amazon-web-services - 名称为 ExRole 的导出已由堆栈 Root-role 导出

Question

我想重用此模板，但当我使用嵌套堆栈创建此模板时，它会给出错误名称为 ExRole 的导出已由堆栈 Root-role 导出。如何提高模板的可重用性。这样我就可以在生产、开发和其他环境中部署相同的模板。我尝试在角色名称中使用环境变量，但是如何在输出中使用它，如果要在下一个模板中使用输出，语法应该是什么？

角色:

---
AWSTemplateFormatVersion: 2010-09-09 
Parameters:
  Env:
    Type: String
Resources:
  ExRole:
      Type: 'AWS::IAM::Role'
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - ecs-tasks.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        Path: /
        RoleName: !Sub "excutionrole-${Env}"
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        Policies: 
          - PolicyName: AccessECR
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: 
                    - ecr:BatchGetImage
                    - ecr:GetAuthorizationToken
                    - ecr:GetDownloadUrlForLayer 
                  Resource: '*'

  ContainerInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'               
        Statement:
          - Effect: Allow
            Principal: 
                Service: 
                    - ec2.amazonaws.com
            Action: 
                - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
      Path: '/'
      RoleName: !Sub "ContainerInstanceRole-${Env}"
  

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: 
      Roles: 
        - !Ref ContainerInstanceRole      

Outputs:
  
  ExRole:
    Description: Task excution role
    Value: !Ref ExRole
    Export:
        Name: "ExRole"
  InstanceProfile:
    Description: profile for container instances
    Value: !Ref InstanceProfile
    Export:
        Name: "InstanceProfile"            

任务:

---
AWSTemplateFormatVersion: 2010-09-09 
Parameters:
    ExRole:
      Type: String
    RDS:
      Type: String
 
    DBUSER:
      Type: String
      Default: mysqldb

    DBPASSWORD:
      Type: String
      Default: 1234123a 
    
    DBNAME:
      Type: String
      Default: mysqldb 
Resources:
    Task:
        Type: AWS::ECS::TaskDefinition
        Properties:
            Family: wordpress 
            Cpu: 1 vCPU
            ExecutionRoleArn: !Ref ExRole
            Memory: 1 GB
            NetworkMode: bridge
            RequiresCompatibilities:
                - EC2
            TaskRoleArn: !Ref ExRole
            ContainerDefinitions: 
              - Essential: true
                Image: wordpress:latest
                Name: wordpress
                PortMappings:  
                  - ContainerPort: 80
                    HostPort: 0
                    Protocol: tcp 
                Environment:
                  - Name: WORDPRESS_DB_HOST
                    Value: !Ref RDS 
                  - Name: WORDPRESS_DB_USER
                    Value: !Ref DBUSER 
                  - Name: WORDPRESS_DB_PASSWORD
                    Value: !Ref DBPASSWORD
                  - Name: WORDPRESS_DB_NAME
                    Value: !Ref DBNAME
    
Outputs:
  Task:
    Description: Contains all the task specifications
    Value: !Ref Task
    Export:
      Name: "Task"

根:

Resources:
  Vpcstack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/vpc.yml"
      Parameters:  
        Env: !Ref Env
        Cidr: !Ref Cidr
        Publicsubnet1: !Ref Publicsubnet1
        Publicsubnet2: !Ref Publicsubnet2
        Privatesubnet1: !Ref Privatesubnet1
        Privatesubnet2: !Ref Privatesubnet2  

  role:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/role.yml"
      Parameters:  
        Env: !Ref Env

Answer 1

通常，当人们使用输出时，如果模板在同一父堆栈中多次使用，他们会在导出前添加变量(例如堆栈名称)作为前缀，以使其唯一。

这可以使用 sub intrinsic function 来完成比如下面的例子

Outputs:
  ExRole:
    Description: Task excution role
    Value: !Ref ExRole
    Export:
        Name: !Sub "${AWS::StackName}-ExRole"
  InstanceProfile:
    Description: profile for container instances
    Value: !Ref InstanceProfile
    Export:
        Name: !Sub "${AWS::StackName}-InstanceProfile"

然后您需要将此堆栈 ID 值作为参数传递到需要引用此文件的嵌套堆栈中。这将再次使用子内部函数来引用导出名称。

要在 ImportValue 内部函数中获取此值，您可以像下面这样引用它，为此，您需要将堆栈名称作为参数传递给堆栈:

Fn::ImportValue: !Sub "${NestedStack}-ExRole"

如果您从父堆栈调用另一个堆栈，您可以忽略导出，而是使用 GetAtt 内部函数将输出传递到下一个堆栈。

Resources:
  Vpcstack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/vpc.yml"
      Parameters:  
        Env: !Ref Env
        Cidr: !Ref Cidr
        Publicsubnet1: !Ref Publicsubnet1
        Publicsubnet2: !Ref Publicsubnet2
        Privatesubnet1: !Ref Privatesubnet1
        Privatesubnet2: !Ref Privatesubnet2  

  role:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/role.yml"
      Parameters:  
        Env: !Ref Env
        
  dbStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/db.yml"
      Parameters:  
        Role: !GetAtt role.Outputs.ExRole

您还可以使用 Fn::GetAtt: [role, Outputs.ExRole] 的语法也是有效的语法。