceSecurityGroup.GroupId
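The mismatch above is only reported once CloudFormation calls CreateService, after the security group already exists. As an added example (not code from the question or the answer), the following preflight check reproduces the same validation in a pipeline step: it takes responses shaped like boto3's ec2.describe_subnets / ec2.describe_security_groups (the IDs and VPC names here are constructed sample data, not from a real account) and also lints a parsed template for AWS::EC2::SecurityGroup resources that omit VpcId.

```python
from typing import Any, Dict, List

# Constructed sample responses, shaped like boto3 ec2.describe_subnets() and
# ec2.describe_security_groups(). They reproduce the page's failure mode: the
# subnet is in a custom VPC, the group was created without VpcId and so landed
# in the default VPC.
SUBNETS_RESP = {"Subnets": [{"SubnetId": "subnet-0aaa", "VpcId": "vpc-custom"}]}
SGS_RESP = {"SecurityGroups": [
    {"GroupId": "sg-0bbb", "GroupName": "ServiceSecurityGroup", "VpcId": "vpc-default"},
]}


def _vpc_by_id(entries: List[Dict[str, Any]], id_key: str) -> Dict[str, str]:
    """Map resource id -> VpcId for the list inside a describe_* response."""
    return {e[id_key]: e["VpcId"] for e in entries}


def check_awsvpc_config(subnet_ids: List[str], sg_ids: List[str],
                        subnets_resp: Dict[str, Any], sgs_resp: Dict[str, Any]) -> List[str]:
    """Return the problems ECS would reject the service for; [] means consistent."""
    subnet_vpcs = _vpc_by_id(subnets_resp["Subnets"], "SubnetId")
    sg_vpcs = _vpc_by_id(sgs_resp["SecurityGroups"], "GroupId")
    problems: List[str] = []
    for s in subnet_ids:
        if s not in subnet_vpcs:
            problems.append(f"unknown subnet {s}")
    vpcs = {subnet_vpcs[s] for s in subnet_ids if s in subnet_vpcs}
    if len(vpcs) > 1:
        problems.append(f"subnets span several VPCs: {sorted(vpcs)}")
    for sg in sg_ids:
        if sg not in sg_vpcs:
            problems.append(f"unknown security group {sg}")
        elif vpcs and sg_vpcs[sg] not in vpcs:
            problems.append(f"{sg} is in {sg_vpcs[sg]}, subnets are in {sorted(vpcs)}")
    return problems


def security_groups_missing_vpc(template: Dict[str, Any]) -> List[str]:
    """Logical ids of AWS::EC2::SecurityGroup resources that omit VpcId.

    Such groups silently go to the default VPC, which is the root cause above.
    The template is expected as a dict (e.g. the output of a CloudFormation
    YAML loader that handles the !Ref/!Sub/!GetAtt tags)."""
    return [
        name for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::EC2::SecurityGroup"
        and "VpcId" not in res.get("Properties", {})
    ]


if __name__ == "__main__":
    print(check_awsvpc_config(["subnet-0aaa"], ["sg-0bbb"], SUBNETS_RESP, SGS_RESP))
```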

Regarding amazon-web-services - Security group sg-0da667222da8a6eb2 does not appear to belong to the same VPC as the input subnets, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/64218657/
