本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用 的 AWS CLI 命令建立 Amazon ECS 資源 CloudFormation
搭配 使用 Amazon ECS 的另一種方法是 CloudFormation 透過 AWS CLI。您可以使用 命令為任務定義、叢集和服務等 Amazon ECS 元件建立 CloudFormation 堆疊,並進行部署。下列教學課程說明如何使用 範本 AWS CLI 來建立 Amazon ECS 資源 CloudFormation 。
先決條件
-
已完成「設定以使用 Amazon ECS。」中的步驟。
-
您的 IAM 使用者擁有 AmazonECS_FullAccess IAM 政策範例中指定的所需許可。
步驟 1:建立堆疊
若要使用 AWS CLI 儲存在名為 的檔案中的 建立堆疊ecs-tutorial-template.yaml,請執行下列命令。
cat << 'EOF' > ecs-tutorial-template.yaml AWSTemplateFormatVersion: '2010-09-09' Description: '[AWSDocs] ECS: load-balanced-web-application' Parameters: VpcCidr: Type: String Default: '10.0.0.0/16' Description: CIDR block for the VPC ContainerImage: Type: String Default: 'public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest' Description: Container image to use in task definition PublicSubnet1Cidr: Type: String Default: '10.0.1.0/24' Description: CIDR block for public subnet 1 PublicSubnet2Cidr: Type: String Default: '10.0.2.0/24' Description: CIDR block for public subnet 2 PrivateSubnet1Cidr: Type: String Default: '10.0.3.0/24' Description: CIDR block for private subnet 1 PrivateSubnet2Cidr: Type: String Default: '10.0.4.0/24' Description: CIDR block for private subnet 2 ServiceName: Type: String Default: 'tutorial-app' Description: Name of the ECS service ContainerPort: Type: Number Default: 80 Description: Port on which the container listens DesiredCount: Type: Number Default: 2 Description: Desired number of tasks MinCapacity: Type: Number Default: 1 Description: Minimum number of tasks for auto scaling MaxCapacity: Type: Number Default: 10 Description: Maximum number of tasks for auto scaling Resources: # VPC and Networking VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCidr EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Sub '${AWS::StackName}-vpc' # Internet Gateway InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Sub '${AWS::StackName}-igw' InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC # Public Subnets for ALB PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [0, !GetAZs ''] CidrBlock: !Ref PublicSubnet1Cidr MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub '${AWS::StackName}-public-subnet-1' PublicSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [1, !GetAZs ''] CidrBlock: !Ref PublicSubnet2Cidr MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub '${AWS::StackName}-public-subnet-2' # Private Subnets for ECS Tasks PrivateSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [0, !GetAZs ''] CidrBlock: !Ref PrivateSubnet1Cidr Tags: - Key: Name Value: !Sub '${AWS::StackName}-private-subnet-1' PrivateSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [1, !GetAZs ''] CidrBlock: !Ref PrivateSubnet2Cidr Tags: - Key: Name Value: !Sub '${AWS::StackName}-private-subnet-2' # NAT Gateways for private subnet internet access NatGateway1EIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc Tags: - Key: Name Value: !Sub '${AWS::StackName}-nat-eip-1' NatGateway2EIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc Tags: - Key: Name Value: !Sub '${AWS::StackName}-nat-eip-2' NatGateway1: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGateway1EIP.AllocationId SubnetId: !Ref PublicSubnet1 Tags: - Key: Name Value: !Sub '${AWS::StackName}-nat-1' NatGateway2: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGateway2EIP.AllocationId SubnetId: !Ref PublicSubnet2 Tags: - Key: Name Value: !Sub '${AWS::StackName}-nat-2' # Route Tables PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub '${AWS::StackName}-public-routes' DefaultPublicRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PublicSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet1 PublicSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet2 PrivateRouteTable1: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub '${AWS::StackName}-private-routes-1' DefaultPrivateRoute1: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable1 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway1 PrivateSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable1 SubnetId: !Ref PrivateSubnet1 PrivateRouteTable2: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub '${AWS::StackName}-private-routes-2' DefaultPrivateRoute2: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable2 DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGateway2 PrivateSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable2 SubnetId: !Ref PrivateSubnet2 # Security Groups ALBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub '${AWS::StackName}-alb-sg' GroupDescription: Security group for Application Load Balancer VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 Description: Allow HTTP traffic from internet SecurityGroupEgress: - IpProtocol: -1 CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic Tags: - Key: Name Value: !Sub '${AWS::StackName}-alb-sg' ECSSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub '${AWS::StackName}-ecs-sg' GroupDescription: Security group for ECS tasks VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: !Ref ContainerPort ToPort: !Ref ContainerPort SourceSecurityGroupId: !Ref ALBSecurityGroup Description: Allow traffic from ALB SecurityGroupEgress: - IpProtocol: -1 CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic Tags: - Key: Name Value: !Sub '${AWS::StackName}-ecs-sg' # Application Load Balancer ApplicationLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: !Sub '${AWS::StackName}-alb' Scheme: internet-facing Type: application Subnets: - !Ref PublicSubnet1 - !Ref PublicSubnet2 SecurityGroups: - !Ref ALBSecurityGroup Tags: - Key: Name Value: !Sub '${AWS::StackName}-alb' ALBTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: !Sub '${AWS::StackName}-tg' Port: !Ref ContainerPort Protocol: HTTP VpcId: !Ref VPC TargetType: ip HealthCheckIntervalSeconds: 30 HealthCheckPath: / HealthCheckProtocol: HTTP HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 2 UnhealthyThresholdCount: 5 Tags: - Key: Name Value: !Sub '${AWS::StackName}-tg' ALBListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref ALBTargetGroup LoadBalancerArn: !Ref ApplicationLoadBalancer Port: 80 Protocol: HTTP # ECS Cluster ECSCluster: Type: AWS::ECS::Cluster Properties: ClusterName: !Sub '${AWS::StackName}-cluster' CapacityProviders: - FARGATE - FARGATE_SPOT DefaultCapacityProviderStrategy: - CapacityProvider: FARGATE Weight: 1 - CapacityProvider: FARGATE_SPOT Weight: 4 ClusterSettings: - Name: containerInsights Value: enabled Tags: - Key: Name Value: !Sub '${AWS::StackName}-cluster' # IAM Roles ECSTaskExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub '${AWS::StackName}-task-execution-role' AssumeRolePolicyDocument: Version: '2012-10-17 ' Statement: - Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy Tags: - Key: Name Value: !Sub '${AWS::StackName}-task-execution-role' ECSTaskRole: Type: AWS::IAM::Role Properties: RoleName: !Sub '${AWS::StackName}-task-role' AssumeRolePolicyDocument: Version: '2012-10-17 ' Statement: - Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Action: sts:AssumeRole Tags: - Key: Name Value: !Sub '${AWS::StackName}-task-role' # CloudWatch Log Group LogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: !Sub '/ecs/${AWS::StackName}' RetentionInDays: 7 # ECS Task Definition TaskDefinition: Type: AWS::ECS::TaskDefinition Properties: Family: !Sub '${AWS::StackName}-task' Cpu: '256' Memory: '512' NetworkMode: awsvpc RequiresCompatibilities: - FARGATE ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn TaskRoleArn: !GetAtt ECSTaskRole.Arn ContainerDefinitions: - Name: !Ref ServiceName Image: !Ref ContainerImage PortMappings: - ContainerPort: !Ref ContainerPort Protocol: tcp Essential: true LogConfiguration: LogDriver: awslogs Options: awslogs-group: !Ref LogGroup awslogs-region: !Ref AWS::Region awslogs-stream-prefix: ecs HealthCheck: Command: - CMD-SHELL - curl -f http://localhost/ || exit 1 Interval: 30 Timeout: 5 Retries: 3 StartPeriod: 60 Tags: - Key: Name Value: !Sub '${AWS::StackName}-task' # ECS Service ECSService: Type: AWS::ECS::Service DependsOn: ALBListener Properties: ServiceName: !Sub '${AWS::StackName}-service' Cluster: !Ref ECSCluster TaskDefinition: !Ref TaskDefinition DesiredCount: !Ref DesiredCount LaunchType: FARGATE PlatformVersion: LATEST NetworkConfiguration: AwsvpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: - !Ref ECSSecurityGroup Subnets: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 LoadBalancers: - ContainerName: !Ref ServiceName ContainerPort: !Ref ContainerPort TargetGroupArn: !Ref ALBTargetGroup DeploymentConfiguration: MaximumPercent: 200 MinimumHealthyPercent: 50 DeploymentCircuitBreaker: Enable: true Rollback: true EnableExecuteCommand: true # For debugging Tags: - Key: Name Value: !Sub '${AWS::StackName}-service' # Auto Scaling Target ServiceScalingTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: !Ref MaxCapacity MinCapacity: !Ref MinCapacity ResourceId: !Sub 'service/${ECSCluster}/${ECSService.Name}' RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService' ScalableDimension: ecs:service:DesiredCount ServiceNamespace: ecs # Auto Scaling Policy - CPU Utilization ServiceScalingPolicy: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: !Sub '${AWS::StackName}-cpu-scaling-policy' PolicyType: TargetTrackingScaling ScalingTargetId: !Ref ServiceScalingTarget TargetTrackingScalingPolicyConfiguration: PredefinedMetricSpecification: PredefinedMetricType: ECSServiceAverageCPUUtilization TargetValue: 70.0 ScaleOutCooldown: 300 ScaleInCooldown: 300 Outputs: VPCId: Description: VPC ID Value: !Ref VPC Export: Name: !Sub '${AWS::StackName}-VPC-ID' LoadBalancerURL: Description: URL of the Application Load Balancer Value: !Sub 'http://${ApplicationLoadBalancer.DNSName}' Export: Name: !Sub '${AWS::StackName}-ALB-URL' ECSClusterName: Description: Name of the ECS Cluster Value: !Ref ECSCluster Export: Name: !Sub '${AWS::StackName}-ECS-Cluster' ECSServiceName: Description: Name of the ECS Service Value: !GetAtt ECSService.Name Export: Name: !Sub '${AWS::StackName}-ECS-Service' PrivateSubnet1: Description: Private Subnet 1 ID Value: !Ref PrivateSubnet1 Export: Name: !Sub '${AWS::StackName}-Private-Subnet-1' PrivateSubnet2: Description: Private Subnet 2 ID Value: !Ref PrivateSubnet2 Export: Name: !Sub '${AWS::StackName}-Private-Subnet-2' EOF
本教學課程中使用的範本會建立 Amazon ECS 服務,其中包含兩項在 Fargate 上執行的任務。每項任務都會執行範例 Amazon ECS 應用程式。範本也會建立一個 Application Load Balancer (用於分配應用程式流量),以及一個根據 CPU 使用率擴展應用程式的應用程式自動擴展政策。該範本還會建立部署應用程式所需的聯網資源、容器日誌的記錄資源,以及 Amazon ECS 任務執行 IAM 角色。如需任務執行角色的詳細資訊,請參閱「Amazon ECS 任務執行 IAM 角色」。如需有關自動擴展的詳細資訊,請參閱自動擴展 Amazon ECS 服務。
建立範本檔案之後,請使用下列命令來建立堆疊。建立範本中指定的 Amazon ECS 任務執行角色需要 --capabilities 旗標。您也可以指定 --parameters 旗標來自訂範本參數。
aws cloudformation create-stack \ --stack-nameecs-tutorial-stack\ --template-body file://ecs-tutorial-template.yaml\ --regionaws-region\ --capabilities CAPABILITY_NAMED_IAM
執行 create-stack 命令後,您可以使用 describe-stacks 來檢查堆疊建立的狀態。
aws cloudformation describe-stacks \ --stack-nameecs-tutorial-stack\ --regionaws-region
步驟 2:驗證 Amazon ECS 資源建立
若要確保正確建立 Amazon ECS 資源,請遵循下列步驟。
-
執行下列指令以列出 AWS 區域中的所有任務定義。
aws ecs list-task-definitions此命令會傳回任務定義 Amazon Resource Name (ARN) 的清單。您使用範本建立的任務定義的 ARN 會以下列格式顯示。
{ "taskDefinitionArns": [ ..... "arn:aws:ecs:aws-region:111122223333:task-definition/ecs-tutorial-stack-task:1", ..... ] } -
執行下列命令以列出 AWS 區域中的所有叢集。
aws ecs list-clusters該命令會傳回叢集 ARN 的清單。您使用範本建立的叢集的 ARN 會以下列格式顯示。
{ "clusterArns": [ ..... "arn:aws:ecs:aws-region:111122223333:cluster/ecs-tutorial-stack-cluster", ..... ] } -
執行下列指令以列出叢集
ecs-tutorial-stack-cluster中的所有服務。aws ecs list-services \ --clusterecs-tutorial-stack-cluster該命令會傳回服務 ARN 的清單。您使用範本建立的服務的 ARN 會以下列格式顯示。
{ "serviceArns": [ "arn:aws:ecs:aws-region:111122223333:service/ecs-tutorial-stack-cluster/ecs-tutorial-stack-service" ] }
您也可以取得已建立之 Application Load Balancer 的 DNS 名稱,並使用它來驗證資源是否已建立。若要取得 DNS 名稱,請執行下列命令:
執行下列命令以擷取已建立堆疊的輸出。
aws cloudformation describe-stacks \ --stack-nameecs-tutorial-stack\ --regionaws-region\ --query 'Stacks[0].Outputs[?OutputKey==`LoadBalancerURL`].OutputValue' \ --output text
輸出:
http://ecs-tutorial-stack-alb-0123456789.aws-region.elb.amazonaws.com將 DNS 名稱貼到瀏覽器中,以檢視顯示範例 Amazon ECS 應用程式的網頁。
步驟 3:清理
若要清理您建立的資源,請執行下列命令。
aws cloudformation delete-stack \ --stack-nameecs-stack
delete-stack 命令會啟動刪除在本教學課程中建立的 CloudFormation 堆疊,刪除堆疊中的所有資源。若要驗證是否已刪除,您可以重複步驟 2:驗證 Amazon ECS 資源建立中的程序。輸出中的 ARN 清單將不再包含名為 ecs-tutorial-stack-task 的任務定義或名為 ecs-tutorial-stack-cluster 的叢集。list-services 呼叫將會失敗。
