2015-10-05 74 views
0

I am trying to get my CloudFormation stack to delete itself when it finishes. When I try the code below in my template, the log says that the file or command could not be found. What is the best way to have a CloudFormation stack delete itself?

When I use runuser to run other AWS CLI commands I have no problems (as long as the command does not need options starting with "-").

I am using basic AWS IAM.

  "06_delete_stack": {
    "command": { "Fn::Join": [ "", [
      "runuser -u fhwa 'aws cloudformation delete-stack --stack-name ", { "Ref": "StackName" }, "'"
    ] ] },
    "cwd": "/var/log"
  }
+0

Any chance of setting up a Jenkins instance? It has a plugin that lets you create a stack and then (optionally) delete it when the job completes. –

+0

No Jenkins, just Thoughtworks Go. –

Answers

0

I was able to get the stack to delete itself.

I had the stack build an additional shell script containing the AWS CLI command that deletes the stack. Then I adjusted the runuser command to run that shell script.

After that, I had to add IAM permissions to delete the stack to the generated user role.

3

Expanding on Joel's answer, here is a minimal CloudFormation stack with an EC2 instance that self-destructs by running aws cloudformation delete-stack, with an AWS::IAM::Role granting the minimum permissions needed to delete itself:


Description: Cloudformation stack that self-destructs
Mappings:
  # amzn-ami-hvm-2016.09.1.20161221-x86_64-gp2
  RegionMap:
    us-east-1:
      "64": "ami-9be6f38c"
Resources:
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "EC2Role-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action: [ "sts:AssumeRole" ]
      Path: /
      Policies:
        - PolicyName: EC2Policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Delete only this stack, identified by its own stack ID
              - Effect: Allow
                Action:
                  - "cloudformation:DeleteStack"
                Resource: !Ref "AWS::StackId"
              # Terminate only instances tagged as belonging to this stack
              - Effect: Allow
                Action: [ "ec2:TerminateInstances" ]
                Resource: "*"
                Condition:
                  StringEquals:
                    "ec2:ResourceTag/aws:cloudformation:stack-id": !Ref AWS::StackId
              - Effect: Allow
                Action: [ "ec2:DescribeInstances" ]
                Resource: "*"
              - Effect: Allow
                Action:
                  - "iam:RemoveRoleFromInstanceProfile"
                  - "iam:DeleteInstanceProfile"
                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:instance-profile/*"
              # Delete only the role this stack created
              - Effect: Allow
                Action:
                  - "iam:DeleteRole"
                  - "iam:DeleteRolePolicy"
                Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/EC2Role-${AWS::StackName}"
  RootInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref EC2Role ]
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap [ RegionMap, !Ref "AWS::Region", 64 ]
      InstanceType: m3.medium
      IamInstanceProfile: !Ref RootInstanceProfile
      UserData:
        "Fn::Base64":
          !Sub |
            #!/bin/bash
            aws cloudformation delete-stack --stack-name ${AWS::StackId} --region ${AWS::Region}

Note that if you add any other resources to this template, you will need to add the corresponding "Delete" IAM permissions to the EC2Policy statement list.
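The two points made by these answers (the role needs a delete permission for every resource in the stack, and the grants should be scoped to the stack's own resources) can be checked mechanically before the template is deployed. The following is an added example, not code from the question or either answer. It treats the template as a plain dict, with the YAML short tags written in their JSON long form ({"Ref": ...}, {"Fn::Sub": ...}), and reports resources whose delete actions the policy does not grant, plus Allow statements on Resource "*" that carry no Condition yet include a mutating action. DELETE_ACTIONS is a constructed, partial table covering the types in the template above plus S3 buckets for illustration; EC2_POLICY and TEMPLATE are transcribed from that template.

```python
"""Least-privilege check for the IAM policy of a self-deleting stack.

Added example, not code from the original post. The template is handled as a
plain dict with CloudFormation intrinsic functions in JSON long form.
"""
from fnmatch import fnmatchcase

# Constructed mapping of resource type -> actions CloudFormation needs in order
# to delete it. Partial by design; extend it for the types your template uses.
DELETE_ACTIONS = {
    "AWS::EC2::Instance": {"ec2:TerminateInstances", "ec2:DescribeInstances"},
    "AWS::IAM::Role": {"iam:DeleteRole", "iam:DeleteRolePolicy"},
    "AWS::IAM::InstanceProfile": {"iam:DeleteInstanceProfile",
                                  "iam:RemoveRoleFromInstanceProfile"},
    "AWS::S3::Bucket": {"s3:DeleteBucket"},
}

# Actions whose name starts with one of these are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# The EC2Policy document from the template above, transcribed in JSON long form.
EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:DeleteStack"],
         "Resource": {"Ref": "AWS::StackId"}},
        {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "*",
         "Condition": {"StringEquals": {
             "ec2:ResourceTag/aws:cloudformation:stack-id": {"Ref": "AWS::StackId"}}}},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile"],
         "Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:instance-profile/*"}},
        {"Effect": "Allow", "Action": ["iam:DeleteRole", "iam:DeleteRolePolicy"],
         "Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/EC2Role-${AWS::StackName}"}},
    ],
}

# The template's Resources section, reduced to logical id and type.
TEMPLATE = {"Resources": {
    "EC2Role": {"Type": "AWS::IAM::Role"},
    "RootInstanceProfile": {"Type": "AWS::IAM::InstanceProfile"},
    "WebServer": {"Type": "AWS::EC2::Instance"},
}}


def _as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Action patterns granted by Effect: Allow statements (wildcards kept)."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt["Action"]))
    return granted


def _is_granted(action, granted):
    """True if any granted pattern (e.g. "ec2:*") matches the action."""
    return any(fnmatchcase(action, pattern) for pattern in granted)


def missing_delete_permissions(template, policy):
    """(logical_id, action) pairs the policy lacks for deleting the stack.

    The stack's own cloudformation:DeleteStack is checked first; resource types
    absent from DELETE_ACTIONS are reported for manual review, not passed.
    """
    granted = allowed_actions(policy)
    missing = []
    if not _is_granted("cloudformation:DeleteStack", granted):
        missing.append(("<stack>", "cloudformation:DeleteStack"))
    for logical_id, res in sorted(template["Resources"].items()):
        rtype = res["Type"]
        if rtype not in DELETE_ACTIONS:
            missing.append((logical_id, f"unmapped type {rtype}"))
            continue
        for action in sorted(DELETE_ACTIONS[rtype]):
            if not _is_granted(action, granted):
                missing.append((logical_id, action))
    return missing


def unscoped_wildcard_statements(policy):
    """(statement index, mutating actions) for Allow statements on Resource "*"
    with no Condition. The template above passes: its ec2:TerminateInstances
    grant is narrowed by a stack-id tag condition, and ec2:DescribeInstances
    is read-only.
    """
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        mutating = [a for a in _as_list(stmt["Action"])
                    if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if mutating:
            flagged.append((i, mutating))
    return flagged


if __name__ == "__main__":
    print("missing:", missing_delete_permissions(TEMPLATE, EC2_POLICY))
    print("unscoped:", unscoped_wildcard_statements(EC2_POLICY))
```

Run against the template above, both checks return empty lists. Adding a resource type the policy does not cover (for example an S3 bucket) makes missing_delete_permissions name the absent s3:DeleteBucket grant, and dropping the stack-id Condition from the ec2:TerminateInstances statement makes unscoped_wildcard_statements flag it, which is exactly the over-broad grant the template avoids.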
