使用云形成模板的 AWS 系统管理器

我开始为 AWS Systems Manager 编写一些东西，以便：

1. 创建自定义 Windows 和 Linux 映像，以及
2. 如何将 Windows 和 Linux 更新应用于有用的 AMI...

我正在遵循此示例，但在运行它时无法获得结果。

这是我收到的错误：

模板格式错误：必须至少定义一个资源成员。

请让我知道我在这里做错了什么，我已经浏览了代码，但无法找到我做错了什么。

#description: Create a Golden AMI with Linux distribution packages(ClamAV) and Amazon
#software(SSM & Inspector). For details,see https://github.com/miztiik/AWS-Demos/tree/master/How-To/setup-ami-lifecycle-management-using-ssm
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'  
assumeRole: "{{AutomationAssumeRole}}"
parameters:
SourceAmiId:
type: String
description: "(Required) The source Amazon Machine Image ID."
default: ami-0d2692b6acea72ee6
InstanceIamRole:
type: String
description: "(Required) The name of the role that enables Systems Manager (SSM)
to manage the instance."
default: ManagedInstanceRole
AutomationAssumeRole:
type: String
description: "(Required) The ARN of the role that allows Automation to perform
the actions on your behalf."
default: arn:aws:iam::{{global:ACCOUNT_ID}}:role/AutomationServiceRole
SubnetId:
type: String
description: "(Required) The subnet that the created instance will be placed into."
default: subnet-0a72519be8028a56c
TargetAmiName:
type: String
description: "(Optional) The name of the new AMI that will be created. Default
is a system-generated string including the source AMI id, and the creation time
and date."
default: GoldenAMI-RH-7_on_{{global:DATE_TIME}}
InstanceType:
type: String
description: "(Optional) Type of instance to launch as the workspace host. Instance
types vary by region. Default is t2.micro."
default: t2.micro
PreUpdateScript:
type: String
description: (Optional) URL of a script to run before updates are applied. Default
("none") is to not run a script.
default: none
PostUpdateScript:
type: String
description: (Optional) URL of a script to run after package updates are applied.
Default ("none") is to not run a script.
default: none
IncludePackages:
type: String
description: (Optional) Only update these named packages. By default ("all"),
all available updates are applied.
default: all
ExcludePackages:
type: String
description: (Optional) Names of packages to hold back from updates, under all
conditions. By default ("none"), no package is excluded.
default: none
lambdaFunctionName:
type: String
description: "(Required) The name of the lambda function. Default ('none') is
to not run a script."
default: Automation-UpdateSsmParam
mainSteps:
- name: launchInstance
action: aws:runInstances
maxAttempts: 5
timeoutSeconds: 1200
onFailure: Abort
inputs:
ImageId: "{{SourceAmiId}}"
InstanceType: "{{InstanceType}}"
SubnetId: "{{ SubnetId }}"
UserData: IyEvYmluL2Jhc2gNCg0KZnVuY3Rpb24gZ2V0X2NvbnRlbnRzKCkgew0KICAgIGlmIFsgLXggIiQod2hpY2ggY3VybCkiIF07IHRoZW4NCiAgICAgICAgY3VybCAtcyAtZiAiJDEiDQogICAgZWxpZiBbIC14ICIkKHdoaWNoIHdnZXQpIiBdOyB0aGVuDQogICAgICAgIHdnZXQgIiQxIiAtTyAtDQogICAgZWxzZQ0KICAgICAgICBkaWUgIk5vIGRvd25sb2FkIHV0aWxpdHkgKGN1cmwsIHdnZXQpIg0KICAgIGZpDQp9DQoNCnJlYWRvbmx5IElERU5USVRZX1VSTD0iaHR0cDovLzE2OS4yNTQuMTY5LjI1NC8yMDE2LTA2LTMwL2R5bmFtaWMvaW5zdGFuY2UtaWRlbnRpdHkvZG9jdW1lbnQvIg0KcmVhZG9ubHkgVFJVRV9SRUdJT049JChnZXRfY29udGVudHMgIiRJREVOVElUWV9VUkwiIHwgYXdrIC1GXCIgJy9yZWdpb24vIHsgcHJpbnQgJDQgfScpDQpyZWFkb25seSBERUZBVUxUX1JFR0lPTj0idXMtZWFzdC0xIg0KcmVhZG9ubHkgUkVHSU9OPSIke1RSVUVfUkVHSU9OOi0kREVGQVVMVF9SRUdJT059Ig0KDQpyZWFkb25seSBTQ1JJUFRfTkFNRT0iYXdzLWluc3RhbGwtc3NtLWFnZW50Ig0KIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5hbWF6b25hd3MuY29tL3NjcmlwdHMvJFNDUklQVF9OQU1FIg0KDQppZiBbICIkUkVHSU9OIiA9ICJjbi1ub3J0aC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy5jbi1ub3J0aC0xLmFtYXpvbmF3cy5jb20uY24vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQppZiBbICIkUkVHSU9OIiA9ICJ1cy1nb3Ytd2VzdC0xIiBdOyB0aGVuDQogIFNDUklQVF9VUkw9Imh0dHBzOi8vYXdzLXNzbS1kb3dubG9hZHMtJFJFR0lPTi5zMy11cy1nb3Ytd2VzdC0xLmFtYXpvbmF3cy5jb20vc2NyaXB0cy8kU0NSSVBUX05BTUUiDQpmaQ0KDQpjZCAvdG1wDQpGSUxFX1NJWkU9MA0KTUFYX1JFVFJZX0NPVU5UPTMNClJFVFJZX0NPVU5UPTANCg0Kd2hpbGUgWyAkUkVUUllfQ09VTlQgLWx0ICRNQVhfUkVUUllfQ09VTlQgXSA7IGRvDQogIGVjaG8gQVdTLVVwZGF0ZUxpbnV4QW1pOiBEb3dubG9hZGluZyBzY3JpcHQgZnJvbSAkU0NSSVBUX1VSTA0KICBnZXRfY29udGVudHMgIiRTQ1JJUFRfVVJMIiA+ICIkU0NSSVBUX05BTUUiDQogIEZJTEVfU0laRT0kKGR1IC1rIC90bXAvJFNDUklQVF9OQU1FIHwgY3V0IC1mMSkNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbmlzaGVkIGRvd25sb2FkaW5nIHNjcmlwdCwgc2l6ZTogJEZJTEVfU0laRQ0KICBpZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICAgIGJyZWFrDQogIGVsc2UNCiAgICBpZiBbWyAkUkVUUllfQ09VTlQgLWx0IE1BWF9SRVRSWV9DT1VOVCBdXTsgdGhlbg0KICAgICAgUkVUUllfQ09VTlQ9JCgoUkVUUllfQ09VTlQrMSkpOw0KICAgICAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IEZpbGVTaXplIGlzIDAsIHJldHJ5Q291bnQ6ICRSRVRSWV9DT1VOVA0KICAgIGZpDQogIGZpIA0KZG9uZQ0KDQppZiBbICRGSUxFX1NJWkUgLWd0IDAgXTsgdGhlbg0KICBjaG1vZCAreCAiJFNDUklQVF9OQU1FIg0KICBlY2hvIEFXUy1VcGRhdGVMaW51eEFtaTogUnVubmluZyBVcGRhdGVTU01BZ2VudCBzY3JpcHQgbm93IC4uLi4NCiAgLi8iJFNDUklQVF9OQU1FIiAtLXJlZ2lvbiAiJFJFR0lPTiINCmVsc2UNCiAgZWNobyBBV1MtVXBkYXRlTGludXhBbWk6IFVuYWJsZSB0byBkb3dubG9hZCBzY3JpcHQsIHF1aXR0aW5nIC4uLi4NCmZp
MinInstanceCount: 1
MaxInstanceCount: 3
IamInstanceProfileName: "{{InstanceIamRole}}"
- name: updateOSSoftware
action: aws:runCommand
maxAttempts: 3
timeoutSeconds: 3600
onFailure: Abort
inputs:
DocumentName: AWS-RunShellScript
InstanceIds:
- "{{launchInstance.InstanceIds}}"
Parameters:
commands:
- set -e
- '[ -x "$(which wget)" ] && get_contents=''wget $1 -O -'''
- '[ -x "$(which curl)" ] && get_contents=''curl -s -f $1'''
- eval $get_contents https://aws-ssm-downloads-{{global:REGION}}.s3.amazonaws.com/scripts/aws-update-linux-instance
> /tmp/aws-update-linux-instance
- chmod +x /tmp/aws-update-linux-instance
- "/tmp/aws-update-linux-instance --pre-update-script '{{PreUpdateScript}}'
--post-update-script '{{PostUpdateScript}}' --include-packages '{{IncludePackages}}'
--exclude-packages '{{ExcludePackages}}' 2>&1 | tee /tmp/aws-update-linux-instance.log"
- name: installCustomizations
action: aws:runCommand
maxAttempts: 3
timeoutSeconds: 600
onFailure: Abort
inputs:
DocumentName: AWS-RunShellScript
InstanceIds:
- "{{launchInstance.InstanceIds}}"
Parameters:
commands:
- curl -O http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
- rpm -ivh epel-release-latest-7.noarch.rpm
- yum -y install httpd
- systemctl enable httpd
- systemctl restart httpd
- sudo yum --enablerepo=epel install -y clamav
- yum-config-manager --disable epel
- cat /etc/motd >> /var/www/html/index.html
- echo 'Welcome' >> /var/www/html/index.html
- cat > /etc/motd <<- EOF
- "           __  __ _                 _                        _   _             "
- "     /\   |  \/  (_)     /\        | |                      | | (_)            "
- "    /  \  | \  / |_     /  \  _   _| |_ ___  _ __ ___   __ _| |_ _  ___
 _ __  "
- "   / /\ \ | |\/| | |   / /\ \| | | | __/ _ \| '_ ` _ \ / _` | __|
|/ _ \| '_ \ "
- "  / ____ \| |  | | |  / ____ \ |_| | || (_) | | | | | | (_| | |_| | (_)
| | | |"
- " /_/    \_\_|  |_|_| /_/    \_\__,_|\__\___/|_| |_| |_|\__,_|\__|_|\___/|_|
|_|"
- "   "
- "   "
- EOF
- name: installInspectorAgent
action: aws:runCommand
maxAttempts: 3
timeoutSeconds: 600
onFailure: Abort
inputs:
DocumentName: AmazonInspector-ManageAWSAgent
InstanceIds:
- "{{launchInstance.InstanceIds}}"
Parameters:
Operation: Install
- name: installUnifiedCloudWatchAgent
action: aws:runCommand
maxAttempts: 3
timeoutSeconds: 600
onFailure: Abort
inputs:
DocumentName: AWS-ConfigureAWSPackage
InstanceIds:
- "{{launchInstance.InstanceIds}}"
Parameters:
name: AmazonCloudWatchAgent
action: Install
- name: stopInstance
action: aws:changeInstanceState
maxAttempts: 3
timeoutSeconds: 1200
onFailure: Abort
inputs:
InstanceIds:
- "{{launchInstance.InstanceIds}}"
DesiredState: stopped
- name: createImage
action: aws:createImage
maxAttempts: 3
onFailure: Abort
inputs:
InstanceId: "{{launchInstance.InstanceIds}}"
ImageName: "{{TargetAmiName}}"
NoReboot: true
ImageDescription: AMI Generated by EC2 Automation on {{global:DATE_TIME}} from
{{SourceAmiId}}
- name: createEncryptedCopy
action: aws:copyImage
maxAttempts: 3
onFailure: Abort
inputs:
SourceImageId: "{{createImage.ImageId}}"
SourceRegion: "{{global:REGION}}"
ImageName: Encrypted-{{TargetAmiName}}
ImageDescription: Encrypted GoldenAMI by SSM Automation on {{global:DATE_TIME}}
from source AMI {{createImage.ImageId}}
Encrypted: true
- name: createTagsForEncryptedImage
action: aws:createTags
maxAttempts: 1
onFailure: Continue
inputs:
ResourceType: EC2
ResourceIds:
- "{{createEncryptedCopy.ImageId}}"
Tags:
- Key: Automation-Id
Value: "{{automation:EXECUTION_ID}}"
- Key: Owner
Value: Mystique
- Key: SourceAMI
Value: "{{SourceAmiId}}"
- Key: Amazon-Inspector
Value: 'true'
- Key: Amazon-SSM
Value: 'true'
- Key: Encrypted
Value: 'true'
- name: updateSsmParam
action: aws:invokeLambdaFunction
timeoutSeconds: 1200
maxAttempts: 1
onFailure: Abort
inputs:
FunctionName: Automation-UpdateSsmParam
Payload: '{"parameterName":"/GoldenAMI/Linux/RedHat-7/latest", "parameterValue":"{{createEncryptedCopy.ImageId}}"}'
- name: terminateInstance
action: aws:changeInstanceState
maxAttempts: 3
onFailure: Continue
inputs:
InstanceIds:
- "{{launchInstance.InstanceIds}}"
DesiredState: terminated
- name: deleteUnEcryptedImage
action: aws:deleteImage
maxAttempts: 3
timeoutSeconds: 180
onFailure: Abort
inputs:
ImageId: "{{createImage.ImageId}}"
outputs:
- createImage.ImageId

我希望它在 AWS SSM 中运行并创建参数存储和文档。