如何解决我正在部署一个 awscloudformaton 模板来自动管理 Active Directory 中的用户的 Amazon Workspaces 生命周期
我正在部署一个 awscloudformaton 模板,以便与 Active Directory 中的用户一起自动管理 Amazon Workspaces 生命周期
我正在关注一篇文章来做到这一点。但是我在部署这个时遇到错误。
检测到 1 个验证错误:“targets.1.member.values”处的值“[]” 未能满足约束:成员必须满足约束:[成员 长度必须小于或等于 300,成员必须有长度 大于或等于 1](服务:AmazonSSM;状态代码:400; 错误代码:验证异常;请求 ID: cdf3c71c-9059-4e7e-a818-7e87f6e17385;代理:空)
cloudformation代码如下
AWstemplateFormatVersion:'2010-09-09' 描述:'这 CloudFormation 模板创建自动化 Amazon 的解决方案 WorkSpaces 实例生命周期根据用户在 AD OU。'
模板参数参数:
S3 存储桶唯一名称 UsersBucketName:
Type: String
Description: 'xxx-ws-dr-bucket-080119'
域控制器或成员服务器实例 ID AdInstanceID:
Type: String
Description: 'i-078faa4q745c032dg'
WorkSpaces 用户 UsersOU 的 OU 路径:
Type: String
Description: 'CN=workspace,CN=Users,DC=abc,DC=com'
AD 连接器或 Microsoft AD 目录 ID DirectoryID:
Type: String
Description: 'd-90674434b6'
WorkSpaces 捆绑 ID BundleID:
Type: String
Description: 'wsb-clj83ezj1'
用于 PS1 脚本 DriveLetter 的 Windows 驱动器:
Type: String
Description: 'C' Resources:
创建 S3 存储桶 UsersBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref UsersBucketName
NotificationConfiguration:
LambdaConfigurations:
- Event: 's3:ObjectCreated:Put'
Function: !GetAtt LambdaCompare.Arn
Filter:
S3Key:
Rules:
-
Name: suffix
Value: .csv
DependsOn:
- LambdaComparePermission
创建维护时段角色 MaintenanceWindowRole:
Type: AWS::IAM::Role
Properties:
RoleName: 'ws-automation-window-role'
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ssm.amazonaws.com
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole
Policies:
- PolicyName: pass-role
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- iam:PassRole
Resource:
- '*'
创建维护窗口维护窗口:
Type: AWS::SSM::MaintenanceWindow
Properties:
Name: 'ws-automation-maintenance-window'
Schedule: 'cron(0 */5 * ? * *)'
Duration: 3
Cutoff: 1
AllowUnassociatedTargets: true
DependsOn:
- MaintenanceWindowRole
- UsersBucket
创建维护窗口任务MaintenanceWindowTask:
Type: AWS::SSM::MaintenanceWindowTask
Properties:
Name: 'ws-automation-maintenance-window-task'
WindowId: !Sub '${MaintenanceWindow}'
Targets:
- Key: InstanceIds
Values:
- !Ref AdInstanceID
TaskType: 'RUN_COMMAND'
ServiceRoleArn: !GetAtt MaintenanceWindowRole.Arn
TaskArn: 'AWS-RunPowerShellScript'
TaskInvocationParameters:
MaintenanceWindowruncommandParameters:
Parameters:
commands:
- !Sub "New-Item -Path ${DriveLetter}:\\workspaces-users -ItemType directory\nGet-ADUser -Filter * -SearchBase '${UsersOU}' -Properties SamAccountname | % {New-Object PSObject -Property @{oSamAccountname= $_.SamAccountname}} | Select oSamAccountname |
export-CSV ${DriveLetter}:\workspaces-users\workspaces-users1.csv -NoTypeinformation -Encoding UTF8\nGet-Content ${DriveLetter}:\workspaces-users\workspaces-users1.csv |选择 -跳过 1 |设置内容 ${DriveLetter}:\workspaces-users\workspaces-users.csv\nWrite-S3Object -BucketName ${UsersBucketName} -File ${DriveLetter}:\workspaces-users\workspaces-users.csv" 工作目录: ——《》 执行超时: - 《3600》 最大并发数:1 最大错误数:1 优先级:10 依赖于取决于: - 维护窗口
为 Lambda 比较函数 LambdaCompareRole 创建角色:
Type: AWS::IAM::Role
Properties:
RoleName: 'ws-automation-lambda-compare-role'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: 'Allow'
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
创建策略并附加到 Lambda 比较函数 LambdaCompareRolePolicy 的角色:
Type: AWS::IAM::Policy
Properties:
PolicyName: 'ws-automation-lambda-compare-role-policy'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: 'Allow'
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
- 'workspaces:CreateWorkspaces'
- 'workspaces:TerminateWorkspaces'
- 'workspaces:DescribeWorkspaces'
Resource: '*'
-
Effect: 'Allow'
Action:
- 's3:PutObject'
- 's3:Getobject'
Resource: !Sub '${UsersBucket.Arn}/*'
Roles:
- !Ref LambdaCompareRole
创建 Lambda 比较函数 LambdaCompare:
Type: AWS::Lambda::Function
Properties:
FunctionName: 'ws-automation-lambda-compare'
Handler: 'index.lambda_handler'
Role: !Sub '${LambdaCompareRole.Arn}'
Code:
ZipFile:
"Fn::Sub": |
import csv
import logging
import os
import boto3
s3_client = boto3.client('s3')
ws_client = boto3.client('workspaces')
DIRECTORY_ID = os.getenv('DIRECTORY_ID')
BUNDLE_ID = os.getenv('BUNDLE_ID',)
RUNNING_MODE = 'AUTO_STOP'
logging.basicConfig(format='%(asctime)s [%(levelname)+8s]%(module)s: %(message)s',datefmt='%Y-%m-%d
%H:%M:%s') logger = logging.getLogger(名称) logger.setLevel(getattr(logging,os.getenv('LOG_LEVEL','INFO'))) # --- 主处理程序 --- def lambda_handler(事件,上下文): bucket = event['Records'][0]['s3']['bucket']['name'] key = event['Records'][0]['s3']['object']['key'] # 从 S3 获取 CSV 文件并将其转换为 JSON csv_object = s3_client.get_object(Bucket=bucket,Key=key) csv_users = csv.reader(csv_object['Body'].read().decode('utf-8').splitlines()) ad_users = set() 对于 csv_users 中的项目: 如果项目: logger.debug('添加用户:{}'.format(item[0])) ad_users.add(item[0]) # 获取当前工作空间 响应 = ws_client.describe_workspaces() 工作区 = 响应['工作区'] current_ws = set() 对于工作区中的工作区: current_ws.add(工作区['用户名']) # 如果用户存在于广告用户列表中但不在 WorkSpaces 列表中,则终止 WorkSpace users_to_add = ad_users - current_ws logger.debug('要添加的用户:{}'.format(users_to_add)) 对于 users_to_add 中的用户: 尝试: logger.info('为用户创建工作区:{}'.format(user)) create_ws = ws_client.create_workspaces( 工作区=[ { 'DirectoryId': DIRECTORY_ID,'用户名':用户, 'BundleId':BUNDLE_ID, '工作区属性':{ '运行模式':RUNNING_MODE, 'RunningModeAutoStopTimeoutInMinutes':60 } } ] ) 除了作为 e 的例外: logger.error('无法创建工作区') logger.debug('错误:{}'.format(e)) # 如果用户存在于 WorkSpaces 列表中但不在 AD 用户列表中,则终止 WorkSpace ws_to_terminate = current_ws - ad_users logger.debug('要终止的工作区:{}'.format(ws_to_terminate)) 对于 ws_to_terminate 中的用户: 尝试: logger.info('终止用户的工作区:{}'.format(user)) describe_ws = ws_client.describe_workspaces( DirectoryId=DIRECTORY_ID, 用户名=用户 ) workspace_id = describe_ws['Workspaces'][0]['WorkspaceId'] Terminate_ws = ws_client.terminate_workspaces( TerminateWorkspaceRequests=[ { 'WorkspaceId':workspace_id },]) 除了作为 e 的例外: logger.error('执行describe_workspaces 或terminate_workspaces 时出错') logger.debug('错误:{}'.format(e)) 运行时:'python2.7' 超时:600 环境: 变量: DIRECTORY_ID: !Ref DirectoryID BUNDLE_ID: !Ref BundleID
为 S3 存储桶 LambdaComparePermission 创建 Lambda 比较函数权限:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !Ref LambdaCompare
Action: 'lambda:InvokeFunction'
Principal: 's3.amazonaws.com'
SourceAccount: !Ref 'AWS::AccountId'
SourceArn: !Sub 'arn:aws:s3:::${UsersBucketName}'
资源输出输出:堆栈名称:
Description: Stack name.
Value: !Sub '${AWS::StackName}' UsersBucket:
Description: S3 bucket name.
Value: !Ref UsersBucket MaintenanceWindowRole:
Description: Maintenance Window Role name.
Value: !Ref MaintenanceWindowRole MaintenanceWindow:
Description: Systems Manager Maintenance Window ID.
Value: !Ref MaintenanceWindow MaintenanceWindowTask:
Description: Maintenance Window Task ID.
Value: !Ref MaintenanceWindowTask LambdaCompareRole:
Description: Lambda Compare Role name.
Value: !Ref LambdaCompareRole LambdaCompareRolePolicy:
Description: Lambda Compare Policy ID.
Value: !Ref LambdaCompareRolePolicy LambdaCompare:
Description: Lambda Compare function name.
Value: !Ref LambdaCompare
我只是想知道我在这里做错了什么以及需要改变什么。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
