amazon-web-services - 是否可以就地定义 Cloudformation 资源？

我不相信我们可以使用 CloudFormation 做到这一点。

标准做法是将所有资源一起定义在单个模板中并引用。

  EcsTaskExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-taskExecution
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchCheckLayerAvailability'
                  - 'ecr:GetDownloadUrlForLayer'
                  - 'ecr:BatchGetImage'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'

和 !GetAtt EcsTaskExecutionRole.Arn

      ContainerTaskdefinition:
        Type: 'AWS::ECS::TaskDefinition'
        Properties:
          Family: !Ref 'AWS::StackName'
          ExecutionRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
          TaskRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
          Cpu: '256'
          Memory: 1GB
          NetworkMode: awsvpc
          RequiresCompatibilities:
            - EC2
            - FARGATE
          ContainerDefinitions:
            - Name: !Ref 'AWS::StackName'
              Cpu: 10
              Essential: 'true'
              Image: !Ref Image
              Memory: '1024'

但是，使用 AWS CDK，我们可以使用更高级别的构造，它在大多数情况下创建具有默认权限的角色，并且可以在编译创建上述 cloudformation 时轻松添加所需的额外权限。这是 ECS 构造