AWS Cloudformation入门项目实践

云迁移项目要求

  1. 创建IAM用户组,该用户组具有admin基础权限,并将IAM用户添加到用户组
  2. 创建VPC,并分别创建两个公有子网和私有子网,规划互联网网关和路由表
  3. 使用EC2服务分别在两个公有子网创建Web服务器,绑定EIP,使用安全组允许80(Web)和22(SSH)端口流量通过,自行下载安装好apache服务,并使用ELB进行负载分担
  4. 创建MySQL数据库服务器,规划安全组只允许位于公有子网的Web服务器能够访问
  5. 创建公开可读的S3存储桶,并在policy当中允许所有动作
  6. 创建CloudWatch账单告警,计费超过10美元时告警,并通过SNS发送邮件

代码及说明

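AWSTemplateFormatVersion: "2010-09-09"

Resources:
  # IAM group for the project administrators. The inline policy grants
  # every action on every resource (the same grant as the AWS-managed
  # AdministratorAccess policy), as the exercise requires; for a real
  # account prefer ManagedPolicyArns with a least-privilege policy.
  MyGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: MyGroup
      Policies:
        - PolicyName: MyPolicy
          PolicyDocument:
            # Explicit policy-language version; without it IAM evaluates
            # the document with the older 2008-10-17 grammar.
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "*"
                Resource: "*"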
  
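  # Console password for MyUser, generated by Secrets Manager at deploy
  # time. The original hard-coded the password in the template, which
  # exposes it to everyone who can read the source or the stack body.
  MyUserSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Initial console password for the IAM user MyUser
      GenerateSecretString:
        SecretStringTemplate: '{"username": "MyUser"}'
        GenerateStringKey: password
        PasswordLength: 20
        # Characters that commonly break shells or URLs are left out.
        ExcludeCharacters: '"@/\'

  # IAM user that belongs to MyGroup. The password is pulled from the
  # secret above through a dynamic reference, so it never appears in
  # plaintext in the template.
  MyUser:
    Type: AWS::IAM::User
    Properties:
      UserName: MyUser
      Groups:
        - !Ref MyGroup
      LoginProfile:
        Password: !Sub '{{resolve:secretsmanager:${MyUserSecret}:SecretString:password}}'
        # The generated value is only a bootstrap credential; force a
        # change at first sign-in.
        PasswordResetRequired: true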
  
  # The project VPC; every subnet below is carved out of this /16.
  MyVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '192.168.0.0/16'
  
  # Public subnets 01 and 02, one per availability zone, for the Web
  # servers. They become "public" through their association with MyRTB
  # further down, which carries the default route to the gateway.
  PublicSubnet01:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: '192.168.10.0/24'
      AvailabilityZone: 'ap-northeast-1a'

  PublicSubnet02:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: '192.168.11.0/24'
      AvailabilityZone: 'ap-northeast-1c'
  
  # Private subnets 03 and 04, one per availability zone, for the
  # database. They are never associated with MyRTB, so they keep the
  # VPC's main route table and have no route to the internet gateway.
  PrivateSubnet03:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: '192.168.20.0/24'
      AvailabilityZone: 'ap-northeast-1a'

  PrivateSubnet04:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: '192.168.21.0/24'
      AvailabilityZone: 'ap-northeast-1c'
  
  # Internet gateway; VPCGatewayAttach below binds it to MyVPC.
  MyIGW:
    Type: 'AWS::EC2::InternetGateway'
  
  # Attach MyIGW to MyVPC. Routes and Elastic IPs that point at the
  # gateway should depend on this resource.
  VPCGatewayAttach:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyIGW
  
  # Route table for the public subnets.
  MyRTB:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref MyVPC
  
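  # Default route to the internet gateway. The gateway has to be
  # attached to the VPC before this route is created, so the dependency
  # on VPCGatewayAttach is declared explicitly; without it stack
  # creation can fail because the route table and the gateway are not
  # yet in the same network.
  RoutetoIGW:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttach
    Properties:
      RouteTableId: !Ref MyRTB
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref MyIGW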
  
  # Explicitly associate both public subnets with MyRTB so they receive
  # the default route to the internet gateway.
  AssociateSubnetandRTB:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet01
      RouteTableId: !Ref MyRTB

  AssociateSubnetandRTB2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet02
      RouteTableId: !Ref MyRTB
  
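  # Security group for the Web servers: TCP 80 (HTTP) and TCP 22 (SSH)
  # from anywhere, as the exercise requires. Port 22 open to 0.0.0.0/0
  # is routinely scanned and brute-forced; outside the exercise narrow
  # the CidrIp of the SSH rule to the administrators' address range, or
  # drop the rule and use SSM Session Manager. Egress is the default
  # allow-all.
  MySG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: MySG
      GroupDescription: Enable SSH and Web for EC2
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - Description: HTTP from the internet
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - Description: SSH for administration - restrict this CIDR
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0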
  
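  # Two Web servers, one per public subnet, fronted by MyALB. The AMI is
  # resolved at deploy time from the public SSM parameter for the latest
  # Amazon Linux 2 (5.10 kernel) image in the deployment region; a
  # hard-coded AMI id is region-specific and is eventually deprecated.
  # Both instances now run the same bootstrap script (the original used
  # "yum upgrade" on one and "yum update" on the other). User data runs
  # as root, so sudo is not needed.
  MyEC2Server01:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-x86_64-gp2}}'
      AvailabilityZone: ap-northeast-1a
      SubnetId: !Ref PublicSubnet01
      # Not the default VPC, so the security group must be given by id.
      SecurityGroupIds:
        - !GetAtt MySG.GroupId
      # Install Apache and enable it at boot.
      UserData: !Base64 |
        #!/bin/bash
        yum update -y
        yum install -y httpd
        systemctl start httpd
        systemctl enable httpd

  MyEC2Server02:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-x86_64-gp2}}'
      AvailabilityZone: ap-northeast-1c
      SubnetId: !Ref PublicSubnet02
      SecurityGroupIds:
        - !GetAtt MySG.GroupId
      UserData: !Base64 |
        #!/bin/bash
        yum update -y
        yum install -y httpd
        systemctl start httpd
        systemctl enable httpd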
  
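  # One Elastic IP per Web server. An EIP associated with an instance in
  # a VPC defined in the same template must depend on the gateway
  # attachment; otherwise the association may run before the VPC has
  # internet connectivity and fail. Domain is set explicitly to vpc.
  MyEip1:
    Type: AWS::EC2::EIP
    DependsOn: VPCGatewayAttach
    Properties:
      Domain: vpc
      InstanceId: !Ref MyEC2Server01
      NetworkBorderGroup: ap-northeast-1

  MyEip2:
    Type: AWS::EC2::EIP
    DependsOn: VPCGatewayAttach
    Properties:
      Domain: vpc
      InstanceId: !Ref MyEC2Server02
      NetworkBorderGroup: ap-northeast-1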

  # Target group the load balancer forwards to: both Web servers on
  # HTTP port 80.
  MyTargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    Properties:
      VpcId: !Ref MyVPC
      Protocol: 'HTTP'
      Port: 80
      Targets:
        - Port: 80
          Id: !Ref MyEC2Server01
        - Port: 80
          Id: !Ref MyEC2Server02

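  # Internet-facing application load balancer spanning both public
  # subnets (ELB v1 is the legacy Classic Load Balancer). Requests with
  # invalid HTTP header fields are dropped at the load balancer instead
  # of being forwarded to the Web servers.
  MyALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets:
        - !Ref PublicSubnet01
        - !Ref PublicSubnet02
      SecurityGroups:
        - !GetAtt MySG2.GroupId
      LoadBalancerAttributes:
        # Attribute values are strings; quoted so YAML keeps it one.
        - Key: routing.http.drop_invalid_header_fields.enabled
          Value: 'true'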

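  # Security group for the load balancer: HTTP from anywhere.
  MySG2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: MySG2
      GroupDescription: Enable Web for ELB
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - Description: HTTP from the internet to the load balancer
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0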
  
  # HTTP listener on MyALB: every request arriving on port 80 is
  # forwarded to MyTargetGroup, which spreads it over the two Web
  # servers. (Traffic flows listener -> target group, not the reverse.)
  MyListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref MyALB
      Port: 80
      Protocol: 'HTTP'
      DefaultActions:
        - Type: 'forward'
          TargetGroupArn: !Ref MyTargetGroup

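  # MySQL instance in the private subnets. The master password is
  # generated and stored in Secrets Manager by RDS (ManageMasterUserPassword)
  # instead of being written in plaintext in the template. Storage is
  # encrypted at rest and no public endpoint is created; only members of
  # MySG3's source group (the Web servers) can reach port 3306.
  MySQLServer:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: MySQL
      DBInstanceClass: db.t2.small
      AllocatedStorage: 20
      AvailabilityZone: ap-northeast-1a
      DBSubnetGroupName: !Ref MyDBSubnetGroup
      MasterUsername: root
      ManageMasterUserPassword: true
      PubliclyAccessible: false
      StorageEncrypted: true
      VPCSecurityGroups:
        - !Ref MySG3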

  # Subnet group covering both private subnets, so the database can be
  # switched to Multi-AZ later without re-creating the network.
  MyDBSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      SubnetIds:
        - !Ref PrivateSubnet03
        - !Ref PrivateSubnet04
      DBSubnetGroupDescription: 'My SubnetGroup for DB Subnet'
  
  # Security group for the database: MySQL (TCP 3306) is accepted only
  # from members of MySG, i.e. the Web servers. Referencing the source
  # security group instead of a CIDR keeps the rule correct if the Web
  # tier's addresses change.
  MySG3:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref MyVPC
      GroupName: 'MySG3'
      GroupDescription: 'Enable MySQL for EC2'
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref MySG
          IpProtocol: 'tcp'
          FromPort: 3306
          ToPort: 3306
  
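  # Bucket whose objects are publicly readable, as the exercise requires.
  # Public access is granted by the bucket policy (MyBucketPolicy), not
  # by an ACL: buckets created since April 2023 have ACLs disabled
  # (BucketOwnerEnforced) by default, so AccessControl: PublicRead fails
  # on creation. ACL-based public access stays blocked; only a public
  # bucket policy is permitted.
  MyPublicBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Bucket names are global across all AWS accounts; this fixed name
      # fails if anyone else already owns it.
      BucketName: mypublicbucket-ap-northeast-1
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: false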
  
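  # Bucket policy that makes every object publicly readable. The
  # original granted s3:* to Principal "*" on the bucket ARN, which (a)
  # would let anyone on the internet delete the bucket or rewrite this
  # policy and (b) did not actually allow reading objects, because
  # object actions need the object ARN (bucket ARN + "/*"). Public read
  # needs only s3:GetObject on the objects.
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyPublicBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
            Resource: !Sub '${MyPublicBucket.Arn}/*'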

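  # Billing alarm: notify MySNSTopic when the estimated charges exceed
  # 10 USD, evaluated over one 6-hour period. AWS publishes the
  # EstimatedCharges metric only in us-east-1, and only after billing
  # alerts are enabled in the account's billing preferences; created in
  # another region (this template's AZs are in ap-northeast-1) the alarm
  # never receives data and stays in INSUFFICIENT_DATA.
  MyBillingAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Estimated AWS charges exceeded 10 USD
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      Statistic: Maximum
      # 21600 s = 6 hours.
      Period: 21600
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanThreshold
      Threshold: 10
      AlarmActions:
        - !Ref MySNSTopic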

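  # SNS topic that e-mails the billing alert. Replace the placeholder
  # with a mailbox you control; SNS sends a confirmation message that
  # has to be accepted before notifications are delivered. The published
  # listing's address had been mangled to "[email protected]", which YAML
  # parses as a one-element flow sequence, not a string.
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: MySNSTopic
      Subscription:
        - Endpoint: 'REPLACE_WITH_YOUR_EMAIL@example.com'
          Protocol: email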

转载自blog.csdn.net/weixin_41656968/article/details/127837735