CloudFormation KeyValuePair List as a parameter


Problem description

When creating ECS infrastructure we describe our Task Definitions with CloudFormation. We want to be able to dynamically pass environment variables as a parameter to the template. According to the docs, Environment has a KeyValuePair type, but CloudFormation parameters do not have this type. We cannot hardcode Environment variables in the template, because this template is used as a nested stack, so environment variables will be dynamically passed into it.

The only possible way I see so far is to pass all arguments as a CommaDelimitedList, and then somehow parse and map it using CloudFormation functions. I can Fn::Split every entity into key and value, but how to dynamically build an array of KeyValuePair in CloudFormation?

Or maybe there is an easier way, and I'm missing something? Thanks in advance for any ideas.

Recommended answer

You may want to consider using the EC2 Parameter Store to create secured key/value pairs, which is supported in CloudFormation, and can be integrated with ECS environments.

AWS Systems Manager Parameter Store

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name that you specified when you created the parameter. Highly scalable, available, and durable, Parameter Store is backed by the AWS Cloud. Parameter Store is offered at no additional charge.

While Parameter Store has great security features for storing application secrets, it can also be used to store nonsensitive application strings such as public keys, environment settings, license codes, etc.

And it is supported directly by CloudFormation, allowing you to easily capture, store and manage application configuration strings which can be accessed by ECS. This template allows you to provide the Parameter Store key values at stack creation time via the console or CLI:

Description: Simple SSM parameter example
Parameters:
  pSMTPServer:
    Description: SMTP Server URL eg [email-smtp.us-east-1.amazonaws.com]:587
    Type: String
    NoEcho: false
Resources:
  # The stack parameter is written into Parameter Store as a String parameter
  SMTPServer:
    Type: AWS::SSM::Parameter
    Properties:
      Name: my-smtp-server
      Type: String
      Value: !Ref pSMTPServer

Any AWS runtime environment (EC2, ECS, Lambda) can easily and securely retrieve the values. From the console side, there is a great Parameter Manager interface that maintains parameter version history. It's integrated with IAM, so permissions are controlled with standard IAM policy syntax:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParameterHistory",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:ssm:us-west-2:555513456471:parameter/smtp-server"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:555513456471:key/36235f94-19b5-4649-84e0-978f52242aa0a"
            ],
            "Effect": "Allow"
        }
    ]
}

Finally, this blog article shows a technique to read the permissions into a Dockerfile at runtime. They suggest a secure way to handle environment variables in Docker with AWS Parameter Store. For reference, I am including their Dockerfile here:

FROM grafana/grafana:master

RUN curl -L -o /bin/aws-env https://github.com/Droplr/aws-env/raw/master/bin/aws-env-linux-amd64 && \
  chmod +x /bin/aws-env

ENTRYPOINT ["/bin/bash", "-c", "eval $(/bin/aws-env) && /run.sh"]

With that invocation, each of the parameters is available as an environment variable in the container. Your app may or may not need a wrapper to read the parameters from the environment variables.
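As an added example (not from the answer above or from the aws-env project), this Python script does what the `eval $(/bin/aws-env)` step in the Dockerfile depends on: it turns the parameters under a Parameter Store path prefix into `export` statements, with the shell quoting that makes feeding them to `eval` safe. The SSM response is constructed inline so the script runs offline, and the `/myapp/prod` prefix and parameter names are hypothetical.

```python
import re
import shlex

# Constructed sample shaped like the "Parameters" list that SSM
# GetParametersByPath returns; names and values are hypothetical.
SAMPLE_PARAMETERS = [
    {"Name": "/myapp/prod/SMTP_SERVER", "Type": "String",
     "Value": "email-smtp.us-east-1.amazonaws.com:587"},
    {"Name": "/myapp/prod/DB_PASSWORD", "Type": "SecureString",
     "Value": "p@ss;word $(id)"},
    {"Name": "/myapp/prod/9bad-name", "Type": "String", "Value": "x"},
]

# Only names that are valid shell identifiers may become variables.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def env_name(param_name: str, prefix: str) -> str:
    """Return the part of the parameter name after the path prefix."""
    if not param_name.startswith(prefix):
        raise ValueError(f"{param_name!r} is outside {prefix!r}")
    return param_name[len(prefix):].lstrip("/")


def export_lines(parameters, prefix: str) -> list:
    """Build 'export NAME=VALUE' lines that are safe to pass to eval.

    Everything printed to eval is executed as shell, so values are
    single-quoted with shlex.quote, which turns `;`, `$( )` and similar
    metacharacters into literal text. Parameters whose trailing component
    is not a valid identifier are skipped instead of emitted.
    """
    lines = []
    for param in parameters:
        name = env_name(param["Name"], prefix)
        if not ENV_NAME.match(name):
            continue  # e.g. "9bad-name": the shell would reject this assignment
        lines.append(f"export {name}={shlex.quote(param['Value'])}")
    return lines


def roundtrip_value(line: str) -> str:
    """Parse an export line the way the shell would and return the raw value."""
    assignment = shlex.split(line)[1]  # drop the leading "export"
    return assignment.split("=", 1)[1]


if __name__ == "__main__":
    print("\n".join(export_lines(SAMPLE_PARAMETERS, "/myapp/prod")))
```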
