Amazon web services 是否可以在适当的位置定义云信息资源？

我有一个资源定义

APITaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Properties:
    ...
    ExecutionRoleArn:
      <RoleADefinition here>
    ...
    TaskRoleArn:
      <RoleBDefinition here>
    ...

APITaskDefinition:
类型：“AWS:：ECS:：TaskDefinition”
特性：
...
执行官学习：
...
TaskRoleArn：
...

---

考虑到这些角色只将由该资源使用，这将是非常棒的

APITaskDefinition

，并且对于每个需要一个角色的资源使用特定角色被认为是最佳实践我不相信我们可以通过CloudFormation做到这一点

标准实践是在单个模板中一起定义所有资源并引用它

  EcsTaskExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-taskExecution
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchCheckLayerAvailability'
                  - 'ecr:GetDownloadUrlForLayer'
                  - 'ecr:BatchGetImage'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'

还有！GetAtt执行角色。Arn

      ContainerTaskdefinition:
        Type: 'AWS::ECS::TaskDefinition'
        Properties:
          Family: !Ref 'AWS::StackName'
          ExecutionRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
          TaskRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
          Cpu: '256'
          Memory: 1GB
          NetworkMode: awsvpc
          RequiresCompatibilities:
            - EC2
            - FARGATE
          ContainerDefinitions:
            - Name: !Ref 'AWS::StackName'
              Cpu: 10
              Essential: 'true'
              Image: !Ref Image
              Memory: '1024'

containerTaskId定义：
类型：“AWS:：ECS:：TaskDefinition”
特性：
家庭：！参考“AWS:：StackName”
刽子手学习：！GetAtt执行角色。Arn