第一个问题是，AWS 文档所引用的这个仓库里的代码：
https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner.git
不起作用…存储库已废弃。
如果您检出了正确的分支（分支名也写在下面这个 shell 脚本中），那么脚本里列出的 maslick 的仓库确实可以工作。同样，正如本文所述，您还需要使用正确的 IAM 角色。
使用 CloudShell 安装 CommandRunner 的 shell 脚本：
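############################################################################
# Configures AWS CloudShell (or a yum-based Linux box), then builds and
# deploys the CommandRunner CloudFormation resource type.
#
# Operational notes:
#   - CloudShell resets when you change roles.
#   - CloudShell invokes the AWS CLI with the current console role, so you
#     must be in the correct role before attempting to deploy. Use the
#     IAMManagement role deployed by IAMManagement.yaml.
#   - If you do not specify a subnet you must have a default VPC, and the
#     subnet must be in an AZ that can support t3.micro.
#
# Supply-chain notes: everything this script fetches (yum repo definition,
# Python source tarball, pip packages, the git checkout) is then compiled
# and executed under your CloudShell role's credentials. Fetch over HTTPS
# only, pin versions, and verify what can be verified before running it.
#############################################################################
set -euo pipefail

PYTHON_VERSION="3.8.12"
PYTHON_URL="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz"
COMMANDRUNNER_REPO="https://github.com/maslick/aws-cloudformation-resource-providers-awsutilities-commandrunner.git"
COMMANDRUNNER_BRANCH="fix-null-sg"

# --- Java ------------------------------------------------------------------
sudo yum install -y java-1.8.0-openjdk-devel.x86_64
java -version

# --- Maven -----------------------------------------------------------------
# Third-party repo definition. Fetched over HTTPS -- the original used plain
# HTTP, which lets anyone on the network path swap the repo URL and its
# gpgcheck setting. Review the downloaded file before installing from it.
sudo wget https://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo \
  -O /etc/yum.repos.d/epel-apache-maven.repo
sudo sed -i 's/$releasever/6/g' /etc/yum.repos.d/epel-apache-maven.repo
sudo yum install -y apache-maven
mvn -v   # the original read "mvn âv": a mis-encoded dash, not a valid flag

# --- Git / AWS CLI ---------------------------------------------------------
# Both are already present in CloudShell, and the CLI already uses the
# current role, so no install and no `aws configure` is needed here. On a
# plain Linux box install them first:
#   sudo yum install -y git
#   curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
#   unzip awscliv2.zip && sudo ./aws/install

# --- Python 3.8 (built from source) ----------------------------------------
# Reference: https://tecadmin.net/install-python-3-8-amazon-linux/
sudo yum install -y gcc openssl-devel bzip2-devel libffi-devel zlib-devel
cd /opt
sudo wget "${PYTHON_URL}" -O "Python-${PYTHON_VERSION}.tgz"
# Verify the tarball against python.org's detached OpenPGP signature before
# compiling it and installing it as root. The release manager's public key
# must already be in your keyring (keys are listed on
# https://www.python.org/downloads/); if it is missing this step fails
# closed and the script stops rather than building unverified source.
sudo wget "${PYTHON_URL}.asc" -O "Python-${PYTHON_VERSION}.tgz.asc"
gpg --verify "Python-${PYTHON_VERSION}.tgz.asc" "Python-${PYTHON_VERSION}.tgz"
sudo tar xzf "Python-${PYTHON_VERSION}.tgz"
cd "Python-${PYTHON_VERSION}"
sudo ./configure --enable-optimizations
sudo make altinstall   # altinstall: installs python3.8 without replacing the system python3
sudo rm -f "/opt/Python-${PYTHON_VERSION}.tgz" "/opt/Python-${PYTHON_VERSION}.tgz.asc"
python3.8 --version

# Make python3.8 the default python3 (altinstall put it under /usr/local/bin).
# Reference: https://tech.serhatteker.com/post/2019-12/upgrade-python38-on-ubuntu/
sudo update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.8 1
sudo update-alternatives --set python3 /usr/local/bin/python3.8
python3 --version   # should report 3.8

# --- CloudFormation CLI ----------------------------------------------------
# Install into the 3.8 interpreter explicitly; a bare `pip3` may belong to
# the distro's older python3. With /usr/local owned by root, pip will
# normally fall back to a --user install, so ~/.local/bin must be on PATH
# for `cfn` to be found.
python3.8 -m pip install cloudformation-cli cloudformation-cli-java-plugin \
  cloudformation-cli-go-plugin cloudformation-cli-python-plugin \
  cloudformation-cli-typescript-plugin
export PATH="${HOME}/.local/bin:/usr/local/bin:${PATH}"

# --- Source ----------------------------------------------------------------
# maslick's fork has the working version; the repository referred to in the
# AWS docs is unmaintained and does not build. Only the branch is pinned
# here -- once you have reviewed the tree, pin a commit SHA instead
# (git checkout <sha>) so a later push to the fork cannot change what you
# build and register in your account.
cd ~
git clone "${COMMANDRUNNER_REPO}"
cd ~/aws-cloudformation-resource-providers-awsutilities-commandrunner
git checkout "${COMMANDRUNNER_BRANCH}"

# --- Build -----------------------------------------------------------------
# The original set `alias python="/usr/bin/Python-3.8.12/python"` here. That
# path does not exist after the install above (the interpreter is at
# /usr/local/bin/python3.8) and aliases are not inherited by a child script
# anyway, so it was dropped. build.sh is assumed to pick up python3 / cfn
# from PATH -- TODO confirm against scripts/build.sh.
./scripts/build.sh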
还附上了一份 YAML 模板，用来创建 CloudShell 运行所需的 IAM 角色（我是从另一个项目中提取的；如果你必须以管理权限进行安装，它会很方便）。
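AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Creates the IAMManagement managed policy and role used to manage IAM roles
  and policies (e.g. from CloudShell). Required by IAMTouchworks.yaml.
  Disable the role by re-deploying with allowIAMAssumption=No.
Metadata:
  Generator: "former2"
  Description: >-
    Provides permissions for managing Roles and Policies. Required by
    IAMTouchworks.yaml. Disable these roles by re-deploying and setting
    allowIAMAssumption=No.
Parameters:
  environment:
    Description: "Environment Name"
    Type: String
    Default: "Sandbox-1"
  environmentShort:
    Description: "Environment Name (Short)"
    Type: String
    Default: "S1"
  allowIAMAssumption:
    # Kept as a quoted string, not a YAML boolean, so the value survives
    # every parser and is compared exactly by the Condition below. The
    # match is case-sensitive: only "YES" enables the role.
    Description: "Allow the IAMManagement role to be assumed (YES) or leave it locked (No)"
    Type: String
    Default: "No"
    AllowedValues:
      - "No"
      - "YES"
    ConstraintDescription: "Must be No or YES"
  adminRoleName:
    # Name of the existing role in this account that may assume
    # IAMManagement (was hard-coded as CSS-Customer-Admin). IAM validates
    # role principals when a trust policy is written, so the stack should
    # fail to create/update if this role does not exist -- TODO confirm.
    Description: "Name of the existing IAM role allowed to assume IAMManagement"
    Type: String
    Default: "CSS-Customer-Admin"
Conditions:
  IAMAssumptionCondition: !Equals
    - !Ref allowIAMAssumption
    - "YES"
Resources:
  IAMManagementPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      # Fixed names: IAM is global, so only one copy of this stack can exist
      # per account, and renaming forces a replacement.
      ManagedPolicyName: IAMManagement
      Path: "/"
      # REVIEW: taken together these statements are effectively
      # AdministratorAccess. Every statement uses Resource "*", and the
      # actions include s3:*, kms:*, sns:*, cloudformation:*, iam:Update*,
      # iam:Delete*, iam:CreateAccessKey, iam:PutUserPolicy,
      # iam:AttachRolePolicy / iam:AttachUserPolicy, iam:CreatePolicyVersion
      # and iam:PassRole. Any principal that can assume IAMManagement can
      # mint access keys for any user, attach AdministratorAccess to any
      # identity, rewrite any customer managed policy, or pass any role to a
      # service. Before using this outside a sandbox, scope the Resource
      # ARNs (role/user/policy path or name prefix) and require a
      # permissions boundary on the Create*/Put*/Attach* actions.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "cloudformation:*"
              - "cloudshell:*"
              - "s3:*"
              - "sns:*"
              - "kms:*"
            Resource: "*"
          - Effect: Allow
            Action:
              - "ec2:DescribeAccountAttributes"
              - "sts:GetCallerIdentity"
              - "access-analyzer:ListPolicyGenerations"
            Resource: "*"
          # These four wildcards already cover most of the explicit
          # iam:Get*/List*/Update*/Delete* entries in the two statements
          # below; the explicit lists are kept for readability only.
          - Effect: Allow
            Action:
              - "iam:List*"
              - "iam:Get*"
              - "iam:Update*"
              - "iam:Delete*"
            Resource: "*"
          - Effect: Allow
            Action:
              - "iam:AddRoleToInstanceProfile"
              - "iam:CreateInstanceProfile"
              - "iam:DeleteInstanceProfile"
              - "iam:GetInstanceProfile"
              - "iam:RemoveRoleFromInstanceProfile"
              - "iam:DeleteRolePolicy"
              - "iam:ListPolicies"
              - "iam:ListRoles"
              - "iam:ListUserPolicies"
              - "iam:CreateAccessKey"
              - "iam:UpdateAccessKey"
              - "iam:TagUser"
              - "iam:PutUserPolicy"
              - "iam:ListEntitiesForPolicy"
              - "iam:DeleteAccessKey"
              - "iam:ListAccessKeys"
              - "iam:ListAttachedUserPolicies"
              - "iam:ListSigningCertificates"
              - "iam:ListSSHPublicKeys"
              - "iam:ListServiceSpecificCredentials"
              - "iam:DeleteUserPolicy"
              - "iam:GenerateServiceLastAccessedDetails"
            Resource: "*"
          # iam:DeleteRolePolicy was listed here a second time; it is
          # already granted in the statement above, so the duplicate is gone.
          - Effect: Allow
            Action:
              - "iam:AddUserToGroup"
              - "iam:AttachRolePolicy"
              - "iam:AttachUserPolicy"
              - "iam:CreateGroup"
              - "iam:CreateRole"
              - "iam:CreatePolicy"
              - "iam:CreatePolicyVersion"
              - "iam:CreateUser"
              - "iam:DeleteRole"
              - "iam:DetachRolePolicy"
              - "iam:DetachUserPolicy"
              - "iam:DeleteGroup"
              - "iam:DeleteGroupPolicy"
              - "iam:DeleteUser"
              - "iam:GetGroup"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:GetPolicy"
              - "iam:GetUser"
              - "iam:DeletePolicy"
              - "iam:GetPolicyVersion"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListInstanceProfilesForRole"
              - "iam:ListRolePolicies"
              - "iam:ListPolicyVersions"
              - "iam:ListGroups"
              - "iam:ListUsers"
              - "iam:DeletePolicyVersion"
              - "iam:PassRole"
              - "iam:PutRolePolicy"
              - "iam:PutGroupPolicy"
              - "iam:RemoveUserFromGroup"
              - "iam:TagRole"
            Resource: "*"
  IAMManagementRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: "IAMManagement"
      # With allowIAMAssumption=YES only the named admin role in this account
      # may assume IAMManagement. Otherwise the trust policy is an explicit
      # Deny for every principal: the role and its policy attachment stay in
      # place but nobody can assume it until the stack is re-deployed.
      AssumeRolePolicyDocument: !If
        - IAMAssumptionCondition
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                AWS:
                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/${adminRoleName}"
              Action: "sts:AssumeRole"
        - Version: "2012-10-17"
          Statement:
            - Effect: Deny
              Principal:
                AWS:
                  - "*"
              Action: "sts:AssumeRole"
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - !Ref IAMManagementPolicy
      Tags:
        - Key: "Environment"
          Value: !Ref environment
        - Key: "Environment-Short"
          Value: !Ref environmentShort
        - Key: "Purpose"
          Value: "Role"
        - Key: "Application"
          Value: "Infrastructure"
        - Key: "Description"
          Value: "Allows IAM Role-Policy Management"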
下面是一个非常简单的 CloudFormation 测试模板，用来验证 CommandRunner 可以运行 AWS CLI。
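#!!! THE RELEASE DOES NOT WORK !!!!
# To actually get this to work you have to build the resource type yourself:
#   https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner/issues/24
#   https://github.com/maslick/aws-cloudformation-resource-providers-awsutilities-commandrunner/tree/fix-null-sg
# CommandRunner documentation:
#   https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-commandrunner-stack/
#   https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-awsutilities-commandrunner#prerequisites
# This template assumes a default VPC exists (no SubnetId is set below).
#
# Security note: whatever is in `Command` runs on an EC2 instance under the
# `Role` below, and whatever it writes to /command-output.txt ends up in the
# CloudWatch log group and in the stack Outputs. Keep the role to the
# minimum the command needs and never print secrets into the output file.
AWSTemplateFormatVersion: "2010-09-09"
Description: CommandRunner smoke test - runs the AWS CLI (aws s3 ls) on an EC2 instance
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/command-runner/${AWS::StackName}/"
      RetentionInDays: 14
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: "Role assumed by the CommandRunner EC2 instance"
      MaxSessionDuration: 14400
      Path: "/"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Lets the runner ship its output to the log group above.
        - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
      Policies:
        # `aws s3 ls` with no arguments only calls ListBuckets, which needs
        # s3:ListAllMyBuckets. The original attached AmazonS3FullAccess,
        # which let this throwaway instance read, write and delete every
        # object in the account. Widen this only if Command actually needs it.
        - PolicyName: ListBucketsOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListAllMyBuckets
                Resource: "*"
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref Role
  CommandRunner:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      LogGroup: !Ref LogGroup
      # CommandRunner takes the instance profile here, not the role itself.
      Role: !Ref InstanceProfile
      # SubnetId: YOUR_SUBNET_ID   # required when the account has no default VPC
      # Prints the name of the first bucket returned by `aws s3 ls`.
      Command: |
        aws s3 ls | sed -n 1p | cut -d " " -f3 \
        > /command-output.txt
      # Alternatives used while testing (needs no S3 permission at all):
      #   aws --version 2>&1 | tail -1 | head -n 1 > /command-output.txt
      #   aws s3 ls | sed -n 1p | cut -d " " -f3 > /command-output.txt
Outputs:
  CommandRunnerOutput:
    Description: Contents of /command-output.txt from the CommandRunner instance
    Value: !GetAtt CommandRunner.Output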