windows - Cloudformation CFN-Init Windows Powershell 问题

Question

通过 Cloudformation 启动堡垒主机时，我们在 CFN-Init 中传递多个 Powershell 命令时遇到问题。

安装 Windows 功能的第一个命令正在运行，但第二个命令(以及后续命令)未运行。我们尝试过基本的“echo hello> file.txt”，但它不起作用。我们尝试过使用反斜杠来转义引号。此时，我们不知所措。

这是资源

  BastionServer:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::Cloudformation::Init:
        configSets:
          config:
            - setup
            - installADDS
            - finalize
        setup:
          files:
            c:\cfn\cfn-hup.conf:
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
            c:\cfn\hooks.d\cfn-auto-reloader.conf:
              content: !Sub |
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.BastionServer.Metadata.AWS::CloudFormation::Init
                action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --configsets full_install --region ${AWS::Region}
          services:
            windows:
              cfn-hup:
                enabled: 'true'
                ensureRunning: 'true'
                files:
                  - c:\cfn\cfn-hup.conf
                  - c:\cfn\hooks.d\cfn-auto-reloader.conf


        installADDS:
          commands:
            1-install-prereqs:
              command: powershell.exe -Command "Install-WindowsFeature RSAT-AD-Powershell RSAT-ADDS-Tools; "
              waitAfterCompletion: '0'

            2-create-user:
              command: powershell.exe -ExecutionPolicy Bypass -Command "New-ADUser -Name '${DomainAdminUser}' -UserPrincipalName '${DomainAdminUser}'@'{$DomainDNSName}' -AccountPassword (ConvertTo-SecureString ${DomainAdminPassword} -AsPlainText -Force) -Enabled:$true -PasswordNeverExpires:$true"


        finalize:
            1-signal-success:
              command: powershell.exe -Command "Write-AWSQuickStartStatus"
              waitAfterCompletion: '0'

    Properties:
      ImageId:
        Fn::FindInMap:
        - "AWSAMIRegionMap"
        - Ref: "AWS::Region"
        - "WS2016FULLBASE"
      InstanceType: t2.medium
      SsmAssociations: 
        -
          DocumentName: 
            Ref: "SSMDoc"

      KeyName: !Ref 'KeyPair'
      UserData: !Base64
        Fn::Join:
          - ''
          - - "<script>\n"
            - 'cfn-init.exe -v -c config -s '
            - !Ref 'AWS::StackId'
            - ' -r BastionServer'
            - ' --region '
            - !Ref 'AWS::Region'
            - "\n"
            - "</script>\n"

Answer 1

假设您将所需的变量(DomainAdminUser、DomainDNSName 和 DomainAdminPassword)作为模板中的参数传递，那么您只需使用 intrinsic substitution function以便 CloudFormation 知道用什么替换变量:

installADDS:
  commands:
    1-install-prereqs: ...
    2-create-user:
      command: !Sub >-
        powershell.exe -ExecutionPolicy Bypass -Command
        "New-ADUser -Name '${DomainAdminUser}' -UserPrincipalName '${DomainAdminUser}'@'${DomainDNSName}' -AccountPassword (ConvertTo-SecureString ${DomainAdminPassword} -AsPlainText -Force) -Enabled:$true -PasswordNeverExpires:$true"

为了帮助排除故障，您可以将脚本保存在堡垒上，以查看替换是否按预期工作:

installADDS:
  files:
    'C:\cfn\scripts\CreateUser.ps1':
      content: !Join
        - ''
        - - "New-ADUser -Name '${"
          - !Ref DomainAdminUser
          - "}' -UserPrincipalName '${"
          - !Ref DomainAdminUser
          - "}'@'${"
          - !Ref DomainDNSName
          - "}' -AccountPassword (ConvertTo-SecureString ${"
          - !Ref DomainAdminPassword
          - "} -AsPlainText -Force) -Enabled:$true -PasswordNeverExpires:$true"
  commands:
    1-install-prereqs: ...
    2-create-user:
      command: >-
        powershell.exe -ExecutionPolicy Bypass -Command
        C:\cfn\scripts\CreateUser.ps1