amazon-ec2 - 将 SSM 参数设置为 EC2 的环境变量 - 不起作用

Question

我正在尝试使用 Cloudformation 的 UserData 部分获取 SSM 参数并将其作为环境变量导出到 EC2。

该脚本正在尝试将导出 WHATS_HER_NAME=Sherlyn 附加到 /etc/profile 文件中。但我在 /etc/profile 中看到的只是 export WHATS_HER_NAME=。该值不存在。我使用 amazon linux 2 ami。

这是我的云信息模板。

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "IamInstanceProfile": {
          "Ref": "Ec2instanceProfileTest"
        },
        "UserData": {
          "Fn::Base64": {
            "Fn::Join": [
              "\n",
              [
                "#!/bin/bash -xe",
                "yum update -y aws-cfn-bootstrap",
                {
                  "Fn::Sub": "/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource Ec2Instance --configsets default --region ${AWS::Region}"
                },
                {
                  "Fn::Sub": "/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}"
                },
                {
                  "Fn::Sub": "echo \"export WHATS_HER_NAME=$(aws ssm get-parameter --name WhatsHerName --region ${AWS::Region} --query 'Parameter.Value')\" >> /etc/profile"
                }
              ]
            ]
          }
        }
      }
    },
    "GetSSMParameterPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "GetSsmProperty",
        "PolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Resource": "arn:aws:ssm:ap-southeast-2:012345678901:parameter/WhatsHerName",
              "Action": [
                "ssm:GetParameters",
                "ssm:GetParameter"
              ]
            },
            {
              "Effect": "Allow",
              "Resource": "*",
              "Action": [
                "ssm:DescribeParameters"
              ]
            }
          ]
        },
        "Roles": [
          {
            "Ref": "InstanceRole"
          }
        ]
      }
    },
    "InstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    },
    "BasicParameter": {
      "Type": "AWS::SSM::Parameter",
      "Properties": {
        "Name": "WhatsHerName",
        "Type": "String",
        "Value": "Sherlyn"
      }
    }
  }
}

任何帮助将不胜感激。

Answer 1

我不喜欢将 JSON 用于 CloudFormation 模板，因此我无法提供 JSON 格式的解决方案，但这里提供的是 YAML 格式的解决方案。

UserData:
  Fn::Base64: !Sub
  - |
    #!/bin/bash -xe
    yum update -y aws-cfn-bootstrap
    /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource Ec2Instance --configsets default --region ${AWS::Region}
    /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
    echo export WHATS_HER_NAME=${WhatsHerNameParameter} >> /etc/profile
  - WhatsHerNameParameter: {{resolve:ssm:WhatsHerName:1}}

您可以阅读有关 using AWS Systems Manager Parameter Store Secure String parameters in AWS CloudFormation templates 的更多信息

上面的代码片段替换了 ${AWS::StackName} 和 ${AWS::Region} ，当它到达 ${WhatsHerNameParameter} 它检查 SSM 参数并将其替换为 UserData。

这意味着 UserData 在到达 EC2 实例之前就已完成。