Amazon web services 是否可以在适当的位置定义云信息资源?
我有一个资源定义Amazon web services 是否可以在适当的位置定义云信息资源?,amazon-web-services,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon Cloudformation,Amazon Iam,我有一个资源定义 APITaskDefinition: Type: 'AWS::ECS::TaskDefinition' Properties: ... ExecutionRoleArn: <RoleADefinition here> ... TaskRoleArn: <RoleBDefinition here> ... APITaskDefinition: 类型:“AWS::ECS::TaskDe
APITaskDefinition:
Type: 'AWS::ECS::TaskDefinition'
Properties:
...
ExecutionRoleArn:
<RoleADefinition here>
...
TaskRoleArn:
<RoleBDefinition here>
...
APITaskDefinition:
类型:“AWS::ECS::TaskDefinition”
特性:
...
执行官学习:
...
TaskRoleArn:
...
考虑到这些角色只将由该资源使用,这将是非常棒的
APITaskDefinition
,并且对于每个需要一个角色的资源使用特定角色被认为是最佳实践我不相信我们可以通过CloudFormation做到这一点
标准实践是在单个模板中一起定义所有资源并引用它
EcsTaskExecutionRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: ecs-taskExecution
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'ecr:GetAuthorizationToken'
- 'ecr:BatchCheckLayerAvailability'
- 'ecr:GetDownloadUrlForLayer'
- 'ecr:BatchGetImage'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
还有!GetAtt执行角色。Arn
ContainerTaskdefinition:
Type: 'AWS::ECS::TaskDefinition'
Properties:
Family: !Ref 'AWS::StackName'
ExecutionRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
TaskRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
Cpu: '256'
Memory: 1GB
NetworkMode: awsvpc
RequiresCompatibilities:
- EC2
- FARGATE
ContainerDefinitions:
- Name: !Ref 'AWS::StackName'
Cpu: 10
Essential: 'true'
Image: !Ref Image
Memory: '1024'
containerTaskId定义:
类型:“AWS::ECS::TaskDefinition”
特性:
家庭:!参考“AWS::StackName”
刽子手学习:!GetAtt执行角色。Arn