堆疊重構 - AWS CloudFormation
堆疊重構的運作方式堆疊重構考量AWS CLI 命令使用 重構堆疊 AWS CLI資源限制

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

堆疊重構

透過堆疊重構,您可以在 CloudFormation 堆疊中重組資源,同時保留現有的資源屬性和資料。您可以在堆疊之間移動資源、將大型堆疊分割為較小的堆疊,或將多個堆疊合併為一個堆疊。

堆疊重構的運作方式

重構堆疊涉及以下階段:

  1. 評估您目前的基礎設施 – 檢閱您現有的 CloudFormation 堆疊和資源,以識別堆疊重構機會。

  2. 規劃您的重構 – 定義應如何組織資源。考慮您的相依性、命名慣例和操作限制。這些稍後可能會影響 CloudFormation 驗證。

  3. 決定目的地堆疊 – 決定您要重構資源的堆疊。您可以在至少 2 個堆疊之間移動資源,最多 5 個堆疊。您可以在巢狀堆疊之間移動資源。

  4. 更新您的範本 – 變更您的 CloudFormation 範本以反映計劃的變更,例如在範本之間移動資源定義。您可以在此程序期間重新命名邏輯 IDs。

  5. 建立堆疊重構 – 提供您要重構的堆疊名稱和範本清單。

  6. 檢閱重構影響並解決任何衝突 – CloudFormation 會驗證您提供的範本,並檢查跨堆疊相依性、具有標籤更新問題的資源類型,以及資源邏輯 ID 衝突。

    如果驗證成功,CloudFormation 將產生執行期間將發生的重構動作預覽。

    如果驗證失敗,請解決已識別的問題並重試。對於衝突,請提供資源邏輯 ID 映射,以顯示衝突資源的來源和目的地。

  7. 執行重構 – 確認變更符合您重構目標後,請完成堆疊重構。

  8. 監控 – 追蹤執行狀態,以確保操作成功完成。

堆疊重構考量

當您重構堆疊時,請記住下列事項:

  • 重構操作不允許新資源建立、資源刪除或變更資源組態。

  • 您無法在堆疊重構期間變更或新增參數、條件或映射。可能的解決方法是在執行重構之前更新您的堆疊。

  • 您無法將相同的資源重構為多個堆疊。

  • 您無法重構參考虛擬參數的資源,其值在來源和目的地堆疊之間不同,例如 AWS::StackName

  • CloudFormation 不支援空白堆疊。如果重構會讓堆疊沒有資源,您必須先將至少一個資源新增至該堆疊,然後才能執行 create-stack-refactor。這可以是簡單的資源,例如 AWS::SNS::TopicAWS::CloudFormation::WaitCondition。例如:

    Resources:
  MySimpleSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: MySimpleTopic

  • 堆疊重構不支援已連接堆疊政策的堆疊,無論政策允許或拒絕哪些項目。

AWS CLI 用於堆疊重構的 命令

用於堆疊重構的 AWS CLI 命令包括:

使用 重構堆疊 AWS CLI

使用下列程序來重構使用 的堆疊 AWS CLI。

  1. 使用 get-template 命令來擷取您要重構之堆疊的 CloudFormation 範本。

    aws cloudformation get-template --stack-name Stack1

    當您有範本時,請使用您選擇的整合開發環境 (IDE) 來更新它們,以使用所需的結構和資源組織。

  2. 使用 create-stack-refactor 命令,並提供堆疊名稱和更新的範本供堆疊重構。包含允許 CloudFormation 在堆疊不存在時建立新堆疊--enable-stack-creation的選項。

    aws cloudformation create-stack-refactor \
  --stack-definitions \
    StackName=Stack1,TemplateBody@=file://template1-updated.yaml \
    StackName=Stack2,TemplateBody@=file://template2-updated.yaml \
  --enable-stack-creation

    命令會傳回StackRefactorId您將在後續步驟中使用的 。

    {
    "StackRefactorId": "9c384f70-4e07-4ed7-a65d-fee5eb430841"
}

    如果在範本驗證期間偵測到衝突 (您可以在下一個步驟中確認),請使用 create-stack-refactor 命令搭配 --resource-mappings選項。

    aws cloudformation create-stack-refactor \
  --stack-definitions \
    StackName=Stack1,TemplateBody@=file://template1-updated.yaml \
    StackName=Stack2,TemplateBody@=file://template2-updated.yaml \
  --enable-stack-creation \ 
  --resource-mappings file://resource-mapping.json

    以下是範例 resource-mapping.json 檔案。

    [
    {
        "Source": {
            "StackName": "Stack1",
            "LogicalResourceId": "MySNSTopic"
        },
        "Destination": {
            "StackName": "Stack2",
            "LogicalResourceId": "MyLambdaSNSTopic"
        }
    }
]

  3. 使用 describe-stack-refactor 命令來確定 StatusCREATE_COMPLETE。這會驗證驗證是否已完成。

    aws cloudformation describe-stack-refactor \
  --stack-refactor-id 9c384f70-4e07-4ed7-a65d-fee5eb430841

    輸出範例:

    {
    "StackRefactorId": "9c384f70-4e07-4ed7-a65d-fee5eb430841",
    "StackIds": [
        "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack1/3e6a1ff0-94b1-11f0-aa6f-0a88d2e03acf",
        "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack2/5da91650-94b1-11f0-81cf-0a23500e151b"
    ],
    "ExecutionStatus": "AVAILABLE",
    "Status": "CREATE_COMPLETE"
}

  4. 使用 list-stack-refactor-actions 命令來預覽將執行的特定動作。

    aws cloudformation list-stack-refactor-actions \
  --stack-refactor-id 9c384f70-4e07-4ed7-a65d-fee5eb430841

    輸出範例:

    {
    "StackRefactorActions": [
        {
            "Action": "MOVE",
            "Entity": "RESOURCE",
            "PhysicalResourceId": "MyTestLambdaRole",
            "Description": "No configuration changes detected.",
            "Detection": "AUTO",
            "TagResources": [],
            "UntagResources": [],
            "ResourceMapping": {
                "Source": {
                    "StackName": "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack1/3e6a1ff0-94b1-11f0-aa6f-0a88d2e03acf",
                    "LogicalResourceId": "MyLambdaRole"
                },
                "Destination": {
                    "StackName": "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack2/5da91650-94b1-11f0-81cf-0a23500e151b",
                    "LogicalResourceId": "MyLambdaRole"
                }
            }
        },
        {
            "Action": "MOVE",
            "Entity": "RESOURCE",
            "PhysicalResourceId": "MyTestFunction",
            "Description": "Resource configuration changes will be validated during refactor execution.",
            "Detection": "AUTO",
            "TagResources": [
                {
                    "Key": "aws:cloudformation:stack-name",
                    "Value": "Stack2"
                },
                {
                    "Key": "aws:cloudformation:logical-id",
                    "Value": "MyFunction"
                },
                {
                    "Key": "aws:cloudformation:stack-id",
                    "Value": "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack2/5da91650-94b1-11f0-81cf-0a23500e151b"
                }
            ],
            "UntagResources": [
                "aws:cloudformation:stack-name",
                "aws:cloudformation:logical-id",
                "aws:cloudformation:stack-id"
            ],
            "ResourceMapping": {
                "Source": {
                    "StackName": "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack1/3e6a1ff0-94b1-11f0-aa6f-0a88d2e03acf",
                    "LogicalResourceId": "MyFunction"
                },
                "Destination": {
                    "StackName": "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack2/5da91650-94b1-11f0-81cf-0a23500e151b",
                    "LogicalResourceId": "MyFunction"
                }
            }
        }
    ]
}

  5. 檢閱並確認變更後,請使用 execute-stack-refactor 命令來完成堆疊重構操作。

    aws cloudformation execute-stack-refactor \
  --stack-refactor-id 9c384f70-4e07-4ed7-a65d-fee5eb430841

  6. 使用 describe-stack-refactor 命令來監控執行狀態。

    aws cloudformation describe-stack-refactor \
  --stack-refactor-id 9c384f70-4e07-4ed7-a65d-fee5eb430841

    輸出範例:

    {
    "StackRefactorId": "9c384f70-4e07-4ed7-a65d-fee5eb430841",
    "StackIds": [
        "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack1/3e6a1ff0-94b1-11f0-aa6f-0a88d2e03acf",
        "arn:aws:cloudformation:us-east-1:123456789012:stack/Stack2/5da91650-94b1-11f0-81cf-0a23500e151b"
    ],
    "ExecutionStatus": "SUCCEEDED",
    "Status": "COMPLETE"
}

資源限制

  • 堆疊重構僅支援具有 provisioningType之 的資源類型FULLY_MUTABLE,您可以使用 describe-type 命令進行檢查。

  • CloudFormation 將在重構建立期間驗證資源資格,並在 describe-stack-refactor 命令的輸出中報告任何不支援的資源。

  • 下列資源不支援堆疊重構:

    • AWS::ACMPCA::Certificate

    • AWS::ACMPCA::CertificateAuthority

    • AWS::ACMPCA::CertificateAuthorityActivation

    • AWS::ApiGateway::BasePathMapping

    • AWS::ApiGateway::Method

    • AWS::AppConfig::ConfigurationProfile

    • AWS::AppConfig::Deployment

    • AWS::AppConfig::Environment

    • AWS::AppConfig::Extension

    • AWS::AppConfig::ExtensionAssociation

    • AWS::AppStream::DirectoryConfig

    • AWS::AppStream::StackFleetAssociation

    • AWS::AppStream::StackUserAssociation

    • AWS::AppStream::User

    • AWS::BackupGateway::Hypervisor

    • AWS::CertificateManager::Certificate

    • AWS::CloudFormation::CustomResource

    • AWS::CloudFormation::Macro

    • AWS::CloudFormation::WaitCondition

    • AWS::CloudFormation::WaitConditionHandle

    • AWS::CodeDeploy::DeploymentGroup

    • AWS::CodePipeline::CustomActionType

    • AWS::Cognito::UserPoolRiskConfigurationAttachment

    • AWS::Cognito::UserPoolUICustomizationAttachment

    • AWS::Cognito::UserPoolUserToGroupAttachment

    • AWS::Config::ConfigRule

    • AWS::Config::ConfigurationRecorder

    • AWS::Config::DeliveryChannel

    • AWS::DataBrew::Dataset

    • AWS::DataBrew::Job

    • AWS::DataBrew::Project

    • AWS::DataBrew::Recipe

    • AWS::DataBrew::Ruleset

    • AWS::DataBrew::Schedule

    • AWS::DataZone::DataSource

    • AWS::DataZone::Environment

    • AWS::DataZone::EnvironmentBlueprintConfiguration

    • AWS::DataZone::EnvironmentProfile

    • AWS::DataZone::Project

    • AWS::DataZone::SubscriptionTarget

    • AWS::DirectoryService::MicrosoftAD

    • AWS::DynamoDB::GlobalTable

    • AWS::EC2::LaunchTemplate

    • AWS::EC2::NetworkInterfacePermission

    • AWS::EC2::SpotFleet

    • AWS::EC2::VPCDHCPOptionsAssociation

    • AWS::EC2::VolumeAttachment

    • AWS::EMR::Cluster

    • AWS::EMR::InstanceFleetConfig

    • AWS::EMR::InstanceGroupConfig

    • AWS::ElastiCache::CacheCluster

    • AWS::ElastiCache::ReplicationGroup

    • AWS::ElastiCache::SecurityGroup

    • AWS::ElastiCache::SecurityGroupIngress

    • AWS::ElasticBeanstalk::ConfigurationTemplate

    • AWS::ElasticLoadBalancing::LoadBalancer

    • AWS::ElasticLoadBalancingV2::ListenerCertificate

    • AWS::Elasticsearch::Domain

    • AWS::FIS::ExperimentTemplate

    • AWS::Glue::Schema

    • AWS::GuardDuty::IPSet

    • AWS::GuardDuty::PublishingDestination

    • AWS::GuardDuty::ThreatIntelSet

    • AWS::IAM::AccessKey

    • AWS::IAM::UserToGroupAddition

    • AWS::ImageBuilder::Component

    • AWS::IoT::PolicyPrincipalAttachment

    • AWS::IoT::ThingPrincipalAttachment

    • AWS::IoTFleetWise::Campaign

    • AWS::IoTWireless::WirelessDeviceImportTask

    • AWS::Lambda::EventInvokeConfig

    • AWS::Lex::BotVersion

    • AWS::M2::Application

    • AWS::MSK::Configuration

    • AWS::MSK::ServerlessCluster

    • AWS::Maester::DocumentType

    • AWS::MediaTailor::Channel

    • AWS::NeptuneGraph::PrivateGraphEndpoint

    • AWS::Omics::AnnotationStore

    • AWS::Omics::ReferenceStore

    • AWS::Omics::SequenceStore

    • AWS::OpenSearchServerless::Collection

    • AWS::OpsWorks::App

    • AWS::OpsWorks::ElasticLoadBalancerAttachment

    • AWS::OpsWorks::Instance

    • AWS::OpsWorks::Layer

    • AWS::OpsWorks::Stack

    • AWS::OpsWorks::UserProfile

    • AWS::OpsWorks::Volume

    • AWS::PCAConnectorAD::Connector

    • AWS::PCAConnectorAD::DirectoryRegistration

    • AWS::PCAConnectorAD::Template

    • AWS::PCAConnectorAD::TemplateGroupAccessControlEntry

    • AWS::Panorama::PackageVersion

    • AWS::QuickSight::Theme

    • AWS::RDS::DBSecurityGroup

    • AWS::RDS::DBSecurityGroupIngress

    • AWS::Redshift::ClusterSecurityGroup

    • AWS::Redshift::ClusterSecurityGroupIngress

    • AWS::RefactorSpaces::Environment

    • AWS::RefactorSpaces::Route

    • AWS::RefactorSpaces::Service

    • AWS::RoboMaker::RobotApplication

    • AWS::RoboMaker::SimulationApplication

    • AWS::Route53::RecordSet

    • AWS::Route53::RecordSetGroup

    • AWS::SDB::Domain

    • AWS::SageMaker::InferenceComponen

    • AWS::ServiceCatalog::PortfolioPrincipalAssociation

    • AWS::ServiceCatalog::PortfolioProductAssociation

    • AWS::ServiceCatalog::PortfolioShare

    • AWS::ServiceCatalog::TagOptionAssociation

    • AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation

    • AWS::ServiceCatalogAppRegistry::ResourceAssociation

    • AWS::StepFunctions::StateMachineVersion

    • AWS::Synthetics::Canary

    • AWS::VoiceID::Domain

    • AWS::WAF::ByteMatchSet

    • AWS::WAF::IPSet

    • AWS::WAF::Rule

    • AWS::WAF::SizeConstraintSet

    • AWS::WAF::SqlInjectionMatchSet

    • AWS::WAF::WebACL

    • AWS::WAF::XssMatchSet

    • AWS::WAFv2::IPSet

    • AWS::WAFv2::RegexPatternSet

    • AWS::WAFv2::RuleGroup

    • AWS::WAFv2::WebACL

    • AWS::WorkSpaces::Workspace