This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.
Sample templates
Conditionally create resources for a production, development, or test stack
In some cases, you might want to create stacks that are similar but with minor variations. For example, you might have a template that you use for production applications, and you want to create the same production stack so that you can use it for development or testing. For development and testing, however, you might not need all of the extra capacity that is included in a production-level stack. Instead, you can use an environment type input parameter to conditionally create the stack resources that are specific to production, development, or testing, as the following example shows:
JSON example

```json
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Mappings" : {
    "RegionMap" : {
      "us-east-1"      : { "AMI" : "ami-0ff8a91507f77f867" },
      "us-west-1"      : { "AMI" : "ami-0bdb828fd58c52235" },
      "us-west-2"      : { "AMI" : "ami-a0cfeed8" },
      "eu-west-1"      : { "AMI" : "ami-047bb4163c506cd98" },
      "sa-east-1"      : { "AMI" : "ami-07b14488da8ea02a0" },
      "ap-southeast-1" : { "AMI" : "ami-08569b978cc4dfa10" },
      "ap-southeast-2" : { "AMI" : "ami-09b42976632b27e9b" },
      "ap-northeast-1" : { "AMI" : "ami-06cd52961ce9f0d85" }
    }
  },
  "Parameters" : {
    "EnvType" : {
      "Description" : "Environment type.",
      "Default" : "test",
      "Type" : "String",
      "AllowedValues" : ["prod", "dev", "test"],
      "ConstraintDescription" : "must specify prod, dev, or test."
    }
  },
  "Conditions" : {
    "CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "prod"]},
    "CreateDevResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "dev"]}
  },
  "Resources" : {
    "EC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
        "InstanceType" : { "Fn::If" : [
          "CreateProdResources",
          "c1.xlarge",
          {"Fn::If" : [ "CreateDevResources", "m1.large", "m1.small" ]}
        ]}
      }
    },
    "MountPoint" : {
      "Type" : "AWS::EC2::VolumeAttachment",
      "Condition" : "CreateProdResources",
      "Properties" : {
        "InstanceId" : { "Ref" : "EC2Instance" },
        "VolumeId" : { "Ref" : "NewVolume" },
        "Device" : "/dev/sdh"
      }
    },
    "NewVolume" : {
      "Type" : "AWS::EC2::Volume",
      "Condition" : "CreateProdResources",
      "Properties" : {
        "Size" : "100",
        "AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ]}
      }
    }
  }
}
```

YAML example

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Mappings:
  RegionMap:
    us-east-1:
      AMI: "ami-0ff8a91507f77f867"
    us-west-1:
      AMI: "ami-0bdb828fd58c52235"
    us-west-2:
      AMI: "ami-a0cfeed8"
    eu-west-1:
      AMI: "ami-047bb4163c506cd98"
    sa-east-1:
      AMI: "ami-07b14488da8ea02a0"
    ap-southeast-1:
      AMI: "ami-08569b978cc4dfa10"
    ap-southeast-2:
      AMI: "ami-09b42976632b27e9b"
    ap-northeast-1:
      AMI: "ami-06cd52961ce9f0d85"
Parameters:
  EnvType:
    Description: Environment type.
    Default: test
    Type: String
    AllowedValues: [prod, dev, test]
    ConstraintDescription: must specify prod, dev, or test.
Conditions:
  CreateProdResources: !Equals [!Ref EnvType, prod]
  CreateDevResources: !Equals [!Ref EnvType, "dev"]
Resources:
  EC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]
      InstanceType: !If [CreateProdResources, c1.xlarge, !If [CreateDevResources, m1.large, m1.small]]
  MountPoint:
    Type: "AWS::EC2::VolumeAttachment"
    Condition: CreateProdResources
    Properties:
      InstanceId: !Ref EC2Instance
      VolumeId: !Ref NewVolume
      Device: /dev/sdh
  NewVolume:
    Type: "AWS::EC2::Volume"
    Condition: CreateProdResources
    Properties:
      Size: 100
      AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone
```
You can specify prod, dev, or test for the EnvType parameter. For each environment type, the template specifies a different instance type, ranging from a large, compute-optimized instance type down to a small, general-purpose one. To specify the instance type conditionally, the template defines two conditions in its Conditions section: CreateProdResources, which evaluates to true if the EnvType parameter value equals prod, and CreateDevResources, which evaluates to true if the parameter value equals dev.
In the InstanceType property, the template nests two Fn::If intrinsic functions to determine which instance type to use. If the CreateProdResources condition is true, the instance type is c1.xlarge. If that condition is false, the CreateDevResources condition is evaluated: if it is true, the instance type is m1.large; otherwise, the instance type is m1.small.
In addition to the instance type, the production environment also creates an Amazon EC2 volume and attaches it to the instance. The MountPoint and NewVolume resources are associated with the CreateProdResources condition, so they are created only when that condition evaluates to true.
Conditionally assign resource properties
In this example, you can create an Amazon RDS database instance from a snapshot. If you specify the DBSnapshotName parameter, CloudFormation uses the parameter value as the snapshot name when it creates the database instance. If you keep the default value (an empty string), CloudFormation removes the DBSnapshotIdentifier property and creates the database instance from scratch.
The DBUser and DBPassword parameters defined in the example have their NoEcho attribute set to true. When you set the NoEcho attribute to true, CloudFormation masks the parameter value with asterisks (*****) in the output of any call that describes the stack or its stack events, except for information stored in the locations listed below.
Important
Using the NoEcho attribute does not mask any information stored in the following:
- The Metadata template section. CloudFormation does not transform, modify, or redact any information you include in the Metadata section. For more information, see CloudFormation template Metadata syntax.
- The Outputs template section. For more information, see CloudFormation template Outputs syntax.
- The Metadata attribute of a resource definition. For more information, see Metadata attribute.
We strongly recommend that you do not use these mechanisms to include sensitive information, such as passwords or secrets.
Important
Rather than embedding sensitive information directly in your CloudFormation templates, we recommend that you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in AWS Systems Manager Parameter Store or AWS Secrets Manager.
For more information, see the best practice Don't embed credentials in your templates.
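The note above names three template locations that NoEcho does not mask. The following added example (not part of the AWS documentation) is a small Python linter that reports every NoEcho parameter referenced, via Ref or Fn::Sub, from the Metadata section, the Outputs section, or a resource's Metadata attribute. The template it scans is constructed for this example and is not the page's template; the function names are this example's own.

```python
"""Report NoEcho parameters that appear in template locations NoEcho does not mask.

Constructed example: an offline check over a parsed CloudFormation template (a dict,
as produced by json.load or a YAML loader with the intrinsic tags expanded).
"""
import re

# ${Name} references inside an Fn::Sub string (also matches pseudo parameters such as ${AWS::Region}).
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def noecho_params(template):
    """Names of parameters whose NoEcho attribute is true (JSON "true" or YAML true)."""
    return {name for name, p in template.get("Parameters", {}).items()
            if str(p.get("NoEcho", "false")).lower() == "true"}


def referenced_names(node, found=None):
    """Collect every name referenced through Ref or Fn::Sub anywhere under node."""
    if found is None:
        found = set()
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.add(node["Ref"])
        sub = node.get("Fn::Sub")
        if sub is not None:
            # Fn::Sub is either a string or [string, {var: value}]; the variable map
            # is visited by the generic recursion below.
            found.update(SUB_VAR.findall(sub if isinstance(sub, str) else sub[0]))
        for value in node.values():
            referenced_names(value, found)
    elif isinstance(node, list):
        for value in node:
            referenced_names(value, found)
    return found


def unmasked_locations(template):
    """Yield (path, node) for the three locations the documentation says NoEcho does not mask."""
    if "Metadata" in template:
        yield "Metadata", template["Metadata"]
    for name, output in template.get("Outputs", {}).items():
        yield f"Outputs.{name}", output
    for name, resource in template.get("Resources", {}).items():
        if "Metadata" in resource:
            yield f"Resources.{name}.Metadata", resource["Metadata"]


def find_noecho_leaks(template):
    """Return sorted (path, parameter) pairs where a NoEcho parameter is exposed unmasked."""
    secret = noecho_params(template)
    leaks = []
    for path, node in unmasked_locations(template):
        for name in sorted(referenced_names(node) & secret):
            leaks.append((path, name))
    return leaks


# Constructed sample template: three deliberate exposures plus one harmless Ref
# to a non-NoEcho parameter. Resource Properties are not scanned, because values
# there are masked in describe calls as the documentation states.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "DBUser": {"NoEcho": "true", "Type": "String"},
        "DBPassword": {"NoEcho": "true", "Type": "String"},
        "DBSnapshotName": {"Type": "String", "Default": ""},
    },
    "Metadata": {"Notes": {"Fn::Sub": "admin password is ${DBPassword}"}},
    "Resources": {
        "MyDB": {
            "Type": "AWS::RDS::DBInstance",
            "Metadata": {"Owner": {"Ref": "DBUser"}},
            "Properties": {"MasterUsername": {"Ref": "DBUser"},
                           "MasterUserPassword": {"Ref": "DBPassword"}},
        },
    },
    "Outputs": {
        "Snapshot": {"Value": {"Ref": "DBSnapshotName"}},
        "AdminCreds": {"Value": {"Fn::Sub": ["${U}:${P}", {"U": {"Ref": "DBUser"},
                                                           "P": {"Ref": "DBPassword"}}]}},
    },
}

if __name__ == "__main__":
    for path, name in find_noecho_leaks(SAMPLE_TEMPLATE):
        print(f"{path}: NoEcho parameter {name} is exposed unmasked")
```

Run it against a template before deployment (for example as a pre-commit step); a non-empty result means a secret would be readable in plain text through the stack's Metadata or Outputs even though the parameter itself is masked.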
JSON example

```json
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Parameters": {
    "DBUser": {
      "NoEcho": "true",
      "Description" : "The database admin account username",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "16",
      "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*",
      "ConstraintDescription" : "must begin with a letter and contain only alphanumeric characters."
    },
    "DBPassword": {
      "NoEcho": "true",
      "Description" : "The database admin account password",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "41",
      "AllowedPattern" : "[a-zA-Z0-9]*",
      "ConstraintDescription" : "must contain only alphanumeric characters."
    },
    "DBSnapshotName": {
      "Description": "The name of a DB snapshot (optional)",
      "Default": "",
      "Type": "String"
    }
  },
  "Conditions": {
    "UseDBSnapshot": {"Fn::Not": [{"Fn::Equals" : [{"Ref" : "DBSnapshotName"}, ""]}]}
  },
  "Resources" : {
    "MyDB" : {
      "Type" : "AWS::RDS::DBInstance",
      "Properties" : {
        "AllocatedStorage" : "5",
        "DBInstanceClass" : "db.t2.small",
        "Engine" : "MySQL",
        "EngineVersion" : "5.5",
        "MasterUsername" : { "Ref" : "DBUser" },
        "MasterUserPassword" : { "Ref" : "DBPassword" },
        "DBParameterGroupName" : { "Ref" : "MyRDSParamGroup" },
        "DBSnapshotIdentifier" : {
          "Fn::If" : [
            "UseDBSnapshot",
            {"Ref" : "DBSnapshotName"},
            {"Ref" : "AWS::NoValue"}
          ]
        }
      }
    },
    "MyRDSParamGroup" : {
      "Type": "AWS::RDS::DBParameterGroup",
      "Properties" : {
        "Family" : "MySQL5.5",
        "Description" : "CloudFormation Sample Database Parameter Group",
        "Parameters" : {
          "autocommit" : "1",
          "general_log" : "1",
          "old_passwords" : "0"
        }
      }
    }
  }
}
```

YAML example

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DBUser:
    NoEcho: true
    Description: The database admin account username
    Type: String
    MinLength: 1
    MaxLength: 16
    AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
    ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
  DBPassword:
    NoEcho: true
    Description: The database admin account password
    Type: String
    MinLength: 1
    MaxLength: 41
    AllowedPattern: "[a-zA-Z0-9]*"
    ConstraintDescription: must contain only alphanumeric characters.
  DBSnapshotName:
    Description: The name of a DB snapshot (optional)
    Default: ""
    Type: String
Conditions:
  UseDBSnapshot: !Not [!Equals [!Ref DBSnapshotName, ""]]
Resources:
  MyDB:
    Type: "AWS::RDS::DBInstance"
    Properties:
      AllocatedStorage: 5
      DBInstanceClass: db.t2.small
      Engine: MySQL
      EngineVersion: 5.5
      MasterUsername: !Ref DBUser
      MasterUserPassword: !Ref DBPassword
      DBParameterGroupName: !Ref MyRDSParamGroup
      DBSnapshotIdentifier: !If [UseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"]
  MyRDSParamGroup:
    Type: "AWS::RDS::DBParameterGroup"
    Properties:
      Family: MySQL5.5
      Description: CloudFormation Sample Database Parameter Group
      Parameters:
        autocommit: 1
        general_log: 1
        old_passwords: 0
```
The UseDBSnapshot condition evaluates to true only when DBSnapshotName is not an empty string. If the UseDBSnapshot condition evaluates to true, CloudFormation uses the DBSnapshotName parameter value for the DBSnapshotIdentifier property. If the condition evaluates to false, CloudFormation removes the DBSnapshotIdentifier property. When used as a return value, the AWS::NoValue pseudo parameter removes the corresponding resource property.
Conditionally use an existing resource
In this example, you can either use an Amazon EC2 security group that has already been created or create the new security group that is specified in the template. For the ExistingSecurityGroup parameter, you can specify the default security group name or NONE. If you specify default, CloudFormation uses the already-created security group named default. If you specify NONE, CloudFormation creates the security group defined in the template.
JSON example

```json
{
  "Parameters" : {
    "ExistingSecurityGroup" : {
      "Description" : "An existing security group ID (optional).",
      "Default" : "NONE",
      "Type" : "String",
      "AllowedValues" : ["default", "NONE"]
    }
  },
  "Conditions" : {
    "CreateNewSecurityGroup" : {"Fn::Equals" : [{"Ref" : "ExistingSecurityGroup"}, "NONE"] }
  },
  "Resources" : {
    "MyInstance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : "ami-0ff8a91507f77f867",
        "SecurityGroups" : [{
          "Fn::If" : [
            "CreateNewSecurityGroup",
            {"Ref" : "NewSecurityGroup"},
            {"Ref" : "ExistingSecurityGroup"}
          ]
        }]
      }
    },
    "NewSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Condition" : "CreateNewSecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable HTTP access via port 80",
        "SecurityGroupIngress" : [ {
          "IpProtocol" : "tcp",
          "FromPort" : 80,
          "ToPort" : 80,
          "CidrIp" : "0.0.0.0/0"
        } ]
      }
    }
  },
  "Outputs" : {
    "SecurityGroupId" : {
      "Description" : "Group ID of the security group used.",
      "Value" : {
        "Fn::If" : [
          "CreateNewSecurityGroup",
          {"Ref" : "NewSecurityGroup"},
          {"Ref" : "ExistingSecurityGroup"}
        ]
      }
    }
  }
}
```

YAML example

```yaml
Parameters:
  ExistingSecurityGroup:
    Description: An existing security group ID (optional).
    Default: NONE
    Type: String
    AllowedValues:
      - default
      - NONE
Conditions:
  CreateNewSecurityGroup: !Equals [!Ref ExistingSecurityGroup, NONE]
Resources:
  MyInstance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: "ami-0ff8a91507f77f867"
      SecurityGroups: !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup]
  NewSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Condition: CreateNewSecurityGroup
    Properties:
      GroupDescription: Enable HTTP access via port 80
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
Outputs:
  SecurityGroupId:
    Description: Group ID of the security group used.
    Value: !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroup]
```
To determine whether the NewSecurityGroup resource is created, the resource is associated with the CreateNewSecurityGroup condition. The resource is created only if the condition is true, that is, when the ExistingSecurityGroup parameter equals NONE.
In the SecurityGroups property, the template uses the Fn::If intrinsic function to determine which security group to use. If the CreateNewSecurityGroup condition evaluates to true, the security group property references the NewSecurityGroup resource. If the CreateNewSecurityGroup condition evaluates to false, the security group property references the ExistingSecurityGroup parameter (the default security group).
Finally, the template conditionally outputs the security group ID. If the CreateNewSecurityGroup condition evaluates to true, CloudFormation outputs the security group ID of NewSecurityGroup. If the condition is false, CloudFormation outputs the security group ID of the ExistingSecurityGroup resource.
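All three examples on this page rely on the same mechanics: a condition built from Fn::Equals or Fn::Not over a parameter, the Condition attribute that gates whether a resource is created, and Fn::If selecting a property value, a Ref target, or AWS::NoValue to drop the property entirely. The following added Python example (not AWS code and not part of this documentation) is a small offline resolver for exactly those intrinsics, run against trimmed, constructed copies of the EnvType, snapshot, and security-group templates so that you can see which resources and property values each parameter choice produces before creating a stack. The function names and the symbolic `<Name>` rendering of a Ref to a resource are this example's own conventions.

```python
"""Offline walk-through of the condition patterns on this page (constructed example).

Resolves Ref, Fn::Equals, Fn::Not and Fn::If, honours the Condition attribute on
resources, and drops properties that resolve to the AWS::NoValue pseudo parameter.
Other intrinsics (Fn::FindInMap, Fn::GetAtt) are left as-is; nothing is sent to AWS.
"""

NO_VALUE = object()  # sentinel: a value that resolved to Ref AWS::NoValue is removed


def resolve(node, params, conditions):
    """Resolve the supported intrinsics; everything else is returned structurally."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            if arg == "AWS::NoValue":
                return NO_VALUE
            # Parameters resolve to their value; a Ref to a resource or another
            # pseudo parameter stays symbolic as <Name>.
            return params[arg] if arg in params else f"<{arg}>"
        if key == "Fn::Equals":
            left, right = (resolve(x, params, conditions) for x in arg)
            return left == right
        if key == "Fn::Not":
            return not resolve(arg[0], params, conditions)
        if key == "Fn::If":
            cond_name, if_true, if_false = arg
            return resolve(if_true if conditions[cond_name] else if_false, params, conditions)
    if isinstance(node, dict):
        resolved = {k: resolve(v, params, conditions) for k, v in node.items()}
        return {k: v for k, v in resolved.items() if v is not NO_VALUE}  # AWS::NoValue removes the key
    if isinstance(node, list):
        return [v for v in (resolve(x, params, conditions) for x in node) if v is not NO_VALUE]
    return node


def plan(template, overrides=None):
    """Return the condition values, the resources that would be created (with
    resolved properties) and the outputs, for the given parameter overrides."""
    param_defs = template.get("Parameters", {})
    params = {name: p.get("Default") for name, p in param_defs.items()}
    params.update(overrides or {})
    for name, p in param_defs.items():  # enforce AllowedValues as the service does
        if "AllowedValues" in p and params[name] not in p["AllowedValues"]:
            raise ValueError(f"{name}: {p.get('ConstraintDescription', 'value not allowed')}")
    conditions = {}
    for name, expr in template.get("Conditions", {}).items():
        conditions[name] = bool(resolve(expr, params, conditions))
    resources = {}
    for name, res in template["Resources"].items():
        if "Condition" in res and not conditions[res["Condition"]]:
            continue  # a resource whose Condition is false is not created
        resources[name] = resolve(res.get("Properties", {}), params, conditions)
    outputs = {name: resolve(o["Value"], params, conditions)
               for name, o in template.get("Outputs", {}).items()}
    return {"conditions": conditions, "resources": resources, "outputs": outputs}


# Pattern 1 (trimmed): EnvType selects the instance type and gates the volume.
ENV_TEMPLATE = {
    "Parameters": {"EnvType": {"Default": "test", "AllowedValues": ["prod", "dev", "test"],
                               "ConstraintDescription": "must specify prod, dev, or test."}},
    "Conditions": {"CreateProdResources": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},
                   "CreateDevResources": {"Fn::Equals": [{"Ref": "EnvType"}, "dev"]}},
    "Resources": {
        "EC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {"InstanceType": {"Fn::If": [
            "CreateProdResources", "c1.xlarge",
            {"Fn::If": ["CreateDevResources", "m1.large", "m1.small"]}]}}},
        "NewVolume": {"Type": "AWS::EC2::Volume", "Condition": "CreateProdResources",
                      "Properties": {"Size": "100"}},
    },
}

# Pattern 2 (trimmed): an empty DBSnapshotName removes DBSnapshotIdentifier via AWS::NoValue.
SNAPSHOT_TEMPLATE = {
    "Parameters": {"DBSnapshotName": {"Default": ""}},
    "Conditions": {"UseDBSnapshot": {"Fn::Not": [{"Fn::Equals": [{"Ref": "DBSnapshotName"}, ""]}]}},
    "Resources": {"MyDB": {"Type": "AWS::RDS::DBInstance", "Properties": {"DBSnapshotIdentifier": {
        "Fn::If": ["UseDBSnapshot", {"Ref": "DBSnapshotName"}, {"Ref": "AWS::NoValue"}]}}}},
}

# Pattern 3 (trimmed): NONE creates a new security group; otherwise the existing one is used.
SG_CHOICE = {"Fn::If": ["CreateNewSecurityGroup", {"Ref": "NewSecurityGroup"}, {"Ref": "ExistingSecurityGroup"}]}
SG_TEMPLATE = {
    "Parameters": {"ExistingSecurityGroup": {"Default": "NONE", "AllowedValues": ["default", "NONE"]}},
    "Conditions": {"CreateNewSecurityGroup": {"Fn::Equals": [{"Ref": "ExistingSecurityGroup"}, "NONE"]}},
    "Resources": {
        "MyInstance": {"Type": "AWS::EC2::Instance", "Properties": {"SecurityGroups": [SG_CHOICE]}},
        "NewSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Condition": "CreateNewSecurityGroup"},
    },
    "Outputs": {"SecurityGroupId": {"Value": SG_CHOICE}},
}

if __name__ == "__main__":
    for env in ("prod", "dev", "test"):
        p = plan(ENV_TEMPLATE, {"EnvType": env})
        print(env, p["resources"]["EC2Instance"]["InstanceType"], sorted(p["resources"]))
    print(plan(SNAPSHOT_TEMPLATE)["resources"]["MyDB"],
          plan(SNAPSHOT_TEMPLATE, {"DBSnapshotName": "snap-1"})["resources"]["MyDB"])
    print(plan(SG_TEMPLATE)["outputs"], plan(SG_TEMPLATE, {"ExistingSecurityGroup": "default"})["outputs"])
```

The resolver makes the two security-relevant consequences of these patterns visible before deployment: a resource with a false Condition is absent from the plan (so anything that depends on it, such as the MountPoint attachment, must carry the same condition), and a property that resolves to AWS::NoValue disappears rather than being set to an empty string.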