# CloudFormation template snippets This section provides a number of example scenarios that you can use to understand how to declare various CloudFormation template parts. You can also use the snippets as a starting point for sections of your custom templates. **Topics** + [General template snippets](quickref-general.md) + [Auto scaling CloudFormation template snippets](quickref-autoscaling.md) + [AWS Billing Console template snippets](quickref-billingconductor.md) + [CloudFormation template snippets](quickref-cloudformation.md) + [Amazon CloudFront template snippets](quickref-cloudfront.md) + [Amazon CloudWatch template snippets](quickref-cloudwatch.md) + [Amazon CloudWatch Logs template snippets](quickref-cloudwatchlogs.md) + [Amazon DynamoDB template snippets](quickref-dynamodb.md) + [Amazon EC2 CloudFormation template snippets](quickref-ec2.md) + [Amazon Elastic Container Service sample templates](quickref-ecs.md) + [Amazon Elastic File System Sample Template](quickref-efs.md) + [Elastic Beanstalk template snippets](quickref-elasticbeanstalk.md) + [Elastic Load Balancing template snippets](quickref-elb.md) + [AWS Identity and Access Management template snippets](quickref-iam.md) + [AWS Lambda template](quickref-lambda.md) + [Amazon Redshift template snippets](quickref-redshift.md) + [Amazon RDS template snippets](quickref-rds.md) + [Route 53 template snippets](quickref-route53.md) + [Amazon S3 template snippets](quickref-s3.md) + [Amazon SNS template snippets](quickref-sns.md) + [Amazon SQS template snippets](scenario-sqs-queue.md) + [Amazon Timestream template snippets](scenario-timestream-queue.md) # General template snippets The following examples show different CloudFormation template features that aren't specific to an AWS service. **Topics** + [Base64 encoded UserData property](#scenario-userdata-base64) + [Base64 encoded UserData property with AccessKey and SecretKey](#scenario-userdata-base64-with-keys) + [Parameters section with one literal string parameter](#scenario-one-string-parameter) + [Parameters section with string parameter with regular expression constraint](#scenario-constraint-string-parameter) + [Parameters section with number parameter with MinValue and MaxValue constraints](#scenario-one-number-min-parameter) + [Parameters section with number parameter with AllowedValues constraint](#scenario-one-number-parameter) + [Parameters section with one literal CommaDelimitedList parameter](#scenario-one-list-parameter) + [Parameters section with parameter value based on pseudo parameter](#scenario-one-pseudo-parameter) + [Mapping section with three mappings](#scenario-mapping-with-four-maps) + [Description based on literal string](#scenario-description-from-literal-string) + [Outputs section with one literal string output](#scenario-output-with-literal-string) + [Outputs section with one resource reference and one pseudo reference output](#scenario-output-with-ref-and-pseudo-ref) + [Outputs section with an output based on a function, a literal string, a reference, and a pseudo parameter](#scenario-output-with-complex-spec) + [Template format version](#scenario-format-version) + [AWS Tags property](#scenario-format-aws-tag) ## Base64 encoded UserData property This example shows the assembly of a `UserData` property using the `Fn::Base64` and `Fn::Join` functions. The references `MyValue` and `MyName` are parameters that must be defined in the `Parameters` section of the template. The literal string `Hello World` is just another value this example passes in as part of the `UserData`. ### JSON ``` 1. "UserData" : { 2. "Fn::Base64" : { 3. "Fn::Join" : [ ",", [ 4. { "Ref" : "MyValue" }, 5. { "Ref" : "MyName" }, 6. "Hello World" ] ] 7. } 8. } ``` ### YAML ``` 1. UserData: 2. Fn::Base64: !Sub | 3. Ref: MyValue 4. Ref: MyName 5. Hello World ``` ## Base64 encoded UserData property with AccessKey and SecretKey This example shows the assembly of a `UserData` property using the `Fn::Base64` and `Fn::Join` functions. It includes the `AccessKey` and `SecretKey` information. The references `AccessKey` and `SecretKey` are parameters that must be defined in the Parameters section of the template. ### JSON ``` 1. "UserData" : { 2. "Fn::Base64" : { 3. "Fn::Join" : [ "", [ 4. "ACCESS_KEY=", { "Ref" : "AccessKey" }, 5. "SECRET_KEY=", { "Ref" : "SecretKey" } ] 6. ] 7. } 8. } ``` ### YAML ``` 1. UserData: 2. Fn::Base64: !Sub | 3. ACCESS_KEY=${AccessKey} 4. SECRET_KEY=${SecretKey} ``` ## Parameters section with one literal string parameter The following example depicts a valid Parameters section declaration in which a single `String` type parameter is declared. ### JSON ``` 1. "Parameters" : { 2. "UserName" : { 3. "Type" : "String", 4. "Default" : "nonadmin", 5. "Description" : "Assume a vanilla user if no command-line spec provided" 6. } 7. } ``` ### YAML ``` 1. Parameters: 2. UserName: 3. Type: String 4. Default: nonadmin 5. Description: Assume a vanilla user if no command-line spec provided ``` ## Parameters section with string parameter with regular expression constraint The following example depicts a valid Parameters section declaration in which a single `String` type parameter is declared. The `AdminUserAccount` parameter has a default of `admin`. The parameter value must have a minimum length of 1, a maximum length of 16, and contains alphabetical characters and numbers but must begin with an alphabetical character. ### JSON ``` 1. "Parameters" : { 2. "AdminUserAccount": { 3. "Default": "admin", 4. "NoEcho": "true", 5. "Description" : "The admin account user name", 6. "Type": "String", 7. "MinLength": "1", 8. "MaxLength": "16", 9. "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*" 10. } 11. } ``` ### YAML ``` 1. Parameters: 2. AdminUserAccount: 3. Default: admin 4. NoEcho: true 5. Description: The admin account user name 6. Type: String 7. MinLength: 1 8. MaxLength: 16 9. AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' ``` ## Parameters section with number parameter with MinValue and MaxValue constraints The following example depicts a valid Parameters section declaration in which a single `Number` type parameter is declared. The `WebServerPort` parameter has a default of 80 and a minimum value 1 and maximum value 65535. ### JSON ``` 1. "Parameters" : { 2. "WebServerPort": { 3. "Default": "80", 4. "Description" : "TCP/IP port for the web server", 5. "Type": "Number", 6. "MinValue": "1", 7. "MaxValue": "65535" 8. } 9. } ``` ### YAML ``` 1. Parameters: 2. WebServerPort: 3. Default: 80 4. Description: TCP/IP port for the web server 5. Type: Number 6. MinValue: 1 7. MaxValue: 65535 ``` ## Parameters section with number parameter with AllowedValues constraint The following example depicts a valid Parameters section declaration in which a single `Number` type parameter is declared. The `WebServerPort` parameter has a default of 80 and allows only values of 80 and 8888. ### JSON ``` 1. "Parameters" : { 2. "WebServerPortLimited": { 3. "Default": "80", 4. "Description" : "TCP/IP port for the web server", 5. "Type": "Number", 6. "AllowedValues" : ["80", "8888"] 7. } 8. } ``` ### YAML ``` 1. Parameters: 2. WebServerPortLimited: 3. Default: 80 4. Description: TCP/IP port for the web server 5. Type: Number 6. AllowedValues: 7. - 80 8. - 8888 ``` ## Parameters section with one literal CommaDelimitedList parameter The following example depicts a valid `Parameters` section declaration in which a single `CommaDelimitedList` type parameter is declared. The `NoEcho` property is set to `TRUE`, which will mask its value with asterisks (\$1\$1\$1\$1\$1) in the **describe-stacks** output, except for information stored in the locations specified below. **Important** Using the `NoEcho` attribute does not mask any information stored in the following: The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [Metadata](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html). The `Outputs` template section. For more information, see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html). The `Metadata` attribute of a resource definition. For more information, see [`Metadata` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html). We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets. **Important** Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager. For more information, see the [Do not embed credentials in your templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds) best practice. ### JSON ``` 1. "Parameters" : { 2. "UserRoles" : { 3. "Type" : "CommaDelimitedList", 4. "Default" : "guest,newhire", 5. "NoEcho" : "TRUE" 6. } 7. } ``` ### YAML ``` 1. Parameters: 2. UserRoles: 3. Type: CommaDelimitedList 4. Default: "guest,newhire" 5. NoEcho: true ``` ## Parameters section with parameter value based on pseudo parameter The following example shows commands in the EC2 user data that use the pseudo parameters `AWS::StackName` and `AWS::Region`. For more information about pseudo parameters, see [Get AWS values using pseudo parameters](pseudo-parameter-reference.md). ### JSON ``` 1. "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [ 2. "#!/bin/bash -xe\n", 3. "yum install -y aws-cfn-bootstrap\n", 4. 5. "/opt/aws/bin/cfn-init -v ", 6. " --stack ", { "Ref" : "AWS::StackName" }, 7. " --resource LaunchConfig ", 8. " --region ", { "Ref" : "AWS::Region" }, "\n", 9. 10. "/opt/aws/bin/cfn-signal -e $? ", 11. " --stack ", { "Ref" : "AWS::StackName" }, 12. " --resource WebServerGroup ", 13. " --region ", { "Ref" : "AWS::Region" }, "\n" 14. ]]}} 15. } ``` ### YAML ``` 1. UserData: 2. Fn::Base64: !Sub | 3. #!/bin/bash -xe 4. yum update -y aws-cfn-bootstrap 5. /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --region ${AWS::Region} 6. /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region} ``` ## Mapping section with three mappings The following example depicts a valid `Mapping` section declaration that contains three mappings. The map, when matched with a mapping key of `Stop`, `SlowDown`, or `Go`, provides the RGB values assigned to the corresponding `RGBColor` attribute. ### JSON ``` 1. "Mappings" : { 2. "LightColor" : { 3. "Stop" : { 4. "Description" : "red", 5. "RGBColor" : "RED 255 GREEN 0 BLUE 0" 6. }, 7. "SlowDown" : { 8. "Description" : "yellow", 9. "RGBColor" : "RED 255 GREEN 255 BLUE 0" 10. }, 11. "Go" : { 12. "Description" : "green", 13. "RGBColor" : "RED 0 GREEN 128 BLUE 0" 14. } 15. } 16. } ``` ### YAML ``` 1. Mappings: 2. LightColor: 3. Stop: 4. Description: red 5. RGBColor: "RED 255 GREEN 0 BLUE 0" 6. SlowDown: 7. Description: yellow 8. RGBColor: "RED 255 GREEN 255 BLUE 0" 9. Go: 10. Description: green 11. RGBColor: "RED 0 GREEN 128 BLUE 0" ``` ## Description based on literal string The following example depicts a valid `Description` section declaration where the value is based on a literal string. This snippet can be for templates, parameters, resources, properties, or outputs. ### JSON ``` 1. "Description" : "Replace this value" ``` ### YAML ``` 1. Description: "Replace this value" ``` ## Outputs section with one literal string output This example shows a output assignment based on a literal string. ### JSON ``` 1. "Outputs" : { 2. "MyPhone" : { 3. "Value" : "Please call 555-5555", 4. "Description" : "A random message for aws cloudformation describe-stacks" 5. } 6. } ``` ### YAML ``` 1. Outputs: 2. MyPhone: 3. Value: Please call 555-5555 4. Description: A random message for aws cloudformation describe-stacks ``` ## Outputs section with one resource reference and one pseudo reference output This example shows an `Outputs` section with two output assignments. One is based on a resource, and the other is based on a pseudo reference. ### JSON ``` 1. "Outputs" : { 2. "SNSTopic" : { "Value" : { "Ref" : "MyNotificationTopic" } }, 3. "StackName" : { "Value" : { "Ref" : "AWS::StackName" } } 4. } ``` ### YAML ``` 1. Outputs: 2. SNSTopic: 3. Value: !Ref MyNotificationTopic 4. StackName: 5. Value: !Ref AWS::StackName ``` ## Outputs section with an output based on a function, a literal string, a reference, and a pseudo parameter This example shows an Outputs section with one output assignment. The Join function is used to concatenate the value, using a percent sign as the delimiter. ### JSON ``` 1. "Outputs" : { 2. "MyOutput" : { 3. "Value" : { "Fn::Join" : 4. [ "%", [ "A-string", {"Ref" : "AWS::StackName" } ] ] 5. } 6. } 7. } ``` ### YAML ``` 1. Outputs: 2. MyOutput: 3. Value: !Join [ %, [ 'A-string', !Ref 'AWS::StackName' ]] ``` ## Template format version The following snippet depicts a valid `AWSTemplateFormatVersion` section declaration. ### JSON ``` 1. "AWSTemplateFormatVersion" : "2010-09-09" ``` ### YAML ``` 1. AWSTemplateFormatVersion: '2010-09-09' ``` ## AWS Tags property This example shows an AWS `Tags` property. You would specify this property within the Properties section of a resource. When the resource is created, it will be tagged with the tags you declare. ### JSON ``` 1. "Tags" : [ 2. { 3. "Key" : "keyname1", 4. "Value" : "value1" 5. }, 6. { 7. "Key" : "keyname2", 8. "Value" : "value2" 9. } 10. ] ``` ### YAML ``` 1. Tags: 2. - 3. Key: "keyname1" 4. Value: "value1" 5. - 6. Key: "keyname2" 7. Value: "value2" ``` # Auto scaling CloudFormation template snippets With Amazon EC2 Auto Scaling, you can automatically scale Amazon EC2 instances, either with scaling policies or with scheduled scaling. Auto Scaling groups are collections of Amazon EC2 instances that enable automatic scaling and fleet management features, such as scaling policies, scheduled actions, health checks, lifecycle hooks, and load balancing. Application Auto Scaling provides automatic scaling of different resources beyond Amazon EC2, either with scaling policies or with scheduled scaling. You can create and configure Auto Scaling groups, scaling policies, scheduled actions, and other auto scaling resources as part of your infrastructure using CloudFormation templates. Templates make it easy to manage and automate the deployment of auto scaling resources in a repeatable and consistent manner. The following example template snippets describe CloudFormation resources or components for Amazon EC2 Auto Scaling and Application Auto Scaling. These snippets are designed to be integrated into a template and are not intended to be run independently. **Topics** + [Configure Amazon EC2 Auto Scaling resources](quickref-ec2-auto-scaling.md) + [Configure Application Auto Scaling resources](quickref-application-auto-scaling.md) # Configure Amazon EC2 Auto Scaling resources with CloudFormation The following examples show different snippets to include in templates for use with Amazon EC2 Auto Scaling. **Topics** + [Create a single instance Auto Scaling group](#scenario-single-instance-as-group) + [Create an Auto Scaling group with an attached load balancer](#scenario-as-group) + [Create an Auto Scaling group with notifications](#scenario-as-notification) + [Create an Auto Scaling group that uses a `CreationPolicy` and an `UpdatePolicy`](#scenario-as-updatepolicy) + [Create a step scaling policy](#scenario-step-scaling-policy) + [Mixed instances group examples](#scenario-mixed-instances-group-template-examples) + [Launch configuration examples](#scenario-launch-config-template-examples) ## Create a single instance Auto Scaling group This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource with a single instance to help you get started. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource with the logical name `myLaunchTemplate` that is defined elsewhere in your template. **Note** For examples of launch templates, see [Create launch templates with CloudFormation](quickref-ec2-launch-templates.md) in the Amazon EC2 snippets section and the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples) section in the `AWS::EC2::LaunchTemplate` resource. ### JSON ``` 1. "myASG" : { 2. "Type" : "AWS::AutoScaling::AutoScalingGroup", 3. "Properties" : { 4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ], 5. "LaunchTemplate" : { 6. "LaunchTemplateId" : { 7. "Ref" : "myLaunchTemplate" 8. }, 9. "Version" : { 10. "Fn::GetAtt" : [ 11. "myLaunchTemplate", 12. "LatestVersionNumber" 13. ] 14. } 15. }, 16. "MaxSize" : "1", 17. "MinSize" : "1" 18. } 19. } ``` ### YAML ``` 1. myASG: 2. Type: AWS::AutoScaling::AutoScalingGroup 3. Properties: 4. VPCZoneIdentifier: 5. - subnetIdAz1 6. - subnetIdAz2 7. - subnetIdAz3 8. LaunchTemplate: 9. LaunchTemplateId: !Ref myLaunchTemplate 10. Version: !GetAtt myLaunchTemplate.LatestVersionNumber 11. MaxSize: '1' 12. MinSize: '1' ``` ## Create an Auto Scaling group with an attached load balancer This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource for load balancing over multiple servers. It specifies the logical names of AWS resources declared elsewhere in the same template. 1. The `VPCZoneIdentifier` property specifies the logical names of two [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) resources where the Auto Scaling group's EC2 instances will be created: `myPublicSubnet1` and `myPublicSubnet2`. 1. The `LaunchTemplate` property specifies an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource with the logical name `myLaunchTemplate`. 1. The `TargetGroupARNs` property lists the target groups for an Application Load Balancer or Network Load Balancer used to route traffic to the Auto Scaling group. In this example, one target group is specified, an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) resource with the logical name `myTargetGroup`. ### JSON ``` 1. "myServerGroup" : { 2. "Type" : "AWS::AutoScaling::AutoScalingGroup", 3. "Properties" : { 4. "VPCZoneIdentifier" : [ { "Ref" : "myPublicSubnet1" }, { "Ref" : "myPublicSubnet2" } ], 5. "LaunchTemplate" : { 6. "LaunchTemplateId" : { 7. "Ref" : "myLaunchTemplate" 8. }, 9. "Version" : { 10. "Fn::GetAtt" : [ 11. "myLaunchTemplate", 12. "LatestVersionNumber" 13. ] 14. } 15. }, 16. "MaxSize" : "5", 17. "MinSize" : "1", 18. "TargetGroupARNs" : [ { "Ref" : "myTargetGroup" } ] 19. } 20. } ``` ### YAML ``` 1. myServerGroup: 2. Type: AWS::AutoScaling::AutoScalingGroup 3. Properties: 4. VPCZoneIdentifier: 5. - !Ref myPublicSubnet1 6. - !Ref myPublicSubnet2 7. LaunchTemplate: 8. LaunchTemplateId: !Ref myLaunchTemplate 9. Version: !GetAtt myLaunchTemplate.LatestVersionNumber 10. MaxSize: '5' 11. MinSize: '1' 12. TargetGroupARNs: 13. - !Ref myTargetGroup ``` ### See also For a detailed example that creates an Auto Scaling group with a target tracking scaling policy based on the `ALBRequestCountPerTarget` predefined metric for your Application Load Balancer, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples) section in the `AWS::AutoScaling::ScalingPolicy` resource. ## Create an Auto Scaling group with notifications This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource that sends Amazon SNS notifications when the specified events take place. The `NotificationConfigurations` property specifies the SNS topic where CloudFormation sends a notification and the events that will cause CloudFormation to send notifications. When the events specified by `NotificationTypes` occur, CloudFormation will send a notification to the SNS topic specified by `TopicARN`. When you launch the stack, CloudFormation creates an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html) resource (`snsTopicForAutoScalingGroup`) that's declared within the same template. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource declared elsewhere in the same template. ### JSON ``` 1. "myASG" : { 2. "Type" : "AWS::AutoScaling::AutoScalingGroup", 3. "DependsOn": [ 4. "snsTopicForAutoScalingGroup" 5. ], 6. "Properties" : { 7. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ], 8. "LaunchTemplate" : { 9. "LaunchTemplateId" : { 10. "Ref" : "logicalName" 11. }, 12. "Version" : { 13. "Fn::GetAtt" : [ 14. "logicalName", 15. "LatestVersionNumber" 16. ] 17. } 18. }, 19. "MaxSize" : "5", 20. "MinSize" : "1", 21. "NotificationConfigurations" : [ 22. { 23. "TopicARN" : { "Ref" : "snsTopicForAutoScalingGroup" }, 24. "NotificationTypes" : [ 25. "autoscaling:EC2_INSTANCE_LAUNCH", 26. "autoscaling:EC2_INSTANCE_LAUNCH_ERROR", 27. "autoscaling:EC2_INSTANCE_TERMINATE", 28. "autoscaling:EC2_INSTANCE_TERMINATE_ERROR", 29. "autoscaling:TEST_NOTIFICATION" 30. ] 31. } 32. ] 33. } 34. } ``` ### YAML ``` 1. myASG: 2. Type: AWS::AutoScaling::AutoScalingGroup 3. DependsOn: 4. - snsTopicForAutoScalingGroup 5. Properties: 6. VPCZoneIdentifier: 7. - subnetIdAz1 8. - subnetIdAz2 9. - subnetIdAz3 10. LaunchTemplate: 11. LaunchTemplateId: !Ref logicalName 12. Version: !GetAtt logicalName.LatestVersionNumber 13. MaxSize: '5' 14. MinSize: '1' 15. NotificationConfigurations: 16. - TopicARN: !Ref snsTopicForAutoScalingGroup 17. NotificationTypes: 18. - autoscaling:EC2_INSTANCE_LAUNCH 19. - autoscaling:EC2_INSTANCE_LAUNCH_ERROR 20. - autoscaling:EC2_INSTANCE_TERMINATE 21. - autoscaling:EC2_INSTANCE_TERMINATE_ERROR 22. - autoscaling:TEST_NOTIFICATION ``` ## Create an Auto Scaling group that uses a `CreationPolicy` and an `UpdatePolicy` The following example shows how to add `CreationPolicy` and `UpdatePolicy` attributes to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource. The sample creation policy prevents the Auto Scaling group from reaching `CREATE_COMPLETE` status until CloudFormation receives `Count` number of success signals when the group is ready. To signal that the Auto Scaling group is ready, a `cfn-signal` helper script added to the launch template's user data (not shown) is run on the instances. If the instances don't send a signal within the specified `Timeout`, CloudFormation assumes that the instances were not created, the resource creation fails, and CloudFormation rolls the stack back. The sample update policy instructs CloudFormation to perform a rolling update using the `AutoScalingRollingUpdate` property. The rolling update makes changes to the Auto Scaling group in small batches (for this example, instance by instance) based on the `MaxBatchSize` and a pause time between batches of updates based on the `PauseTime`. The `MinInstancesInService` attribute specifies the minimum number of instances that must be in service within the Auto Scaling group while CloudFormation updates old instances. The `WaitOnResourceSignals` attribute is set to `true`. CloudFormation must receive a signal from each new instance within the specified `PauseTime` before continuing the update. While the stack update is in progress, the following EC2 Auto Scaling processes are suspended: `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, and `ScheduledActions`. Note: Don't suspend the `Launch`, `Terminate`, or `AddToLoadBalancer` (if the Auto Scaling group is being used with Elastic Load Balancing) process types because doing so can prevent the rolling update from functioning properly. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource declared elsewhere in the same template. For more information about the `CreationPolicy` and `UpdatePolicy` attributes, see [Resource attribute reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-product-attribute-reference.html). ### JSON ``` { "Resources":{ "myASG":{ "CreationPolicy":{ "ResourceSignal":{ "Count":"3", "Timeout":"PT15M" } }, "UpdatePolicy":{ "AutoScalingRollingUpdate":{ "MinInstancesInService":"3", "MaxBatchSize":"1", "PauseTime":"PT12M5S", "WaitOnResourceSignals":"true", "SuspendProcesses":[ "HealthCheck", "ReplaceUnhealthy", "AZRebalance", "AlarmNotification", "ScheduledActions", "InstanceRefresh" ] } }, "Type":"AWS::AutoScaling::AutoScalingGroup", "Properties":{ "VPCZoneIdentifier":[ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ], "LaunchTemplate":{ "LaunchTemplateId":{ "Ref":"logicalName" }, "Version":{ "Fn::GetAtt":[ "logicalName", "LatestVersionNumber" ] } }, "MaxSize":"5", "MinSize":"3" } } } } ``` ### YAML ``` --- Resources: myASG: CreationPolicy: ResourceSignal: Count: '3' Timeout: PT15M UpdatePolicy: AutoScalingRollingUpdate: MinInstancesInService: '3' MaxBatchSize: '1' PauseTime: PT12M5S WaitOnResourceSignals: true SuspendProcesses: - HealthCheck - ReplaceUnhealthy - AZRebalance - AlarmNotification - ScheduledActions - InstanceRefresh Type: AWS::AutoScaling::AutoScalingGroup Properties: VPCZoneIdentifier: - subnetIdAz1 - subnetIdAz2 - subnetIdAz3 LaunchTemplate: LaunchTemplateId: !Ref logicalName Version: !GetAtt logicalName.LatestVersionNumber MaxSize: '5' MinSize: '3' ``` ## Create a step scaling policy This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html) resource that scales out the Auto Scaling group using a step scaling policy. The `AdjustmentType` property specifies `ChangeInCapacity`, which means that the `ScalingAdjustment` represents the number of instances to add (if `ScalingAdjustment` is positive) or delete (if it is negative). In this example, `ScalingAdjustment` is 1; therefore, the policy increments the number of EC2 instances in the group by 1 when the alarm threshold is breached. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html) resource `CPUAlarmHigh` specifies the scaling policy `ASGScalingPolicyHigh` as the action to run when the alarm is in an ALARM state (`AlarmActions`). The `Dimensions` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource declared elsewhere in the same template. ### JSON ``` 1. { 2. "Resources":{ 3. "ASGScalingPolicyHigh":{ 4. "Type":"AWS::AutoScaling::ScalingPolicy", 5. "Properties":{ 6. "AutoScalingGroupName":{ "Ref":"logicalName" }, 7. "PolicyType":"StepScaling", 8. "AdjustmentType":"ChangeInCapacity", 9. "StepAdjustments":[ 10. { 11. "MetricIntervalLowerBound":0, 12. "ScalingAdjustment":1 13. } 14. ] 15. } 16. }, 17. "CPUAlarmHigh":{ 18. "Type":"AWS::CloudWatch::Alarm", 19. "Properties":{ 20. "EvaluationPeriods":"2", 21. "Statistic":"Average", 22. "Threshold":"90", 23. "AlarmDescription":"Scale out if CPU > 90% for 2 minutes", 24. "Period":"60", 25. "AlarmActions":[ { "Ref":"ASGScalingPolicyHigh" } ], 26. "Namespace":"AWS/EC2", 27. "Dimensions":[ 28. { 29. "Name":"AutoScalingGroupName", 30. "Value":{ "Ref":"logicalName" } 31. } 32. ], 33. "ComparisonOperator":"GreaterThanThreshold", 34. "MetricName":"CPUUtilization" 35. } 36. } 37. } 38. } ``` ### YAML ``` 1. --- 2. Resources: 3. ASGScalingPolicyHigh: 4. Type: AWS::AutoScaling::ScalingPolicy 5. Properties: 6. AutoScalingGroupName: !Ref logicalName 7. PolicyType: StepScaling 8. AdjustmentType: ChangeInCapacity 9. StepAdjustments: 10. - MetricIntervalLowerBound: 0 11. ScalingAdjustment: 1 12. CPUAlarmHigh: 13. Type: AWS::CloudWatch::Alarm 14. Properties: 15. EvaluationPeriods: 2 16. Statistic: Average 17. Threshold: 90 18. AlarmDescription: 'Scale out if CPU > 90% for 2 minutes' 19. Period: 60 20. AlarmActions: 21. - !Ref ASGScalingPolicyHigh 22. Namespace: AWS/EC2 23. Dimensions: 24. - Name: AutoScalingGroupName 25. Value: 26. !Ref logicalName 27. ComparisonOperator: GreaterThanThreshold 28. MetricName: CPUUtilization ``` ### See also For more example templates for scaling policies, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples) section in the `AWS::AutoScaling::ScalingPolicy` resource. ## Mixed instances group examples ### Create an Auto Scaling group using attribute-based instance type selection This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource that contains the information to launch a mixed instances group using attribute-based instance type selection. You specify the minimum and maximum values for the `VCpuCount` property and the minimum value for the `MemoryMiB` property. Any instance types used by the Auto Scaling group must match your required instance attributes. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource declared elsewhere in the same template. #### JSON ``` 1. { 2. "Resources":{ 3. "myASG":{ 4. "Type":"AWS::AutoScaling::AutoScalingGroup", 5. "Properties":{ 6. "VPCZoneIdentifier":[ 7. "subnetIdAz1", 8. "subnetIdAz2", 9. "subnetIdAz3" 10. ], 11. "MixedInstancesPolicy":{ 12. "LaunchTemplate":{ 13. "LaunchTemplateSpecification":{ 14. "LaunchTemplateId":{ 15. "Ref":"logicalName" 16. }, 17. "Version":{ 18. "Fn::GetAtt":[ 19. "logicalName", 20. "LatestVersionNumber" 21. ] 22. } 23. }, 24. "Overrides":[ 25. { 26. "InstanceRequirements":{ 27. "VCpuCount":{ 28. "Min":2, 29. "Max":4 30. }, 31. "MemoryMiB":{ 32. "Min":2048 33. } 34. } 35. } 36. ] 37. } 38. }, 39. "MaxSize":"5", 40. "MinSize":"1" 41. } 42. } 43. } 44. } ``` #### YAML ``` 1. --- 2. Resources: 3. myASG: 4. Type: AWS::AutoScaling::AutoScalingGroup 5. Properties: 6. VPCZoneIdentifier: 7. - subnetIdAz1 8. - subnetIdAz2 9. - subnetIdAz3 10. MixedInstancesPolicy: 11. LaunchTemplate: 12. LaunchTemplateSpecification: 13. LaunchTemplateId: !Ref logicalName 14. Version: !GetAtt logicalName.LatestVersionNumber 15. Overrides: 16. - InstanceRequirements: 17. VCpuCount: 18. Min: 2 19. Max: 4 20. MemoryMiB: 21. Min: 2048 22. MaxSize: '5' 23. MinSize: '1' ``` ## Launch configuration examples ### Create a launch configuration This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) resource for an Auto Scaling group where you specify values for the `ImageId`, `InstanceType`, and `SecurityGroups` properties. The `SecurityGroups` property specifies both the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource that's specified elsewhere in the template, and an existing EC2 security group named `myExistingEC2SecurityGroup`. #### JSON ``` 1. "mySimpleConfig" : { 2. "Type" : "AWS::AutoScaling::LaunchConfiguration", 3. "Properties" : { 4. "ImageId" : "ami-02354e95b3example", 5. "InstanceType" : "t3.micro", 6. "SecurityGroups" : [ { "Ref" : "logicalName" }, "myExistingEC2SecurityGroup" ] 7. } 8. } ``` #### YAML ``` 1. mySimpleConfig: 2. Type: AWS::AutoScaling::LaunchConfiguration 3. Properties: 4. ImageId: ami-02354e95b3example 5. InstanceType: t3.micro 6. SecurityGroups: 7. - !Ref logicalName 8. - myExistingEC2SecurityGroup ``` ### Create an Auto Scaling group that uses a launch configuration This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource with a single instance. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchConfigurationName` property references an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) resource with the logical name `mySimpleConfig` that is defined in your template. #### JSON ``` 1. "myASG" : { 2. "Type" : "AWS::AutoScaling::AutoScalingGroup", 3. "Properties" : { 4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ], 5. "LaunchConfigurationName" : { "Ref" : "mySimpleConfig" }, 6. "MaxSize" : "1", 7. "MinSize" : "1" 8. } 9. } ``` #### YAML ``` 1. myASG: 2. Type: AWS::AutoScaling::AutoScalingGroup 3. Properties: 4. VPCZoneIdentifier: 5. - subnetIdAz1 6. - subnetIdAz2 7. - subnetIdAz3 8. LaunchConfigurationName: !Ref mySimpleConfig 9. MaxSize: '1' 10. MinSize: '1' ``` # Configure Application Auto Scaling resources with CloudFormation This section provides CloudFormation template examples for Application Auto Scaling scaling policies and scheduled actions for different AWS resources. **Important** When an Application Auto Scaling snippet is included in the template, you might need to declare a dependency on the specific scalable resource that's created through the template using the `DependsOn` attribute. This overrides the default parallelism and directs CloudFormation to operate on resources in a specified order. Otherwise, the scaling configuration might be applied before the resource has been set up completely. For more information, see [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-dependson.html). **Topics** + [Create a scaling policy for an AppStream fleet](#w2aac11c41c15c19b9) + [Create a scaling policy for an Aurora DB cluster](#w2aac11c41c15c19c11) + [Create a scaling policy for a DynamoDB table](#w2aac11c41c15c19c13) + [Create a scaling policy for an Amazon ECS service (metrics: average CPU and memory)](#w2aac11c41c15c19c15) + [Create a scaling policy for an Amazon ECS service (metric: average request count per target)](#w2aac11c41c15c19c17) + [Create a scheduled action with a cron expression for a Lambda function](#w2aac11c41c15c19c19) + [Create a scheduled action with an `at` expression for a Spot Fleet](#w2aac11c41c15c19c21) ## Create a scaling policy for an AppStream fleet This snippet shows how to create a policy and apply it to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource declares a scalable target to which this policy is applied. Application Auto Scaling can scale the number of fleet instances at a minimum of 1 instance and a maximum of 20. The policy keeps the average capacity utilization of the fleet at 75 percent, with scale-out and scale-in cooldown periods of 300 seconds (5 minutes). It uses the `Fn::Join` and `Rev` intrinsic functions to construct the `ResourceId` property with the logical name of the `AWS::AppStream::Fleet` resource that's specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). ### JSON ``` { "Resources" : { "ScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : 20, "MinCapacity" : 1, "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet" }, "ServiceNamespace" : "appstream", "ScalableDimension" : "appstream:fleet:DesiredCapacity", "ResourceId" : { "Fn::Join" : [ "/", [ "fleet", { "Ref" : "logicalName" } ] ] } } }, "ScalingPolicyAppStreamFleet" : { "Type" : "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties" : { "PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu75" }, "PolicyType" : "TargetTrackingScaling", "ServiceNamespace" : "appstream", "ScalableDimension" : "appstream:fleet:DesiredCapacity", "ResourceId" : { "Fn::Join" : [ "/", [ "fleet", { "Ref" : "logicalName" } ] ] }, "TargetTrackingScalingPolicyConfiguration" : { "TargetValue" : 75, "PredefinedMetricSpecification" : { "PredefinedMetricType" : "AppStreamAverageCapacityUtilization" }, "ScaleInCooldown" : 300, "ScaleOutCooldown" : 300 } } } } } ``` ### YAML ``` --- Resources: ScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 20 MinCapacity: 1 RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet' ServiceNamespace: appstream ScalableDimension: appstream:fleet:DesiredCapacity ResourceId: !Join - / - - fleet - !Ref logicalName ScalingPolicyAppStreamFleet: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu75 PolicyType: TargetTrackingScaling ServiceNamespace: appstream ScalableDimension: appstream:fleet:DesiredCapacity ResourceId: !Join - / - - fleet - !Ref logicalName TargetTrackingScalingPolicyConfiguration: TargetValue: 75 PredefinedMetricSpecification: PredefinedMetricType: AppStreamAverageCapacityUtilization ScaleInCooldown: 300 ScaleOutCooldown: 300 ``` ## Create a scaling policy for an Aurora DB cluster In this snippet, you register an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource indicates that the DB cluster should be dynamically scaled to have from one to eight Aurora Replicas. You also apply a target tracking scaling policy to the cluster using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. In this configuration, the `RDSReaderAverageCPUUtilization` predefined metric is used to adjust an Aurora DB cluster based on an average CPU utilization of 40 percent across all Aurora Replicas in that Aurora DB cluster. The configuration provides a scale-in cooldown period of 10 minutes and a scale-out cooldown period of 5 minutes. This example uses the `Fn::Sub` intrinsic function to construct the `ResourceId` property with the logical name of the `AWS::RDS::DBCluster` resource that is specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). ### JSON ``` { "Resources" : { "ScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : 8, "MinCapacity" : 1, "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster" }, "ServiceNamespace" : "rds", "ScalableDimension" : "rds:cluster:ReadReplicaCount", "ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" } } }, "ScalingPolicyDBCluster" : { "Type" : "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties" : { "PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu40" }, "PolicyType" : "TargetTrackingScaling", "ServiceNamespace" : "rds", "ScalableDimension" : "rds:cluster:ReadReplicaCount", "ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" }, "TargetTrackingScalingPolicyConfiguration" : { "TargetValue" : 40, "PredefinedMetricSpecification" : { "PredefinedMetricType" : "RDSReaderAverageCPUUtilization" }, "ScaleInCooldown" : 600, "ScaleOutCooldown" : 300 } } } } } ``` ### YAML ``` --- Resources: ScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 8 MinCapacity: 1 RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster' ServiceNamespace: rds ScalableDimension: rds:cluster:ReadReplicaCount ResourceId: !Sub cluster:${logicalName} ScalingPolicyDBCluster: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu40 PolicyType: TargetTrackingScaling ServiceNamespace: rds ScalableDimension: rds:cluster:ReadReplicaCount ResourceId: !Sub cluster:${logicalName} TargetTrackingScalingPolicyConfiguration: TargetValue: 40 PredefinedMetricSpecification: PredefinedMetricType: RDSReaderAverageCPUUtilization ScaleInCooldown: 600 ScaleOutCooldown: 300 ``` ## Create a scaling policy for a DynamoDB table This snippet shows how to create a policy with the `TargetTrackingScaling` policy type and apply it to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource declares a scalable target to which this policy is applied, with a minimum of five write capacity units and a maximum of 15. The scaling policy scales the table's write capacity throughput to maintain the target utilization at 50 percent based on the `DynamoDBWriteCapacityUtilization` predefined metric. It uses the `Fn::Join` and `Ref` intrinsic functions to construct the `ResourceId` property with the logical name of the `AWS::DynamoDB::Table` resource that's specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). **Note** For more information about how to create an CloudFormation template for DynamoDB resources, see the blog post [How to use CloudFormation to configure auto scaling for Amazon DynamoDB tables and indexes](https://aws.amazon.com/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/) on the AWS Database Blog. ### JSON ``` { "Resources" : { "WriteCapacityScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : 15, "MinCapacity" : 5, "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" }, "ServiceNamespace" : "dynamodb", "ScalableDimension" : "dynamodb:table:WriteCapacityUnits", "ResourceId" : { "Fn::Join" : [ "/", [ "table", { "Ref" : "logicalName" } ] ] } } }, "WriteScalingPolicy" : { "Type" : "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties" : { "PolicyName" : "WriteScalingPolicy", "PolicyType" : "TargetTrackingScaling", "ScalingTargetId" : { "Ref" : "WriteCapacityScalableTarget" }, "TargetTrackingScalingPolicyConfiguration" : { "TargetValue" : 50.0, "ScaleInCooldown" : 60, "ScaleOutCooldown" : 60, "PredefinedMetricSpecification" : { "PredefinedMetricType" : "DynamoDBWriteCapacityUtilization" } } } } } } ``` ### YAML ``` --- Resources: WriteCapacityScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 15 MinCapacity: 5 RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable' ServiceNamespace: dynamodb ScalableDimension: dynamodb:table:WriteCapacityUnits ResourceId: !Join - / - - table - !Ref logicalName WriteScalingPolicy: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: WriteScalingPolicy PolicyType: TargetTrackingScaling ScalingTargetId: !Ref WriteCapacityScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: 50.0 ScaleInCooldown: 60 ScaleOutCooldown: 60 PredefinedMetricSpecification: PredefinedMetricType: DynamoDBWriteCapacityUtilization ``` ## Create a scaling policy for an Amazon ECS service (metrics: average CPU and memory) This snippet shows how to create a policy and apply it to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource declares a scalable target to which this policy is applied. Application Auto Scaling can scale the number of tasks at a minimum of 1 task and a maximum of 6. It creates two scaling policies with the `TargetTrackingScaling` policy type. The policies are used to scale the ECS service based on the service's average CPU and memory usage. It uses the `Fn::Join` and `Ref` intrinsic functions to construct the `ResourceId` property with the logical names of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html) (`myContainerCluster`) and `AWS::ECS::Service` (`myService`) resources that are specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). ### JSON ``` { "Resources" : { "ECSScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : "6", "MinCapacity" : "1", "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" }, "ServiceNamespace" : "ecs", "ScalableDimension" : "ecs:service:DesiredCount", "ResourceId" : { "Fn::Join" : [ "/", [ "service", { "Ref" : "myContainerCluster" }, { "Fn::GetAtt" : [ "myService", "Name" ] } ] ] } } }, "ServiceScalingPolicyCPU" : { "Type" : "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties" : { "PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu70" }, "PolicyType" : "TargetTrackingScaling", "ScalingTargetId" : { "Ref" : "ECSScalableTarget" }, "TargetTrackingScalingPolicyConfiguration" : { "TargetValue" : 70.0, "ScaleInCooldown" : 180, "ScaleOutCooldown" : 60, "PredefinedMetricSpecification" : { "PredefinedMetricType" : "ECSServiceAverageCPUUtilization" } } } }, "ServiceScalingPolicyMem" : { "Type" : "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties" : { "PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-mem90" }, "PolicyType" : "TargetTrackingScaling", "ScalingTargetId" : { "Ref" : "ECSScalableTarget" }, "TargetTrackingScalingPolicyConfiguration" : { "TargetValue" : 90.0, "ScaleInCooldown" : 180, "ScaleOutCooldown" : 60, "PredefinedMetricSpecification" : { "PredefinedMetricType" : "ECSServiceAverageMemoryUtilization" } } } } } } ``` ### YAML ``` --- Resources: ECSScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 6 MinCapacity: 1 RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService' ServiceNamespace: ecs ScalableDimension: 'ecs:service:DesiredCount' ResourceId: !Join - / - - service - !Ref myContainerCluster - !GetAtt myService.Name ServiceScalingPolicyCPU: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu70 PolicyType: TargetTrackingScaling ScalingTargetId: !Ref ECSScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: 70.0 ScaleInCooldown: 180 ScaleOutCooldown: 60 PredefinedMetricSpecification: PredefinedMetricType: ECSServiceAverageCPUUtilization ServiceScalingPolicyMem: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: !Sub ${AWS::StackName}-target-tracking-mem90 PolicyType: TargetTrackingScaling ScalingTargetId: !Ref ECSScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: 90.0 ScaleInCooldown: 180 ScaleOutCooldown: 60 PredefinedMetricSpecification: PredefinedMetricType: ECSServiceAverageMemoryUtilization ``` ## Create a scaling policy for an Amazon ECS service (metric: average request count per target) The following example applies a target tracking scaling policy with the `ALBRequestCountPerTarget` predefined metric to an ECS service. The policy is used to add capacity to the ECS service when the request count per target (per minute) exceeds the target value. Because the value of `DisableScaleIn` is set to `true`, the target tracking policy won't remove capacity from the scalable target. It uses the `Fn::Join` and `Fn::GetAtt` intrinsic functions to construct the `ResourceLabel` property with the logical names of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) (`myLoadBalancer`) and [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) (`myTargetGroup`) resources that are specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). The `MaxCapacity` and `MinCapacity` properties of the scalable target and the `TargetValue` property of the scaling policy reference parameter values that you pass to the template when creating or updating a stack. ### JSON ``` { "Resources" : { "ECSScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : { "Ref" : "MaxCount" }, "MinCapacity" : { "Ref" : "MinCount" }, "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" }, "ServiceNamespace" : "ecs", "ScalableDimension" : "ecs:service:DesiredCount", "ResourceId" : { "Fn::Join" : [ "/", [ "service", { "Ref" : "myContainerCluster" }, { "Fn::GetAtt" : [ "myService", "Name" ] } ] ] } } }, "ServiceScalingPolicyALB" : { "Type" : "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties" : { "PolicyName" : "alb-requests-per-target-per-minute", "PolicyType" : "TargetTrackingScaling", "ScalingTargetId" : { "Ref" : "ECSScalableTarget" }, "TargetTrackingScalingPolicyConfiguration" : { "TargetValue" : { "Ref" : "ALBPolicyTargetValue" }, "ScaleInCooldown" : 180, "ScaleOutCooldown" : 30, "DisableScaleIn" : true, "PredefinedMetricSpecification" : { "PredefinedMetricType" : "ALBRequestCountPerTarget", "ResourceLabel" : { "Fn::Join" : [ "/", [ { "Fn::GetAtt" : [ "myLoadBalancer", "LoadBalancerFullName" ] }, { "Fn::GetAtt" : [ "myTargetGroup", "TargetGroupFullName" ] } ] ] } } } } } } } ``` ### YAML ``` --- Resources: ECSScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: !Ref MaxCount MinCapacity: !Ref MinCount RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService' ServiceNamespace: ecs ScalableDimension: 'ecs:service:DesiredCount' ResourceId: !Join - / - - service - !Ref myContainerCluster - !GetAtt myService.Name ServiceScalingPolicyALB: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: alb-requests-per-target-per-minute PolicyType: TargetTrackingScaling ScalingTargetId: !Ref ECSScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: !Ref ALBPolicyTargetValue ScaleInCooldown: 180 ScaleOutCooldown: 30 DisableScaleIn: true PredefinedMetricSpecification: PredefinedMetricType: ALBRequestCountPerTarget ResourceLabel: !Join - '/' - - !GetAtt myLoadBalancer.LoadBalancerFullName - !GetAtt myTargetGroup.TargetGroupFullName ``` ## Create a scheduled action with a cron expression for a Lambda function This snippet registers the provisioned concurrency for a function alias ([https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html)) named `BLUE` using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource. It also creates a scheduled action with a recurring schedule using a cron expression. The time zone for the recurring schedule is UTC. It uses the `Fn::Join` and `Ref` intrinsic functions in the `RoleARN` property to specify the ARN of the service-linked role. It uses the `Fn::Sub` intrinsic function to construct the `ResourceId` property with the logical name of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) or [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html) resource that is specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). **Note** You can't allocate provisioned concurrency on an alias that points to the unpublished version (`$LATEST`). For more information about how to create an CloudFormation template for Lambda resources, see the blog post [Scheduling AWS Lambda Provisioned Concurrency for recurring peak usage](https://aws.amazon.com/blogs/compute/scheduling-aws-lambda-provisioned-concurrency-for-recurring-peak-usage/) on the AWS Compute Blog. ### JSON ``` { "ScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : 250, "MinCapacity" : 0, "RoleARN" : { "Fn::Join" : [ ":", [ "arn:aws:iam:", { "Ref" : "AWS::AccountId" }, "role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency" ] ] }, "ServiceNamespace" : "lambda", "ScalableDimension" : "lambda:function:ProvisionedConcurrency", "ResourceId" : { "Fn::Sub" : "function:${logicalName}:BLUE" }, "ScheduledActions" : [ { "ScalableTargetAction" : { "MinCapacity" : "250" }, "ScheduledActionName" : "my-scale-out-scheduled-action", "Schedule" : "cron(0 18 * * ? *)", "EndTime" : "2022-12-31T12:00:00.000Z" } ] } } } ``` ### YAML ``` ScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 250 MinCapacity: 0 RoleARN: !Join - ':' - - 'arn:aws:iam:' - !Ref 'AWS::AccountId' - role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency ServiceNamespace: lambda ScalableDimension: lambda:function:ProvisionedConcurrency ResourceId: !Sub function:${logicalName}:BLUE ScheduledActions: - ScalableTargetAction: MinCapacity: 250 ScheduledActionName: my-scale-out-scheduled-action Schedule: 'cron(0 18 * * ? *)' EndTime: '2022-12-31T12:00:00.000Z' ``` ## Create a scheduled action with an `at` expression for a Spot Fleet This snippet shows how to create two scheduled actions that occur only once for an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource. The time zone for each one-time scheduled action is UTC. It uses the `Fn::Join` and `Ref` intrinsic functions to construct the `ResourceId` property with the logical name of the `AWS::EC2::SpotFleet` resource that is specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html). **Note** The Spot Fleet request must have a request type of `maintain`. Automatic scaling isn't supported for one-time requests or Spot blocks. ### JSON ``` { "Resources" : { "SpotFleetScalableTarget" : { "Type" : "AWS::ApplicationAutoScaling::ScalableTarget", "Properties" : { "MaxCapacity" : 0, "MinCapacity" : 0, "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest" }, "ServiceNamespace" : "ec2", "ScalableDimension" : "ec2:spot-fleet-request:TargetCapacity", "ResourceId" : { "Fn::Join" : [ "/", [ "spot-fleet-request", { "Ref" : "logicalName" } ] ] }, "ScheduledActions" : [ { "ScalableTargetAction" : { "MaxCapacity" : "10", "MinCapacity" : "10" }, "ScheduledActionName" : "my-scale-out-scheduled-action", "Schedule" : "at(2022-05-20T13:00:00)" }, { "ScalableTargetAction" : { "MaxCapacity" : "0", "MinCapacity" : "0" }, "ScheduledActionName" : "my-scale-in-scheduled-action", "Schedule" : "at(2022-05-20T21:00:00)" } ] } } } } ``` ### YAML ``` --- Resources: SpotFleetScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 0 MinCapacity: 0 RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest' ServiceNamespace: ec2 ScalableDimension: 'ec2:spot-fleet-request:TargetCapacity' ResourceId: !Join - / - - spot-fleet-request - !Ref logicalName ScheduledActions: - ScalableTargetAction: MaxCapacity: 10 MinCapacity: 10 ScheduledActionName: my-scale-out-scheduled-action Schedule: 'at(2022-05-20T13:00:00)' - ScalableTargetAction: MaxCapacity: 0 MinCapacity: 0 ScheduledActionName: my-scale-in-scheduled-action Schedule: 'at(2022-05-20T21:00:00)' ``` # AWS Billing Console template snippets This example creates one pricing plan with a 10% global markup pricing rule. This pricing plan is attached to the billing group. The billing group also has two custom line items which applies a \$110 charge and a 10% charge on top of the billing group total cost. ## JSON ``` 1. { 2. "Parameters": { 3. "LinkedAccountIds": { 4. "Type": "ListNumber" 5. }, 6. "PrimaryAccountId": { 7. "Type": "Number" 8. } 9. }, 10. "Resources": { 11. "TestPricingRule": { 12. "Type": "AWS::BillingConductor::PricingRule", 13. "Properties": { 14. "Name": "TestPricingRule", 15. "Description": "Test pricing rule created through Cloudformation. Mark everything by 10%.", 16. "Type": "MARKUP", 17. "Scope": "GLOBAL", 18. "ModifierPercentage": 10 19. } 20. }, 21. "TestPricingPlan": { 22. "Type": "AWS::BillingConductor::PricingPlan", 23. "Properties": { 24. "Name": "TestPricingPlan", 25. "Description": "Test pricing plan created through Cloudformation.", 26. "PricingRuleArns": [ 27. {"Fn::GetAtt": ["TestPricingRule", "Arn"]} 28. ] 29. } 30. }, 31. "TestBillingGroup": { 32. "Type": "AWS::BillingConductor::BillingGroup", 33. "Properties": { 34. "Name": "TestBillingGroup", 35. "Description": "Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.", 36. "PrimaryAccountId": { 37. "Ref": "PrimaryAccountId" 38. }, 39. "AccountGrouping": { 40. "LinkedAccountIds": null 41. }, 42. "ComputationPreference": { 43. "PricingPlanArn": { 44. "Fn::GetAtt": ["TestPricingPlan", "Arn"] 45. } 46. } 47. } 48. }, 49. "TestFlatCustomLineItem": { 50. "Type": "AWS::BillingConductor::CustomLineItem", 51. "Properties": { 52. "Name": "TestFlatCustomLineItem", 53. "Description": "Test flat custom line item created through Cloudformation for a $10 charge.", 54. "BillingGroupArn": { 55. "Fn::GetAtt": ["TestBillingGroup", "Arn"] 56. }, 57. "CustomLineItemChargeDetails": { 58. "Flat": { 59. "ChargeValue": 10 60. }, 61. "Type": "FEE" 62. } 63. } 64. }, 65. "TestPercentageCustomLineItem": { 66. "Type": "AWS::BillingConductor::CustomLineItem", 67. "Properties": { 68. "Name": "TestPercentageCustomLineItem", 69. "Description": "Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.", 70. "BillingGroupArn": { 71. "Fn::GetAtt": ["TestBillingGroup", "Arn"] 72. }, 73. "CustomLineItemChargeDetails": { 74. "Percentage": { 75. "PercentageValue": 10, 76. "ChildAssociatedResources": [ 77. {"Fn::GetAtt": ["TestBillingGroup", "Arn"]} 78. ] 79. }, 80. "Type": "FEE" 81. } 82. } 83. } 84. } 85. } ``` ## YAML ``` 1. Parameters: 2. LinkedAccountIds: 3. Type: ListNumber 4. PrimaryAccountId: 5. Type: Number 6. Resources: 7. TestPricingRule: 8. Type: AWS::BillingConductor::PricingRule 9. Properties: 10. Name: 'TestPricingRule' 11. Description: 'Test pricing rule created through Cloudformation. Mark everything by 10%.' 12. Type: 'MARKUP' 13. Scope: 'GLOBAL' 14. ModifierPercentage: 10 15. TestPricingPlan: 16. Type: AWS::BillingConductor::PricingPlan 17. Properties: 18. Name: 'TestPricingPlan' 19. Description: 'Test pricing plan created through Cloudformation.' 20. PricingRuleArns: 21. - !GetAtt TestPricingRule.Arn 22. TestBillingGroup: 23. Type: AWS::BillingConductor::BillingGroup 24. Properties: 25. Name: 'TestBillingGroup' 26. Description: 'Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.' 27. PrimaryAccountId: !Ref PrimaryAccountId 28. AccountGrouping: 29. LinkedAccountIds: !Ref LinkedAccountIds 30. ComputationPreference: 31. PricingPlanArn: !GetAtt TestPricingPlan.Arn 32. TestFlatCustomLineItem: 33. Type: AWS::BillingConductor::CustomLineItem 34. Properties: 35. Name: 'TestFlatCustomLineItem' 36. Description: 'Test flat custom line item created through Cloudformation for a $10 charge.' 37. BillingGroupArn: !GetAtt TestBillingGroup.Arn 38. CustomLineItemChargeDetails: 39. Flat: 40. ChargeValue: 10 41. Type: 'FEE' 42. TestPercentageCustomLineItem: 43. Type: AWS::BillingConductor::CustomLineItem 44. Properties: 45. Name: 'TestPercentageCustomLineItem' 46. Description: 'Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.' 47. BillingGroupArn: !GetAtt TestBillingGroup.Arn 48. CustomLineItemChargeDetails: 49. Percentage: 50. PercentageValue: 10 51. ChildAssociatedResources: 52. - !GetAtt TestBillingGroup.Arn 53. Type: 'FEE' ``` # CloudFormation template snippets **Topics** + [Nested stacks](#w2aac11c41c23b5) + [Wait condition](#w2aac11c41c23b7) ## Nested stacks ### Nesting a stack in a template This example template contains a nested stack resource called `myStack`. When CloudFormation creates a stack from the template, it creates the `myStack`, whose template is specified in the `TemplateURL` property. The output value `StackRef` returns the stack ID for `myStack` and the value `OutputFromNestedStack` returns the output value `BucketName` from within the `myStack` resource. The `Outputs.nestedstackoutputname` format is reserved for specifying output values from nested stacks and can be used anywhere within the containing template. For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html). #### JSON ``` 1. { 2. "AWSTemplateFormatVersion" : "2010-09-09", 3. "Resources" : { 4. "myStack" : { 5. "Type" : "AWS::CloudFormation::Stack", 6. "Properties" : { 7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template", 8. "TimeoutInMinutes" : "60" 9. } 10. } 11. }, 12. "Outputs": { 13. "StackRef": {"Value": { "Ref" : "myStack"}}, 14. "OutputFromNestedStack" : { 15. "Value" : { "Fn::GetAtt" : [ "myStack", "Outputs.BucketName" ] } 16. } 17. } 18. } ``` #### YAML ``` 1. AWSTemplateFormatVersion: '2010-09-09' 2. Resources: 3. myStack: 4. Type: AWS::CloudFormation::Stack 5. Properties: 6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template 7. TimeoutInMinutes: '60' 8. Outputs: 9. StackRef: 10. Value: !Ref myStack 11. OutputFromNestedStack: 12. Value: !GetAtt myStack.Outputs.BucketName ``` ### Nesting a stack with input parameters in a template This example template contains a stack resource that specifies input parameters. When CloudFormation creates a stack from this template, it uses the value pairs declared within the `Parameters` property as the input parameters for the template used to create the `myStackWithParams` stack. In this example, the `InstanceType` and `KeyName` parameters are specified. For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html). #### JSON ``` 1. { 2. "AWSTemplateFormatVersion" : "2010-09-09", 3. "Resources" : { 4. "myStackWithParams" : { 5. "Type" : "AWS::CloudFormation::Stack", 6. "Properties" : { 7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template", 8. "Parameters" : { 9. "InstanceType" : "t2.micro", 10. "KeyName" : "mykey" 11. } 12. } 13. } 14. } 15. } ``` #### YAML ``` 1. AWSTemplateFormatVersion: '2010-09-09' 2. Resources: 3. myStackWithParams: 4. Type: AWS::CloudFormation::Stack 5. Properties: 6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template 7. Parameters: 8. InstanceType: t2.micro 9. KeyName: mykey ``` ## Wait condition ### Using a wait condition with an Amazon EC2 instance **Important** For Amazon EC2 and Auto Scaling resources, we recommend that you use a CreationPolicy attribute instead of wait conditions. Add a CreationPolicy attribute to those resources, and use the cfn-signal helper script to signal when an instance creation process has completed successfully. If you can't use a creation policy, you view the following example template, which declares an Amazon EC2 instance with a wait condition. The `myWaitCondition` wait condition uses `myWaitConditionHandle` for signaling, uses the `DependsOn` attribute to specify that the wait condition will trigger after the Amazon EC2 instance resource has been created, and uses the `Timeout` property to specify a duration of 4500 seconds for the wait condition. In addition, the presigned URL that signals the wait condition is passed to the Amazon EC2 instance with the `UserData` property of the `Ec2Instance` resource, thus allowing an application or script running on that Amazon EC2 instance to retrieve the presigned URL and employ it to signal a success or failure to the wait condition. You need to use `cfn-signal` or create the application or script that signals the wait condition. The output value `ApplicationData` contains the data passed back from the wait condition signal. For more information, see [Create wait conditions in a CloudFormation template](using-cfn-waitcondition.md). #### JSON ``` 1. { 2. "AWSTemplateFormatVersion" : "2010-09-09", 3. "Mappings" : { 4. "RegionMap" : { 5. "us-east-1" : { 6. "AMI" : "ami-0123456789abcdef0" 7. }, 8. "us-west-1" : { 9. "AMI" : "ami-0987654321fedcba0" 10. }, 11. "eu-west-1" : { 12. "AMI" : "ami-0abcdef123456789a" 13. }, 14. "ap-northeast-1" : { 15. "AMI" : "ami-0fedcba987654321b" 16. }, 17. "ap-southeast-1" : { 18. "AMI" : "ami-0c1d2e3f4a5b6c7d8" 19. } 20. } 21. }, 22. "Resources" : { 23. "Ec2Instance" : { 24. "Type" : "AWS::EC2::Instance", 25. "Properties" : { 26. "UserData" : { "Fn::Base64" : {"Ref" : "myWaitHandle"}}, 27. "ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]} 28. } 29. }, 30. "myWaitHandle" : { 31. "Type" : "AWS::CloudFormation::WaitConditionHandle", 32. "Properties" : { 33. } 34. }, 35. "myWaitCondition" : { 36. "Type" : "AWS::CloudFormation::WaitCondition", 37. "DependsOn" : "Ec2Instance", 38. "Properties" : { 39. "Handle" : { "Ref" : "myWaitHandle" }, 40. "Timeout" : "4500" 41. } 42. } 43. }, 44. "Outputs" : { 45. "ApplicationData" : { 46. "Value" : { "Fn::GetAtt" : [ "myWaitCondition", "Data" ]}, 47. "Description" : "The data passed back as part of signalling the WaitCondition." 48. } 49. } 50. } ``` #### YAML ``` 1. AWSTemplateFormatVersion: '2010-09-09' 2. Mappings: 3. RegionMap: 4. us-east-1: 5. AMI: ami-0123456789abcdef0 6. us-west-1: 7. AMI: ami-0987654321fedcba0 8. eu-west-1: 9. AMI: ami-0abcdef123456789a 10. ap-northeast-1: 11. AMI: ami-0fedcba987654321b 12. ap-southeast-1: 13. AMI: ami-0c1d2e3f4a5b6c7d8 14. Resources: 15. Ec2Instance: 16. Type: AWS::EC2::Instance 17. Properties: 18. UserData: 19. Fn::Base64: !Ref myWaitHandle 20. ImageId: 21. Fn::FindInMap: 22. - RegionMap 23. - Ref: AWS::Region 24. - AMI 25. myWaitHandle: 26. Type: AWS::CloudFormation::WaitConditionHandle 27. Properties: {} 28. myWaitCondition: 29. Type: AWS::CloudFormation::WaitCondition 30. DependsOn: Ec2Instance 31. Properties: 32. Handle: !Ref myWaitHandle 33. Timeout: '4500' 34. Outputs: 35. ApplicationData: 36. Value: !GetAtt myWaitCondition.Data 37. Description: The data passed back as part of signalling the WaitCondition. ``` ### Using the cfn-signal helper script to signal a wait condition This example shows a `cfn-signal` command line that signals success to a wait condition. You need to define the command line in the `UserData` property of the EC2 instance. #### JSON ``` "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash -xe\n", "/opt/aws/bin/cfn-signal --exit-code 0 '", { "Ref": "myWaitHandle" }, "'\n" ] ] } } ``` #### YAML ``` UserData: Fn::Base64: !Sub | #!/bin/bash -xe /opt/aws/bin/cfn-signal --exit-code 0 '${myWaitHandle}' ``` ### Using Curl to signal a wait condition This example shows a Curl command line that signals success to a wait condition. ``` 1. curl -T /tmp/a "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D" ``` Where the file /tmp/a contains the following JSON structure: ``` 1. { 2. "Status" : "SUCCESS", 3. "Reason" : "Configuration Complete", 4. "UniqueId" : "ID1234", 5. "Data" : "Application has completed configuration." 6. } ``` This example shows a Curl command line that sends the same success signal except it sends the JSON as a parameter on the command line. ``` 1. curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" : "Configuration Complete","UniqueId" : "ID1234","Data" : "Application has completed configuration."}' "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D" ``` # Amazon CloudFront template snippets Use these sample template snippets with your Amazon CloudFront distribution resource in CloudFormation. For more information, see the [Amazon CloudFront resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudFront.html). **Topics** + [Amazon CloudFront distribution resource with an Amazon S3 origin](#scenario-cloudfront-s3origin) + [Amazon CloudFront distribution resource with custom origin](#scenario-cloudfront-customorigin) + [Amazon CloudFront distribution with multi-origin support](#scenario-cloudfront-multiorigin) + [Amazon CloudFront distribution with a Lambda function as origin](#scenario-cloudfront-lambda-origin) + [See also](#w2aac11c41c27c15) ## Amazon CloudFront distribution resource with an Amazon S3 origin The following example template shows an Amazon CloudFront [Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) using an [S3Origin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-s3originconfig.html) and legacy origin access identity (OAI). For information about using origin access control (OAC) instead, see [Restricting access to an Amazon Simple Storage Service origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*. ### JSON ``` 1. { 2. "AWSTemplateFormatVersion" : "2010-09-09", 3. "Resources" : { 4. "myDistribution" : { 5. "Type" : "AWS::CloudFront::Distribution", 6. "Properties" : { 7. "DistributionConfig" : { 8. "Origins" : [ { 9. "DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com", 10. "Id" : "myS3Origin", 11. "S3OriginConfig" : { 12. "OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z" 13. } 14. }], 15. "Enabled" : "true", 16. "Comment" : "Some comment", 17. "DefaultRootObject" : "index.html", 18. "Logging" : { 19. "IncludeCookies" : "false", 20. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com", 21. "Prefix" : "myprefix" 22. }, 23. "Aliases" : [ "mysite.example.com", "yoursite.example.com" ], 24. "DefaultCacheBehavior" : { 25. "AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ], 26. "TargetOriginId" : "myS3Origin", 27. "ForwardedValues" : { 28. "QueryString" : "false", 29. "Cookies" : { "Forward" : "none" } 30. }, 31. "TrustedSigners" : [ "1234567890EX", "1234567891EX" ], 32. "ViewerProtocolPolicy" : "allow-all" 33. }, 34. "PriceClass" : "PriceClass_200", 35. "Restrictions" : { 36. "GeoRestriction" : { 37. "RestrictionType" : "whitelist", 38. "Locations" : [ "AQ", "CV" ] 39. } 40. }, 41. "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" } 42. } 43. } 44. } 45. } 46. } ``` ### YAML ``` 1. AWSTemplateFormatVersion: '2010-09-09' 2. Resources: 3. myDistribution: 4. Type: AWS::CloudFront::Distribution 5. Properties: 6. DistributionConfig: 7. Origins: 8. - DomainName: amzn-s3-demo-bucket.s3.amazonaws.com 9. Id: myS3Origin 10. S3OriginConfig: 11. OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z 12. Enabled: 'true' 13. Comment: Some comment 14. DefaultRootObject: index.html 15. Logging: 16. IncludeCookies: 'false' 17. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com 18. Prefix: myprefix 19. Aliases: 20. - mysite.example.com 21. - yoursite.example.com 22. DefaultCacheBehavior: 23. AllowedMethods: 24. - DELETE 25. - GET 26. - HEAD 27. - OPTIONS 28. - PATCH 29. - POST 30. - PUT 31. TargetOriginId: myS3Origin 32. ForwardedValues: 33. QueryString: 'false' 34. Cookies: 35. Forward: none 36. TrustedSigners: 37. - 1234567890EX 38. - 1234567891EX 39. ViewerProtocolPolicy: allow-all 40. PriceClass: PriceClass_200 41. Restrictions: 42. GeoRestriction: 43. RestrictionType: whitelist 44. Locations: 45. - AQ 46. - CV 47. ViewerCertificate: 48. CloudFrontDefaultCertificate: 'true' ``` ## Amazon CloudFront distribution resource with custom origin The following example template shows an Amazon CloudFront [Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) using a [CustomOrigin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-customoriginconfig.html). ### JSON ``` 1. { 2. "AWSTemplateFormatVersion" : "2010-09-09", 3. "Resources" : { 4. "myDistribution" : { 5. "Type" : "AWS::CloudFront::Distribution", 6. "Properties" : { 7. "DistributionConfig" : { 8. "Origins" : [ { 9. "DomainName" : "www.example.com", 10. "Id" : "myCustomOrigin", 11. "CustomOriginConfig" : { 12. "HTTPPort" : "80", 13. "HTTPSPort" : "443", 14. "OriginProtocolPolicy" : "http-only" 15. } 16. } ], 17. "Enabled" : "true", 18. "Comment" : "Somecomment", 19. "DefaultRootObject" : "index.html", 20. "Logging" : { 21. "IncludeCookies" : "true", 22. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com", 23. "Prefix": "myprefix" 24. }, 25. "Aliases" : [ 26. "mysite.example.com", 27. "*.yoursite.example.com" 28. ], 29. "DefaultCacheBehavior" : { 30. "TargetOriginId" : "myCustomOrigin", 31. "SmoothStreaming" : "false", 32. "ForwardedValues" : { 33. "QueryString" : "false", 34. "Cookies" : { "Forward" : "all" } 35. }, 36. "TrustedSigners" : [ 37. "1234567890EX", 38. "1234567891EX" 39. ], 40. "ViewerProtocolPolicy" : "allow-all" 41. }, 42. "CustomErrorResponses" : [ { 43. "ErrorCode" : "404", 44. "ResponsePagePath" : "/error-pages/404.html", 45. "ResponseCode" : "200", 46. "ErrorCachingMinTTL" : "30" 47. } ], 48. "PriceClass" : "PriceClass_200", 49. "Restrictions" : { 50. "GeoRestriction" : { 51. "RestrictionType" : "whitelist", 52. "Locations" : [ "AQ", "CV" ] 53. } 54. }, 55. "ViewerCertificate": { "CloudFrontDefaultCertificate" : "true" } 56. } 57. } 58. } 59. } 60. } ``` ### YAML ``` 1. AWSTemplateFormatVersion: '2010-09-09' 2. Resources: 3. myDistribution: 4. Type: AWS::CloudFront::Distribution 5. Properties: 6. DistributionConfig: 7. Origins: 8. - DomainName: www.example.com 9. Id: myCustomOrigin 10. CustomOriginConfig: 11. HTTPPort: '80' 12. HTTPSPort: '443' 13. OriginProtocolPolicy: http-only 14. Enabled: 'true' 15. Comment: Somecomment 16. DefaultRootObject: index.html 17. Logging: 18. IncludeCookies: 'true' 19. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com 20. Prefix: myprefix 21. Aliases: 22. - mysite.example.com 23. - "*.yoursite.example.com" 24. DefaultCacheBehavior: 25. TargetOriginId: myCustomOrigin 26. SmoothStreaming: 'false' 27. ForwardedValues: 28. QueryString: 'false' 29. Cookies: 30. Forward: all 31. TrustedSigners: 32. - 1234567890EX 33. - 1234567891EX 34. ViewerProtocolPolicy: allow-all 35. CustomErrorResponses: 36. - ErrorCode: '404' 37. ResponsePagePath: "/error-pages/404.html" 38. ResponseCode: '200' 39. ErrorCachingMinTTL: '30' 40. PriceClass: PriceClass_200 41. Restrictions: 42. GeoRestriction: 43. RestrictionType: whitelist 44. Locations: 45. - AQ 46. - CV 47. ViewerCertificate: 48. CloudFrontDefaultCertificate: 'true' ``` ## Amazon CloudFront distribution with multi-origin support The following example template shows how to declare a CloudFront [Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) with multi-origin support. In the [DistributionConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-distributionconfig.html), a list of origins is provided and a [DefaultCacheBehavior](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.html) is set. ### JSON ``` { "AWSTemplateFormatVersion" : "2010-09-09", "Resources" : { "myDistribution" : { "Type" : "AWS::CloudFront::Distribution", "Properties" : { "DistributionConfig" : { "Origins" : [ { "Id" : "myS3Origin", "DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com", "S3OriginConfig" : { "OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z" } }, { "Id" : "myCustomOrigin", "DomainName" : "www.example.com", "CustomOriginConfig" : { "HTTPPort" : "80", "HTTPSPort" : "443", "OriginProtocolPolicy" : "http-only" } } ], "Enabled" : "true", "Comment" : "Some comment", "DefaultRootObject" : "index.html", "Logging" : { "IncludeCookies" : "true", "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com", "Prefix" : "myprefix" }, "Aliases" : [ "mysite.example.com", "yoursite.example.com" ], "DefaultCacheBehavior" : { "TargetOriginId" : "myS3Origin", "ForwardedValues" : { "QueryString" : "false", "Cookies" : { "Forward" : "all" } }, "TrustedSigners" : [ "1234567890EX", "1234567891EX" ], "ViewerProtocolPolicy" : "allow-all", "MinTTL" : "100", "SmoothStreaming" : "true" }, "CacheBehaviors" : [ { "AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ], "TargetOriginId" : "myS3Origin", "ForwardedValues" : { "QueryString" : "true", "Cookies" : { "Forward" : "none" } }, "TrustedSigners" : [ "1234567890EX", "1234567891EX" ], "ViewerProtocolPolicy" : "allow-all", "MinTTL" : "50", "PathPattern" : "images1/*.jpg" }, { "AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ], "TargetOriginId" : "myCustomOrigin", "ForwardedValues" : { "QueryString" : "true", "Cookies" : { "Forward" : "none" } }, "TrustedSigners" : [ "1234567890EX", "1234567891EX" ], "ViewerProtocolPolicy" : "allow-all", "MinTTL" : "50", "PathPattern" : "images2/*.jpg" } ], "CustomErrorResponses" : [ { "ErrorCode" : "404", "ResponsePagePath" : "/error-pages/404.html", "ResponseCode" : "200", "ErrorCachingMinTTL" : "30" } ], "PriceClass" : "PriceClass_All", "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" } } } } } } ``` ### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Resources: myDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Origins: - Id: myS3Origin DomainName: amzn-s3-demo-bucket.s3.amazonaws.com S3OriginConfig: OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z - Id: myCustomOrigin DomainName: www.example.com CustomOriginConfig: HTTPPort: '80' HTTPSPort: '443' OriginProtocolPolicy: http-only Enabled: 'true' Comment: Some comment DefaultRootObject: index.html Logging: IncludeCookies: 'true' Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com Prefix: myprefix Aliases: - mysite.example.com - yoursite.example.com DefaultCacheBehavior: TargetOriginId: myS3Origin ForwardedValues: QueryString: 'false' Cookies: Forward: all TrustedSigners: - 1234567890EX - 1234567891EX ViewerProtocolPolicy: allow-all MinTTL: '100' SmoothStreaming: 'true' CacheBehaviors: - AllowedMethods: - DELETE - GET - HEAD - OPTIONS - PATCH - POST - PUT TargetOriginId: myS3Origin ForwardedValues: QueryString: 'true' Cookies: Forward: none TrustedSigners: - 1234567890EX - 1234567891EX ViewerProtocolPolicy: allow-all MinTTL: '50' PathPattern: images1/*.jpg - AllowedMethods: - DELETE - GET - HEAD - OPTIONS - PATCH - POST - PUT TargetOriginId: myCustomOrigin ForwardedValues: QueryString: 'true' Cookies: Forward: none TrustedSigners: - 1234567890EX - 1234567891EX ViewerProtocolPolicy: allow-all MinTTL: '50' PathPattern: images2/*.jpg CustomErrorResponses: - ErrorCode: '404' ResponsePagePath: "/error-pages/404.html" ResponseCode: '200' ErrorCachingMinTTL: '30' PriceClass: PriceClass_All ViewerCertificate: CloudFrontDefaultCertificate: 'true' ``` ## Amazon CloudFront distribution with a Lambda function as origin The following example creates a CloudFront distribution that fronts a specified Lambda function URL (provided as a parameter), enabling HTTPS-only access, caching, compression, and global delivery. It configures the Lambda URL as a custom HTTPS origin and applies a standard AWS caching policy. The distribution is optimized for performance with HTTP/2 and IPv6 support and outputs the CloudFront domain name, allowing users to access the Lambda function through a secure, CDN-backed endpoint. For more information, see [Using Amazon CloudFront with AWS Lambda as origin to accelerate your web applications](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/) on the AWS Blog. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "LambdaEndpoint": { "Type": "String", "Description": "The Lambda function URL endpoint without the 'https://'" } }, "Resources": { "MyDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "PriceClass": "PriceClass_All", "HttpVersion": "http2", "IPV6Enabled": true, "Origins": [ { "DomainName": { "Ref": "LambdaEndpoint" }, "Id": "LambdaOrigin", "CustomOriginConfig": { "HTTPSPort": 443, "OriginProtocolPolicy": "https-only" } } ], "Enabled": "true", "DefaultCacheBehavior": { "TargetOriginId": "LambdaOrigin", "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", "ViewerProtocolPolicy": "redirect-to-https", "SmoothStreaming": "false", "Compress": "true" } } } } }, "Outputs": { "CloudFrontDomain": { "Description": "CloudFront default domain name configured", "Value": { "Fn::Sub": "https://${MyDistribution.DomainName}/" } } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Parameters: LambdaEndpoint: Type: String Description: The Lambda function URL endpoint without the 'https://' Resources: MyDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: PriceClass: PriceClass_All HttpVersion: http2 IPV6Enabled: true Origins: - DomainName: !Ref LambdaEndpoint Id: LambdaOrigin CustomOriginConfig: HTTPSPort: 443 OriginProtocolPolicy: https-only Enabled: 'true' DefaultCacheBehavior: TargetOriginId: LambdaOrigin CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6' ViewerProtocolPolicy: redirect-to-https SmoothStreaming: 'false' Compress: 'true' Outputs: CloudFrontDomain: Description: CloudFront default domain name configured Value: !Sub https://${MyDistribution.DomainName}/ ``` ## See also For an example of adding a custom alias to a Route 53 record to make a friendly name for a CloudFront distribution, see [Alias resource record set for a CloudFront distribution](quickref-route53.md#scenario-user-friendly-url-for-cloudfront-distribution). # Amazon CloudWatch template snippets Use these sample template snippets to help describe your Amazon CloudWatch resources in CloudFormation. For more information, see the [Amazon CloudWatch resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudWatch.html). **Topics** + [Billing alarm](#cloudwatch-sample-billing-alarm) + [CPU utilization alarm](#cloudwatch-sample-cpu-utilization-alarm) + [Recover an Amazon Elastic Compute Cloud instance](#cloudwatch-sample-recover-instance) + [Create a basic dashboard](#cloudwatch-sample-dashboard-basic) + [Create a dashboard with side-by-side widgets](#cloudwatch-sample-dashboard-sidebyside) ## Billing alarm In the following sample, Amazon CloudWatch sends an email notification when charges to your AWS account exceed the alarm threshold. To receive usage notifications, enable billing alerts. For more information, see [Create a billing alarm to monitor your estimated AWS charges](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html) in the *Amazon CloudWatch User Guide*.> ### JSON ``` "SpendingAlarm": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmDescription": { "Fn::Join": ["", [ "Alarm if AWS spending is over $", { "Ref": "AlarmThreshold" } ]]}, "Namespace": "AWS/Billing", "MetricName": "EstimatedCharges", "Dimensions": [{ "Name": "Currency", "Value" : "USD" }], "Statistic": "Maximum", "Period": "21600", "EvaluationPeriods": "1", "Threshold": { "Ref": "AlarmThreshold" }, "ComparisonOperator": "GreaterThanThreshold", "AlarmActions": [{ "Ref": "BillingAlarmNotification" }], "InsufficientDataActions": [{ "Ref": "BillingAlarmNotification" }] } } ``` ### YAML ``` SpendingAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: 'Fn::Join': - '' - - Alarm if AWS spending is over $ - !Ref: AlarmThreshold Namespace: AWS/Billing MetricName: EstimatedCharges Dimensions: - Name: Currency Value: USD Statistic: Maximum Period: '21600' EvaluationPeriods: '1' Threshold: !Ref: "AlarmThreshold" ComparisonOperator: GreaterThanThreshold AlarmActions: - !Ref: "BillingAlarmNotification" InsufficientDataActions: - !Ref: "BillingAlarmNotification" ``` ## CPU utilization alarm The following sample snippet creates an alarm that sends a notification when the average CPU utilization of an Amazon EC2 instance exceeds 90 percent for more than 60 seconds over three evaluation periods. ### JSON ``` 1. "CPUAlarm" : { 2. "Type" : "AWS::CloudWatch::Alarm", 3. "Properties" : { 4. "AlarmDescription" : "CPU alarm for my instance", 5. "AlarmActions" : [ { "Ref" : "logical name of an AWS::SNS::Topic resource" } ], 6. "MetricName" : "CPUUtilization", 7. "Namespace" : "AWS/EC2", 8. "Statistic" : "Average", 9. "Period" : "60", 10. "EvaluationPeriods" : "3", 11. "Threshold" : "90", 12. "ComparisonOperator" : "GreaterThanThreshold", 13. "Dimensions" : [ { 14. "Name" : "InstanceId", 15. "Value" : { "Ref" : "logical name of an AWS::EC2::Instance resource" } 16. } ] 17. } 18. } ``` ### YAML ``` 1. CPUAlarm: 2. Type: AWS::CloudWatch::Alarm 3. Properties: 4. AlarmDescription: CPU alarm for my instance 5. AlarmActions: 6. - !Ref: "logical name of an AWS::SNS::Topic resource" 7. MetricName: CPUUtilization 8. Namespace: AWS/EC2 9. Statistic: Average 10. Period: '60' 11. EvaluationPeriods: '3' 12. Threshold: '90' 13. ComparisonOperator: GreaterThanThreshold 14. Dimensions: 15. - Name: InstanceId 16. Value: !Ref: "logical name of an AWS::EC2::Instance resource" ``` ## Recover an Amazon Elastic Compute Cloud instance The following CloudWatch alarm recovers an EC2 instance when it has status check failures for 15 consecutive minutes. For more information about alarm actions, see [Create alarms to stop, terminate, reboot, or recover an EC2 instance](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html) in the *Amazon CloudWatch User Guide*. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters" : { "RecoveryInstance" : { "Description" : "The EC2 instance ID to associate this alarm with.", "Type" : "AWS::EC2::Instance::Id" } }, "Resources": { "RecoveryTestAlarm": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmDescription": "Trigger a recovery when instance status check fails for 15 consecutive minutes.", "Namespace": "AWS/EC2" , "MetricName": "StatusCheckFailed_System", "Statistic": "Minimum", "Period": "60", "EvaluationPeriods": "15", "ComparisonOperator": "GreaterThanThreshold", "Threshold": "0", "AlarmActions": [ {"Fn::Join" : ["", ["arn:aws:automate:", { "Ref" : "AWS::Region" }, ":ec2:recover" ]]} ], "Dimensions": [{"Name": "InstanceId","Value": {"Ref": "RecoveryInstance"}}] } } } } ``` ### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Parameters: RecoveryInstance: Description: The EC2 instance ID to associate this alarm with. Type: AWS::EC2::Instance::Id Resources: RecoveryTestAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Trigger a recovery when instance status check fails for 15 consecutive minutes. Namespace: AWS/EC2 MetricName: StatusCheckFailed_System Statistic: Minimum Period: '60' EvaluationPeriods: '15' ComparisonOperator: GreaterThanThreshold Threshold: '0' AlarmActions: [ !Sub "arn:aws:automate:${AWS::Region}:ec2:recover" ] Dimensions: - Name: InstanceId Value: !Ref: RecoveryInstance ``` ## Create a basic dashboard The following example creates a simple CloudWatch dashboard with one metric widget displaying CPU utilization, and one text widget displaying a message. ### JSON ``` { "BasicDashboard": { "Type": "AWS::CloudWatch::Dashboard", "Properties": { "DashboardName": "Dashboard1", "DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"text\",\"x\":0,\"y\":7,\"width\":3,\"height\":3,\"properties\":{\"markdown\":\"Hello world\"}}]}" } } } ``` ### YAML ``` BasicDashboard: Type: AWS::CloudWatch::Dashboard Properties: DashboardName: Dashboard1 DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"text","x":0,"y":7,"width":3,"height":3,"properties":{"markdown":"Hello world"}}]}' ``` ## Create a dashboard with side-by-side widgets The following example creates a dashboard with two metric widgets that appear side by side. ### JSON ``` { "DashboardSideBySide": { "Type": "AWS::CloudWatch::Dashboard", "Properties": { "DashboardName": "Dashboard1", "DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"metric\",\"x\":12,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/S3\",\"BucketSizeBytes\",\"BucketName\",\"amzn-s3-demo-bucket\"]],\"period\":86400,\"stat\":\"Maximum\",\"region\":\"us-east-1\",\"title\":\"amzn-s3-demo-bucket bytes\"}}]}" } } } ``` ### YAML ``` DashboardSideBySide: Type: AWS::CloudWatch::Dashboard Properties: DashboardName: Dashboard1 DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"metric","x":12,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/S3","BucketSizeBytes","BucketName","amzn-s3-demo-bucket"]],"period":86400,"stat":"Maximum","region":"us-east-1","title":"amzn-s3-demo-bucket bytes"}}]}' ``` # Amazon CloudWatch Logs template snippets Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances or other sources. You can use CloudFormation to provision and manage log groups and metric filters. For more information about Amazon CloudWatch Logs, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). **Topics** + [Send logs to CloudWatch Logs from a Linux instance](#quickref-cloudwatchlogs-example1) + [Send logs to CloudWatch Logs from a Windows instance](#quickref-cloudwatchlogs-example2) + [See also](#w2aac11c41c35c11) ## Send logs to CloudWatch Logs from a Linux instance The following template demonstrates how to set up a web server on Amazon Linux 2023 with CloudWatch Logs integration. The template performs the following tasks: + Installs Apache and PHP. + Configures the CloudWatch agent to forward Apache access logs to CloudWatch Logs. + Sets up an IAM role to allow the CloudWatch agent to send log data to CloudWatch Logs. + Creates custom alarms and notifications to monitor for 404 errors or high bandwidth usage. Log events from the web server provide metric data for CloudWatch alarms. The two metric filters describe how the log information is transformed into CloudWatch metrics. The 404 metric counts the number of 404 occurrences. The size metric tracks the size of a request. The two CloudWatch alarms will send notifications if there are more than two 404s within 2 minutes or if the average request size is over 3500 KB over 10 minutes. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.", "Parameters": { "KeyName": { "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances", "Type": "AWS::EC2::KeyPair::KeyName", "ConstraintDescription": "must be the name of an existing EC2 KeyPair." }, "SSHLocation": { "Description": "The IP address range that can be used to SSH to the EC2 instances", "Type": "String", "MinLength": "9", "MaxLength": "18", "Default": "0.0.0.0/0", "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x." }, "OperatorEmail": { "Description": "Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)", "Type": "String" } }, "Resources": { "LogRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/", "Policies": [ { "PolicyName": "LogRolePolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": "*" } ] } } ] } }, "LogRoleInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [{"Ref": "LogRole"}] } }, "WebServerSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Enable HTTP access via port 80 and SSH access via port 22", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }, { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "SSHLocation"} } ] } }, "WebServerHost": { "Type": "AWS::EC2::Instance", "Metadata": { "Comment": "Install a simple PHP application on Amazon Linux 2023", "AWS::CloudFormation::Init": { "config": { "packages": { "dnf": { "httpd": [], "php": [], "php-fpm": [] } }, "files": { "/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json": { "content": { "logs": { "logs_collected": { "files": { "collect_list": [{ "file_path": "/var/log/httpd/access_log", "log_group_name": {"Ref": "WebServerLogGroup"}, "log_stream_name": "{instance_id}/apache.log", "timestamp_format": "%d/%b/%Y:%H:%M:%S %z" }] } } } }, "mode": "000644", "owner": "root", "group": "root" }, "/var/www/html/index.php": { "content": "AWS CloudFormation sample PHP application on Amazon Linux 2023';\n?>\n", "mode": "000644", "owner": "apache", "group": "apache" }, "/etc/cfn/cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", {"Ref": "AWS::StackId"}, "\n", "region=", {"Ref": "AWS::Region"}, "\n" ] ] }, "mode": "000400", "owner": "root", "group": "root" }, "/etc/cfn/hooks.d/cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ "[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init\n", "action=/opt/aws/bin/cfn-init -s ", {"Ref": "AWS::StackId"}, " -r WebServerHost ", " --region ", {"Ref": "AWS::Region"}, "\n", "runas=root\n" ] ] } } }, "services": { "systemd": { "httpd": { "enabled": "true", "ensureRunning": "true" }, "php-fpm": { "enabled": "true", "ensureRunning": "true" } } } } } }, "CreationPolicy": { "ResourceSignal": { "Timeout": "PT5M" } }, "Properties": { "ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}", "KeyName": {"Ref": "KeyName"}, "InstanceType": "t3.micro", "SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}], "IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"}, "UserData": {"Fn::Base64": {"Fn::Join": [ "", [ "#!/bin/bash\n", "dnf update -y aws-cfn-bootstrap\n", "dnf install -y amazon-cloudwatch-agent\n", "/opt/aws/bin/cfn-init -v --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n", "\n", "# Verify Apache log directory exists and create if needed\n", "mkdir -p /var/log/httpd\n", "\n", "# Start CloudWatch agent\n", "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s\n", "\n", "# Signal success\n", "/opt/aws/bin/cfn-signal -e $? --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n" ]]}} } }, "WebServerLogGroup": { "Type": "AWS::Logs::LogGroup", "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain", "Properties": { "RetentionInDays": 7 } }, "404MetricFilter": { "Type": "AWS::Logs::MetricFilter", "Properties": { "LogGroupName": {"Ref": "WebServerLogGroup"}, "FilterPattern": "[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]", "MetricTransformations": [ { "MetricValue": "1", "MetricNamespace": "test/404s", "MetricName": "test404Count" } ] } }, "BytesTransferredMetricFilter": { "Type": "AWS::Logs::MetricFilter", "Properties": { "LogGroupName": {"Ref": "WebServerLogGroup"}, "FilterPattern": "[ip, identity, user_id, timestamp, request, status_code, size, ...]", "MetricTransformations": [ { "MetricValue": "$size", "MetricNamespace": "test/BytesTransferred", "MetricName": "testBytesTransferred" } ] } }, "404Alarm": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmDescription": "The number of 404s is greater than 2 over 2 minutes", "MetricName": "test404Count", "Namespace": "test/404s", "Statistic": "Sum", "Period": "60", "EvaluationPeriods": "2", "Threshold": "2", "AlarmActions": [{"Ref": "AlarmNotificationTopic"}], "ComparisonOperator": "GreaterThanThreshold" } }, "BandwidthAlarm": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmDescription": "The average volume of traffic is greater 3500 KB over 10 minutes", "MetricName": "testBytesTransferred", "Namespace": "test/BytesTransferred", "Statistic": "Average", "Period": "300", "EvaluationPeriods": "2", "Threshold": "3500", "AlarmActions": [{"Ref": "AlarmNotificationTopic"}], "ComparisonOperator": "GreaterThanThreshold" } }, "AlarmNotificationTopic": { "Type": "AWS::SNS::Topic", "Properties": { "Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}] } } }, "Outputs": { "InstanceId": { "Description": "The instance ID of the web server", "Value": {"Ref": "WebServerHost"} }, "WebsiteURL": { "Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"}, "Description": "URL for the web server" }, "PublicIP": { "Description": "Public IP address of the web server", "Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"] } }, "CloudWatchLogGroupName": { "Description": "The name of the CloudWatch log group", "Value": {"Ref": "WebServerLogGroup"} } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance. Parameters: KeyName: Description: Name of an existing EC2 KeyPair to enable SSH access to the instances Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: must be the name of an existing EC2 KeyPair. SSHLocation: Description: The IP address range that can be used to SSH to the EC2 instances Type: String MinLength: '9' MaxLength: '18' Default: 0.0.0.0/0 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. OperatorEmail: Description: Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage) Type: String Resources: LogRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: LogRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:PutLogEvents' - 'logs:DescribeLogStreams' - 'logs:DescribeLogGroups' - 'logs:CreateLogGroup' - 'logs:CreateLogStream' Resource: '*' LogRoleInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref LogRole WebServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable HTTP access via port 80 and SSH access via port 22 SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref SSHLocation WebServerHost: Type: AWS::EC2::Instance Metadata: Comment: Install a simple PHP application on Amazon Linux 2023 'AWS::CloudFormation::Init': config: packages: dnf: httpd: [] php: [] php-fpm: [] files: /etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json: content: !Sub | { "logs": { "logs_collected": { "files": { "collect_list": [ { "file_path": "/var/log/httpd/access_log", "log_group_name": "${WebServerLogGroup}", "log_stream_name": "{instance_id}/apache.log", "timestamp_format": "%d/%b/%Y:%H:%M:%S %z" } ] } } } } mode: '000644' owner: root group: root /var/www/html/index.php: content: | AWS CloudFormation sample PHP application on Amazon Linux 2023'; ?> mode: '000644' owner: apache group: apache /etc/cfn/cfn-hup.conf: content: !Sub | [main] stack=${AWS::StackId} region=${AWS::Region} mode: '000400' owner: root group: root /etc/cfn/hooks.d/cfn-auto-reloader.conf: content: !Sub | [cfn-auto-reloader-hook] triggers=post.update path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerHost --region ${AWS::Region} runas=root services: systemd: httpd: enabled: 'true' ensureRunning: 'true' php-fpm: enabled: 'true' ensureRunning: 'true' CreationPolicy: ResourceSignal: Timeout: PT5M Properties: ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}' KeyName: !Ref KeyName InstanceType: t3.micro SecurityGroupIds: - !Ref WebServerSecurityGroup IamInstanceProfile: !Ref LogRoleInstanceProfile UserData: !Base64 Fn::Sub: | #!/bin/bash dnf update -y aws-cfn-bootstrap dnf install -y amazon-cloudwatch-agent /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region} # Verify Apache log directory exists and create if needed mkdir -p /var/log/httpd # Start CloudWatch agent /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s # Signal success /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region} echo "Done" WebServerLogGroup: Type: AWS::Logs::LogGroup DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: RetentionInDays: 7 404MetricFilter: Type: AWS::Logs::MetricFilter Properties: LogGroupName: !Ref WebServerLogGroup FilterPattern: >- [ip, identity, user_id, timestamp, request, status_code = 404, size, ...] MetricTransformations: - MetricValue: '1' MetricNamespace: test/404s MetricName: test404Count BytesTransferredMetricFilter: Type: AWS::Logs::MetricFilter Properties: LogGroupName: !Ref WebServerLogGroup FilterPattern: '[ip, identity, user_id, timestamp, request, status_code, size, ...]' MetricTransformations: - MetricValue: $size MetricNamespace: test/BytesTransferred MetricName: testBytesTransferred 404Alarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: The number of 404s is greater than 2 over 2 minutes MetricName: test404Count Namespace: test/404s Statistic: Sum Period: '60' EvaluationPeriods: '2' Threshold: '2' AlarmActions: - !Ref AlarmNotificationTopic ComparisonOperator: GreaterThanThreshold BandwidthAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: The average volume of traffic is greater 3500 KB over 10 minutes MetricName: testBytesTransferred Namespace: test/BytesTransferred Statistic: Average Period: '300' EvaluationPeriods: '2' Threshold: '3500' AlarmActions: - !Ref AlarmNotificationTopic ComparisonOperator: GreaterThanThreshold AlarmNotificationTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: !Ref OperatorEmail Protocol: email Outputs: InstanceId: Description: The instance ID of the web server Value: !Ref WebServerHost WebsiteURL: Value: !Sub 'http://${WebServerHost.PublicDnsName}' Description: URL for the web server PublicIP: Description: Public IP address of the web server Value: !GetAtt WebServerHost.PublicIp CloudWatchLogGroupName: Description: The name of the CloudWatch log group Value: !Ref WebServerLogGroup ``` ## Send logs to CloudWatch Logs from a Windows instance The following template configures CloudWatch Logs for a Windows 2012R2 instance. The CloudWatch Logs agent on Windows (SSM agent on Windows 2012R2 and Windows 2016 AMIs) only sends logs after it's started, so any logs that are generated before startup aren't sent. To work around this, the template helps to ensure that the agent starts before any logs are written by: + Configuring the agent setup as the first `config` item in cfn-init `configSets`. + Using `waitAfterCompletion` to insert a pause after the command that starts the agent. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.", "Parameters": { "KeyPair": { "Description": "Name of an existing EC2 KeyPair to enable RDP access to the instances", "Type": "AWS::EC2::KeyPair::KeyName", "ConstraintDescription": "must be the name of an existing EC2 KeyPair." }, "RDPLocation": { "Description": "The IP address range that can be used to RDP to the EC2 instances", "Type": "String", "MinLength": "9", "MaxLength": "18", "Default": "0.0.0.0/0", "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x." }, "OperatorEmail": { "Description": "Email address to notify when CloudWatch alarms are triggered (404 errors)", "Type": "String" } }, "Resources": { "WebServerSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Enable HTTP access via port 80 and RDP access via port 3389", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0" }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": {"Ref": "RDPLocation"} } ] } }, "LogRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ], "Path": "/", "Policies": [ { "PolicyName": "LogRolePolicy", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:Create*", "logs:PutLogEvents", "s3:GetObject" ], "Resource": [ "arn:aws:logs:*:*:*", "arn:aws:s3:::*" ] } ] } } ] } }, "LogRoleInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [{"Ref": "LogRole"}] } }, "WebServerHost": { "Type": "AWS::EC2::Instance", "CreationPolicy": { "ResourceSignal": { "Timeout": "PT15M" } }, "Metadata": { "AWS::CloudFormation::Init": { "configSets": { "config": [ "00-ConfigureCWLogs", "01-InstallWebServer", "02-ConfigureApplication", "03-Finalize" ] }, "00-ConfigureCWLogs": { "files": { "C:\\Program Files\\Amazon\\SSM\\Plugins\\awsCloudWatch\\AWS.EC2.Windows.CloudWatch.json": { "content": { "EngineConfiguration": { "Components": [ { "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "ApplicationEventLog", "Parameters": { "Levels": "7", "LogName": "Application" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "SystemEventLog", "Parameters": { "Levels": "7", "LogName": "System" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "SecurityEventLog", "Parameters": { "Levels": "7", "LogName": "Security" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "EC2ConfigLog", "Parameters": { "CultureName": "en-US", "Encoding": "ASCII", "Filter": "EC2ConfigLog.txt", "LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs", "TimeZoneKind": "UTC", "TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "CfnInitLog", "Parameters": { "CultureName": "en-US", "Encoding": "ASCII", "Filter": "cfn-init.log", "LogDirectoryPath": "C:\\cfn\\log", "TimeZoneKind": "Local", "TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "IISLogs", "Parameters": { "CultureName": "en-US", "Encoding": "UTF-8", "Filter": "", "LineCount": "3", "LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1", "TimeZoneKind": "UTC", "TimestampFormat": "yyyy-MM-dd HH:mm:ss" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "MemoryPerformanceCounter", "Parameters": { "CategoryName": "Memory", "CounterName": "Available MBytes", "DimensionName": "", "DimensionValue": "", "InstanceName": "", "MetricName": "Memory", "Unit": "Megabytes" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchApplicationEventLog", "Parameters": { "AccessKey": "", "LogGroup": {"Ref": "LogGroup"}, "LogStream": "{instance_id}/ApplicationEventLog", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchSystemEventLog", "Parameters": { "AccessKey": "", "LogGroup": {"Ref": "LogGroup"}, "LogStream": "{instance_id}/SystemEventLog", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchSecurityEventLog", "Parameters": { "AccessKey": "", "LogGroup": {"Ref": "LogGroup"}, "LogStream": "{instance_id}/SecurityEventLog", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchEC2ConfigLog", "Parameters": { "AccessKey": "", "LogGroup": {"Ref": "LogGroup"}, "LogStream": "{instance_id}/EC2ConfigLog", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchCfnInitLog", "Parameters": { "AccessKey": "", "LogGroup": {"Ref": "LogGroup"}, "LogStream": "{instance_id}/CfnInitLog", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchIISLogs", "Parameters": { "AccessKey": "", "LogGroup": {"Ref": "LogGroup"}, "LogStream": "{instance_id}/IISLogs", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatch", "Parameters": { "AccessKey": "", "NameSpace": "Windows/Default", "Region": {"Ref": "AWS::Region"}, "SecretKey": "" } } ], "Flows": { "Flows": [ "ApplicationEventLog,CloudWatchApplicationEventLog", "SystemEventLog,CloudWatchSystemEventLog", "SecurityEventLog,CloudWatchSecurityEventLog", "EC2ConfigLog,CloudWatchEC2ConfigLog", "CfnInitLog,CloudWatchCfnInitLog", "IISLogs,CloudWatchIISLogs", "MemoryPerformanceCounter,CloudWatch" ] }, "PollInterval": "00:00:05" }, "IsEnabled": true } } }, "commands": { "0-enableSSM": { "command": "powershell.exe -Command \"Set-Service -Name AmazonSSMAgent -StartupType Automatic\" ", "waitAfterCompletion": "0" }, "1-restartSSM": { "command": "powershell.exe -Command \"Restart-Service AmazonSSMAgent \"", "waitAfterCompletion": "30" } } }, "01-InstallWebServer": { "commands": { "01_install_webserver": { "command": "powershell.exe -Command \"Install-WindowsFeature Web-Server -IncludeAllSubFeature\"", "waitAfterCompletion": "0" } } }, "02-ConfigureApplication": { "files": { "c:\\Inetpub\\wwwroot\\index.htm": { "content": " Test Application Page

Congratulations!! Your IIS server is configured.

" } } }, "03-Finalize": { "commands": { "00_signal_success": { "command": { "Fn::Sub": "cfn-signal.exe -e 0 --resource WebServerHost --stack ${AWS::StackName} --region ${AWS::Region}" }, "waitAfterCompletion": "0" } } } } }, "Properties": { "KeyName": { "Ref": "KeyPair" }, "ImageId": "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}", "InstanceType": "t2.xlarge", "SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}], "IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"}, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "LogGroup": { "Type": "AWS::Logs::LogGroup", "Properties": { "RetentionInDays": 7 } }, "404MetricFilter": { "Type": "AWS::Logs::MetricFilter", "Properties": { "LogGroupName": {"Ref": "LogGroup"}, "FilterPattern": "[timestamps, serverip, method, uri, query, port, dash, clientip, useragent, status_code = 404, ...]", "MetricTransformations": [ { "MetricValue": "1", "MetricNamespace": "test/404s", "MetricName": "test404Count" } ] } }, "404Alarm": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmDescription": "The number of 404s is greater than 2 over 2 minutes", "MetricName": "test404Count", "Namespace": "test/404s", "Statistic": "Sum", "Period": "60", "EvaluationPeriods": "2", "Threshold": "2", "AlarmActions": [{"Ref": "AlarmNotificationTopic"}], "ComparisonOperator": "GreaterThanThreshold" } }, "AlarmNotificationTopic": { "Type": "AWS::SNS::Topic", "Properties": { "Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}] } } }, "Outputs": { "InstanceId": { "Description": "The instance ID of the web server", "Value": {"Ref": "WebServerHost"} }, "WebsiteURL": { "Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"}, "Description": "URL for the web server" }, "PublicIP": { "Description": "Public IP address of the web server", "Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]} }, "CloudWatchLogGroupName": { "Description": "The name of the CloudWatch log group", "Value": {"Ref": "LogGroup"} } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: >- Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance. Parameters: KeyPair: Description: Name of an existing EC2 KeyPair to enable RDP access to the instances Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: must be the name of an existing EC2 KeyPair. RDPLocation: Description: The IP address range that can be used to RDP to the EC2 instances Type: String MinLength: '9' MaxLength: '18' Default: 0.0.0.0/0 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. OperatorEmail: Description: Email address to notify when CloudWatch alarms are triggered (404 errors) Type: String Resources: WebServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable HTTP access via port 80 and RDP access via port 3389 SecurityGroupIngress: - IpProtocol: tcp FromPort: '80' ToPort: '80' CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: '3389' ToPort: '3389' CidrIp: !Ref RDPLocation LogRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - 'sts:AssumeRole' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore' Path: / Policies: - PolicyName: LogRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:Create*' - 'logs:PutLogEvents' - 's3:GetObject' Resource: - 'arn:aws:logs:*:*:*' - 'arn:aws:s3:::*' LogRoleInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref LogRole WebServerHost: Type: AWS::EC2::Instance CreationPolicy: ResourceSignal: Timeout: PT15M Metadata: 'AWS::CloudFormation::Init': configSets: config: - 00-ConfigureCWLogs - 01-InstallWebServer - 02-ConfigureApplication - 03-Finalize 00-ConfigureCWLogs: files: 'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json': content: !Sub | { "EngineConfiguration": { "Components": [ { "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "ApplicationEventLog", "Parameters": { "Levels": "7", "LogName": "Application" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "SystemEventLog", "Parameters": { "Levels": "7", "LogName": "System" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "SecurityEventLog", "Parameters": { "Levels": "7", "LogName": "Security" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "EC2ConfigLog", "Parameters": { "CultureName": "en-US", "Encoding": "ASCII", "Filter": "EC2ConfigLog.txt", "LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs", "TimeZoneKind": "UTC", "TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "CfnInitLog", "Parameters": { "CultureName": "en-US", "Encoding": "ASCII", "Filter": "cfn-init.log", "LogDirectoryPath": "C:\\cfn\\log", "TimeZoneKind": "Local", "TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "IISLogs", "Parameters": { "CultureName": "en-US", "Encoding": "UTF-8", "Filter": "", "LineCount": "3", "LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1", "TimeZoneKind": "UTC", "TimestampFormat": "yyyy-MM-dd HH:mm:ss" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch", "Id": "MemoryPerformanceCounter", "Parameters": { "CategoryName": "Memory", "CounterName": "Available MBytes", "DimensionName": "", "DimensionValue": "", "InstanceName": "", "MetricName": "Memory", "Unit": "Megabytes" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchApplicationEventLog", "Parameters": { "AccessKey": "", "LogGroup": "${LogGroup}", "LogStream": "{instance_id}/ApplicationEventLog", "Region": "${AWS::Region}", "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchSystemEventLog", "Parameters": { "AccessKey": "", "LogGroup": "${LogGroup}", "LogStream": "{instance_id}/SystemEventLog", "Region": "${AWS::Region}", "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchSecurityEventLog", "Parameters": { "AccessKey": "", "LogGroup": "${LogGroup}", "LogStream": "{instance_id}/SecurityEventLog", "Region": "${AWS::Region}", "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchEC2ConfigLog", "Parameters": { "AccessKey": "", "LogGroup": "${LogGroup}", "LogStream": "{instance_id}/EC2ConfigLog", "Region": "${AWS::Region}", "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchCfnInitLog", "Parameters": { "AccessKey": "", "LogGroup": "${LogGroup}", "LogStream": "{instance_id}/CfnInitLog", "Region": "${AWS::Region}", "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatchIISLogs", "Parameters": { "AccessKey": "", "LogGroup": "${LogGroup}", "LogStream": "{instance_id}/IISLogs", "Region": "${AWS::Region}", "SecretKey": "" } }, { "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch", "Id": "CloudWatch", "Parameters": { "AccessKey": "", "NameSpace": "Windows/Default", "Region": "${AWS::Region}", "SecretKey": "" } } ], "Flows": { "Flows": [ "ApplicationEventLog,CloudWatchApplicationEventLog", "SystemEventLog,CloudWatchSystemEventLog", "SecurityEventLog,CloudWatchSecurityEventLog", "EC2ConfigLog,CloudWatchEC2ConfigLog", "CfnInitLog,CloudWatchCfnInitLog", "IISLogs,CloudWatchIISLogs", "MemoryPerformanceCounter,CloudWatch" ] }, "PollInterval": "00:00:05" }, "IsEnabled": true } commands: 0-enableSSM: command: >- powershell.exe -Command "Set-Service -Name AmazonSSMAgent -StartupType Automatic" waitAfterCompletion: '0' 1-restartSSM: command: powershell.exe -Command "Restart-Service AmazonSSMAgent " waitAfterCompletion: '30' 01-InstallWebServer: commands: 01_install_webserver: command: >- powershell.exe -Command "Install-WindowsFeature Web-Server -IncludeAllSubFeature" waitAfterCompletion: '0' 02-ConfigureApplication: files: 'c:\Inetpub\wwwroot\index.htm': content: >- Test Application Page

Congratulations !! Your IIS server is configured.

03-Finalize: commands: 00_signal_success: command: !Sub >- cfn-signal.exe -e 0 --resource WebServerHost --stack ${AWS::StackName} --region ${AWS::Region} waitAfterCompletion: '0' Properties: KeyName: !Ref KeyPair ImageId: "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}" InstanceType: t2.xlarge SecurityGroupIds: - !Ref WebServerSecurityGroup IamInstanceProfile: !Ref LogRoleInstanceProfile UserData: !Base64 'Fn::Sub': > LogGroup: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 7 404MetricFilter: Type: AWS::Logs::MetricFilter Properties: LogGroupName: !Ref LogGroup FilterPattern: >- [timestamps, serverip, method, uri, query, port, dash, clientip, useragent, status_code = 404, ...] MetricTransformations: - MetricValue: '1' MetricNamespace: test/404s MetricName: test404Count 404Alarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: The number of 404s is greater than 2 over 2 minutes MetricName: test404Count Namespace: test/404s Statistic: Sum Period: '60' EvaluationPeriods: '2' Threshold: '2' AlarmActions: - !Ref AlarmNotificationTopic ComparisonOperator: GreaterThanThreshold AlarmNotificationTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: !Ref OperatorEmail Protocol: email Outputs: InstanceId: Description: The instance ID of the web server Value: !Ref WebServerHost WebsiteURL: Value: !Sub 'http://${WebServerHost.PublicDnsName}' Description: URL for the web server PublicIP: Description: Public IP address of the web server Value: !GetAtt - WebServerHost - PublicIp CloudWatchLogGroupName: Description: The name of the CloudWatch log group Value: !Ref LogGroup ``` ## See also For more information about CloudWatch Logs resources, see [AWS::Logs::LogGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-loggroup.html) or [AWS::Logs::MetricFilter](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-metricfilter.html). # Amazon DynamoDB template snippets **Topics** + [Application Auto Scaling with an Amazon DynamoDB table](#quickref-dynamodb-application-autoscaling) + [See also](#w2aac11c41c39b7) ## Application Auto Scaling with an Amazon DynamoDB table This example sets up Application Auto Scaling for a `AWS::DynamoDB::Table` resource. The template defines a `TargetTrackingScaling` scaling policy that scales up the `WriteCapacityUnits` throughput for the table. ### JSON ``` { "Resources": { "DDBTable": { "Type": "AWS::DynamoDB::Table", "Properties": { "AttributeDefinitions": [ { "AttributeName": "ArtistId", "AttributeType": "S" }, { "AttributeName": "Concert", "AttributeType": "S" }, { "AttributeName": "TicketSales", "AttributeType": "S" } ], "KeySchema": [ { "AttributeName": "ArtistId", "KeyType": "HASH" }, { "AttributeName": "Concert", "KeyType": "RANGE" } ], "GlobalSecondaryIndexes": [ { "IndexName": "GSI", "KeySchema": [ { "AttributeName": "TicketSales", "KeyType": "HASH" } ], "Projection": { "ProjectionType": "KEYS_ONLY" }, "ProvisionedThroughput": { "ReadCapacityUnits": 5, "WriteCapacityUnits": 5 } } ], "ProvisionedThroughput": { "ReadCapacityUnits": 5, "WriteCapacityUnits": 5 } } }, "WriteCapacityScalableTarget": { "Type": "AWS::ApplicationAutoScaling::ScalableTarget", "Properties": { "MaxCapacity": 15, "MinCapacity": 5, "ResourceId": { "Fn::Join": [ "/", [ "table", { "Ref": "DDBTable" } ] ] }, "RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" }, "ScalableDimension": "dynamodb:table:WriteCapacityUnits", "ServiceNamespace": "dynamodb" } }, "WriteScalingPolicy": { "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", "Properties": { "PolicyName": "WriteAutoScalingPolicy", "PolicyType": "TargetTrackingScaling", "ScalingTargetId": { "Ref": "WriteCapacityScalableTarget" }, "TargetTrackingScalingPolicyConfiguration": { "TargetValue": 50, "ScaleInCooldown": 60, "ScaleOutCooldown": 60, "PredefinedMetricSpecification": { "PredefinedMetricType": "DynamoDBWriteCapacityUtilization" } } } } } } ``` ### YAML ``` Resources: DDBTable: Type: AWS::DynamoDB::Table Properties: AttributeDefinitions: - AttributeName: "ArtistId" AttributeType: "S" - AttributeName: "Concert" AttributeType: "S" - AttributeName: "TicketSales" AttributeType: "S" KeySchema: - AttributeName: "ArtistId" KeyType: "HASH" - AttributeName: "Concert" KeyType: "RANGE" GlobalSecondaryIndexes: - IndexName: "GSI" KeySchema: - AttributeName: "TicketSales" KeyType: "HASH" Projection: ProjectionType: "KEYS_ONLY" ProvisionedThroughput: ReadCapacityUnits: 5 WriteCapacityUnits: 5 ProvisionedThroughput: ReadCapacityUnits: 5 WriteCapacityUnits: 5 WriteCapacityScalableTarget: Type: AWS::ApplicationAutoScaling::ScalableTarget Properties: MaxCapacity: 15 MinCapacity: 5 ResourceId: !Join - / - - table - !Ref DDBTable RoleARN: Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable' ScalableDimension: dynamodb:table:WriteCapacityUnits ServiceNamespace: dynamodb WriteScalingPolicy: Type: AWS::ApplicationAutoScaling::ScalingPolicy Properties: PolicyName: WriteAutoScalingPolicy PolicyType: TargetTrackingScaling ScalingTargetId: !Ref WriteCapacityScalableTarget TargetTrackingScalingPolicyConfiguration: TargetValue: 50.0 ScaleInCooldown: 60 ScaleOutCooldown: 60 PredefinedMetricSpecification: PredefinedMetricType: DynamoDBWriteCapacityUtilization ``` ## See also For more information, see the blog post [How to use CloudFormation to configure auto scaling for DynamoDB tables and indexes](https://aws.amazon.com/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/) on the AWS Database Blog. For more information about DynamoDB resources, see [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html). # Amazon EC2 CloudFormation template snippets Amazon EC2 provides scalable compute capacity in the AWS Cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. These virtual servers, known as instances, can run a variety of operating systems and applications, and can be customized to meet your specific requirements. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in usage. You can define and provision Amazon EC2 instances as part of your infrastructure using CloudFormation templates. Templates make it easy to manage and automate the deployment of Amazon EC2 resources in a repeatable and consistent manner. The following example template snippets describe CloudFormation resources or components for Amazon EC2. These snippets are designed to be integrated into a template and are not intended to be run independently. **Topics** + [Configure EC2 instances](quickref-ec2-instance-config.md) + [Create launch templates](quickref-ec2-launch-templates.md) + [Manage security groups](quickref-ec2-sg.md) + [Allocate Elastic IPs](quickref-ec2-elastic-ip.md) + [Configure VPC resources](quickref-ec2-vpc.md) # Configure Amazon EC2 instances with CloudFormation The following snippets demonstrate how to configure Amazon EC2 instances using CloudFormation. **Topics** + [General Amazon EC2 configurations](#quickref-ec2-instance-config-general) + [Specify the block device mappings for an instance](#scenario-ec2-bdm) ## General Amazon EC2 configurations The following snippets demonstrate general configurations for Amazon EC2 instances using CloudFormation. **Topics** + [Create an Amazon EC2 instance in a specified Availability Zone](#scenario-ec2-instance) + [Configure a tagged Amazon EC2 instance with an EBS volume and user data](#scenario-ec2-instance-with-vol-and-tags) + [Define DynamoDB table name in user data for Amazon EC2 instance launch](#scenario-ec2-with-sdb-domain) + [Create an Amazon EBS volume with `DeletionPolicy`](#scenario-ec2-volume) ### Create an Amazon EC2 instance in a specified Availability Zone The following snippet creates an Amazon EC2 instance in the specified Availability Zone using an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. The code for an Availability Zone is its Region code followed by a letter identifier. You can launch an instance into a single Availability Zone. #### JSON ``` 1. "Ec2Instance": { 2. "Type": "AWS::EC2::Instance", 3. "Properties": { 4. "AvailabilityZone": "aa-example-1a", 5. "ImageId": "ami-1234567890abcdef0" 6. } 7. } ``` #### YAML ``` 1. Ec2Instance: 2. Type: AWS::EC2::Instance 3. Properties: 4. AvailabilityZone: aa-example-1a 5. ImageId: ami-1234567890abcdef0 ``` ### Configure a tagged Amazon EC2 instance with an EBS volume and user data The following snippet creates an Amazon EC2 instance with a tag, an EBS volume, and user data. It uses an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. In the same template, you must define an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource, an [AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource, and an [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource. The `KeyName` must be defined in the `Parameters` section of the template. Tags can help you to categorize AWS resources based on your preferences, such as by purpose, owner, or environment. User data allows for the provisioning of custom scripts or data to an instance during launch. This data facilitates task automation, software configuration, package installation, and other actions on an instance during initialization. For more information about tagging your resources, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*. For information about user data, see [Use instance metadata to manage your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*. #### JSON ``` 1. "Ec2Instance": { 2. "Type": "AWS::EC2::Instance", 3. "Properties": { 4. "KeyName": { "Ref": "KeyName" }, 5. "SecurityGroups": [ { "Ref": "Ec2SecurityGroup" } ], 6. "UserData": { 7. "Fn::Base64": { 8. "Fn::Join": [ ":", [ 9. "PORT=80", 10. "TOPIC=", 11. { "Ref": "MySNSTopic" } 12. ] 13. ] 14. } 15. }, 16. "InstanceType": "aa.size", 17. "AvailabilityZone": "aa-example-1a", 18. "ImageId": "ami-1234567890abcdef0", 19. "Volumes": [ 20. { 21. "VolumeId": { "Ref": "MyVolumeResource" }, 22. "Device": "/dev/sdk" 23. } 24. ], 25. "Tags": [ { "Key": "Name", "Value": "MyTag" } ] 26. } 27. } ``` #### YAML ``` 1. Ec2Instance: 2. Type: AWS::EC2::Instance 3. Properties: 4. KeyName: !Ref KeyName 5. SecurityGroups: 6. - !Ref Ec2SecurityGroup 7. UserData: 8. Fn::Base64: 9. Fn::Join: 10. - ":" 11. - - "PORT=80" 12. - "TOPIC=" 13. - !Ref MySNSTopic 14. InstanceType: aa.size 15. AvailabilityZone: aa-example-1a 16. ImageId: ami-1234567890abcdef0 17. Volumes: 18. - VolumeId: !Ref MyVolumeResource 19. Device: "/dev/sdk" 20. Tags: 21. - Key: Name 22. Value: MyTag ``` ### Define DynamoDB table name in user data for Amazon EC2 instance launch The following snippet creates an Amazon EC2 instance and defines a DynamoDB table name in the user data to pass to the instance at launch. It uses an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. You can define parameters or dynamic values in the user data to pass an EC2 instance at launch. For more information about user data, see [Use instance metadata to manage your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*. #### JSON ``` 1. "Ec2Instance": { 2. "Type": "AWS::EC2::Instance", 3. "Properties": { 4. "UserData": { 5. "Fn::Base64": { 6. "Fn::Join": [ 7. "", 8. [ 9. "TableName=", 10. { 11. "Ref": "DynamoDBTableName" 12. } 13. ] 14. ] 15. } 16. }, 17. "AvailabilityZone": "aa-example-1a", 18. "ImageId": "ami-1234567890abcdef0" 19. } 20. } ``` #### YAML ``` 1. Ec2Instance: 2. Type: AWS::EC2::Instance 3. Properties: 4. UserData: 5. Fn::Base64: 6. Fn::Join: 7. - '' 8. - - 'TableName=' 9. - Ref: DynamoDBTableName 10. AvailabilityZone: aa-example-1a 11. ImageId: ami-1234567890abcdef0 ``` ### Create an Amazon EBS volume with `DeletionPolicy` The following snippets create an Amazon EBS volume using an Amazon EC2 [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource. You can use the `Size` or `SnapshotID` properties to define the volume, but not both. A `DeletionPolicy` attribute is set to create a snapshot of the volume when the stack is deleted. For more information about the `DeletionPolicy` attribute, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html). For more information about creating Amazon EBS volumes, see [Create an Amazon EBS volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html). #### JSON This snippet creates an Amazon EBS volume with a specified **size**. The size is set to 10, but you can adjust it as needed. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both. ``` 1. "MyEBSVolume": { 2. "Type": "AWS::EC2::Volume", 3. "Properties": { 4. "Size": "10", 5. "AvailabilityZone": { 6. "Ref": "AvailabilityZone" 7. } 8. }, 9. "DeletionPolicy": "Snapshot" 10. } ``` This snippet creates an Amazon EBS volume using a provided **snapshot ID**. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both. ``` 1. "MyEBSVolume": { 2. "Type": "AWS::EC2::Volume", 3. "Properties": { 4. "SnapshotId" : "snap-1234567890abcdef0", 5. "AvailabilityZone": { 6. "Ref": "AvailabilityZone" 7. } 8. }, 9. "DeletionPolicy": "Snapshot" 10. } ``` #### YAML This snippet creates an Amazon EBS volume with a specified **size**. The size is set to 10, but you can adjust it as needed. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both. ``` 1. MyEBSVolume: 2. Type: AWS::EC2::Volume 3. Properties: 4. Size: 10 5. AvailabilityZone: 6. Ref: AvailabilityZone 7. DeletionPolicy: Snapshot ``` This snippet creates an Amazon EBS volume using a provided **snapshot ID**. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both. ``` 1. MyEBSVolume: 2. Type: AWS::EC2::Volume 3. Properties: 4. SnapshotId: snap-1234567890abcdef0 5. AvailabilityZone: 6. Ref: AvailabilityZone 7. DeletionPolicy: Snapshot ``` ## Specify the block device mappings for an instance A block device mapping defines the block devices, which includes instance store volumes and EBS volumes, to attach to an instance. You can specify a block device mapping when creating an AMI so that the mapping is used by all instances launched from the AMI. Alternatively, you can specify a block device mapping when you launch an instance, so that the mapping overrides the one specified in the AMI from which the instance was launched. You can use the following template snippets to specify the block device mappings for your EBS or instance store volumes using the `BlockDeviceMappings` property of an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. For more information about block device mappings, see [Block device mappings for volumes on Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide*. **Topics** + [Specify the block device mappings for two EBS volumes](#w2aac11c41c43c13b9c11) + [Specify the block device mapping for an instance store volume](#w2aac11c41c43c13b9c13) ### Specify the block device mappings for two EBS volumes #### JSON ``` "Ec2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}", "KeyName": { "Ref": "KeyName" }, "InstanceType": { "Ref": "InstanceType" }, "SecurityGroups": [{ "Ref": "Ec2SecurityGroup" }], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "50" } }, { "DeviceName": "/dev/sdm", "Ebs": { "VolumeSize": "100" } } ] } } } ``` #### YAML ``` EC2Instance: Type: AWS::EC2::Instance Properties: ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' KeyName: !Ref KeyName InstanceType: !Ref InstanceType SecurityGroups: - !Ref Ec2SecurityGroup BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeSize: 50 - DeviceName: /dev/sdm Ebs: VolumeSize: 100 ``` ### Specify the block device mapping for an instance store volume #### JSON ``` "Ec2Instance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "ImageId" : "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}", "KeyName" : { "Ref" : "KeyName" }, "InstanceType": { "Ref": "InstanceType" }, "SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }], "BlockDeviceMappings" : [ { "DeviceName" : "/dev/sdc", "VirtualName" : "ephemeral0" } ] } } ``` #### YAML ``` EC2Instance: Type: AWS::EC2::Instance Properties: ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' KeyName: !Ref KeyName InstanceType: !Ref InstanceType SecurityGroups: - !Ref Ec2SecurityGroup BlockDeviceMappings: - DeviceName: /dev/sdc VirtualName: ephemeral0 ``` # Create launch templates with CloudFormation This section provides an example for creating an Amazon EC2 launch template using CloudFormation. Launch templates allow you to create templates for configuring and provisioning Amazon EC2 instances within AWS. With launch templates, you can store launch parameters so that you do not have to specify them every time you launch an instance. For more examples, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples) section in the `AWS::EC2::LaunchTemplate` resource. For more information about launch templates, see [Store instance launch parameters in Amazon EC2 launch templates](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html) in the *Amazon EC2 User Guide*. For information about creating launch templates for use with Auto Scaling groups, see [Auto Scaling launch templates](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-templates.html) in the *Amazon EC2 Auto Scaling User Guide*. **Topics** + [Create a launch template that specifies security groups, tags, user data, and an IAM role](#scenario-as-launch-template) ## Create a launch template that specifies security groups, tags, user data, and an IAM role This snippet shows an [AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource that contains the configuration information to launch an instance. You specify values for the `ImageId`, `InstanceType`, `SecurityGroups`, `UserData`, and `TagSpecifications` properties. The `SecurityGroups` property specifies an existing EC2 security group and a new security group. The `Ref` function gets the ID of the [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource `myNewEC2SecurityGroup` that's declared elsewhere in the stack template. The launch template includes a section for custom user data. You can pass in configuration tasks and scripts that run when an instance launches in this section. In this example, the user data installs the AWS Systems Manager Agent and starts the agent. The launch template also includes an IAM role that allows applications running on instances to perform actions on your behalf. This example shows an [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html) resource for the launch template, which uses the `IamInstanceProfile` property to specify the IAM role. The `Ref` function gets the name of the [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-instanceprofile.html) resource `myInstanceProfile`. To configure the permissions of the IAM role, you specify a value for the `ManagedPolicyArns` property. ### JSON ``` 1. { 2. "Resources":{ 3. "myLaunchTemplate":{ 4. "Type":"AWS::EC2::LaunchTemplate", 5. "Properties":{ 6. "LaunchTemplateName":{ "Fn::Sub": "${AWS::StackName}-launch-template" }, 7. "LaunchTemplateData":{ 8. "ImageId":"ami-02354e95b3example", 9. "InstanceType":"t3.micro", 10. "IamInstanceProfile":{ 11. "Name":{ 12. "Ref":"myInstanceProfile" 13. } 14. }, 15. "SecurityGroupIds":[ 16. { 17. "Ref":"myNewEC2SecurityGroup" 18. }, 19. "sg-083cd3bfb8example" 20. ], 21. "UserData":{ 22. "Fn::Base64":{ 23. "Fn::Join": [ 24. "", [ 25. "#!/bin/bash\n", 26. "cd /tmp\n", 27. "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n", 28. "systemctl enable amazon-ssm-agent\n", 29. "systemctl start amazon-ssm-agent\n" 30. ] 31. ] 32. } 33. }, 34. "TagSpecifications":[ 35. { 36. "ResourceType":"instance", 37. "Tags":[ 38. { 39. "Key":"environment", 40. "Value":"development" 41. } 42. ] 43. }, 44. { 45. "ResourceType":"volume", 46. "Tags":[ 47. { 48. "Key":"environment", 49. "Value":"development" 50. } 51. ] 52. } 53. ] 54. } 55. } 56. }, 57. "myInstanceRole":{ 58. "Type":"AWS::IAM::Role", 59. "Properties":{ 60. "RoleName":"InstanceRole", 61. "AssumeRolePolicyDocument":{ 62. "Version": "2012-10-17", 63. "Statement":[ 64. { 65. "Effect":"Allow", 66. "Principal":{ 67. "Service":[ 68. "ec2.amazonaws.com" 69. ] 70. }, 71. "Action":[ 72. "sts:AssumeRole" 73. ] 74. } 75. ] 76. }, 77. "ManagedPolicyArns":[ 78. "arn:aws:iam::aws:policy/myCustomerManagedPolicy" 79. ] 80. } 81. }, 82. "myInstanceProfile":{ 83. "Type":"AWS::IAM::InstanceProfile", 84. "Properties":{ 85. "Path":"/", 86. "Roles":[ 87. { 88. "Ref":"myInstanceRole" 89. } 90. ] 91. } 92. } 93. } 94. } ``` ### YAML ``` 1. --- 2. Resources: 3. myLaunchTemplate: 4. Type: AWS::EC2::LaunchTemplate 5. Properties: 6. LaunchTemplateName: !Sub ${AWS::StackName}-launch-template 7. LaunchTemplateData: 8. ImageId: ami-02354e95b3example 9. InstanceType: t3.micro 10. IamInstanceProfile: 11. Name: !Ref myInstanceProfile 12. SecurityGroupIds: 13. - !Ref myNewEC2SecurityGroup 14. - sg-083cd3bfb8example 15. UserData: 16. Fn::Base64: !Sub | 17. #!/bin/bash 18. cd /tmp 19. yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm 20. systemctl enable amazon-ssm-agent 21. systemctl start amazon-ssm-agent 22. TagSpecifications: 23. - ResourceType: instance 24. Tags: 25. - Key: environment 26. Value: development 27. - ResourceType: volume 28. Tags: 29. - Key: environment 30. Value: development 31. myInstanceRole: 32. Type: AWS::IAM::Role 33. Properties: 34. RoleName: InstanceRole 35. AssumeRolePolicyDocument: 36. Version: '2012-10-17' 37. Statement: 38. - Effect: 'Allow' 39. Principal: 40. Service: 41. - 'ec2.amazonaws.com' 42. Action: 43. - 'sts:AssumeRole' 44. ManagedPolicyArns: 45. - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy' 46. myInstanceProfile: 47. Type: AWS::IAM::InstanceProfile 48. Properties: 49. Path: '/' 50. Roles: 51. - !Ref myInstanceRole ``` # Manage security groups with CloudFormation The following snippets demonstrate how to use CloudFormation to manage security groups and Amazon EC2 instances to control access to your AWS resources. **Topics** + [Associate an Amazon EC2 instance with a security group](#quickref-ec2-instances-associate-security-group) + [Create security groups with ingress rules](#quickref-ec2-instances-ingress) + [Create an Elastic Load Balancer with a security group ingress rule](#scenario-ec2-security-group-elbingress) ## Associate an Amazon EC2 instance with a security group The following example snippets demonstrate how to associate an Amazon EC2 instance with a default Amazon VPC security group using CloudFormation. **Topics** + [Associate an Amazon EC2 instance with a default VPC security group](#using-cfn-getatt-default-values) + [Create an Amazon EC2 instance with an attached volume and security group](#scenario-ec2-volumeattachment) ### Associate an Amazon EC2 instance with a default VPC security group The following snippet creates an Amazon VPC, a subnet within the VPC, and an Amazon EC2 instance. The VPC is created using an [AWS::EC2::VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) resource. The IP address range for the VPC is defined in the larger template and is referenced by the `MyVPCCIDRRange` parameter. A subnet is created within the VPC using an [AWS::EC2:: Subnet](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) resource. The subnet is associated with the VPC, which is referenced as `MyVPC`. An EC2 instance is launched within the VPC and subnet using an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. This resource specifies the Amazon Machine Image (AMI) to use to launch the instance, the subnet where the instance will run, and the security group to associate with the instance. The `ImageId` uses a Systems Manager parameter to dynamically retrieve the latest Amazon Linux 2 AMI. The security group ID is obtained using the `Fn::GetAtt` function, which retrieves the default security group from the `MyVPC` resource. The instance is placed within the `MySubnet` resource defined in the snippet. When you create a VPC using CloudFormation, AWS automatically creates default resources within the VPC, including a default security group. However, when you define a VPC within a CloudFormation template, you may not have access to the IDs of these default resources when you create the template. To access and use the default resources specified in the template, you can use intrinsic functions such as `Fn::GetAtt`. This function allows you to work with the default resources that are automatically created by CloudFormation. #### JSON ``` "MyVPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": { "Ref": "MyVPCCIDRRange" }, "EnableDnsSupport": false, "EnableDnsHostnames": false, "InstanceTenancy": "default" } }, "MySubnet": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": { "Ref": "MyVPCCIDRRange" }, "VpcId": { "Ref": "MyVPC" } } }, "MyInstance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}", "SecurityGroupIds": [ { "Fn::GetAtt": [ "MyVPC", "DefaultSecurityGroup" ] } ], "SubnetId": { "Ref": "MySubnet" } } } ``` #### YAML ``` MyVPC: Type: AWS::EC2::VPC Properties: CidrBlock: Ref: MyVPCCIDRRange EnableDnsSupport: false EnableDnsHostnames: false InstanceTenancy: default MySubnet: Type: AWS::EC2::Subnet Properties: CidrBlock: Ref: MyVPCCIDRRange VpcId: Ref: MyVPC MyInstance: Type: AWS::EC2::Instance Properties: ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' SecurityGroupIds: - Fn::GetAtt: - MyVPC - DefaultSecurityGroup SubnetId: Ref: MySubnet ``` ### Create an Amazon EC2 instance with an attached volume and security group The following snippet creates an Amazon EC2 instance using an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource, which is launched from a designated AMI . The instance is associated with a security group that allows incoming SSH traffic on port 22 from a specified IP address, using an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource . It creates a 100 GB Amazon EBS volume using an [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource. The volume is created in the same availability zone as the instance, as specified by the `GetAtt` function, and is mounted to the instance at the `/dev/sdh` device. For more information about creating Amazon EBS volumes, see [Create an Amazon EBS volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html). #### JSON ``` 1. "Ec2Instance": { 2. "Type": "AWS::EC2::Instance", 3. "Properties": { 4. "SecurityGroups": [ 5. { 6. "Ref": "InstanceSecurityGroup" 7. } 8. ], 9. "ImageId": "ami-1234567890abcdef0" 10. } 11. }, 12. "InstanceSecurityGroup": { 13. "Type": "AWS::EC2::SecurityGroup", 14. "Properties": { 15. "GroupDescription": "Enable SSH access via port 22", 16. "SecurityGroupIngress": [ 17. { 18. "IpProtocol": "tcp", 19. "FromPort": "22", 20. "ToPort": "22", 21. "CidrIp": "192.0.2.0/24" 22. } 23. ] 24. } 25. }, 26. "NewVolume": { 27. "Type": "AWS::EC2::Volume", 28. "Properties": { 29. "Size": "100", 30. "AvailabilityZone": { 31. "Fn::GetAtt": [ 32. "Ec2Instance", 33. "AvailabilityZone" 34. ] 35. } 36. } 37. }, 38. "MountPoint": { 39. "Type": "AWS::EC2::VolumeAttachment", 40. "Properties": { 41. "InstanceId": { 42. "Ref": "Ec2Instance" 43. }, 44. "VolumeId": { 45. "Ref": "NewVolume" 46. }, 47. "Device": "/dev/sdh" 48. } 49. } ``` #### YAML ``` 1. Ec2Instance: 2. Type: AWS::EC2::Instance 3. Properties: 4. SecurityGroups: 5. - !Ref InstanceSecurityGroup 6. ImageId: ami-1234567890abcdef0 7. InstanceSecurityGroup: 8. Type: AWS::EC2::SecurityGroup 9. Properties: 10. GroupDescription: Enable SSH access via port 22 11. SecurityGroupIngress: 12. - IpProtocol: tcp 13. FromPort: 22 14. ToPort: 22 15. CidrIp: 192.0.2.0/24 16. NewVolume: 17. Type: AWS::EC2::Volume 18. Properties: 19. Size: 100 20. AvailabilityZone: !GetAtt [Ec2Instance, AvailabilityZone] 21. MountPoint: 22. Type: AWS::EC2::VolumeAttachment 23. Properties: 24. InstanceId: !Ref Ec2Instance 25. VolumeId: !Ref NewVolume 26. Device: /dev/sdh ``` ## Create security groups with ingress rules The following example snippets demonstrate how to configure security groups with specific ingress rules using CloudFormation. **Topics** + [Create security group with ingress rules for SSH and HTTP access](#scenario-ec2-security-group-rule) + [Create a security group with ingress rules for HTTP and SSH access from specified CIDR ranges](#scenario-ec2-security-group-two-ports) + [Create cross-referencing security groups with ingress rules](#scenario-ec2-security-group-ingress) ### Create security group with ingress rules for SSH and HTTP access The following snippet describes two security group ingress rules using an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource. The first ingress rule allows SSH (port 22) access from an existing security group named `MyAdminSecurityGroup`, which is owned by the AWS account with the account number `1111-2222-3333`. The second ingress rule allows HTTP (port 80) access from a different security group named `MySecurityGroupCreatedInCFN`, which is created in the same template. The `Ref` function is used to reference the logical name of the security group created in the same template. In the first ingress rule, you must add a value for both the `SourceSecurityGroupName` and `SourceSecurityGroupOwnerId` properties. In the second ingress rule, `MySecurityGroupCreatedInCFNTemplate` references a different security group, which is created in the same template. Verify that the logical name `MySecurityGroupCreatedInCFNTemplate` matches the actual logical name of the security group resource that you specify in the larger template. For more information about security groups, see [Amazon EC2 security groups for your Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) in the *Amazon EC2 User Guide*. #### JSON ``` 1. "SecurityGroup": { 2. "Type": "AWS::EC2::SecurityGroup", 3. "Properties": { 4. "GroupDescription": "Allow connections from specified source security group", 5. "SecurityGroupIngress": [ 6. { 7. "IpProtocol": "tcp", 8. "FromPort": "22", 9. "ToPort": "22", 10. "SourceSecurityGroupName": "MyAdminSecurityGroup", 11. "SourceSecurityGroupOwnerId": "1111-2222-3333" 12. }, 13. { 14. "IpProtocol": "tcp", 15. "FromPort": "80", 16. "ToPort": "80", 17. "SourceSecurityGroupName": { 18. "Ref": "MySecurityGroupCreatedInCFNTemplate" 19. } 20. } 21. ] 22. } 23. } ``` #### YAML ``` 1. SecurityGroup: 2. Type: AWS::EC2::SecurityGroup 3. Properties: 4. GroupDescription: Allow connections from specified source security group 5. SecurityGroupIngress: 6. - IpProtocol: tcp 7. FromPort: '22' 8. ToPort: '22' 9. SourceSecurityGroupName: MyAdminSecurityGroup 10. SourceSecurityGroupOwnerId: '1111-2222-3333' 11. - IpProtocol: tcp 12. FromPort: '80' 13. ToPort: '80' 14. SourceSecurityGroupName: 15. Ref: MySecurityGroupCreatedInCFNTemplate ``` ### Create a security group with ingress rules for HTTP and SSH access from specified CIDR ranges The following snippet creates a security group for an Amazon EC2 instance with two inbound rules. The inbound rules allow incoming TCP traffic on the specified ports from the designated CIDR ranges. An [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource is used to specify the rules. You must specify a protocol for each rule. For TCP, you must specify a port or port range. If you do not specify either a source security group or a CIDR range, the stack will launch successfully, but the rule will not be applied to the security group. For more information about security groups, see [Amazon EC2 security groups for your Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) in the *Amazon EC2 User Guide*. #### JSON ``` 1. "ServerSecurityGroup": { 2. "Type": "AWS::EC2::SecurityGroup", 3. "Properties": { 4. "GroupDescription": "Allow connections from specified CIDR ranges", 5. "SecurityGroupIngress": [ 6. { 7. "IpProtocol": "tcp", 8. "FromPort": "80", 9. "ToPort": "80", 10. "CidrIp": "192.0.2.0/24" 11. }, 12. { 13. "IpProtocol": "tcp", 14. "FromPort": "22", 15. "ToPort": "22", 16. "CidrIp": "192.0.2.0/24" 17. } 18. ] 19. } 20. } ``` #### YAML ``` 1. ServerSecurityGroup: 2. Type: AWS::EC2::SecurityGroup 3. Properties: 4. GroupDescription: Allow connections from specified CIDR ranges 5. SecurityGroupIngress: 6. - IpProtocol: tcp 7. FromPort: 80 8. ToPort: 80 9. CidrIp: 192.0.2.0/24 10. - IpProtocol: tcp 11. FromPort: 22 12. ToPort: 22 13. CidrIp: 192.0.2.0/24 ``` ### Create cross-referencing security groups with ingress rules The following snippet uses the [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource to create two Amazon EC2 security groups, `SGroup1` and `SGroup2`. Ingress rules that allow communication between the two security groups are created by using the [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroupingress.html) resource. `SGroup1Ingress` establishes an ingress rule for `SGroup1` that allows incoming TCP traffic on port 80 from the source security group, `SGroup2`. `SGroup2Ingress` establishes an ingress rule for `SGroup2` that allows incoming TCP traffic on port 80 from the source security group, `SGroup1`. #### JSON ``` 1. "SGroup1": { 2. "Type": "AWS::EC2::SecurityGroup", 3. "Properties": { 4. "GroupDescription": "EC2 instance access" 5. } 6. }, 7. "SGroup2": { 8. "Type": "AWS::EC2::SecurityGroup", 9. "Properties": { 10. "GroupDescription": "EC2 instance access" 11. } 12. }, 13. "SGroup1Ingress": { 14. "Type": "AWS::EC2::SecurityGroupIngress", 15. "Properties": { 16. "GroupName": { 17. "Ref": "SGroup1" 18. }, 19. "IpProtocol": "tcp", 20. "ToPort": "80", 21. "FromPort": "80", 22. "SourceSecurityGroupName": { 23. "Ref": "SGroup2" 24. } 25. } 26. }, 27. "SGroup2Ingress": { 28. "Type": "AWS::EC2::SecurityGroupIngress", 29. "Properties": { 30. "GroupName": { 31. "Ref": "SGroup2" 32. }, 33. "IpProtocol": "tcp", 34. "ToPort": "80", 35. "FromPort": "80", 36. "SourceSecurityGroupName": { 37. "Ref": "SGroup1" 38. } 39. } 40. } ``` #### YAML ``` 1. SGroup1: 2. Type: AWS::EC2::SecurityGroup 3. Properties: 4. GroupDescription: EC2 Instance access 5. SGroup2: 6. Type: AWS::EC2::SecurityGroup 7. Properties: 8. GroupDescription: EC2 Instance access 9. SGroup1Ingress: 10. Type: AWS::EC2::SecurityGroupIngress 11. Properties: 12. GroupName: !Ref SGroup1 13. IpProtocol: tcp 14. ToPort: 80 15. FromPort: 80 16. SourceSecurityGroupName: !Ref SGroup2 17. SGroup2Ingress: 18. Type: AWS::EC2::SecurityGroupIngress 19. Properties: 20. GroupName: !Ref SGroup2 21. IpProtocol: tcp 22. ToPort: 80 23. FromPort: 80 24. SourceSecurityGroupName: !Ref SGroup1 ``` ## Create an Elastic Load Balancer with a security group ingress rule The following template creates an [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html) resource in the specified availability zone. The [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html) resource is configured to listen on port 80 for HTTP traffic and direct requests to instances also on port 80. The Elastic Load Balancer is responsible for load balancing incoming HTTP traffic among the instances. Additionally, this template generates an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource associated with the load balancer. This security group is created with a single ingress rule, described as `ELB ingress group`, which allows incoming TCP traffic on port 80. The source for this ingress rule is defined using the `Fn::GetAtt` fucntion to retrieve attributes from the load balancer resource. `SourceSecurityGroupOwnerId` uses `Fn::GetAtt` to obtain the `OwnerAlias` of the source security group of the load balancer. `SourceSecurityGroupName` uses `Fn::Getatt` to obtain the `GroupName` of the source security group of the ELB. This setup ensures secure communication between the ELB and the instances. For more information about load balancing, see the [Elastic Load Balancing User Guide](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/). ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "MyELB": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "AvailabilityZones": [ "aa-example-1a" ], "Listeners": [ { "LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP" } ] } }, "MyELBIngressGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "ELB ingress group", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "SourceSecurityGroupOwnerId": { "Fn::GetAtt": [ "MyELB", "SourceSecurityGroup.OwnerAlias" ] }, "SourceSecurityGroupName": { "Fn::GetAtt": [ "MyELB", "SourceSecurityGroup.GroupName" ] } } ] } } } } ``` ### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Resources: MyELB: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - aa-example-1a Listeners: - LoadBalancerPort: '80' InstancePort: '80' Protocol: HTTP MyELBIngressGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ELB ingress group SecurityGroupIngress: - IpProtocol: tcp FromPort: '80' ToPort: '80' SourceSecurityGroupOwnerId: Fn::GetAtt: - MyELB - SourceSecurityGroup.OwnerAlias SourceSecurityGroupName: Fn::GetAtt: - MyELB - SourceSecurityGroup.GroupName ``` # Allocate and associate Elastic IP addresses with CloudFormation The following template snippets are examples related to Elastic IP addresses (EIPs) in Amazon EC2. These examples cover allocation, association, and management of EIPs for your instances. **Topics** + [Allocate an Elastic IP address and associate it with an Amazon EC2 instance](#scenario-ec2-eip) + [Associate an Elastic IP address to an Amazon EC2 instance by specifying the IP address](#scenario-ec2-eip-association) + [Associate an Elastic IP address to an Amazon EC2 instance by specifying the allocation ID of the IP address](#scenario-ec2-eip-association-vpc) ## Allocate an Elastic IP address and associate it with an Amazon EC2 instance The following snippet allocates an Amazon EC2 Elastic IP (EIP) address and associates it with an Amazon EC2 instance using an [AWS::EC2::EIP ](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) resource. You can allocate an EIP address from an address pool owned by AWS or from an address pool created from a public IPv4 address range you bring to AWS for use with your AWS resources using [bring your own IP addresses (BYOIP)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html). In this example, the EIP is allocated from an address pool owned by AWS. For more information about Elastic IP addresses, see [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) in the *Amazon EC2 User Guide*. ### JSON ``` 1. "ElasticIP": { 2. "Type": "AWS::EC2::EIP", 3. "Properties": { 4. "InstanceId": { 5. "Ref": "Ec2Instance" 6. } 7. } 8. } ``` ### YAML ``` 1. ElasticIP: 2. Type: AWS::EC2::EIP 3. Properties: 4. InstanceId: !Ref EC2Instance ``` ## Associate an Elastic IP address to an Amazon EC2 instance by specifying the IP address The following snippet associates an existing Amazon EC2 Elastic IP address to an EC2 instance using an [AWS::EC2::EIPAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) resource. You must first allocate an Elastic IP address for use in your account. An Elastic IP address can be associated with a single instance. ### JSON ``` 1. "IPAssoc": { 2. "Type": "AWS::EC2::EIPAssociation", 3. "Properties": { 4. "InstanceId": { 5. "Ref": "Ec2Instance" 6. }, 7. "EIP": "192.0.2.0" 8. } 9. } ``` ### YAML ``` 1. IPAssoc: 2. Type: AWS::EC2::EIPAssociation 3. Properties: 4. InstanceId: !Ref EC2Instance 5. EIP: 192.0.2.0 ``` ## Associate an Elastic IP address to an Amazon EC2 instance by specifying the allocation ID of the IP address The following snippet associates an existing Elastic IP address to an Amazon EC2 instance by specifying the allocation ID using an [AWS::EC2::EIPAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) resource. An allocation ID is assigned to an Elastic IP address upon Elastic IP address allocation. ### JSON ``` 1. "IPAssoc": { 2. "Type": "AWS::EC2::EIPAssociation", 3. "Properties": { 4. "InstanceId": { 5. "Ref": "Ec2Instance" 6. }, 7. "AllocationId": "eipalloc-1234567890abcdef0" 8. } 9. } ``` ### YAML ``` 1. IPAssoc: 2. Type: AWS::EC2::EIPAssociation 3. Properties: 4. InstanceId: !Ref EC2Instance 5. AllocationId: eipalloc-1234567890abcdef0 ``` # Configure Amazon VPC resources with CloudFormation This section provides examples for configuring Amazon VPC resources using CloudFormation. VPCs allow you to create a virtual network within AWS, and these snippets show how to configure aspects of VPCs to meet your networking requirements. **Topics** + [Enable IPv6 egress-only internet access in a VPC](#quickref-ec2-route-egressonlyinternetgateway) + [Elastic network interface (ENI) template snippets](#cfn-template-snippets-eni) ## Enable IPv6 egress-only internet access in a VPC An egress-only internet gateway allows instances within a VPC to access the internet and prevent resources on the internet from communicating with the instances. The following snippet enables IPv6 egress-only internet access from within a VPC. It creates a VPC with an IPv4 address range of `10.0.0/16` using an [AWS::EC2::VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) resource. A route table is associated with this VPC resource using an [AWS::EC2::RouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-routetable.html) resource. The route table manages routes for instances within the VPC. An [AWS::EC2::EgressOnlyInternetGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-egressonlyinternetgateway.html) is used to create an egress-only internet gateway to enable IPv6 communication for outbound traffic from instances within the VPC, while preventing inbound traffic. An [AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-route.html) resource is specified to create an IPv6 route in the route table that directs all outbound IPv6 traffic (`::/0`) to the egress-only internet gateway. For more information about egress-only internet gateways, see [Enable outbound IPv6 traffic using an egress-only internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html) in the *Amazon VPC User Guide*. ### JSON ``` "DefaultIpv6Route": { "Type": "AWS::EC2::Route", "Properties": { "DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": { "Ref": "EgressOnlyInternetGateway" }, "RouteTableId": { "Ref": "RouteTable" } } }, "EgressOnlyInternetGateway": { "Type": "AWS::EC2::EgressOnlyInternetGateway", "Properties": { "VpcId": { "Ref": "VPC" } } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" } } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } } ``` ### YAML ``` DefaultIpv6Route: Type: AWS::EC2::Route Properties: DestinationIpv6CidrBlock: "::/0" EgressOnlyInternetGatewayId: Ref: "EgressOnlyInternetGateway" RouteTableId: Ref: "RouteTable" EgressOnlyInternetGateway: Type: AWS::EC2::EgressOnlyInternetGateway Properties: VpcId: Ref: "VPC" RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: "VPC" VPC: Type: AWS::EC2::VPC Properties: CidrBlock: "10.0.0.0/16" ``` ## Elastic network interface (ENI) template snippets ### Create an Amazon EC2 instance with attached elastic network interfaces (ENIs) The following example snippet creates an Amazon EC2 instance using an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource in the specified Amazon VPC and subnet. It attaches two network interfaces (ENIs) with the instance, associates Elastic IP addresses to the instances through the attached ENIs, and configures the security group for SSH and HTTP access. User data is supplied to the instance as part of the launch configuration when the instance is created. The user data includes a script encoded in `base64` format to ensure it is passed to the instance. When the instance is launched, the script runs automatically as part of the bootstrapping process. It installs `ec2-net-utils`, configures the network interfaces, and starts the HTTP service. To determine the appropriate Amazon Machine Image (AMI) based on the selected Region, the snippet uses a `Fn::FindInMap` function that looks up values in a `RegionMap` mapping. This mapping must be defined in the larger template. The two network interfaces are created using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html) resources. Elastic IP addresses are specified using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) resources allocated to the `vpc` domain. These elastic IP addresses are associated with the network interfaces using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) resources. The `Outputs` section defines values or resources that you want to access after the stack is created. In this snippet, the defined output is `InstancePublicIp`, which represents the public IP address of the EC2 instance created by the stack. You can retrieve this output in the **Output** tab on the CloudFormation console, or using the [describe-stacks](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-stacks.html) command. For more information about elastic network interfaces, see [Elastic network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html). #### JSON ``` "Resources": { "ControlPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateControlPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "ControlPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "controlXface" } } }, "WebPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateWebPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "WebPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "webXface" } } }, "SSHSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable SSH access via port 22", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22 } ] } }, "WebSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable HTTP access via user-defined port", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 } ] } }, "controlXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for controlling traffic such as SSH", "GroupSet": [ { "Fn::GetAtt": [ "SSHSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Control" } ] } }, "webXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for web traffic", "GroupSet": [ { "Fn::GetAtt": [ "WebSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Web" } ] } }, "Ec2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Fn::FindInMap": [ "RegionMap", { "Ref": "AWS::Region" }, "AMI" ] }, "KeyName": { "Ref": "KeyName" }, "NetworkInterfaces": [ { "NetworkInterfaceId": { "Ref": "controlXface" }, "DeviceIndex": "0" }, { "NetworkInterfaceId": { "Ref": "webXface" }, "DeviceIndex": "1" } ], "Tags": [ { "Key": "Role", "Value": "Test Instance" } ], "UserData": { "Fn::Base64": { "Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n" } } } } }, "Outputs": { "InstancePublicIp": { "Description": "Public IP Address of the EC2 Instance", "Value": { "Fn::GetAtt": [ "Ec2Instance", "PublicIp" ] } } } ``` #### YAML ``` Resources: ControlPortAddress: Type: AWS::EC2::EIP Properties: Domain: vpc AssociateControlPort: Type: AWS::EC2::EIPAssociation Properties: AllocationId: Fn::GetAtt: - ControlPortAddress - AllocationId NetworkInterfaceId: Ref: controlXface WebPortAddress: Type: AWS::EC2::EIP Properties: Domain: vpc AssociateWebPort: Type: AWS::EC2::EIPAssociation Properties: AllocationId: Fn::GetAtt: - WebPortAddress - AllocationId NetworkInterfaceId: Ref: webXface SSHSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: Ref: VpcId GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 WebSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: Ref: VpcId GroupDescription: Enable HTTP access via user-defined port SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 controlXface: Type: AWS::EC2::NetworkInterface Properties: SubnetId: Ref: SubnetId Description: Interface for controlling traffic such as SSH GroupSet: - Fn::GetAtt: - SSHSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Control webXface: Type: AWS::EC2::NetworkInterface Properties: SubnetId: Ref: SubnetId Description: Interface for web traffic GroupSet: - Fn::GetAtt: - WebSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Web Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI KeyName: Ref: KeyName NetworkInterfaces: - NetworkInterfaceId: Ref: controlXface DeviceIndex: "0" - NetworkInterfaceId: Ref: webXface DeviceIndex: "1" Tags: - Key: Role Value: Test Instance UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum install ec2-net-utils -y ec2ifup eth1 service httpd start Outputs: InstancePublicIp: Description: Public IP Address of the EC2 Instance Value: Fn::GetAtt: - Ec2Instance - PublicIp ``` # Amazon Elastic Container Service sample templates Amazon Elastic Container Service (Amazon ECS) is a container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances. ## Create a cluster with the AL2023 Amazon ECS-Optimized-AMI Define a cluster that uses a capacity provider that launches AL2023 instances on Amazon EC2. **Important** For the latest AMI IDs, see [Amazon ECS-optimized AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide*. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks.", "Parameters": { "InstanceType": { "Type": "String", "Description": "EC2 instance type", "Default": "t2.medium", "AllowedValues": [ "t1.micro", "t2.2xlarge", "t2.large", "t2.medium", "t2.micro", "t2.nano", "t2.small", "t2.xlarge", "t3.2xlarge", "t3.large", "t3.medium", "t3.micro", "t3.nano", "t3.small", "t3.xlarge" ] }, "DesiredCapacity": { "Type": "Number", "Default": "0", "Description": "Number of EC2 instances to launch in your ECS cluster." }, "MaxSize": { "Type": "Number", "Default": "100", "Description": "Maximum number of EC2 instances that can be launched in your ECS cluster." }, "ECSAMI": { "Description": "The Amazon Machine Image ID used for the cluster", "Type": "AWS::SSM::Parameter::Value", "Default": "/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id" }, "VpcId": { "Type": "AWS::EC2::VPC::Id", "Description": "VPC ID where the ECS cluster is launched", "Default": "vpc-1234567890abcdef0" }, "SubnetIds": { "Type": "List", "Description": "List of subnet IDs where the EC2 instances will be launched", "Default": "subnet-021345abcdef67890" } }, "Resources": { "ECSCluster": { "Type": "AWS::ECS::Cluster", "Properties": { "ClusterSettings": [ { "Name": "containerInsights", "Value": "enabled" } ] } }, "ECSAutoScalingGroup": { "Type": "AWS::AutoScaling::AutoScalingGroup", "DependsOn": [ "ECSCluster", "EC2Role" ], "Properties": { "VPCZoneIdentifier": { "Ref": "SubnetIds" }, "LaunchTemplate": { "LaunchTemplateId": { "Ref": "ContainerInstances" }, "Version": { "Fn::GetAtt": [ "ContainerInstances", "LatestVersionNumber" ] } }, "MinSize": 0, "MaxSize": { "Ref": "MaxSize" }, "DesiredCapacity": { "Ref": "DesiredCapacity" }, "NewInstancesProtectedFromScaleIn": true }, "UpdatePolicy": { "AutoScalingReplacingUpdate": { "WillReplace": "true" } } }, "ContainerInstances": { "Type": "AWS::EC2::LaunchTemplate", "Properties": { "LaunchTemplateName": "asg-launch-template", "LaunchTemplateData": { "ImageId": { "Ref": "ECSAMI" }, "InstanceType": { "Ref": "InstanceType" }, "IamInstanceProfile": { "Name": { "Ref": "EC2InstanceProfile" } }, "SecurityGroupIds": [ { "Ref": "ContainerHostSecurityGroup" } ], "UserData": { "Fn::Base64": { "Fn::Sub": "#!/bin/bash -xe\n echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config\n yum install -y aws-cfn-bootstrap\n /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &\n" } }, "MetadataOptions": { "HttpEndpoint": "enabled", "HttpTokens": "required" } } } }, "EC2InstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [ { "Ref": "EC2Role" } ] } }, "CapacityProvider": { "Type": "AWS::ECS::CapacityProvider", "Properties": { "AutoScalingGroupProvider": { "AutoScalingGroupArn": { "Ref": "ECSAutoScalingGroup" }, "ManagedScaling": { "InstanceWarmupPeriod": 60, "MinimumScalingStepSize": 1, "MaximumScalingStepSize": 100, "Status": "ENABLED", "TargetCapacity": 100 }, "ManagedTerminationProtection": "ENABLED" } } }, "CapacityProviderAssociation": { "Type": "AWS::ECS::ClusterCapacityProviderAssociations", "Properties": { "CapacityProviders": [ { "Ref": "CapacityProvider" } ], "Cluster": { "Ref": "ECSCluster" }, "DefaultCapacityProviderStrategy": [ { "Base": 0, "CapacityProvider": { "Ref": "CapacityProvider" }, "Weight": 1 } ] } }, "ContainerHostSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Access to the EC2 hosts that run containers", "VpcId": { "Ref": "VpcId" } } }, "EC2Role": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" ] } }, "ECSTaskExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ], "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::Sub": "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*" } }, "StringEquals": { "aws:SourceAccount": { "Fn::Sub": "${AWS::AccountId}" } } } } ] }, "Path": "/", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" ] } } }, "Outputs": { "ClusterName": { "Description": "The ECS cluster into which to launch resources", "Value": "ECSCluster" }, "ECSTaskExecutionRole": { "Description": "The role used to start up a task", "Value": "ECSTaskExecutionRole" }, "CapacityProvider": { "Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task", "Value": "CapacityProvider" } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Description: EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks. Parameters: InstanceType: Type: String Description: EC2 instance type Default: "t2.medium" AllowedValues: - t1.micro - t2.2xlarge - t2.large - t2.medium - t2.micro - t2.nano - t2.small - t2.xlarge - t3.2xlarge - t3.large - t3.medium - t3.micro - t3.nano - t3.small - t3.xlarge DesiredCapacity: Type: Number Default: "0" Description: Number of EC2 instances to launch in your ECS cluster. MaxSize: Type: Number Default: "100" Description: Maximum number of EC2 instances that can be launched in your ECS cluster. ECSAMI: Description: The Amazon Machine Image ID used for the cluster Type: AWS::SSM::Parameter::Value Default: /aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id VpcId: Type: AWS::EC2::VPC::Id Description: VPC ID where the ECS cluster is launched Default: vpc-1234567890abcdef0 SubnetIds: Type: List Description: List of subnet IDs where the EC2 instances will be launched Default: "subnet-021345abcdef67890" Resources: # This is authorizes ECS to manage resources on your # account on your behalf. This role is likely already created on your account # ECSRole: # Type: AWS::IAM::ServiceLinkedRole # Properties: # AWSServiceName: 'ecs.amazonaws.com' # ECS Resources ECSCluster: Type: AWS::ECS::Cluster Properties: ClusterSettings: - Name: containerInsights Value: enabled # Autoscaling group. This launches the actual EC2 instances that will register # themselves as members of the cluster, and run the docker containers. ECSAutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup DependsOn: # This is to ensure that the ASG gets deleted first before these # resources, when it comes to stack teardown. - ECSCluster - EC2Role Properties: VPCZoneIdentifier: Ref: SubnetIds LaunchTemplate: LaunchTemplateId: !Ref ContainerInstances Version: !GetAtt ContainerInstances.LatestVersionNumber MinSize: 0 MaxSize: Ref: MaxSize DesiredCapacity: Ref: DesiredCapacity NewInstancesProtectedFromScaleIn: true UpdatePolicy: AutoScalingReplacingUpdate: WillReplace: "true" # The config for each instance that is added to the cluster ContainerInstances: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: "asg-launch-template" LaunchTemplateData: ImageId: Ref: ECSAMI InstanceType: Ref: InstanceType IamInstanceProfile: Name: !Ref EC2InstanceProfile SecurityGroupIds: - !Ref ContainerHostSecurityGroup # This injected configuration file is how the EC2 instance # knows which ECS cluster on your AWS account it should be joining UserData: Fn::Base64: !Sub | #!/bin/bash -xe echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config yum install -y aws-cfn-bootstrap /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} & # Disable IMDSv1, and require IMDSv2 MetadataOptions: HttpEndpoint: enabled HttpTokens: required EC2InstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: / Roles: - !Ref EC2Role # Create an ECS capacity provider to attach the ASG to the ECS cluster # so that it autoscales as we launch more containers CapacityProvider: Type: AWS::ECS::CapacityProvider Properties: AutoScalingGroupProvider: AutoScalingGroupArn: !Ref ECSAutoScalingGroup ManagedScaling: InstanceWarmupPeriod: 60 MinimumScalingStepSize: 1 MaximumScalingStepSize: 100 Status: ENABLED # Percentage of cluster reservation to try to maintain TargetCapacity: 100 ManagedTerminationProtection: ENABLED # Create a cluster capacity provider assocation so that the cluster # will use the capacity provider CapacityProviderAssociation: Type: AWS::ECS::ClusterCapacityProviderAssociations Properties: CapacityProviders: - !Ref CapacityProvider Cluster: !Ref ECSCluster DefaultCapacityProviderStrategy: - Base: 0 CapacityProvider: !Ref CapacityProvider Weight: 1 # A security group for the EC2 hosts that will run the containers. # This can be used to limit incoming traffic to or outgoing traffic # from the container's host EC2 instance. ContainerHostSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the EC2 hosts that run containers VpcId: Ref: VpcId # Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts # to communciate with the ECS control plane, as well as download the docker # images from ECR to run on your host. EC2Role: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: # See reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerServiceforEC2Role - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role # This managed policy allows us to connect to the instance using SSM - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore # This is a role which is used within Fargate to allow the Fargate agent # to download images, and upload logs. ECSTaskExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ecs-tasks.amazonaws.com Action: - sts:AssumeRole Condition: ArnLike: aws:SourceArn: !Sub arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:* StringEquals: aws:SourceAccount: !Sub ${AWS::AccountId} Path: / # This role enables all features of ECS. See reference: # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonECSTaskExecutionRolePolicy ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy Outputs: ClusterName: Description: The ECS cluster into which to launch resources Value: ECSCluster ECSTaskExecutionRole: Description: The role used to start up a task Value: ECSTaskExecutionRole CapacityProvider: Description: The cluster capacity provider that the service should use to request capacity when it wants to start up a task Value: CapacityProvider ``` ## Deploy a service The following template defines a service that uses the capacity provider to request AL2023 capacity to run on. Containers will be launched onto the AL2023 instances as they come online: ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "An example service that deploys in AWS VPC networking mode on EC2 capacity. Service uses a capacity provider to request EC2 instances to run on. Service runs with networking in private subnets, but still accessible to the internet via a load balancer hosted in public subnets.", "Parameters": { "VpcId": { "Type": "String", "Description": "The VPC that the service is running inside of" }, "PublicSubnetIds": { "Type": "List", "Description": "List of public subnet ID's to put the load balancer in" }, "PrivateSubnetIds": { "Type": "List", "Description": "List of private subnet ID's that the AWS VPC tasks are in" }, "ClusterName": { "Type": "String", "Description": "The name of the ECS cluster into which to launch capacity." }, "ECSTaskExecutionRole": { "Type": "String", "Description": "The role used to start up an ECS task" }, "CapacityProvider": { "Type": "String", "Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task" }, "ServiceName": { "Type": "String", "Default": "web", "Description": "A name for the service" }, "ImageUrl": { "Type": "String", "Default": "public.ecr.aws/docker/library/nginx:latest", "Description": "The url of a docker image that contains the application process that will handle the traffic for this service" }, "ContainerCpu": { "Type": "Number", "Default": 256, "Description": "How much CPU to give the container. 1024 is 1 CPU" }, "ContainerMemory": { "Type": "Number", "Default": 512, "Description": "How much memory in megabytes to give the container" }, "ContainerPort": { "Type": "Number", "Default": 80, "Description": "What port that the application expects traffic on" }, "DesiredCount": { "Type": "Number", "Default": 2, "Description": "How many copies of the service task to run" } }, "Resources": { "TaskDefinition": { "Type": "AWS::ECS::TaskDefinition", "Properties": { "Family": { "Ref": "ServiceName" }, "Cpu": { "Ref": "ContainerCpu" }, "Memory": { "Ref": "ContainerMemory" }, "NetworkMode": "awsvpc", "RequiresCompatibilities": [ "EC2" ], "ExecutionRoleArn": { "Ref": "ECSTaskExecutionRole" }, "ContainerDefinitions": [ { "Name": { "Ref": "ServiceName" }, "Cpu": { "Ref": "ContainerCpu" }, "Memory": { "Ref": "ContainerMemory" }, "Image": { "Ref": "ImageUrl" }, "PortMappings": [ { "ContainerPort": { "Ref": "ContainerPort" }, "HostPort": { "Ref": "ContainerPort" } } ], "LogConfiguration": { "LogDriver": "awslogs", "Options": { "mode": "non-blocking", "max-buffer-size": "25m", "awslogs-group": { "Ref": "LogGroup" }, "awslogs-region": { "Ref": "AWS::Region" }, "awslogs-stream-prefix": { "Ref": "ServiceName" } } } } ] } }, "Service": { "Type": "AWS::ECS::Service", "DependsOn": "PublicLoadBalancerListener", "Properties": { "ServiceName": { "Ref": "ServiceName" }, "Cluster": { "Ref": "ClusterName" }, "PlacementStrategies": [ { "Field": "attribute:ecs.availability-zone", "Type": "spread" }, { "Field": "cpu", "Type": "binpack" } ], "CapacityProviderStrategy": [ { "Base": 0, "CapacityProvider": { "Ref": "CapacityProvider" }, "Weight": 1 } ], "NetworkConfiguration": { "AwsvpcConfiguration": { "SecurityGroups": [ { "Ref": "ServiceSecurityGroup" } ], "Subnets": { "Ref": "PrivateSubnetIds" } } }, "DeploymentConfiguration": { "MaximumPercent": 200, "MinimumHealthyPercent": 75 }, "DesiredCount": { "Ref": "DesiredCount" }, "TaskDefinition": { "Ref": "TaskDefinition" }, "LoadBalancers": [ { "ContainerName": { "Ref": "ServiceName" }, "ContainerPort": { "Ref": "ContainerPort" }, "TargetGroupArn": { "Ref": "ServiceTargetGroup" } } ] } }, "ServiceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Security group for service", "VpcId": { "Ref": "VpcId" } } }, "ServiceTargetGroup": { "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": { "HealthCheckIntervalSeconds": 6, "HealthCheckPath": "/", "HealthCheckProtocol": "HTTP", "HealthCheckTimeoutSeconds": 5, "HealthyThresholdCount": 2, "TargetType": "ip", "Port": { "Ref": "ContainerPort" }, "Protocol": "HTTP", "UnhealthyThresholdCount": 10, "VpcId": { "Ref": "VpcId" }, "TargetGroupAttributes": [ { "Key": "deregistration_delay.timeout_seconds", "Value": 0 } ] } }, "PublicLoadBalancerSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Access to the public facing load balancer", "VpcId": { "Ref": "VpcId" }, "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "IpProtocol": -1 } ] } }, "PublicLoadBalancer": { "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": { "Scheme": "internet-facing", "LoadBalancerAttributes": [ { "Key": "idle_timeout.timeout_seconds", "Value": "30" } ], "Subnets": { "Ref": "PublicSubnetIds" }, "SecurityGroups": [ { "Ref": "PublicLoadBalancerSG" } ] } }, "PublicLoadBalancerListener": { "Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": { "DefaultActions": [ { "Type": "forward", "ForwardConfig": { "TargetGroups": [ { "TargetGroupArn": { "Ref": "ServiceTargetGroup" }, "Weight": 100 } ] } } ], "LoadBalancerArn": { "Ref": "PublicLoadBalancer" }, "Port": 80, "Protocol": "HTTP" } }, "ServiceIngressfromLoadBalancer": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "Description": "Ingress from the public ALB", "GroupId": { "Ref": "ServiceSecurityGroup" }, "IpProtocol": -1, "SourceSecurityGroupId": { "Ref": "PublicLoadBalancerSG" } } }, "LogGroup": { "Type": "AWS::Logs::LogGroup" } } } ``` ### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Description: >- An example service that deploys in AWS VPC networking mode on EC2 capacity. Service uses a capacity provider to request EC2 instances to run on. Service runs with networking in private subnets, but still accessible to the internet via a load balancer hosted in public subnets. Parameters: VpcId: Type: String Description: The VPC that the service is running inside of PublicSubnetIds: Type: 'List' Description: List of public subnet ID's to put the load balancer in PrivateSubnetIds: Type: 'List' Description: List of private subnet ID's that the AWS VPC tasks are in ClusterName: Type: String Description: The name of the ECS cluster into which to launch capacity. ECSTaskExecutionRole: Type: String Description: The role used to start up an ECS task CapacityProvider: Type: String Description: >- The cluster capacity provider that the service should use to request capacity when it wants to start up a task ServiceName: Type: String Default: web Description: A name for the service ImageUrl: Type: String Default: 'public.ecr.aws/docker/library/nginx:latest' Description: >- The url of a docker image that contains the application process that will handle the traffic for this service ContainerCpu: Type: Number Default: 256 Description: How much CPU to give the container. 1024 is 1 CPU ContainerMemory: Type: Number Default: 512 Description: How much memory in megabytes to give the container ContainerPort: Type: Number Default: 80 Description: What port that the application expects traffic on DesiredCount: Type: Number Default: 2 Description: How many copies of the service task to run Resources: TaskDefinition: Type: AWS::ECS::TaskDefinition Properties: Family: !Ref ServiceName Cpu: !Ref ContainerCpu Memory: !Ref ContainerMemory NetworkMode: awsvpc RequiresCompatibilities: - EC2 ExecutionRoleArn: !Ref ECSTaskExecutionRole ContainerDefinitions: - Name: !Ref ServiceName Cpu: !Ref ContainerCpu Memory: !Ref ContainerMemory Image: !Ref ImageUrl PortMappings: - ContainerPort: !Ref ContainerPort HostPort: !Ref ContainerPort LogConfiguration: LogDriver: awslogs Options: mode: non-blocking max-buffer-size: 25m awslogs-group: !Ref LogGroup awslogs-region: !Ref AWS::Region awslogs-stream-prefix: !Ref ServiceName Service: Type: AWS::ECS::Service DependsOn: PublicLoadBalancerListener Properties: ServiceName: !Ref ServiceName Cluster: !Ref ClusterName PlacementStrategies: - Field: 'attribute:ecs.availability-zone' Type: spread - Field: cpu Type: binpack CapacityProviderStrategy: - Base: 0 CapacityProvider: !Ref CapacityProvider Weight: 1 NetworkConfiguration: AwsvpcConfiguration: SecurityGroups: - !Ref ServiceSecurityGroup Subnets: !Ref PrivateSubnetIds DeploymentConfiguration: MaximumPercent: 200 MinimumHealthyPercent: 75 DesiredCount: !Ref DesiredCount TaskDefinition: !Ref TaskDefinition LoadBalancers: - ContainerName: !Ref ServiceName ContainerPort: !Ref ContainerPort TargetGroupArn: !Ref ServiceTargetGroup ServiceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for service VpcId: !Ref VpcId ServiceTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: HealthCheckIntervalSeconds: 6 HealthCheckPath: / HealthCheckProtocol: HTTP HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 2 TargetType: ip Port: !Ref ContainerPort Protocol: HTTP UnhealthyThresholdCount: 10 VpcId: !Ref VpcId TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: 0 PublicLoadBalancerSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the public facing load balancer VpcId: !Ref VpcId SecurityGroupIngress: - CidrIp: 0.0.0.0/0 IpProtocol: -1 PublicLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing LoadBalancerAttributes: - Key: idle_timeout.timeout_seconds Value: '30' Subnets: !Ref PublicSubnetIds SecurityGroups: - !Ref PublicLoadBalancerSG PublicLoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward ForwardConfig: TargetGroups: - TargetGroupArn: !Ref ServiceTargetGroup Weight: 100 LoadBalancerArn: !Ref PublicLoadBalancer Port: 80 Protocol: HTTP ServiceIngressfromLoadBalancer: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Ingress from the public ALB GroupId: !Ref ServiceSecurityGroup IpProtocol: -1 SourceSecurityGroupId: !Ref PublicLoadBalancerSG LogGroup: Type: AWS::Logs::LogGroup ``` # Amazon Elastic File System Sample Template Amazon Elastic File System (Amazon EFS) is a file storage service for Amazon Elastic Compute Cloud (Amazon EC2) instances. With Amazon EFS, your applications have storage when they need it because storage capacity grows and shrinks automatically as you add and remove files. The following sample template deploys EC2 instances (in an Auto Scaling group) that are associated with an Amazon EFS file system. To associate the instances with the file system, the instances run the cfn-init helper script, which downloads and installs the `nfs-utils` yum package, creates a new directory, and then uses the file system's DNS name to mount the file system at that directory. The file system's DNS name resolves to a mount target's IP address in the Amazon EC2 instance's Availability Zone. For more information about the DNS name structure, see [Mounting File Systems](https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html) in the *Amazon Elastic File System User Guide*. To measure Network File System activity, the template includes custom Amazon CloudWatch metrics. The template also creates a VPC, subnet, and security groups. To allow the instances to communicate with the file system, the VPC must have DNS enabled, and the mount target and the EC2 instances must be in the same Availability Zone (AZ), which is specified by the subnet. The security group of the mount target enables a network connection to TCP port 2049, which is required for an NFSv4 client to mount a file system. For more information on security groups for EC2 instances and mount targets, see [Security](https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html) in the [https://docs.aws.amazon.com/efs/latest/ug/](https://docs.aws.amazon.com/efs/latest/ug/). **Note** If you make an update to the mount target that causes it to be replaced, instances or applications that use the associated file system might be disrupted. This can cause uncommitted writes to be lost. To avoid disruption, stop your instances when you update the mount target by setting the desired capacity to zero. This allows the instances to unmount the file system before the mount target is deleted. After the mount update has completed, start your instances in a subsequent update by setting the desired capacity. ## JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Description": "This template creates an Amazon EFS file system and mount target and associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template.", "Parameters": { "InstanceType" : { "Description" : "WebServer EC2 instance type", "Type" : "String", "Default" : "t2.small", "AllowedValues" : [ "t1.micro", "t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large", "m1.small", "m1.medium", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large", "c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge", "c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "g2.2xlarge", "g2.8xlarge", "r3.large", "r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge", "i2.xlarge", "i2.2xlarge", "i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge", "hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge" ], "ConstraintDescription" : "must be a valid EC2 instance type." }, "KeyName": { "Type": "AWS::EC2::KeyPair::KeyName", "Description": "Name of an existing EC2 key pair to enable SSH access to the EC2 instances" }, "AsgMaxSize": { "Type": "Number", "Description": "Maximum size and initial desired capacity of Auto Scaling Group", "Default": "2" }, "SSHLocation" : { "Description" : "The IP address range that can be used to connect to the EC2 instances by using SSH", "Type": "String", "MinLength": "9", "MaxLength": "18", "Default": "0.0.0.0/0", "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x." }, "VolumeName" : { "Description" : "The name to be used for the EFS volume", "Type": "String", "MinLength": "1", "Default": "myEFSvolume" }, "MountPoint" : { "Description" : "The Linux mount point for the EFS volume", "Type": "String", "MinLength": "1", "Default": "myEFSvolume" } }, "Mappings" : { "AWSInstanceType2Arch" : { "t1.micro" : { "Arch" : "HVM64" }, "t2.nano" : { "Arch" : "HVM64" }, "t2.micro" : { "Arch" : "HVM64" }, "t2.small" : { "Arch" : "HVM64" }, "t2.medium" : { "Arch" : "HVM64" }, "t2.large" : { "Arch" : "HVM64" }, "m1.small" : { "Arch" : "HVM64" }, "m1.medium" : { "Arch" : "HVM64" }, "m1.large" : { "Arch" : "HVM64" }, "m1.xlarge" : { "Arch" : "HVM64" }, "m2.xlarge" : { "Arch" : "HVM64" }, "m2.2xlarge" : { "Arch" : "HVM64" }, "m2.4xlarge" : { "Arch" : "HVM64" }, "m3.medium" : { "Arch" : "HVM64" }, "m3.large" : { "Arch" : "HVM64" }, "m3.xlarge" : { "Arch" : "HVM64" }, "m3.2xlarge" : { "Arch" : "HVM64" }, "m4.large" : { "Arch" : "HVM64" }, "m4.xlarge" : { "Arch" : "HVM64" }, "m4.2xlarge" : { "Arch" : "HVM64" }, "m4.4xlarge" : { "Arch" : "HVM64" }, "m4.10xlarge" : { "Arch" : "HVM64" }, "c1.medium" : { "Arch" : "HVM64" }, "c1.xlarge" : { "Arch" : "HVM64" }, "c3.large" : { "Arch" : "HVM64" }, "c3.xlarge" : { "Arch" : "HVM64" }, "c3.2xlarge" : { "Arch" : "HVM64" }, "c3.4xlarge" : { "Arch" : "HVM64" }, "c3.8xlarge" : { "Arch" : "HVM64" }, "c4.large" : { "Arch" : "HVM64" }, "c4.xlarge" : { "Arch" : "HVM64" }, "c4.2xlarge" : { "Arch" : "HVM64" }, "c4.4xlarge" : { "Arch" : "HVM64" }, "c4.8xlarge" : { "Arch" : "HVM64" }, "g2.2xlarge" : { "Arch" : "HVMG2" }, "g2.8xlarge" : { "Arch" : "HVMG2" }, "r3.large" : { "Arch" : "HVM64" }, "r3.xlarge" : { "Arch" : "HVM64" }, "r3.2xlarge" : { "Arch" : "HVM64" }, "r3.4xlarge" : { "Arch" : "HVM64" }, "r3.8xlarge" : { "Arch" : "HVM64" }, "i2.xlarge" : { "Arch" : "HVM64" }, "i2.2xlarge" : { "Arch" : "HVM64" }, "i2.4xlarge" : { "Arch" : "HVM64" }, "i2.8xlarge" : { "Arch" : "HVM64" }, "d2.xlarge" : { "Arch" : "HVM64" }, "d2.2xlarge" : { "Arch" : "HVM64" }, "d2.4xlarge" : { "Arch" : "HVM64" }, "d2.8xlarge" : { "Arch" : "HVM64" }, "hi1.4xlarge" : { "Arch" : "HVM64" }, "hs1.8xlarge" : { "Arch" : "HVM64" }, "cr1.8xlarge" : { "Arch" : "HVM64" }, "cc2.8xlarge" : { "Arch" : "HVM64" } }, "AWSRegionArch2AMI" : { "us-east-1" : {"HVM64" : "ami-0ff8a91507f77f867", "HVMG2" : "ami-0a584ac55a7631c0c"}, "us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" : "ami-0e09505bc235aa82d"}, "us-west-1" : {"HVM64" : "ami-0bdb828fd58c52235", "HVMG2" : "ami-066ee5fd4a9ef77f1"}, "eu-west-1" : {"HVM64" : "ami-047bb4163c506cd98", "HVMG2" : "ami-0a7c483d527806435"}, "eu-west-2" : {"HVM64" : "ami-f976839e", "HVMG2" : "NOT_SUPPORTED"}, "eu-west-3" : {"HVM64" : "ami-0ebc281c20e89ba4b", "HVMG2" : "NOT_SUPPORTED"}, "eu-central-1" : {"HVM64" : "ami-0233214e13e500f77", "HVMG2" : "ami-06223d46a6d0661c7"}, "ap-northeast-1" : {"HVM64" : "ami-06cd52961ce9f0d85", "HVMG2" : "ami-053cdd503598e4a9d"}, "ap-northeast-2" : {"HVM64" : "ami-0a10b2721688ce9d2", "HVMG2" : "NOT_SUPPORTED"}, "ap-northeast-3" : {"HVM64" : "ami-0d98120a9fb693f07", "HVMG2" : "NOT_SUPPORTED"}, "ap-southeast-1" : {"HVM64" : "ami-08569b978cc4dfa10", "HVMG2" : "ami-0be9df32ae9f92309"}, "ap-southeast-2" : {"HVM64" : "ami-09b42976632b27e9b", "HVMG2" : "ami-0a9ce9fecc3d1daf8"}, "ap-south-1" : {"HVM64" : "ami-0912f71e06545ad88", "HVMG2" : "ami-097b15e89dbdcfcf4"}, "us-east-2" : {"HVM64" : "ami-0b59bfac6be064b78", "HVMG2" : "NOT_SUPPORTED"}, "ca-central-1" : {"HVM64" : "ami-0b18956f", "HVMG2" : "NOT_SUPPORTED"}, "sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" : "NOT_SUPPORTED"}, "cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"}, "cn-northwest-1" : {"HVM64" : "ami-6b6a7d09", "HVMG2" : "NOT_SUPPORTED"} } }, "Resources": { "CloudWatchPutMetricsRole" : { "Type" : "AWS::IAM::Role", "Properties" : { "AssumeRolePolicyDocument" : { "Statement" : [ { "Effect" : "Allow", "Principal" : { "Service" : [ "ec2.amazonaws.com" ] }, "Action" : [ "sts:AssumeRole" ] } ] }, "Path" : "/" } }, "CloudWatchPutMetricsRolePolicy" : { "Type" : "AWS::IAM::Policy", "Properties" : { "PolicyName" : "CloudWatch_PutMetricData", "PolicyDocument" : { "Version": "2012-10-17", "Statement": [ { "Sid": "CloudWatchPutMetricData", "Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": ["*"] } ] }, "Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ] } }, "CloudWatchPutMetricsInstanceProfile" : { "Type" : "AWS::IAM::InstanceProfile", "Properties" : { "Path" : "/", "Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ] } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "EnableDnsSupport" : "true", "EnableDnsHostnames" : "true", "CidrBlock": "10.0.0.0/16", "Tags": [ {"Key": "Application", "Value": { "Ref": "AWS::StackId"} } ] } }, "InternetGateway" : { "Type" : "AWS::EC2::InternetGateway", "Properties" : { "Tags" : [ { "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } }, { "Key" : "Network", "Value" : "Public" } ] } }, "GatewayToInternet" : { "Type" : "AWS::EC2::VPCGatewayAttachment", "Properties" : { "VpcId" : { "Ref" : "VPC" }, "InternetGatewayId" : { "Ref" : "InternetGateway" } } }, "RouteTable":{ "Type":"AWS::EC2::RouteTable", "Properties":{ "VpcId": {"Ref":"VPC"} } }, "SubnetRouteTableAssoc": { "Type" : "AWS::EC2::SubnetRouteTableAssociation", "Properties" : { "RouteTableId" : {"Ref":"RouteTable"}, "SubnetId" : {"Ref":"Subnet"} } }, "InternetGatewayRoute": { "Type":"AWS::EC2::Route", "Properties":{ "DestinationCidrBlock":"0.0.0.0/0", "RouteTableId":{"Ref":"RouteTable"}, "GatewayId":{"Ref":"InternetGateway"} } }, "Subnet": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "VPC" }, "CidrBlock": "10.0.0.0/24", "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } } ] } }, "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPC" }, "GroupDescription": "Enable SSH access via port 22", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": { "Ref": "SSHLocation" } }, { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ] } }, "MountTargetSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPC" }, "GroupDescription": "Security group for mount target", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "CidrIp": "0.0.0.0/0" } ] } }, "FileSystem": { "Type": "AWS::EFS::FileSystem", "Properties": { "PerformanceMode": "generalPurpose", "FileSystemTags": [ { "Key": "Name", "Value": { "Ref" : "VolumeName" } } ] } }, "MountTarget": { "Type": "AWS::EFS::MountTarget", "Properties": { "FileSystemId": { "Ref": "FileSystem" }, "SubnetId": { "Ref": "Subnet" }, "SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ] } }, "LaunchConfiguration": { "Type": "AWS::AutoScaling::LaunchConfiguration", "Metadata" : { "AWS::CloudFormation::Init" : { "configSets" : { "MountConfig" : [ "setup", "mount" ] }, "setup" : { "packages" : { "yum" : { "nfs-utils" : [] } }, "files" : { "/home/ec2-user/post_nfsstat" : { "content" : { "Fn::Join" : [ "", [ "#!/bin/bash\n", "\n", "INPUT=\"$(cat)\"\n", "CW_JSON_OPEN='{ \"Namespace\": \"EFS\", \"MetricData\": [ '\n", "CW_JSON_CLOSE=' ] }'\n", "CW_JSON_METRIC=''\n", "METRIC_COUNTER=0\n", "\n", "for COL in 1 2 3 4 5 6; do\n", "\n", " COUNTER=0\n", " METRIC_FIELD=$COL\n", " DATA_FIELD=$(($COL+($COL-1)))\n", "\n", " while read line; do\n", " if [[ COUNTER -gt 0 ]]; then\n", "\n", " LINE=`echo $line | tr -s ' ' `\n", " AWS_COMMAND=\"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, "\"\n", " MOD=$(( $COUNTER % 2))\n", "\n", " if [ $MOD -eq 1 ]; then\n", " METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`\n", " else\n", " METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`\n", " fi\n", "\n", " if [[ -n \"$METRIC_NAME\" && -n \"$METRIC_VALUE\" ]]; then\n", " INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", " CW_JSON_METRIC=\"$CW_JSON_METRIC { \\\"MetricName\\\": \\\"$METRIC_NAME\\\", \\\"Dimensions\\\": [{\\\"Name\\\": \\\"InstanceId\\\", \\\"Value\\\": \\\"$INSTANCE_ID\\\"} ], \\\"Value\\\": $METRIC_VALUE },\"\n", " unset METRIC_NAME\n", " unset METRIC_VALUE\n", "\n", " METRIC_COUNTER=$((METRIC_COUNTER+1))\n", " if [ $METRIC_COUNTER -eq 20 ]; then\n", " # 20 is max metric collection size, so we have to submit here\n", " aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\"\n", "\n", " # reset\n", " METRIC_COUNTER=0\n", " CW_JSON_METRIC=''\n", " fi\n", " fi \n", "\n", "\n", "\n", " COUNTER=$((COUNTER+1))\n", " fi\n", "\n", " if [[ \"$line\" == \"Client nfs v4:\" ]]; then\n", " # the next line is the good stuff \n", " COUNTER=$((COUNTER+1))\n", " fi\n", " done <<< \"$INPUT\"\n", "done\n", "\n", "# submit whatever is left\n", "aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\"" ] ] }, "mode": "000755", "owner": "ec2-user", "group": "ec2-user" }, "/home/ec2-user/crontab" : { "content" : { "Fn::Join" : [ "", [ "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n" ] ] }, "owner": "ec2-user", "group": "ec2-user" } }, "commands" : { "01_createdir" : { "command" : {"Fn::Join" : [ "", [ "mkdir /", { "Ref" : "MountPoint" }]]} } } }, "mount" : { "commands" : { "01_mount" : { "command" : { "Fn::Sub": "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}"} }, "02_permissions" : { "command" : {"Fn::Join" : [ "", [ "chown ec2-user:ec2-user /", { "Ref" : "MountPoint" }]]} } } } } }, "Properties": { "AssociatePublicIpAddress" : true, "ImageId": { "Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, { "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ] } ] }, "InstanceType": { "Ref": "InstanceType" }, "KeyName": { "Ref": "KeyName" }, "SecurityGroups": [ { "Ref": "InstanceSecurityGroup" } ], "IamInstanceProfile" : { "Ref" : "CloudWatchPutMetricsInstanceProfile" }, "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [ "#!/bin/bash -xe\n", "yum install -y aws-cfn-bootstrap\n", "/opt/aws/bin/cfn-init -v ", " --stack ", { "Ref" : "AWS::StackName" }, " --resource LaunchConfiguration ", " --configsets MountConfig ", " --region ", { "Ref" : "AWS::Region" }, "\n", "crontab /home/ec2-user/crontab\n", "/opt/aws/bin/cfn-signal -e $? ", " --stack ", { "Ref" : "AWS::StackName" }, " --resource AutoScalingGroup ", " --region ", { "Ref" : "AWS::Region" }, "\n" ]]}} } }, "AutoScalingGroup": { "Type": "AWS::AutoScaling::AutoScalingGroup", "DependsOn": ["MountTarget", "GatewayToInternet"], "CreationPolicy" : { "ResourceSignal" : { "Timeout" : "PT15M", "Count" : { "Ref": "AsgMaxSize" } } }, "Properties": { "VPCZoneIdentifier": [ { "Ref": "Subnet" } ], "LaunchConfigurationName": { "Ref": "LaunchConfiguration" }, "MinSize": "1", "MaxSize": { "Ref": "AsgMaxSize" }, "DesiredCapacity": { "Ref": "AsgMaxSize" }, "Tags": [ { "Key": "Name", "Value": "EFS FileSystem Mounted Instance", "PropagateAtLaunch": "true" } ] } } }, "Outputs" : { "MountTargetID" : { "Description" : "Mount target ID", "Value" : { "Ref" : "MountTarget" } }, "FileSystemID" : { "Description" : "File system ID", "Value" : { "Ref" : "FileSystem" } } } } ``` ## YAML ``` AWSTemplateFormatVersion: '2010-09-09' Description: This template creates an Amazon EFS file system and mount target and associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. Parameters: InstanceType: Description: WebServer EC2 instance type Type: String Default: t2.small AllowedValues: - t1.micro - t2.nano - t2.micro - t2.small - t2.medium - t2.large - m1.small - m1.medium - m1.large - m1.xlarge - m2.xlarge - m2.2xlarge - m2.4xlarge - m3.medium - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m4.10xlarge - c1.medium - c1.xlarge - c3.large - c3.xlarge - c3.2xlarge - c3.4xlarge - c3.8xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - g2.2xlarge - g2.8xlarge - r3.large - r3.xlarge - r3.2xlarge - r3.4xlarge - r3.8xlarge - i2.xlarge - i2.2xlarge - i2.4xlarge - i2.8xlarge - d2.xlarge - d2.2xlarge - d2.4xlarge - d2.8xlarge - hi1.4xlarge - hs1.8xlarge - cr1.8xlarge - cc2.8xlarge - cg1.4xlarge ConstraintDescription: must be a valid EC2 instance type. KeyName: Type: AWS::EC2::KeyPair::KeyName Description: Name of an existing EC2 key pair to enable SSH access to the ECS instances AsgMaxSize: Type: Number Description: Maximum size and initial desired capacity of Auto Scaling Group Default: '2' SSHLocation: Description: The IP address range that can be used to connect to the EC2 instances by using SSH Type: String MinLength: '9' MaxLength: '18' Default: 0.0.0.0/0 AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})" ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. VolumeName: Description: The name to be used for the EFS volume Type: String MinLength: '1' Default: myEFSvolume MountPoint: Description: The Linux mount point for the EFS volume Type: String MinLength: '1' Default: myEFSvolume Mappings: AWSInstanceType2Arch: t1.micro: Arch: HVM64 t2.nano: Arch: HVM64 t2.micro: Arch: HVM64 t2.small: Arch: HVM64 t2.medium: Arch: HVM64 t2.large: Arch: HVM64 m1.small: Arch: HVM64 m1.medium: Arch: HVM64 m1.large: Arch: HVM64 m1.xlarge: Arch: HVM64 m2.xlarge: Arch: HVM64 m2.2xlarge: Arch: HVM64 m2.4xlarge: Arch: HVM64 m3.medium: Arch: HVM64 m3.large: Arch: HVM64 m3.xlarge: Arch: HVM64 m3.2xlarge: Arch: HVM64 m4.large: Arch: HVM64 m4.xlarge: Arch: HVM64 m4.2xlarge: Arch: HVM64 m4.4xlarge: Arch: HVM64 m4.10xlarge: Arch: HVM64 c1.medium: Arch: HVM64 c1.xlarge: Arch: HVM64 c3.large: Arch: HVM64 c3.xlarge: Arch: HVM64 c3.2xlarge: Arch: HVM64 c3.4xlarge: Arch: HVM64 c3.8xlarge: Arch: HVM64 c4.large: Arch: HVM64 c4.xlarge: Arch: HVM64 c4.2xlarge: Arch: HVM64 c4.4xlarge: Arch: HVM64 c4.8xlarge: Arch: HVM64 g2.2xlarge: Arch: HVMG2 g2.8xlarge: Arch: HVMG2 r3.large: Arch: HVM64 r3.xlarge: Arch: HVM64 r3.2xlarge: Arch: HVM64 r3.4xlarge: Arch: HVM64 r3.8xlarge: Arch: HVM64 i2.xlarge: Arch: HVM64 i2.2xlarge: Arch: HVM64 i2.4xlarge: Arch: HVM64 i2.8xlarge: Arch: HVM64 d2.xlarge: Arch: HVM64 d2.2xlarge: Arch: HVM64 d2.4xlarge: Arch: HVM64 d2.8xlarge: Arch: HVM64 hi1.4xlarge: Arch: HVM64 hs1.8xlarge: Arch: HVM64 cr1.8xlarge: Arch: HVM64 cc2.8xlarge: Arch: HVM64 AWSRegionArch2AMI: us-east-1: HVM64: ami-0ff8a91507f77f867 HVMG2: ami-0a584ac55a7631c0c us-west-2: HVM64: ami-a0cfeed8 HVMG2: ami-0e09505bc235aa82d us-west-1: HVM64: ami-0bdb828fd58c52235 HVMG2: ami-066ee5fd4a9ef77f1 eu-west-1: HVM64: ami-047bb4163c506cd98 HVMG2: ami-0a7c483d527806435 eu-west-2: HVM64: ami-f976839e HVMG2: NOT_SUPPORTED eu-west-3: HVM64: ami-0ebc281c20e89ba4b HVMG2: NOT_SUPPORTED eu-central-1: HVM64: ami-0233214e13e500f77 HVMG2: ami-06223d46a6d0661c7 ap-northeast-1: HVM64: ami-06cd52961ce9f0d85 HVMG2: ami-053cdd503598e4a9d ap-northeast-2: HVM64: ami-0a10b2721688ce9d2 HVMG2: NOT_SUPPORTED ap-northeast-3: HVM64: ami-0d98120a9fb693f07 HVMG2: NOT_SUPPORTED ap-southeast-1: HVM64: ami-08569b978cc4dfa10 HVMG2: ami-0be9df32ae9f92309 ap-southeast-2: HVM64: ami-09b42976632b27e9b HVMG2: ami-0a9ce9fecc3d1daf8 ap-south-1: HVM64: ami-0912f71e06545ad88 HVMG2: ami-097b15e89dbdcfcf4 us-east-2: HVM64: ami-0b59bfac6be064b78 HVMG2: NOT_SUPPORTED ca-central-1: HVM64: ami-0b18956f HVMG2: NOT_SUPPORTED sa-east-1: HVM64: ami-07b14488da8ea02a0 HVMG2: NOT_SUPPORTED cn-north-1: HVM64: ami-0a4eaf6c4454eda75 HVMG2: NOT_SUPPORTED cn-northwest-1: HVM64: ami-6b6a7d09 HVMG2: NOT_SUPPORTED Resources: CloudWatchPutMetricsRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: "/" CloudWatchPutMetricsRolePolicy: Type: AWS::IAM::Policy Properties: PolicyName: CloudWatch_PutMetricData PolicyDocument: Version: '2012-10-17' Statement: - Sid: CloudWatchPutMetricData Effect: Allow Action: - cloudwatch:PutMetricData Resource: - "*" Roles: - Ref: CloudWatchPutMetricsRole CloudWatchPutMetricsInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - Ref: CloudWatchPutMetricsRole VPC: Type: AWS::EC2::VPC Properties: EnableDnsSupport: 'true' EnableDnsHostnames: 'true' CidrBlock: 10.0.0.0/16 Tags: - Key: Application Value: Ref: AWS::StackId InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Application Value: Ref: AWS::StackName - Key: Network Value: Public GatewayToInternet: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: Ref: VPC InternetGatewayId: Ref: InternetGateway RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: VPC SubnetRouteTableAssoc: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: Ref: RouteTable SubnetId: Ref: Subnet InternetGatewayRoute: Type: AWS::EC2::Route Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: Ref: RouteTable GatewayId: Ref: InternetGateway Subnet: Type: AWS::EC2::Subnet Properties: VpcId: Ref: VPC CidrBlock: 10.0.0.0/24 Tags: - Key: Application Value: Ref: AWS::StackId InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: Ref: VPC GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: Ref: SSHLocation - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 MountTargetSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: Ref: VPC GroupDescription: Security group for mount target SecurityGroupIngress: - IpProtocol: tcp FromPort: 2049 ToPort: 2049 CidrIp: 0.0.0.0/0 FileSystem: Type: AWS::EFS::FileSystem Properties: PerformanceMode: generalPurpose FileSystemTags: - Key: Name Value: Ref: VolumeName MountTarget: Type: AWS::EFS::MountTarget Properties: FileSystemId: Ref: FileSystem SubnetId: Ref: Subnet SecurityGroups: - Ref: MountTargetSecurityGroup LaunchConfiguration: Type: AWS::AutoScaling::LaunchConfiguration Metadata: AWS::CloudFormation::Init: configSets: MountConfig: - setup - mount setup: packages: yum: nfs-utils: [] files: "/home/ec2-user/post_nfsstat": content: !Sub | #!/bin/bash INPUT="$(cat)" CW_JSON_OPEN='{ "Namespace": "EFS", "MetricData": [ ' CW_JSON_CLOSE=' ] }' CW_JSON_METRIC='' METRIC_COUNTER=0 for COL in 1 2 3 4 5 6; do COUNTER=0 METRIC_FIELD=$COL DATA_FIELD=$(($COL+($COL-1))) while read line; do if [[ COUNTER -gt 0 ]]; then LINE=`echo $line | tr -s ' ' ` AWS_COMMAND="aws cloudwatch put-metric-data --region ${AWS::Region}" MOD=$(( $COUNTER % 2)) if [ $MOD -eq 1 ]; then METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD` else METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD` fi if [[ -n "$METRIC_NAME" && -n "$METRIC_VALUE" ]]; then INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) CW_JSON_METRIC="$CW_JSON_METRIC { \"MetricName\": \"$METRIC_NAME\", \"Dimensions\": [{\"Name\": \"InstanceId\", \"Value\": \"$INSTANCE_ID\"} ], \"Value\": $METRIC_VALUE }," unset METRIC_NAME unset METRIC_VALUE METRIC_COUNTER=$((METRIC_COUNTER+1)) if [ $METRIC_COUNTER -eq 20 ]; then # 20 is max metric collection size, so we have to submit here aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`" # reset METRIC_COUNTER=0 CW_JSON_METRIC='' fi fi COUNTER=$((COUNTER+1)) fi if [[ "$line" == "Client nfs v4:" ]]; then # the next line is the good stuff COUNTER=$((COUNTER+1)) fi done <<< "$INPUT" done # submit whatever is left aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`" mode: '000755' owner: ec2-user group: ec2-user "/home/ec2-user/crontab": content: "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n" owner: ec2-user group: ec2-user commands: 01_createdir: command: !Sub "mkdir /${MountPoint}" mount: commands: 01_mount: command: !Sub > mount -t nfs4 -o nfsvers=4.1 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint} 02_permissions: command: !Sub "chown ec2-user:ec2-user /${MountPoint}" Properties: AssociatePublicIpAddress: true ImageId: Fn::FindInMap: - AWSRegionArch2AMI - Ref: AWS::Region - Fn::FindInMap: - AWSInstanceType2Arch - Ref: InstanceType - Arch InstanceType: Ref: InstanceType KeyName: Ref: KeyName SecurityGroups: - Ref: InstanceSecurityGroup IamInstanceProfile: Ref: CloudWatchPutMetricsInstanceProfile UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum install -y aws-cfn-bootstrap /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfiguration --configsets MountConfig --region ${AWS::Region} crontab /home/ec2-user/crontab /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region} AutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup DependsOn: - MountTarget - GatewayToInternet CreationPolicy: ResourceSignal: Timeout: PT15M Count: Ref: AsgMaxSize Properties: VPCZoneIdentifier: - Ref: Subnet LaunchConfigurationName: Ref: LaunchConfiguration MinSize: '1' MaxSize: Ref: AsgMaxSize DesiredCapacity: Ref: AsgMaxSize Tags: - Key: Name Value: EFS FileSystem Mounted Instance PropagateAtLaunch: 'true' Outputs: MountTargetID: Description: Mount target ID Value: Ref: MountTarget FileSystemID: Description: File system ID Value: Ref: FileSystem ``` # Elastic Beanstalk template snippets With Elastic Beanstalk, you can quickly deploy and manage applications in AWS without worrying about the infrastructure that runs those applications. The following sample template can help you describe Elastic Beanstalk resources in your CloudFormation template. ## Elastic Beanstalk sample PHP The following sample template deploys a sample PHP web application that's stored in an Amazon S3 bucket. The environment is also an auto-scaling, load-balancing environment, with a minimum of two Amazon EC2 instances and a maximum of six. It shows an Elastic Beanstalk environment that uses a legacy launch configuration. For information about using a launch template instead, see [Launch Templates](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-autoscaling-launch-templates.html) in the *AWS Elastic Beanstalk Developer Guide*. Replace `solution-stack` with a solution stack name (platform version). For a list of available solution stacks, use the AWS CLI command **aws elasticbeanstalk list-available-solution-stacks**. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "sampleApplication": { "Type": "AWS::ElasticBeanstalk::Application", "Properties": { "Description": "AWS Elastic Beanstalk Sample Application" } }, "sampleApplicationVersion": { "Type": "AWS::ElasticBeanstalk::ApplicationVersion", "Properties": { "ApplicationName": { "Ref": "sampleApplication" }, "Description": "AWS ElasticBeanstalk Sample Application Version", "SourceBundle": { "S3Bucket": { "Fn::Sub": "elasticbeanstalk-samples-${AWS::Region}" }, "S3Key": "php-newsample-app.zip" } } }, "sampleConfigurationTemplate": { "Type": "AWS::ElasticBeanstalk::ConfigurationTemplate", "Properties": { "ApplicationName": { "Ref": "sampleApplication" }, "Description": "AWS ElasticBeanstalk Sample Configuration Template", "OptionSettings": [ { "Namespace": "aws:autoscaling:asg", "OptionName": "MinSize", "Value": "2" }, { "Namespace": "aws:autoscaling:asg", "OptionName": "MaxSize", "Value": "6" }, { "Namespace": "aws:elasticbeanstalk:environment", "OptionName": "EnvironmentType", "Value": "LoadBalanced" }, { "Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "IamInstanceProfile", "Value": { "Ref": "MyInstanceProfile" } } ], "SolutionStackName": "solution-stack" } }, "sampleEnvironment": { "Type": "AWS::ElasticBeanstalk::Environment", "Properties": { "ApplicationName": { "Ref": "sampleApplication" }, "Description": "AWS ElasticBeanstalk Sample Environment", "TemplateName": { "Ref": "sampleConfigurationTemplate" }, "VersionLabel": { "Ref": "sampleApplicationVersion" } } }, "MyInstanceRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Description": "Beanstalk EC2 role", "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier", "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker", "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier" ] } }, "MyInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "MyInstanceRole" } ] } } } } ``` ### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Resources: sampleApplication: Type: AWS::ElasticBeanstalk::Application Properties: Description: AWS Elastic Beanstalk Sample Application sampleApplicationVersion: Type: AWS::ElasticBeanstalk::ApplicationVersion Properties: ApplicationName: Ref: sampleApplication Description: AWS ElasticBeanstalk Sample Application Version SourceBundle: S3Bucket: !Sub "elasticbeanstalk-samples-${AWS::Region}" S3Key: php-newsample-app.zip sampleConfigurationTemplate: Type: AWS::ElasticBeanstalk::ConfigurationTemplate Properties: ApplicationName: Ref: sampleApplication Description: AWS ElasticBeanstalk Sample Configuration Template OptionSettings: - Namespace: aws:autoscaling:asg OptionName: MinSize Value: '2' - Namespace: aws:autoscaling:asg OptionName: MaxSize Value: '6' - Namespace: aws:elasticbeanstalk:environment OptionName: EnvironmentType Value: LoadBalanced - Namespace: aws:autoscaling:launchconfiguration OptionName: IamInstanceProfile Value: !Ref MyInstanceProfile SolutionStackName: solution-stack sampleEnvironment: Type: AWS::ElasticBeanstalk::Environment Properties: ApplicationName: Ref: sampleApplication Description: AWS ElasticBeanstalk Sample Environment TemplateName: Ref: sampleConfigurationTemplate VersionLabel: Ref: sampleApplicationVersion MyInstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Description: Beanstalk EC2 role ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier - arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker - arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier MyInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Roles: - !Ref MyInstanceRole ``` # Elastic Load Balancing template snippets To create an Application Load Balancer, a Network Load Balancer, or a Gateway Load Balancer, use the V2 resource types, which start with `AWS::ElasticLoadBalancingV2`. To create a Classic Load Balancer, use the resource types that start with `AWS::ElasticLoadBalancing`. **Topics** + [ELBv2 resources](#scenario-elbv2-load-balancer) + [Classic Load Balancer resources](#scenario-elb-load-balancer) ## ELBv2 resources This example defines an Application Load Balancer with an HTTP listener and a default action that forwards traffic to the target group. The load balancer uses the default health check settings. The target group has two registered EC2 instances. ------ #### [ YAML ] ``` Resources: myLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: my-alb Type: application Scheme: internal Subnets: - !Ref subnet-AZ1 - !Ref subnet-AZ2 SecurityGroups: - !Ref mySecurityGroup myHTTPlistener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: !Ref myLoadBalancer Protocol: HTTP Port: 80 DefaultActions: - Type: "forward" TargetGroupArn: !Ref myTargetGroup myTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: "my-target-group" Protocol: HTTP Port: 80 TargetType: instance VpcId: !Ref myVPC Targets: - Id: !GetAtt Instance1.InstanceId Port: 80 - Id: !GetAtt Instance2.InstanceId Port: 80 ``` ------ #### [ JSON ] ``` { "Resources": { "myLoadBalancer": { "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": { "Name": "my-alb", "Type": "application", "Scheme": "internal", "Subnets": [ { "Ref": "subnet-AZ1" }, { "Ref": "subnet-AZ2" } ], "SecurityGroups": [ { "Ref": "mySecurityGroup" } ] } }, "myHTTPlistener": { "Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": { "LoadBalancerArn": { "Ref": "myLoadBalancer" }, "Protocol": "HTTP", "Port": 80, "DefaultActions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "myTargetGroup" } } ] } }, "myTargetGroup": { "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": { "Name": "my-target-group", "Protocol": "HTTP", "Port": 80, "TargetType": "instance", "VpcId": { "Ref": "myVPC" }, "Targets": [ { "Id": { "Fn::GetAtt": [ "Instance1", "InstanceId" ] }, "Port": 80 }, { "Id": { "Fn::GetAtt": [ "Instance2", "InstanceId" ] }, "Port": 80 } ] } } } } ``` ------ ## Classic Load Balancer resources This example defines a Classic Load Balancer with an HTTP listener and no registered EC2 instances. The load balancer uses the default health check settings. ------ #### [ YAML ] ``` myLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-1a" Listeners: - LoadBalancerPort: '80' InstancePort: '80' Protocol: HTTP ``` ------ #### [ JSON ] ``` "myLoadBalancer" : { "Type" : "AWS::ElasticLoadBalancing::LoadBalancer", "Properties" : { "AvailabilityZones" : [ "us-east-1a" ], "Listeners" : [ { "LoadBalancerPort" : "80", "InstancePort" : "80", "Protocol" : "HTTP" } ] } } ``` ------ This example defines a Classic Load Balancer with an HTTP listener, two registered EC2 instances, and custom health check settings. ------ #### [ YAML ] ``` myClassicLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-1a" Instances: - Ref: Instance1 - Ref: Instance2 Listeners: - LoadBalancerPort: '80' InstancePort: '80' Protocol: HTTP HealthCheck: Target: HTTP:80/ HealthyThreshold: '3' UnhealthyThreshold: '5' Interval: '30' Timeout: '5' ``` ------ #### [ JSON ] ``` "myClassicLoadBalancer" : { "Type" : "AWS::ElasticLoadBalancing::LoadBalancer", "Properties" : { "AvailabilityZones" : [ "us-east-1a" ], "Instances" : [ { "Ref" : "Instance1" }, { "Ref" : "Instance2" } ], "Listeners" : [ { "LoadBalancerPort" : "80", "InstancePort" : "80", "Protocol" : "HTTP" } ], "HealthCheck" : { "Target" : "HTTP:80/", "HealthyThreshold" : "3", "UnhealthyThreshold" : "5", "Interval" : "30", "Timeout" : "5" } } } ``` ------ # AWS Identity and Access Management template snippets This section contains AWS Identity and Access Management template snippets. **Topics** + [Declaring an IAM user resource](#scenario-iam-user) + [Declaring an IAM access key resource](#scenario-iam-accesskey) + [Declaring an IAM group resource](#scenario-iam-group) + [Adding users to a group](#scenario-iam-addusertogroup) + [Declaring an IAM policy](#scenario-iam-policy) + [Declaring an Amazon S3 bucket policy](#scenario-bucket-policy) + [Declaring an Amazon SNS topic policy](#scenario-sns-policy) + [Declaring an Amazon SQS policy](#scenario-sqs-policy) + [IAM role template examples](#scenarios-iamroles) **Important** When creating or updating a stack using a template containing IAM resources, you must acknowledge the use of IAM capabilities. For more information, see [Acknowledging IAM resources in CloudFormation templates](control-access-with-iam.md#using-iam-capabilities). ## Declaring an IAM user resource This snippet shows how to declare an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource to create an IAM user. The user is declared with the path (`"/"`) and a login profile with the password (`myP@ssW0rd`). The policy document named `giveaccesstoqueueonly` gives the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource `myqueue`, and denies access to all other Amazon SQS queue resources. The `Fn::GetAtt` function gets the Arn attribute of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) resource `myqueue`. The policy document named `giveaccesstotopiconly` is added to the user to give the user permission to perform all Amazon SNS actions on the Amazon SNS topic resource `mytopic` and to deny access to all other Amazon SNS resources. The `Ref` function gets the ARN of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource `mytopic`. ### JSON ``` "myuser" : { "Type" : "AWS::IAM::User", "Properties" : { "Path" : "/", "LoginProfile" : { "Password" : "myP@ssW0rd" }, "Policies" : [ { "PolicyName" : "giveaccesstoqueueonly", "PolicyDocument" : { "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "sqs:*" ], "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ] }, { "Effect" : "Deny", "Action" : [ "sqs:*" ], "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ] } ] } }, { "PolicyName" : "giveaccesstotopiconly", "PolicyDocument" : { "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "sns:*" ], "Resource" : [ { "Ref" : "mytopic" } ] }, { "Effect" : "Deny", "Action" : [ "sns:*" ], "NotResource" : [ { "Ref" : "mytopic" } ] } ] } } ] } } ``` ### YAML ``` myuser: Type: AWS::IAM::User Properties: Path: "/" LoginProfile: Password: myP@ssW0rd Policies: - PolicyName: giveaccesstoqueueonly PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sqs:* Resource: - !GetAtt myqueue.Arn - Effect: Deny Action: - sqs:* NotResource: - !GetAtt myqueue.Arn - PolicyName: giveaccesstotopiconly PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sns:* Resource: - !Ref mytopic - Effect: Deny Action: - sns:* NotResource: - !Ref mytopic ``` ## Declaring an IAM access key resource ### This snippet shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html) resource. The `myaccesskey` resource creates an access key and assigns it to an IAM user that is declared as an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource in the template. #### JSON ``` "myaccesskey" : { "Type" : "AWS::IAM::AccessKey", "Properties" : { "UserName" : { "Ref" : "myuser" } } } ``` #### YAML ``` myaccesskey: Type: AWS::IAM::AccessKey Properties: UserName: !Ref myuser ``` ### You can get the secret key for an `AWS::IAM::AccessKey` resource using the `Fn::GetAtt` function. One way to retrieve the secret key is to put it into an `Output` value. You can get the access key using the `Ref` function. The following `Output` value declarations get the access key and secret key for `myaccesskey`. #### JSON ``` "AccessKeyformyaccesskey" : { "Value" : { "Ref" : "myaccesskey" } }, "SecretKeyformyaccesskey" : { "Value" : { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] } } ``` #### YAML ``` AccessKeyformyaccesskey: Value: !Ref myaccesskey SecretKeyformyaccesskey: Value: !GetAtt myaccesskey.SecretAccessKey ``` ### You can also pass the AWS access key and secret key to an Amazon EC2 instance or Auto Scaling group defined in the template. The following [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) declaration uses the `UserData` property to pass the access key and secret key for the `myaccesskey` resource. #### JSON ``` "myinstance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "AvailabilityZone" : "us-east-1a", "ImageId" : "ami-0ff8a91507f77f867", "UserData" : { "Fn::Base64" : { "Fn::Join" : [ "", [ "ACCESS_KEY=", { "Ref" : "myaccesskey" }, "&", "SECRET_KEY=", { "Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ] } ] ] } } } } ``` #### YAML ``` myinstance: Type: AWS::EC2::Instance Properties: AvailabilityZone: "us-east-1a" ImageId: ami-0ff8a91507f77f867 UserData: Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}" ``` ## Declaring an IAM group resource This snippet shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html) resource. The group has a path (`"/myapplication/"`). The policy document named `myapppolicy` is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue and deny access to all other Amazon SQS resources except `myqueue`. To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) for the resource. In the snippet, the `Fn::GetAtt` function gets the ARN of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) resource queue. ### JSON ``` "mygroup" : { "Type" : "AWS::IAM::Group", "Properties" : { "Path" : "/myapplication/", "Policies" : [ { "PolicyName" : "myapppolicy", "PolicyDocument" : { "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "sqs:*" ], "Resource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ] }, { "Effect" : "Deny", "Action" : [ "sqs:*" ], "NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ] } ] } } ] } } ``` ### YAML ``` mygroup: Type: AWS::IAM::Group Properties: Path: "/myapplication/" Policies: - PolicyName: myapppolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - sqs:* Resource: !GetAtt myqueue.Arn - Effect: Deny Action: - sqs:* NotResource: !GetAtt myqueue.Arn ``` ## Adding users to a group The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html) resource adds users to a group. In the following snippet, the `addUserToGroup` resource adds the following users to an existing group named `myexistinggroup2`: the existing user `existinguser1` and the user `myuser` which is declared as an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource in the template. ### JSON ``` "addUserToGroup" : { "Type" : "AWS::IAM::UserToGroupAddition", "Properties" : { "GroupName" : "myexistinggroup2", "Users" : [ "existinguser1", { "Ref" : "myuser" } ] } } ``` ### YAML ``` addUserToGroup: Type: AWS::IAM::UserToGroupAddition Properties: GroupName: myexistinggroup2 Users: - existinguser1 - !Ref myuser ``` ## Declaring an IAM policy This snippet shows how to create a policy and apply it to multiple groups using an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html) resource named `mypolicy`. The `mypolicy` resource contains a `PolicyDocument` property that allows `GetObject`, `PutObject`, and `PutObjectAcl` actions on the objects in the S3 bucket represented by the ARN `arn:aws:s3:::myAWSBucket`. The `mypolicy` resource applies the policy to an existing group named `myexistinggroup1` and a group `mygroup` that's declared in the template as an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html) resource. This example shows how to apply a policy to a group using the `Groups` property; however, you can alternatively use the `Users` property to add a policy document to a list of users. ### JSON ``` "mypolicy" : { "Type" : "AWS::IAM::Policy", "Properties" : { "PolicyName" : "mygrouppolicy", "PolicyDocument" : { "Version": "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Action" : [ "s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ], "Resource" : "arn:aws:s3:::myAWSBucket/*" } ] }, "Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ] } } ``` ### YAML ``` mypolicy: Type: AWS::IAM::Policy Properties: PolicyName: mygrouppolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl Resource: arn:aws:s3:::myAWSBucket/* Groups: - myexistinggroup1 - !Ref mygroup ``` ## Declaring an Amazon S3 bucket policy This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) resource. The `mybucketpolicy` resource declares a policy document that allows the `user1` IAM user to perform the `GetObject` action on all objects in the S3 bucket to which this policy is applied. In the snippet, the `Fn::GetAtt` function gets the ARN of the `user1` resource. The `mybucketpolicy` resource applies the policy to the `AWS::S3::BucketPolicy` resource mybucket. The `Ref` function gets the bucket name of the `mybucket` resource. ### JSON ``` "mybucketpolicy" : { "Type" : "AWS::S3::BucketPolicy", "Properties" : { "PolicyDocument" : { "Id" : "MyPolicy", "Version": "2012-10-17", "Statement" : [ { "Sid" : "ReadAccess", "Action" : [ "s3:GetObject" ], "Effect" : "Allow", "Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ] ] }, "Principal" : { "AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] } } } ] }, "Bucket" : { "Ref" : "mybucket" } } } ``` ### YAML ``` mybucketpolicy: Type: AWS::S3::BucketPolicy Properties: PolicyDocument: Id: MyPolicy Version: '2012-10-17' Statement: - Sid: ReadAccess Action: - s3:GetObject Effect: Allow Resource: !Sub "arn:aws:s3:::${mybucket}/*" Principal: AWS: !GetAtt user1.Arn Bucket: !Ref mybucket ``` ## Declaring an Amazon SNS topic policy This snippet shows how to create a policy and apply it to an Amazon SNS topic using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html) resource. The `mysnspolicy` resource contains a `PolicyDocument` property that allows the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource `myuser` to perform the `Publish` action on an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource `mytopic`. In the snippet, the `Fn::GetAtt` function gets the ARN for the `myuser` resource and the `Ref` function gets the ARN for the `mytopic` resource. ### JSON ``` "mysnspolicy" : { "Type" : "AWS::SNS::TopicPolicy", "Properties" : { "PolicyDocument" : { "Id" : "MyTopicPolicy", "Version": "2012-10-17", "Statement" : [ { "Sid" : "My-statement-id", "Effect" : "Allow", "Principal" : { "AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] } }, "Action" : "sns:Publish", "Resource" : "*" } ] }, "Topics" : [ { "Ref" : "mytopic" } ] } } ``` ### YAML ``` mysnspolicy: Type: AWS::SNS::TopicPolicy Properties: PolicyDocument: Id: MyTopicPolicy Version: '2012-10-17' Statement: - Sid: My-statement-id Effect: Allow Principal: AWS: !GetAtt myuser.Arn Action: sns:Publish Resource: "*" Topics: - !Ref mytopic ``` ## Declaring an Amazon SQS policy This snippet shows how to create a policy and apply it to an Amazon SQS queue using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html) resource. The `PolicyDocument` property allows the existing user `myapp` (specified by its ARN) to perform the `SendMessage` action on an existing queue, which is specified by its URL, and an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) resource myqueue. The [Ref](resources-section-structure.md#resource-properties-ref) function gets the URL for the `myqueue` resource. ### JSON ``` "mysqspolicy" : { "Type" : "AWS::SQS::QueuePolicy", "Properties" : { "PolicyDocument" : { "Id" : "MyQueuePolicy", "Version": "2012-10-17", "Statement" : [ { "Sid" : "Allow-User-SendMessage", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::123456789012:user/myapp" }, "Action" : [ "sqs:SendMessage" ], "Resource" : "*" } ] }, "Queues" : [ "https://sqs.us-east-2aws-region.amazonaws.com/123456789012/myexistingqueue", { "Ref" : "myqueue" } ] } } ``` ### YAML ``` mysqspolicy: Type: AWS::SQS::QueuePolicy Properties: PolicyDocument: Id: MyQueuePolicy Version: '2012-10-17' Statement: - Sid: Allow-User-SendMessage Effect: Allow Principal: AWS: arn:aws:iam::123456789012:user/myapp Action: - sqs:SendMessage Resource: "*" Queues: - https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue - !Ref myqueue ``` ## IAM role template examples This section provides CloudFormation template examples for IAM roles for EC2 instances. For more information, see [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide*. ### IAM role with EC2 In this example, the instance profile is referenced by the `IamInstanceProfile` property of the EC2 instance. Both the instance policy and role policy reference [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html). #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "myEC2Instance": { "Type": "AWS::EC2::Instance", "Version": "2009-05-15", "Properties": { "ImageId": "ami-0ff8a91507f77f867", "InstanceType": "m1.small", "Monitoring": "true", "DisableApiTermination": "false", "IamInstanceProfile": { "Ref": "RootInstanceProfile" } } }, "RootRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/" } }, "RolePolicies": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }, "Roles": [ { "Ref": "RootRole" } ] } }, "RootInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [ { "Ref": "RootRole" } ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Resources: myEC2Instance: Type: AWS::EC2::Instance Version: '2009-05-15' Properties: ImageId: ami-0ff8a91507f77f867 InstanceType: m1.small Monitoring: 'true' DisableApiTermination: 'false' IamInstanceProfile: !Ref RootInstanceProfile RootRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: "/" RolePolicies: Type: AWS::IAM::Policy Properties: PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: "*" Resource: "*" Roles: - !Ref RootRole RootInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref RootRole ``` ### IAM role with Auto Scaling group In this example, the instance profile is referenced by the `IamInstanceProfile` property of an Amazon EC2 Auto Scaling launch configuration. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "myLCOne": { "Type": "AWS::AutoScaling::LaunchConfiguration", "Version": "2009-05-15", "Properties": { "ImageId": "ami-0ff8a91507f77f867", "InstanceType": "m1.small", "InstanceMonitoring": "true", "IamInstanceProfile": { "Ref": "RootInstanceProfile" } } }, "myASGrpOne": { "Type": "AWS::AutoScaling::AutoScalingGroup", "Version": "2009-05-15", "Properties": { "AvailabilityZones": [ "us-east-1a" ], "LaunchConfigurationName": { "Ref": "myLCOne" }, "MinSize": "0", "MaxSize": "0", "HealthCheckType": "EC2", "HealthCheckGracePeriod": "120" } }, "RootRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/" } }, "RolePolicies": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }, "Roles": [ { "Ref": "RootRole" } ] } }, "RootInstanceProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [ { "Ref": "RootRole" } ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Resources: myLCOne: Type: AWS::AutoScaling::LaunchConfiguration Version: '2009-05-15' Properties: ImageId: ami-0ff8a91507f77f867 InstanceType: m1.small InstanceMonitoring: 'true' IamInstanceProfile: !Ref RootInstanceProfile myASGrpOne: Type: AWS::AutoScaling::AutoScalingGroup Version: '2009-05-15' Properties: AvailabilityZones: - "us-east-1a" LaunchConfigurationName: !Ref myLCOne MinSize: '0' MaxSize: '0' HealthCheckType: EC2 HealthCheckGracePeriod: '120' RootRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - sts:AssumeRole Path: "/" RolePolicies: Type: AWS::IAM::Policy Properties: PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: "*" Resource: "*" Roles: - !Ref RootRole RootInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: Path: "/" Roles: - !Ref RootRole ``` # AWS Lambda template The following template uses an AWS Lambda (Lambda) function and custom resource to append a new security group to a list of existing security groups. This function is useful when you want to build a list of security groups dynamically, so that your list includes both new and existing security groups. For example, you can pass a list of existing security groups as a parameter value, append the new value to the list, and then associate all your values with an EC2 instance. For more information about the Lambda function resource type, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html). In the example, when CloudFormation creates the `AllSecurityGroups` custom resource, CloudFormation invokes the `AppendItemToListFunction` Lambda function. CloudFormation passes the list of existing security groups and a new security group (`NewSecurityGroup`) to the function, which appends the new security group to the list and then returns the modified list. CloudFormation uses the modified list to associate all security groups with the `MyEC2Instance` resource. ## JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "ExistingSecurityGroups": { "Type": "List" }, "ExistingVPC": { "Type": "AWS::EC2::VPC::Id", "Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter." }, "InstanceType": { "Type": "String", "Default": "t2.micro", "AllowedValues": [ "t2.micro", "t3.micro" ] } }, "Resources": { "SecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow HTTP traffic to the host", "VpcId": { "Ref": "ExistingVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ], "SecurityGroupEgress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ] } }, "AllSecurityGroups": { "Type": "Custom::Split", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "AppendItemToListFunction", "Arn" ] }, "List": { "Ref": "ExistingSecurityGroups" }, "AppendedItem": { "Ref": "SecurityGroup" } } }, "AppendItemToListFunction": { "Type": "AWS::Lambda::Function", "Properties": { "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "LambdaExecutionRole", "Arn" ] }, "Code": { "ZipFile": { "Fn::Join": [ "", [ "var response = require('cfn-response');", "exports.handler = function(event, context) {", " var responseData = {Value: event.ResourceProperties.List};", " responseData.Value.push(event.ResourceProperties.AppendedItem);", " response.send(event, context, response.SUCCESS, responseData);", "};" ] ] } }, "Runtime": "nodejs20.x" } }, "MyEC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}", "SecurityGroupIds": { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] }, "InstanceType": { "Ref": "InstanceType" } } }, "LambdaExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "Path": "/", "Policies": [ { "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:*" ], "Resource": "arn:aws:logs:*:*:*" } ] } } ] } } }, "Outputs": { "AllSecurityGroups": { "Description": "Security Groups that are associated with the EC2 instance", "Value": { "Fn::Join": [ ", ", { "Fn::GetAtt": [ "AllSecurityGroups", "Value" ] } ] } } } } ``` ## YAML ``` AWSTemplateFormatVersion: '2010-09-09' Parameters: ExistingSecurityGroups: Type: List ExistingVPC: Type: AWS::EC2::VPC::Id Description: The VPC ID that includes the security groups in the ExistingSecurityGroups parameter. InstanceType: Type: String Default: t2.micro AllowedValues: - t2.micro - t3.micro Resources: SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP traffic to the host VpcId: !Ref ExistingVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 AllSecurityGroups: Type: Custom::Split Properties: ServiceToken: !GetAtt AppendItemToListFunction.Arn List: !Ref ExistingSecurityGroups AppendedItem: !Ref SecurityGroup AppendItemToListFunction: Type: AWS::Lambda::Function Properties: Handler: index.handler Role: !GetAtt LambdaExecutionRole.Arn Code: ZipFile: !Join - '' - - var response = require('cfn-response'); - exports.handler = function(event, context) { - ' var responseData = {Value: event.ResourceProperties.List};' - ' responseData.Value.push(event.ResourceProperties.AppendedItem);' - ' response.send(event, context, response.SUCCESS, responseData);' - '};' Runtime: nodejs20.x MyEC2Instance: Type: AWS::EC2::Instance Properties: ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}' SecurityGroupIds: !GetAtt AllSecurityGroups.Value InstanceType: !Ref InstanceType LambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Path: / Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:* Resource: arn:aws:logs:*:*:* Outputs: AllSecurityGroups: Description: Security Groups that are associated with the EC2 instance Value: !Join - ', ' - !GetAtt AllSecurityGroups.Value ``` # Amazon Redshift template snippets Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can use CloudFormation to provision and manage Amazon Redshift clusters. ## Amazon Redshift cluster The following sample template creates an Amazon Redshift cluster according to the parameter values that are specified when the stack is created. The cluster parameter group that is associated with the Amazon Redshift cluster enables user activity logging. The template also launches the Amazon Redshift clusters in an Amazon VPC that is defined in the template. The VPC includes an internet gateway so that you can access the Amazon Redshift clusters from the Internet. However, the communication between the cluster and the Internet gateway must also be enabled, which is done by the route table entry. **Note** The template includes the `IsMultiNodeCluster` condition so that the `NumberOfNodes` parameter is declared only when the `ClusterType` parameter value is set to `multi-node`. The example defines the `MysqlRootPassword` parameter with its `NoEcho` property set to `true`. If you set the `NoEcho` attribute to `true`, CloudFormation returns the parameter value masked as asterisks (\$1\$1\$1\$1\$1) for any calls that describe the stack or stack events, except for information stored in the locations specified below. **Important** Using the `NoEcho` attribute does not mask any information stored in the following: The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [Metadata](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html). The `Outputs` template section. For more information, see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html). The `Metadata` attribute of a resource definition. For more information, see [`Metadata` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html). We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets. **Important** Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager. For more information, see the [Do not embed credentials in your templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds) best practice. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters" : { "DatabaseName" : { "Description" : "The name of the first database to be created when the cluster is created", "Type" : "String", "Default" : "dev", "AllowedPattern" : "([a-z]|[0-9])+" }, "ClusterType" : { "Description" : "The type of cluster", "Type" : "String", "Default" : "single-node", "AllowedValues" : [ "single-node", "multi-node" ] }, "NumberOfNodes" : { "Description" : "The number of compute nodes in the cluster. For multi-node clusters, the NumberOfNodes parameter must be greater than 1", "Type" : "Number", "Default" : "1" }, "NodeType" : { "Description" : "The type of node to be provisioned", "Type" : "String", "Default" : "ds2.xlarge", "AllowedValues" : [ "ds2.xlarge", "ds2.8xlarge", "dc1.large", "dc1.8xlarge" ] }, "MasterUsername" : { "Description" : "The user name that is associated with the master user account for the cluster that is being created", "Type" : "String", "Default" : "defaultuser", "AllowedPattern" : "([a-z])([a-z]|[0-9])*" }, "MasterUserPassword" : { "Description" : "The password that is associated with the master user account for the cluster that is being created.", "Type" : "String", "NoEcho" : "true" }, "InboundTraffic" : { "Description" : "Allow inbound traffic to the cluster from this CIDR range.", "Type" : "String", "MinLength": "9", "MaxLength": "18", "Default" : "0.0.0.0/0", "AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})", "ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x." }, "PortNumber" : { "Description" : "The port number on which the cluster accepts incoming connections.", "Type" : "Number", "Default" : "5439" } }, "Conditions" : { "IsMultiNodeCluster" : { "Fn::Equals" : [{ "Ref" : "ClusterType" }, "multi-node" ] } }, "Resources" : { "RedshiftCluster" : { "Type" : "AWS::Redshift::Cluster", "DependsOn" : "AttachGateway", "Properties" : { "ClusterType" : { "Ref" : "ClusterType" }, "NumberOfNodes" : { "Fn::If" : [ "IsMultiNodeCluster", { "Ref" : "NumberOfNodes" }, { "Ref" : "AWS::NoValue" }]}, "NodeType" : { "Ref" : "NodeType" }, "DBName" : { "Ref" : "DatabaseName" }, "MasterUsername" : { "Ref" : "MasterUsername" }, "MasterUserPassword" : { "Ref" : "MasterUserPassword" }, "ClusterParameterGroupName" : { "Ref" : "RedshiftClusterParameterGroup" }, "VpcSecurityGroupIds" : [ { "Ref" : "SecurityGroup" } ], "ClusterSubnetGroupName" : { "Ref" : "RedshiftClusterSubnetGroup" }, "PubliclyAccessible" : "true", "Port" : { "Ref" : "PortNumber" } } }, "RedshiftClusterParameterGroup" : { "Type" : "AWS::Redshift::ClusterParameterGroup", "Properties" : { "Description" : "Cluster parameter group", "ParameterGroupFamily" : "redshift-1.0", "Parameters" : [{ "ParameterName" : "enable_user_activity_logging", "ParameterValue" : "true" }] } }, "RedshiftClusterSubnetGroup" : { "Type" : "AWS::Redshift::ClusterSubnetGroup", "Properties" : { "Description" : "Cluster subnet group", "SubnetIds" : [ { "Ref" : "PublicSubnet" } ] } }, "VPC" : { "Type" : "AWS::EC2::VPC", "Properties" : { "CidrBlock" : "10.0.0.0/16" } }, "PublicSubnet" : { "Type" : "AWS::EC2::Subnet", "Properties" : { "CidrBlock" : "10.0.0.0/24", "VpcId" : { "Ref" : "VPC" } } }, "SecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Security group", "SecurityGroupIngress" : [ { "CidrIp" : { "Ref": "InboundTraffic" }, "FromPort" : { "Ref" : "PortNumber" }, "ToPort" : { "Ref" : "PortNumber" }, "IpProtocol" : "tcp" } ], "VpcId" : { "Ref" : "VPC" } } }, "myInternetGateway" : { "Type" : "AWS::EC2::InternetGateway" }, "AttachGateway" : { "Type" : "AWS::EC2::VPCGatewayAttachment", "Properties" : { "VpcId" : { "Ref" : "VPC" }, "InternetGatewayId" : { "Ref" : "myInternetGateway" } } }, "PublicRouteTable" : { "Type" : "AWS::EC2::RouteTable", "Properties" : { "VpcId" : { "Ref" : "VPC" } } }, "PublicRoute" : { "Type" : "AWS::EC2::Route", "DependsOn" : "AttachGateway", "Properties" : { "RouteTableId" : { "Ref" : "PublicRouteTable" }, "DestinationCidrBlock" : "0.0.0.0/0", "GatewayId" : { "Ref" : "myInternetGateway" } } }, "PublicSubnetRouteTableAssociation" : { "Type" : "AWS::EC2::SubnetRouteTableAssociation", "Properties" : { "SubnetId" : { "Ref" : "PublicSubnet" }, "RouteTableId" : { "Ref" : "PublicRouteTable" } } } }, "Outputs" : { "ClusterEndpoint" : { "Description" : "Cluster endpoint", "Value" : { "Fn::Join" : [ ":", [ { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Address" ] }, { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Port" ] } ] ] } }, "ClusterName" : { "Description" : "Name of cluster", "Value" : { "Ref" : "RedshiftCluster" } }, "ParameterGroupName" : { "Description" : "Name of parameter group", "Value" : { "Ref" : "RedshiftClusterParameterGroup" } }, "RedshiftClusterSubnetGroupName" : { "Description" : "Name of cluster subnet group", "Value" : { "Ref" : "RedshiftClusterSubnetGroup" } }, "RedshiftClusterSecurityGroupName" : { "Description" : "Name of cluster security group", "Value" : { "Ref" : "SecurityGroup" } } } } ``` ### YAML ``` AWSTemplateFormatVersion: '2010-09-09' Parameters: DatabaseName: Description: The name of the first database to be created when the cluster is created Type: String Default: dev AllowedPattern: "([a-z]|[0-9])+" ClusterType: Description: The type of cluster Type: String Default: single-node AllowedValues: - single-node - multi-node NumberOfNodes: Description: The number of compute nodes in the cluster. For multi-node clusters, the NumberOfNodes parameter must be greater than 1 Type: Number Default: '1' NodeType: Description: The type of node to be provisioned Type: String Default: ds2.xlarge AllowedValues: - ds2.xlarge - ds2.8xlarge - dc1.large - dc1.8xlarge MasterUsername: Description: The user name that is associated with the master user account for the cluster that is being created Type: String Default: defaultuser AllowedPattern: "([a-z])([a-z]|[0-9])*" MasterUserPassword: Description: The password that is associated with the master user account for the cluster that is being created. Type: String NoEcho: 'true' InboundTraffic: Description: Allow inbound traffic to the cluster from this CIDR range. Type: String MinLength: '9' MaxLength: '18' Default: 0.0.0.0/0 AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})" ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x. PortNumber: Description: The port number on which the cluster accepts incoming connections. Type: Number Default: '5439' Conditions: IsMultiNodeCluster: Fn::Equals: - Ref: ClusterType - multi-node Resources: RedshiftCluster: Type: AWS::Redshift::Cluster DependsOn: AttachGateway Properties: ClusterType: Ref: ClusterType NumberOfNodes: Fn::If: - IsMultiNodeCluster - Ref: NumberOfNodes - Ref: AWS::NoValue NodeType: Ref: NodeType DBName: Ref: DatabaseName MasterUsername: Ref: MasterUsername MasterUserPassword: Ref: MasterUserPassword ClusterParameterGroupName: Ref: RedshiftClusterParameterGroup VpcSecurityGroupIds: - Ref: SecurityGroup ClusterSubnetGroupName: Ref: RedshiftClusterSubnetGroup PubliclyAccessible: 'true' Port: Ref: PortNumber RedshiftClusterParameterGroup: Type: AWS::Redshift::ClusterParameterGroup Properties: Description: Cluster parameter group ParameterGroupFamily: redshift-1.0 Parameters: - ParameterName: enable_user_activity_logging ParameterValue: 'true' RedshiftClusterSubnetGroup: Type: AWS::Redshift::ClusterSubnetGroup Properties: Description: Cluster subnet group SubnetIds: - Ref: PublicSubnet VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 PublicSubnet: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.0.0.0/24 VpcId: Ref: VPC SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group SecurityGroupIngress: - CidrIp: Ref: InboundTraffic FromPort: Ref: PortNumber ToPort: Ref: PortNumber IpProtocol: tcp VpcId: Ref: VPC myInternetGateway: Type: AWS::EC2::InternetGateway AttachGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: Ref: VPC InternetGatewayId: Ref: myInternetGateway PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: Ref: VPC PublicRoute: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: Ref: PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: myInternetGateway PublicSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: Ref: PublicSubnet RouteTableId: Ref: PublicRouteTable Outputs: ClusterEndpoint: Description: Cluster endpoint Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}" ClusterName: Description: Name of cluster Value: Ref: RedshiftCluster ParameterGroupName: Description: Name of parameter group Value: Ref: RedshiftClusterParameterGroup RedshiftClusterSubnetGroupName: Description: Name of cluster subnet group Value: Ref: RedshiftClusterSubnetGroup RedshiftClusterSecurityGroupName: Description: Name of cluster security group Value: Ref: SecurityGroup ``` ## See also [AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-redshift-cluster.html) # Amazon RDS template snippets **Topics** + [Amazon RDS DB instance resource](#scenario-rds-instance) + [Amazon RDS oracle database DB instance resource](#scenario-rds-oracleinstance) + [Amazon RDS DBSecurityGroup resource for CIDR range](#scenario-rds-security-group-cidr) + [Amazon RDS DBSecurityGroup with an Amazon EC2 security group](#scenario-rds-security-group-ec2) + [Multiple VPC security groups](#scenario-multiple-vpc-security-groups) + [Amazon RDS database instance in a VPC security group](#w2aac11c41c76c15) ## Amazon RDS DB instance resource This example shows an Amazon RDS DB Instance resource with managed master user password. For more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Aurora User Guide*. Because the optional `EngineVersion` property isn't specified, the default engine version is used for this DB Instance. For details about the default engine version and other default settings, see [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). The `DBSecurityGroups` property authorizes network ingress to the `AWS::RDS::DBSecurityGroup` resources named `MyDbSecurityByEC2SecurityGroup` and MyDbSecurityByCIDRIPGroup. For details, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). The DB Instance resource also has a `DeletionPolicy` attribute set to `Snapshot`. With the `Snapshot` `DeletionPolicy` set, CloudFormation will take a snapshot of this DB Instance before deleting it during stack deletion. ### JSON ``` 1. "MyDB" : { 2. "Type" : "AWS::RDS::DBInstance", 3. "Properties" : { 4. "DBSecurityGroups" : [ 5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ], 6. "AllocatedStorage" : "5", 7. "DBInstanceClass" : "db.t2.small", 8. "Engine" : "MySQL", 9. "MasterUsername" : "MyName", 10. "ManageMasterUserPassword" : true, 11. "MasterUserSecret" : { 12. "KmsKeyId" : {"Ref" : "KMSKey"} 13. } 14. }, 15. "DeletionPolicy" : "Snapshot" 16. } ``` ### YAML ``` 1. MyDB: 2. Type: AWS::RDS::DBInstance 3. Properties: 4. DBSecurityGroups: 5. - Ref: MyDbSecurityByEC2SecurityGroup 6. - Ref: MyDbSecurityByCIDRIPGroup 7. AllocatedStorage: '5' 8. DBInstanceClass: db.t2.small 9. Engine: MySQL 10. MasterUsername: MyName 11. ManageMasterUserPassword: true 12. MasterUserSecret: 13. KmsKeyId: !Ref KMSKey 14. DeletionPolicy: Snapshot ``` ## Amazon RDS oracle database DB instance resource This example creates an Oracle Database DB Instance resource with managed master user password. For more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide*. The example specifies the `Engine` as `oracle-ee` with a license model of bring-your-own-license. For details about the settings for Oracle Database DB instances, see [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). The DBSecurityGroups property authorizes network ingress to the `AWS::RDS::DBSecurityGroup` resources named MyDbSecurityByEC2SecurityGroup and MyDbSecurityByCIDRIPGroup. For details, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). The DB Instance resource also has a `DeletionPolicy` attribute set to `Snapshot`. With the `Snapshot` `DeletionPolicy` set, CloudFormation will take a snapshot of this DB Instance before deleting it during stack deletion. ### JSON ``` 1. "MyDB" : { 2. "Type" : "AWS::RDS::DBInstance", 3. "Properties" : { 4. "DBSecurityGroups" : [ 5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ], 6. "AllocatedStorage" : "5", 7. "DBInstanceClass" : "db.t2.small", 8. "Engine" : "oracle-ee", 9. "LicenseModel" : "bring-your-own-license", 10. "MasterUsername" : "master", 11. "ManageMasterUserPassword" : true, 12. "MasterUserSecret" : { 13. "KmsKeyId" : {"Ref" : "KMSKey"} 14. } 15. }, 16. "DeletionPolicy" : "Snapshot" 17. } ``` ### YAML ``` 1. MyDB: 2. Type: AWS::RDS::DBInstance 3. Properties: 4. DBSecurityGroups: 5. - Ref: MyDbSecurityByEC2SecurityGroup 6. - Ref: MyDbSecurityByCIDRIPGroup 7. AllocatedStorage: '5' 8. DBInstanceClass: db.t2.small 9. Engine: oracle-ee 10. LicenseModel: bring-your-own-license 11. MasterUsername: master 12. ManageMasterUserPassword: true 13. MasterUserSecret: 14. KmsKeyId: !Ref KMSKey 15. DeletionPolicy: Snapshot ``` ## Amazon RDS DBSecurityGroup resource for CIDR range This example shows an Amazon RDS `DBSecurityGroup` resource with ingress authorization for the specified CIDR range in the format `ddd.ddd.ddd.ddd/dd`. For details, see [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) and [Ingress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-rds-dbsecuritygroup-ingress.html). ### JSON ``` 1. "MyDbSecurityByCIDRIPGroup" : { 2. "Type" : "AWS::RDS::DBSecurityGroup", 3. "Properties" : { 4. "GroupDescription" : "Ingress for CIDRIP", 5. "DBSecurityGroupIngress" : { 6. "CIDRIP" : "192.168.0.0/32" 7. } 8. } 9. } ``` ### YAML ``` 1. MyDbSecurityByCIDRIPGroup: 2. Type: AWS::RDS::DBSecurityGroup 3. Properties: 4. GroupDescription: Ingress for CIDRIP 5. DBSecurityGroupIngress: 6. CIDRIP: "192.168.0.0/32" ``` ## Amazon RDS DBSecurityGroup with an Amazon EC2 security group This example shows an [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) resource with ingress authorization from an Amazon EC2 security group referenced by `MyEc2SecurityGroup`. To do this, you define an EC2 security group and then use the intrinsic `Ref` function to refer to the EC2 security group within your `DBSecurityGroup`. ### JSON ``` "DBInstance" : { "Type": "AWS::RDS::DBInstance", "Properties": { "DBName" : { "Ref" : "DBName" }, "Engine" : "MySQL", "MasterUsername" : { "Ref" : "DBUsername" }, "DBInstanceClass" : { "Ref" : "DBClass" }, "DBSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ], "AllocatedStorage" : { "Ref" : "DBAllocatedStorage" }, "MasterUserPassword": { "Ref" : "DBPassword" } } }, "DBSecurityGroup": { "Type": "AWS::RDS::DBSecurityGroup", "Properties": { "DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Fn::GetAtt": ["WebServerSecurityGroup", "GroupName"] } }, "GroupDescription" : "Frontend Access" } }, "WebServerSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : "Enable HTTP access via port 80 and SSH access", "SecurityGroupIngress" : [ {"IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0"}, {"IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0"} ] } } ``` ### YAML This example is extracted from the following full example: [Drupal\$1Single\$1Instance\$1With\$1RDS.template](https://s3.amazonaws.com/cloudformation-templates-us-east-1/Drupal_Single_Instance_With_RDS.template) ``` DBInstance: Type: AWS::RDS::DBInstance Properties: DBName: Ref: DBName Engine: MySQL MasterUsername: Ref: DBUsername DBInstanceClass: Ref: DBClass DBSecurityGroups: - Ref: DBSecurityGroup AllocatedStorage: Ref: DBAllocatedStorage MasterUserPassword: Ref: DBPassword DBSecurityGroup: Type: AWS::RDS::DBSecurityGroup Properties: DBSecurityGroupIngress: EC2SecurityGroupName: Ref: WebServerSecurityGroup GroupDescription: Frontend Access WebServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable HTTP access via port 80 and SSH access SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 ``` ## Multiple VPC security groups This example shows an [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) resource with ingress authorization for multiple Amazon EC2 VPC security groups in [AWS::RDS::DBSecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroupingress.html). ### JSON ``` { "Resources" : { "DBinstance" : { "Type" : "AWS::RDS::DBInstance", "Properties" : { "AllocatedStorage" : "5", "DBInstanceClass" : "db.t2.small", "DBName" : {"Ref": "MyDBName" }, "DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ], "DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" }, "Engine" : "MySQL", "MasterUserPassword": { "Ref" : "MyDBPassword" }, "MasterUsername" : { "Ref" : "MyDBUsername" } }, "DeletionPolicy" : "Snapshot" }, "DbSecurityByEC2SecurityGroup" : { "Type" : "AWS::RDS::DBSecurityGroup", "Properties" : { "GroupDescription" : "Ingress for Amazon EC2 security group", "EC2VpcId" : { "Ref" : "MyVPC" }, "DBSecurityGroupIngress" : [ { "EC2SecurityGroupId" : "sg-b0ff1111", "EC2SecurityGroupOwnerId" : "111122223333" }, { "EC2SecurityGroupId" : "sg-ffd722222", "EC2SecurityGroupOwnerId" : "111122223333" } ] } } } } ``` ### YAML ``` Resources: DBinstance: Type: AWS::RDS::DBInstance Properties: AllocatedStorage: '5' DBInstanceClass: db.t2.small DBName: Ref: MyDBName DBSecurityGroups: - Ref: DbSecurityByEC2SecurityGroup DBSubnetGroupName: Ref: MyDBSubnetGroup Engine: MySQL MasterUserPassword: Ref: MyDBPassword MasterUsername: Ref: MyDBUsername DeletionPolicy: Snapshot DbSecurityByEC2SecurityGroup: Type: AWS::RDS::DBSecurityGroup Properties: GroupDescription: Ingress for Amazon EC2 security group EC2VpcId: Ref: MyVPC DBSecurityGroupIngress: - EC2SecurityGroupId: sg-b0ff1111 EC2SecurityGroupOwnerId: '111122223333' - EC2SecurityGroupId: sg-ffd722222 EC2SecurityGroupOwnerId: '111122223333' ``` ## Amazon RDS database instance in a VPC security group This example shows an Amazon RDS database instance associated with an Amazon EC2 VPC security group. ### JSON ``` { "DBEC2SecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription": "Open database for access", "SecurityGroupIngress" : [{ "IpProtocol" : "tcp", "FromPort" : 3306, "ToPort" : 3306, "SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" } }] } }, "DBInstance" : { "Type": "AWS::RDS::DBInstance", "Properties": { "DBName" : { "Ref" : "DBName" }, "Engine" : "MySQL", "MultiAZ" : { "Ref": "MultiAZDatabase" }, "MasterUsername" : { "Ref" : "DBUser" }, "DBInstanceClass" : { "Ref" : "DBClass" }, "AllocatedStorage" : { "Ref" : "DBAllocatedStorage" }, "MasterUserPassword": { "Ref" : "DBPassword" }, "VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ] } } } ``` ### YAML ``` DBEC2SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Open database for access SecurityGroupIngress: - IpProtocol: tcp FromPort: 3306 ToPort: 3306 SourceSecurityGroupName: Ref: WebServerSecurityGroup DBInstance: Type: AWS::RDS::DBInstance Properties: DBName: Ref: DBName Engine: MySQL MultiAZ: Ref: MultiAZDatabase MasterUsername: Ref: DBUser DBInstanceClass: Ref: DBClass AllocatedStorage: Ref: DBAllocatedStorage MasterUserPassword: Ref: DBPassword VPCSecurityGroups: - !GetAtt DBEC2SecurityGroup.GroupId ``` # Route 53 template snippets **Topics** + [Amazon Route 53 resource record set using hosted zone name or ID](#scenario-route53-recordset-by-host) + [Using RecordSetGroup to set up weighted resource record sets](#scenario-recordsetgroup-weighted) + [Using RecordSetGroup to set up an alias resource record set](#scenario-recordsetgroup-zoneapex) + [Alias resource record set for a CloudFront distribution](#scenario-user-friendly-url-for-cloudfront-distribution) ## Amazon Route 53 resource record set using hosted zone name or ID When you create an Amazon Route 53 resource record set, you must specify the hosted zone where you want to add it. CloudFormation provides two ways to specify a hosted zone: + You can explicitly specify the hosted zone using the `HostedZoneId` property. + You can have CloudFormation find the hosted zone using the `HostedZoneName` property. If you use the `HostedZoneName` property and there are multiple hosted zones with the same name, CloudFormation doesn't create the stack. ### Adding RecordSet using HostedZoneId This example adds an Amazon Route 53 resource record set containing an `SPF` record for the domain name `mysite.example.com` that uses the `HostedZoneId` property to specify the hosted zone. #### JSON ``` 1. "myDNSRecord" : { 2. "Type" : "AWS::Route53::RecordSet", 3. "Properties" : 4. { 5. "HostedZoneId" : "Z3DG6IL3SJCGPX", 6. "Name" : "mysite.example.com.", 7. "Type" : "SPF", 8. "TTL" : "900", 9. "ResourceRecords" : [ "\"v=spf1 ip4:192.168.0.1/16 -all\"" ] 10. } 11. } ``` #### YAML ``` 1. myDNSRecord: 2. Type: AWS::Route53::RecordSet 3. Properties: 4. HostedZoneId: Z3DG6IL3SJCGPX 5. Name: mysite.example.com. 6. Type: SPF 7. TTL: '900' 8. ResourceRecords: 9. - '"v=spf1 ip4:192.168.0.1/16 -all"' ``` ### Adding RecordSet using HostedZoneName This example adds an Amazon Route 53 resource record set for the domain name "mysite.example.com" using the `HostedZoneName` property to specify the hosted zone. #### JSON ``` 1. "myDNSRecord2" : { 2. "Type" : "AWS::Route53::RecordSet", 3. "Properties" : { 4. "HostedZoneName" : "example.com.", 5. "Name" : "mysite.example.com.", 6. "Type" : "A", 7. "TTL" : "900", 8. "ResourceRecords" : [ 9. "192.168.0.1", 10. "192.168.0.2" 11. ] 12. } 13. } ``` #### YAML ``` 1. myDNSRecord2: 2. Type: AWS::Route53::RecordSet 3. Properties: 4. HostedZoneName: example.com. 5. Name: mysite.example.com. 6. Type: A 7. TTL: '900' 8. ResourceRecords: 9. - 192.168.0.1 10. - 192.168.0.2 ``` ## Using RecordSetGroup to set up weighted resource record sets This example uses an [AWS::Route53::RecordSetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) to set up two CNAME records for the "example.com." hosted zone. The `RecordSets` property contains the CNAME record sets for the "mysite.example.com" DNS name. Each record set contains an identifier (`SetIdentifier`) and weight (`Weight`). The proportion of internet traffic that's routed to the resources is based on the following calculations: + `Frontend One`: `140/(140+60)` = `140/200` = 70% + `Frontend Two`: `60/(140+60)` = `60/200` = 30% For more information about weighted resource record sets, see [Weighted routing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html) in the *Amazon Route 53 Developer Guide*. ### JSON ``` 1. "myDNSOne" : { 2. "Type" : "AWS::Route53::RecordSetGroup", 3. "Properties" : { 4. "HostedZoneName" : "example.com.", 5. "Comment" : "Weighted RR for my frontends.", 6. "RecordSets" : [ 7. { 8. "Name" : "mysite.example.com.", 9. "Type" : "CNAME", 10. "TTL" : "900", 11. "SetIdentifier" : "Frontend One", 12. "Weight" : "140", 13. "ResourceRecords" : ["example-ec2.amazonaws.com"] 14. }, 15. { 16. "Name" : "mysite.example.com.", 17. "Type" : "CNAME", 18. "TTL" : "900", 19. "SetIdentifier" : "Frontend Two", 20. "Weight" : "60", 21. "ResourceRecords" : ["example-ec2-larger.amazonaws.com"] 22. } 23. ] 24. } 25. } ``` ### YAML ``` 1. myDNSOne: 2. Type: AWS::Route53::RecordSetGroup 3. Properties: 4. HostedZoneName: example.com. 5. Comment: Weighted RR for my frontends. 6. RecordSets: 7. - Name: mysite.example.com. 8. Type: CNAME 9. TTL: '900' 10. SetIdentifier: Frontend One 11. Weight: '140' 12. ResourceRecords: 13. - example-ec2.amazonaws.com 14. - Name: mysite.example.com. 15. Type: CNAME 16. TTL: '900' 17. SetIdentifier: Frontend Two 18. Weight: '60' 19. ResourceRecords: 20. - example-ec2-larger.amazonaws.com ``` ## Using RecordSetGroup to set up an alias resource record set The following examples use an [AWS::Route53::RecordSetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) to set up an alias resource record set named `example.com` that routes traffic to an ELB Version 1 (Classic) load balancer and a Version 2 (Application or Network) load balancer. The [AliasTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-route53-recordset-aliastarget.html) property specifies the hosted zone ID and DNS name for the `myELB` `LoadBalancer` by using the `GetAtt` intrinsic function. `GetAtt` retrieves different properties of `myELB` resource, depending on whether you're routing traffic to a Version 1 or Version 2 load balancer: + Version 1 load balancer: `CanonicalHostedZoneNameID` and `DNSName` + Version 2 load balancer: `CanonicalHostedZoneID` and `DNSName` For more information about alias resource record sets, see [Choosing between alias and non-alias records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html) in the *Route 53 Developer Guide*. ### JSON for version 1 load balancer ``` 1. "myELB" : { 2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer", 3. "Properties" : { 4. "AvailabilityZones" : [ "us-east-1a" ], 5. "Listeners" : [ { 6. "LoadBalancerPort" : "80", 7. "InstancePort" : "80", 8. "Protocol" : "HTTP" 9. } ] 10. } 11. }, 12. "myDNS" : { 13. "Type" : "AWS::Route53::RecordSetGroup", 14. "Properties" : { 15. "HostedZoneName" : "example.com.", 16. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.", 17. "RecordSets" : [ 18. { 19. "Name" : "example.com.", 20. "Type" : "A", 21. "AliasTarget" : { 22. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneNameID"] }, 23. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] } 24. } 25. } 26. ] 27. } 28. } ``` ### YAML for version 1 load balancer ``` 1. myELB: 2. Type: AWS::ElasticLoadBalancing::LoadBalancer 3. Properties: 4. AvailabilityZones: 5. - "us-east-1a" 6. Listeners: 7. - LoadBalancerPort: '80' 8. InstancePort: '80' 9. Protocol: HTTP 10. myDNS: 11. Type: AWS::Route53::RecordSetGroup 12. Properties: 13. HostedZoneName: example.com. 14. Comment: Zone apex alias targeted to myELB LoadBalancer. 15. RecordSets: 16. - Name: example.com. 17. Type: A 18. AliasTarget: 19. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneNameID' 20. DNSName: !GetAtt 'myELB.DNSName' ``` ### JSON for version 2 load balancer ``` 1. "myELB" : { 2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer", 3. "Properties" : { 4. "Subnets" : [ 5. {"Ref": "SubnetAZ1"}, 6. {"Ref" : "SubnetAZ2"} 7. ] 8. } 9. }, 10. "myDNS" : { 11. "Type" : "AWS::Route53::RecordSetGroup", 12. "Properties" : { 13. "HostedZoneName" : "example.com.", 14. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.", 15. "RecordSets" : [ 16. { 17. "Name" : "example.com.", 18. "Type" : "A", 19. "AliasTarget" : { 20. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneID"] }, 21. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] } 22. } 23. } 24. ] 25. } 26. } ``` ### YAML for version 2 load balancer ``` 1. myELB: 2. Type: AWS::ElasticLoadBalancingV2::LoadBalancer 3. Properties: 4. Subnets: 5. - Ref: SubnetAZ1 6. - Ref: SubnetAZ2 7. myDNS: 8. Type: AWS::Route53::RecordSetGroup 9. Properties: 10. HostedZoneName: example.com. 11. Comment: Zone apex alias targeted to myELB LoadBalancer. 12. RecordSets: 13. - Name: example.com. 14. Type: A 15. AliasTarget: 16. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneID' 17. DNSName: !GetAtt 'myELB.DNSName' ``` ## Alias resource record set for a CloudFront distribution The following example creates an alias A record that points a custom domain name to an existing CloudFront distribution. `myHostedZoneID` is assumed to be either a reference to an actual `AWS::Route53::HostedZone` resource in the same template or a parameter. `myCloudFrontDistribution` refers to an `AWS::CloudFront::Distribution` resource within the same template. The alias record uses the standard CloudFront hosted zone ID (`Z2FDTNDATAQYW2`) and automatically resolves the distribution’s domain name using `Fn::GetAtt`. This setup allows web traffic to be routed from the custom domain to the CloudFront distribution without requiring an IP address. **Note** When you create alias resource record sets, you must specify `Z2FDTNDATAQYW2` for the `HostedZoneId` property. Alias resource record sets for CloudFront can't be created in a private zone. ### JSON ``` 1. { 2. "myDNS": { 3. "Type": "AWS::Route53::RecordSetGroup", 4. "Properties": { 5. "HostedZoneId": { 6. "Ref": "myHostedZoneID" 7. }, 8. "RecordSets": [ 9. { 10. "Name": { 11. "Ref": "myRecordSetDomainName" 12. }, 13. "Type": "A", 14. "AliasTarget": { 15. "HostedZoneId": "Z2FDTNDATAQYW2", 16. "DNSName": { 17. "Fn::GetAtt": [ 18. "myCloudFrontDistribution", 19. "DomainName" 20. ] 21. }, 22. "EvaluateTargetHealth": false 23. } 24. } 25. ] 26. } 27. } 28. } ``` ### YAML ``` 1. myDNS: 2. Type: AWS::Route53::RecordSetGroup 3. Properties: 4. HostedZoneId: !Ref myHostedZoneID 5. RecordSets: 6. - Name: !Ref myRecordSetDomainName 7. Type: A 8. AliasTarget: 9. HostedZoneId: Z2FDTNDATAQYW2 10. DNSName: !GetAtt 11. - myCloudFrontDistribution 12. - DomainName 13. EvaluateTargetHealth: false ``` # Amazon S3 template snippets Use these Amazon S3 sample templates to help describe your Amazon S3 buckets with CloudFormation. For more examples, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html#aws-resource-s3-bucket--examples) section in the `AWS::S3::Bucket` resource. **Topics** + [Creating an Amazon S3 bucket with defaults](#scenario-s3-bucket) + [Creating an Amazon S3 bucket for website hosting and with a `DeletionPolicy`](#scenario-s3-bucket-website) + [Creating a static website using a custom domain](#scenario-s3-bucket-website-customdomain) ## Creating an Amazon S3 bucket with defaults This example uses a [AWS::S3::Bucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) to create a bucket with default settings. ### JSON ``` 1. "myS3Bucket" : { 2. "Type" : "AWS::S3::Bucket" 3. } ``` ### YAML ``` 1. MyS3Bucket: 2. Type: AWS::S3::Bucket ``` ## Creating an Amazon S3 bucket for website hosting and with a `DeletionPolicy` This example creates a bucket as a website and disables Block Public Access (public read permissions are required for buckets set up for website hosting). A public bucket policy is then added to the bucket. Because this bucket resource has a `DeletionPolicy` attribute set to `Retain`, CloudFormation will not delete this bucket when it deletes the stack. The `Output` section uses `Fn::GetAtt` to retrieve the `WebsiteURL` attribute and `DomainName` attribute of the `S3Bucket` resource. **Note** The following examples assume the `BlockPublicPolicy` and `RestrictPublicBuckets` Block Public Access settings have been disabled at the account level. ### JSON ``` 1. { 2. "AWSTemplateFormatVersion": "2010-09-09", 3. "Resources": { 4. "S3Bucket": { 5. "Type": "AWS::S3::Bucket", 6. "Properties": { 7. "PublicAccessBlockConfiguration": { 8. "BlockPublicAcls": false, 9. "BlockPublicPolicy": false, 10. "IgnorePublicAcls": false, 11. "RestrictPublicBuckets": false 12. }, 13. "WebsiteConfiguration": { 14. "IndexDocument": "index.html", 15. "ErrorDocument": "error.html" 16. } 17. }, 18. "DeletionPolicy": "Retain", 19. "UpdateReplacePolicy": "Retain" 20. }, 21. "BucketPolicy": { 22. "Type": "AWS::S3::BucketPolicy", 23. "Properties": { 24. "PolicyDocument": { 25. "Id": "MyPolicy", 26. "Version": "2012-10-17", 27. "Statement": [ 28. { 29. "Sid": "PublicReadForGetBucketObjects", 30. "Effect": "Allow", 31. "Principal": "*", 32. "Action": "s3:GetObject", 33. "Resource": { 34. "Fn::Join": [ 35. "", 36. [ 37. "arn:aws:s3:::", 38. { 39. "Ref": "S3Bucket" 40. }, 41. "/*" 42. ] 43. ] 44. } 45. } 46. ] 47. }, 48. "Bucket": { 49. "Ref": "S3Bucket" 50. } 51. } 52. } 53. }, 54. "Outputs": { 55. "WebsiteURL": { 56. "Value": { 57. "Fn::GetAtt": [ 58. "S3Bucket", 59. "WebsiteURL" 60. ] 61. }, 62. "Description": "URL for website hosted on S3" 63. }, 64. "S3BucketSecureURL": { 65. "Value": { 66. "Fn::Join": [ 67. "", 68. [ 69. "https://", 70. { 71. "Fn::GetAtt": [ 72. "S3Bucket", 73. "DomainName" 74. ] 75. } 76. ] 77. ] 78. }, 79. "Description": "Name of S3 bucket to hold website content" 80. } 81. } 82. } ``` ### YAML ``` 1. AWSTemplateFormatVersion: 2010-09-09 2. Resources: 3. S3Bucket: 4. Type: AWS::S3::Bucket 5. Properties: 6. PublicAccessBlockConfiguration: 7. BlockPublicAcls: false 8. BlockPublicPolicy: false 9. IgnorePublicAcls: false 10. RestrictPublicBuckets: false 11. WebsiteConfiguration: 12. IndexDocument: index.html 13. ErrorDocument: error.html 14. DeletionPolicy: Retain 15. UpdateReplacePolicy: Retain 16. BucketPolicy: 17. Type: AWS::S3::BucketPolicy 18. Properties: 19. PolicyDocument: 20. Id: MyPolicy 21. Version: 2012-10-17 22. Statement: 23. - Sid: PublicReadForGetBucketObjects 24. Effect: Allow 25. Principal: '*' 26. Action: 's3:GetObject' 27. Resource: !Join 28. - '' 29. - - 'arn:aws:s3:::' 30. - !Ref S3Bucket 31. - /* 32. Bucket: !Ref S3Bucket 33. Outputs: 34. WebsiteURL: 35. Value: !GetAtt 36. - S3Bucket 37. - WebsiteURL 38. Description: URL for website hosted on S3 39. S3BucketSecureURL: 40. Value: !Join 41. - '' 42. - - 'https://' 43. - !GetAtt 44. - S3Bucket 45. - DomainName 46. Description: Name of S3 bucket to hold website content ``` ## Creating a static website using a custom domain You can use Route 53 with a registered domain. The following sample assumes that you have already created a hosted zone in Route 53 for your domain. The example creates two buckets for website hosting. The root bucket hosts the content, and the other bucket redirects `www.domainname.com` requests to the root bucket. The record sets map your domain name to Amazon S3 endpoints. You will also need to add a bucket policy, as shown in the examples above. For more information about using a custom domain, see [Tutorial: Configuring a static website using a custom domain registered with Route 53](https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html) in the *Amazon Simple Storage Service User Guide*. **Note** The following examples assume the `BlockPublicPolicy` and `RestrictPublicBuckets` Block Public Access settings have been disabled at the account level. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Mappings" : { "RegionMap" : { "us-east-1" : { "S3hostedzoneID" : "Z3AQBSTGFYJSTF", "websiteendpoint" : "s3-website-us-east-1.amazonaws.com" }, "us-west-1" : { "S3hostedzoneID" : "Z2F56UZL2M1ACD", "websiteendpoint" : "s3-website-us-west-1.amazonaws.com" }, "us-west-2" : { "S3hostedzoneID" : "Z3BJ6K6RIION7M", "websiteendpoint" : "s3-website-us-west-2.amazonaws.com" }, "eu-west-1" : { "S3hostedzoneID" : "Z1BKCTXD74EZPE", "websiteendpoint" : "s3-website-eu-west-1.amazonaws.com" }, "ap-southeast-1" : { "S3hostedzoneID" : "Z3O0J2DXBE1FTB", "websiteendpoint" : "s3-website-ap-southeast-1.amazonaws.com" }, "ap-southeast-2" : { "S3hostedzoneID" : "Z1WCIGYICN2BYD", "websiteendpoint" : "s3-website-ap-southeast-2.amazonaws.com" }, "ap-northeast-1" : { "S3hostedzoneID" : "Z2M4EHUR26P7ZW", "websiteendpoint" : "s3-website-ap-northeast-1.amazonaws.com" }, "sa-east-1" : { "S3hostedzoneID" : "Z31GFT0UA1I2HV", "websiteendpoint" : "s3-website-sa-east-1.amazonaws.com" } } }, "Parameters": { "RootDomainName": { "Description": "Domain name for your website (example.com)", "Type": "String" } }, "Resources": { "RootBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName" : {"Ref":"RootDomainName"}, "PublicAccessBlockConfiguration": { "BlockPublicAcls": false, "BlockPublicPolicy": false, "IgnorePublicAcls": false, "RestrictPublicBuckets": false }, "WebsiteConfiguration": { "IndexDocument":"index.html", "ErrorDocument":"404.html" } } }, "WWWBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]] }, "AccessControl": "BucketOwnerFullControl", "WebsiteConfiguration": { "RedirectAllRequestsTo": { "HostName": {"Ref": "RootBucket"} } } } }, "myDNS": { "Type": "AWS::Route53::RecordSetGroup", "Properties": { "HostedZoneName": { "Fn::Join": ["", [{"Ref": "RootDomainName"}, "."]] }, "Comment": "Zone apex alias.", "RecordSets": [ { "Name": {"Ref": "RootDomainName"}, "Type": "A", "AliasTarget": { "HostedZoneId": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "S3hostedzoneID"]}, "DNSName": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "websiteendpoint"]} } }, { "Name": { "Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]] }, "Type": "CNAME", "TTL" : "900", "ResourceRecords" : [ {"Fn::GetAtt":["WWWBucket", "DomainName"]} ] } ] } } }, "Outputs": { "WebsiteURL": { "Value": {"Fn::GetAtt": ["RootBucket", "WebsiteURL"]}, "Description": "URL for website hosted on S3" } } } ``` ### YAML ``` Parameters: RootDomainName: Description: Domain name for your website (example.com) Type: String Mappings: RegionMap: us-east-1: S3hostedzoneID: Z3AQBSTGFYJSTF websiteendpoint: s3-website-us-east-1.amazonaws.com us-west-1: S3hostedzoneID: Z2F56UZL2M1ACD websiteendpoint: s3-website-us-west-1.amazonaws.com us-west-2: S3hostedzoneID: Z3BJ6K6RIION7M websiteendpoint: s3-website-us-west-2.amazonaws.com eu-west-1: S3hostedzoneID: Z1BKCTXD74EZPE websiteendpoint: s3-website-eu-west-1.amazonaws.com ap-southeast-1: S3hostedzoneID: Z3O0J2DXBE1FTB websiteendpoint: s3-website-ap-southeast-1.amazonaws.com ap-southeast-2: S3hostedzoneID: Z1WCIGYICN2BYD websiteendpoint: s3-website-ap-southeast-2.amazonaws.com ap-northeast-1: S3hostedzoneID: Z2M4EHUR26P7ZW websiteendpoint: s3-website-ap-northeast-1.amazonaws.com sa-east-1: S3hostedzoneID: Z31GFT0UA1I2HV websiteendpoint: s3-website-sa-east-1.amazonaws.com Resources: RootBucket: Type: AWS::S3::Bucket Properties: BucketName: !Ref RootDomainName PublicAccessBlockConfiguration: BlockPublicAcls: false BlockPublicPolicy: false IgnorePublicAcls: false RestrictPublicBuckets: false WebsiteConfiguration: IndexDocument: index.html ErrorDocument: 404.html WWWBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub - www.${Domain} - Domain: !Ref RootDomainName AccessControl: BucketOwnerFullControl WebsiteConfiguration: RedirectAllRequestsTo: HostName: !Ref RootBucket myDNS: Type: AWS::Route53::RecordSetGroup Properties: HostedZoneName: !Sub - ${Domain}. - Domain: !Ref RootDomainName Comment: Zone apex alias. RecordSets: - Name: !Ref RootDomainName Type: A AliasTarget: HostedZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', S3hostedzoneID] DNSName: !FindInMap [ RegionMap, !Ref 'AWS::Region', websiteendpoint] - Name: !Sub - www.${Domain} - Domain: !Ref RootDomainName Type: CNAME TTL: 900 ResourceRecords: - !GetAtt WWWBucket.DomainName Outputs: WebsiteURL: Value: !GetAtt RootBucket.WebsiteURL Description: URL for website hosted on S3 ``` # Amazon SNS template snippets This example shows an Amazon SNS topic resource. It requires a valid email address. ## JSON ``` 1. "MySNSTopic" : { 2. "Type" : "AWS::SNS::Topic", 3. "Properties" : { 4. "Subscription" : [ { 5. "Endpoint" : "add valid email address", 6. "Protocol" : "email" 7. } ] 8. } 9. } ``` ## YAML ``` 1. MySNSTopic: 2. Type: AWS::SNS::Topic 3. Properties: 4. Subscription: 5. - Endpoint: "add valid email address" 6. Protocol: email ``` # Amazon SQS template snippets This example shows an Amazon SQS queue. ## JSON ``` 1. "MyQueue" : { 2. "Type" : "AWS::SQS::Queue", 3. "Properties" : { 4. "VisibilityTimeout" : "value" 5. } 6. } ``` ## YAML ``` 1. MyQueue: 2. Type: AWS::SQS::Queue 3. Properties: 4. VisibilityTimeout: value ``` # Amazon Timestream template snippets Amazon Timestream for InfluxDB makes it easy for application developers and DevOps teams to run fully managed InfluxDB databases on AWS for real-time time-series applications using open-source APIs. You can quickly create an InfluxDB database that handles demanding time- series workloads. With a few simple API calls, you can set up, migrate, operate, and scale an InfluxDB database on AWS with automated software patching, backups, and recovery. You can also find these samples at [awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb](https://github.com/awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb) on GitHub. **Topics** + [Minimal sample using default values](#scenario-timestream-influxdb-example-1) + [More complete example with parameters](#scenario-timestream-influxdb-example-2) These CloudFormation templates create the following resources that are needed to successfully create, connect to, and monitor a Amazon Timestream for InfluxDB instance: **Amazon VPC** + `VPC` + One or more `Subnet` + `InternetGateway` + `RouteTable` + `SecurityGroup` **Amazon S3** + `Bucket` **Amazon Timestream** + `InfluxDBInstance` ## Minimal sample using default values This example deploys a multi- AZ and publicly accessible instance using default values when possible. ### JSON ``` { "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": {"default": "Amazon Timestream for InfluxDB Configuration"}, "Parameters": [ "DbInstanceName", "InfluxDBPassword" ] } ], "ParameterLabels": { "VPCCIDR": {"default": "VPC CIDR"} } } }, "Parameters": { "DbInstanceName": { "Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.", "Type": "String", "Default": "mydbinstance", "MinLength": 3, "MaxLength": 40, "AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$" }, "InfluxDBPassword": { "Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.", "Type": "String", "NoEcho": true, "MinLength": 8, "MaxLength": 64, "AllowedPattern": "^[a-zA-Z0-9]+$" } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"} }, "InternetGateway": {"Type": "AWS::EC2::InternetGateway"}, "InternetGatewayAttachment": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "InternetGatewayId": {"Ref": "InternetGateway"}, "VpcId": {"Ref": "VPC"} } }, "Subnet1": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": {"Ref": "VPC"}, "AvailabilityZone": { "Fn::Select": [ 0, {"Fn::GetAZs": ""} ] }, "CidrBlock": { "Fn::Select": [ 0, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock" ] }, 2, 12 ] } ] }, "MapPublicIpOnLaunch": true } }, "Subnet2": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": {"Ref": "VPC"}, "AvailabilityZone": { "Fn::Select": [ 1, {"Fn::GetAZs": ""} ] }, "CidrBlock": { "Fn::Select": [ 1, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock" ] }, 2, 12 ] } ] }, "MapPublicIpOnLaunch": true } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "DefaultRoute": { "Type": "AWS::EC2::Route", "DependsOn": "InternetGatewayAttachment", "Properties": { "RouteTableId": {"Ref": "RouteTable"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"} } }, "Subnet1RouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": {"Ref": "RouteTable"}, "SubnetId": {"Ref": "Subnet1"} } }, "Subnet2RouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": {"Ref": "RouteTable"}, "SubnetId": {"Ref": "Subnet2"} } }, "InfluxDBSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupName": "influxdb-sg", "GroupDescription": "Security group allowing port 8086 ingress for InfluxDB", "VpcId": {"Ref": "VPC"} } }, "InfluxDBSecurityGroupIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": {"Ref": "InfluxDBSecurityGroup"}, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 8086, "ToPort": 8086 } }, "InfluxDBLogsS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain" }, "InfluxDBLogsS3BucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": {"Ref": "InfluxDBLogsS3Bucket"}, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "s3:PutObject", "Effect": "Allow", "Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"}, "Principal": {"Service": "timestream-influxdb.amazonaws.com"} }, { "Action": "s3:*", "Effect": "Deny", "Resource": [ {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"}, {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"} ], "Principal": "*", "Condition": { "Bool": {"aws:SecureTransport": false} } } ] } } }, "DbInstance": { "Type": "AWS::Timestream::InfluxDBInstance", "DependsOn": "InfluxDBLogsS3BucketPolicy", "Properties": { "AllocatedStorage": 20, "DbInstanceType": "db.influx.medium", "Name": {"Ref": "DbInstanceName"}, "Password": {"Ref": "InfluxDBPassword"}, "PubliclyAccessible": true, "DeploymentType": "WITH_MULTIAZ_STANDBY", "VpcSecurityGroupIds": [ {"Ref": "InfluxDBSecurityGroup"} ], "VpcSubnetIds": [ {"Ref": "Subnet1"}, {"Ref": "Subnet2"} ], "LogDeliveryConfiguration": { "S3Configuration": { "BucketName": {"Ref": "InfluxDBLogsS3Bucket"}, "Enabled": true } } } } }, "Outputs": { "VPC": { "Description": "A reference to the VPC used to create network resources", "Value": {"Ref": "VPC"} }, "Subnets": { "Description": "A list of the subnets created", "Value": { "Fn::Join": [ ",", [ {"Ref": "Subnet1"}, {"Ref": "Subnet2"} ] ] } }, "Subnet1": { "Description": "A reference to the subnet in the 1st Availability Zone", "Value": {"Ref": "Subnet1"} }, "Subnet2": { "Description": "A reference to the subnet in the 2nd Availability Zone", "Value": {"Ref": "Subnet2"} }, "InfluxDBSecurityGroup": { "Description": "Security group with port 8086 ingress rule", "Value": {"Ref": "InfluxDBSecurityGroup"} }, "InfluxDBLogsS3Bucket": { "Description": "S3 Bucket containing InfluxDB logs from the DB instance", "Value": {"Ref": "InfluxDBLogsS3Bucket"} }, "DbInstance": { "Description": "A reference to the Timestream for InfluxDB DB instance", "Value": {"Ref": "DbInstance"} }, "InfluxAuthParametersSecretArn": { "Description": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.", "Value": { "Fn::GetAtt": [ "DbInstance", "InfluxAuthParametersSecretArn" ] } }, "Endpoint": { "Description": "The endpoint URL to connect to InfluxDB", "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "DbInstance", "Endpoint" ] }, ":8086" ] ] } } } } ``` ### YAML ``` Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Amazon Timestream for InfluxDB Configuration" Parameters: - DbInstanceName - InfluxDBPassword ParameterLabels: VPCCIDR: default: VPC CIDR Parameters: DbInstanceName: Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region. Type: String Default: mydbinstance MinLength: 3 MaxLength: 40 AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$ InfluxDBPassword: Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account. Type: String NoEcho: true MinLength: 8 MaxLength: 64 AllowedPattern: ^[a-zA-Z0-9]+$ Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 InternetGateway: Type: AWS::EC2::InternetGateway InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC Subnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [0, !GetAZs ''] CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]] MapPublicIpOnLaunch: true Subnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [1, !GetAZs ''] CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]] MapPublicIpOnLaunch: true RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC DefaultRoute: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway Subnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref RouteTable SubnetId: !Ref Subnet1 Subnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref RouteTable SubnetId: !Ref Subnet2 InfluxDBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: "influxdb-sg" GroupDescription: "Security group allowing port 8086 ingress for InfluxDB" VpcId: !Ref VPC InfluxDBSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref InfluxDBSecurityGroup IpProtocol: tcp CidrIp: 0.0.0.0/0 FromPort: 8086 ToPort: 8086 InfluxDBLogsS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain InfluxDBLogsS3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref InfluxDBLogsS3Bucket PolicyDocument: Version: '2012-10-17' Statement: - Action: "s3:PutObject" Effect: Allow Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/* Principal: Service: timestream-influxdb.amazonaws.com - Action: "s3:*" Effect: Deny Resource: - !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/* - !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket} Principal: "*" Condition: Bool: aws:SecureTransport: false DbInstance: Type: AWS::Timestream::InfluxDBInstance DependsOn: InfluxDBLogsS3BucketPolicy Properties: AllocatedStorage: 20 DbInstanceType: db.influx.medium Name: !Ref DbInstanceName Password: !Ref InfluxDBPassword PubliclyAccessible: true DeploymentType: WITH_MULTIAZ_STANDBY VpcSecurityGroupIds: - !Ref InfluxDBSecurityGroup VpcSubnetIds: - !Ref Subnet1 - !Ref Subnet2 LogDeliveryConfiguration: S3Configuration: BucketName: !Ref InfluxDBLogsS3Bucket Enabled: true Outputs: # Network Resources VPC: Description: A reference to the VPC used to create network resources Value: !Ref VPC Subnets: Description: A list of the subnets created Value: !Join [",", [!Ref Subnet1, !Ref Subnet2]] Subnet1: Description: A reference to the subnet in the 1st Availability Zone Value: !Ref Subnet1 Subnet2: Description: A reference to the subnet in the 2nd Availability Zone Value: !Ref Subnet2 InfluxDBSecurityGroup: Description: Security group with port 8086 ingress rule Value: !Ref InfluxDBSecurityGroup # Timestream for InfluxDB Resources InfluxDBLogsS3Bucket: Description: S3 Bucket containing InfluxDB logs from the DB instance Value: !Ref InfluxDBLogsS3Bucket DbInstance: Description: A reference to the Timestream for InfluxDB DB instance Value: !Ref DbInstance InfluxAuthParametersSecretArn: Description: "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password." Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn Endpoint: Description: The endpoint URL to connect to InfluxDB Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]] ``` ## More complete example with parameters This example template dynamically alters the network resources based on the parameters provided. Parameters include `PubliclyAccessible` and `DeploymentType`. ### JSON ``` { "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": {"default": "Network Configuration"}, "Parameters": ["VPCCIDR"] }, { "Label": {"default": "Amazon Timestream for InfluxDB Configuration"}, "Parameters": [ "DbInstanceName", "InfluxDBUsername", "InfluxDBPassword", "InfluxDBOrganization", "InfluxDBBucket", "DbInstanceType", "DbStorageType", "AllocatedStorage", "PubliclyAccessible", "DeploymentType" ] } ], "ParameterLabels": { "VPCCIDR": {"default": "VPC CIDR"} } } }, "Parameters": { "VPCCIDR": { "Description": "Please enter the IP range (CIDR notation) for the new VPC", "Type": "String", "Default": "10.0.0.0/16" }, "DbInstanceName": { "Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.", "Type": "String", "Default": "mydbinstance", "MinLength": 3, "MaxLength": 40, "AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$" }, "InfluxDBUsername": { "Description": "The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.", "Type": "String", "Default": "admin", "MinLength": 1, "MaxLength": 64 }, "InfluxDBPassword": { "Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.", "Type": "String", "NoEcho": true, "MinLength": 8, "MaxLength": 64, "AllowedPattern": "^[a-zA-Z0-9]+$" }, "InfluxDBOrganization": { "Description": "The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.", "Type": "String", "Default": "org", "MinLength": 1, "MaxLength": 64 }, "InfluxDBBucket": { "Description": "The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.", "Type": "String", "Default": "bucket", "MinLength": 2, "MaxLength": 64, "AllowedPattern": "^[^_\\\"][^\\\"]*$" }, "DeploymentType": { "Description": "Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability", "Type": "String", "Default": "WITH_MULTIAZ_STANDBY", "AllowedValues": [ "SINGLE_AZ", "WITH_MULTIAZ_STANDBY" ] }, "AllocatedStorage": { "Description": "The amount of storage to allocate for your DB storage type in GiB (gibibytes).", "Type": "Number", "Default": 400, "MinValue": 20, "MaxValue": 16384 }, "DbInstanceType": { "Description": "The Timestream for InfluxDB DB instance type to run InfluxDB on.", "Type": "String", "Default": "db.influx.medium", "AllowedValues": [ "db.influx.medium", "db.influx.large", "db.influx.xlarge", "db.influx.2xlarge", "db.influx.4xlarge", "db.influx.8xlarge", "db.influx.12xlarge", "db.influx.16xlarge" ] }, "DbStorageType": { "Description": "The Timestream for InfluxDB DB storage type to read and write InfluxDB data.", "Type": "String", "Default": "InfluxIOIncludedT1", "AllowedValues": [ "InfluxIOIncludedT1", "InfluxIOIncludedT2", "InfluxIOIncludedT3" ] }, "PubliclyAccessible": { "Description": "Configures the DB instance with a public IP to facilitate access.", "Type": "String", "Default": true, "AllowedValues": [ true, false ] } }, "Conditions": { "IsMultiAZ": { "Fn::Equals": [ {"Ref": "DeploymentType"}, "WITH_MULTIAZ_STANDBY" ] }, "IsPublic": { "Fn::Equals": [ {"Ref": "PubliclyAccessible"}, true ] } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": {"Ref": "VPCCIDR"} } }, "InternetGateway": { "Type": "AWS::EC2::InternetGateway", "Condition": "IsPublic" }, "InternetGatewayAttachment": { "Type": "AWS::EC2::VPCGatewayAttachment", "Condition": "IsPublic", "Properties": { "InternetGatewayId": {"Ref": "InternetGateway"}, "VpcId": {"Ref": "VPC"} } }, "Subnet1": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": {"Ref": "VPC"}, "AvailabilityZone": { "Fn::Select": [ 0, {"Fn::GetAZs": ""} ] }, "CidrBlock": { "Fn::Select": [ 0, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock" ] }, 2, 12 ] } ] }, "MapPublicIpOnLaunch": { "Fn::If": [ "IsPublic", true, false ] } } }, "Subnet2": { "Type": "AWS::EC2::Subnet", "Condition": "IsMultiAZ", "Properties": { "VpcId": {"Ref": "VPC"}, "AvailabilityZone": { "Fn::Select": [ 1, {"Fn::GetAZs": ""} ] }, "CidrBlock": { "Fn::Select": [ 1, { "Fn::Cidr": [ { "Fn::GetAtt": [ "VPC", "CidrBlock" ] }, 2, 12 ] } ] }, "MapPublicIpOnLaunch": { "Fn::If": [ "IsPublic", true, false ] } } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "DefaultRoute": { "Type": "AWS::EC2::Route", "Condition": "IsPublic", "DependsOn": "InternetGatewayAttachment", "Properties": { "RouteTableId": {"Ref": "RouteTable"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"} } }, "Subnet1RouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": {"Ref": "RouteTable"}, "SubnetId": {"Ref": "Subnet1"} } }, "Subnet2RouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Condition": "IsMultiAZ", "Properties": { "RouteTableId": {"Ref": "RouteTable"}, "SubnetId": {"Ref": "Subnet2"} } }, "InfluxDBSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupName": "influxdb-sg", "GroupDescription": "Security group allowing port 8086 ingress for InfluxDB", "VpcId": {"Ref": "VPC"} } }, "InfluxDBSecurityGroupIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": {"Ref": "InfluxDBSecurityGroup"}, "IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 8086, "ToPort": 8086 } }, "InfluxDBLogsS3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain" }, "InfluxDBLogsS3BucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": {"Ref": "InfluxDBLogsS3Bucket"}, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "s3:PutObject", "Effect": "Allow", "Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"}, "Principal": {"Service": "timestream-influxdb.amazonaws.com"} }, { "Action": "s3:*", "Effect": "Deny", "Resource": [ {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"}, {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"} ], "Principal": "*", "Condition": { "Bool": {"aws:SecureTransport": false} } } ] } } }, "DbInstance": { "Type": "AWS::Timestream::InfluxDBInstance", "DependsOn": "InfluxDBLogsS3BucketPolicy", "Properties": { "DbStorageType": {"Ref": "DbStorageType"}, "AllocatedStorage": {"Ref": "AllocatedStorage"}, "DbInstanceType": {"Ref": "DbInstanceType"}, "Name": {"Ref": "DbInstanceName"}, "Username": {"Ref": "InfluxDBUsername"}, "Password": {"Ref": "InfluxDBPassword"}, "Organization": {"Ref": "InfluxDBOrganization"}, "Bucket": {"Ref": "InfluxDBBucket"}, "PubliclyAccessible": { "Fn::If": [ "IsPublic", true, false ] }, "DeploymentType": {"Ref": "DeploymentType"}, "VpcSecurityGroupIds": [ {"Ref": "InfluxDBSecurityGroup"} ], "VpcSubnetIds": { "Fn::If": [ "IsMultiAZ", [ {"Ref": "Subnet1"}, {"Ref": "Subnet2"} ], [ {"Ref": "Subnet1"} ] ] }, "LogDeliveryConfiguration": { "S3Configuration": { "BucketName": {"Ref": "InfluxDBLogsS3Bucket"}, "Enabled": true } } } } }, "Outputs": { "VPC": { "Description": "A reference to the VPC used to create network resources", "Value": {"Ref": "VPC"} }, "Subnets": { "Description": "A list of the subnets created", "Value": { "Fn::If": [ "IsMultiAZ", { "Fn::Join": [ ",", [ {"Ref": "Subnet1"}, {"Ref": "Subnet2"} ] ] }, {"Ref": "Subnet1"} ] } }, "Subnet1": { "Description": "A reference to the subnet in the 1st Availability Zone", "Value": {"Ref": "Subnet1"} }, "Subnet2": { "Condition": "IsMultiAZ", "Description": "A reference to the subnet in the 2nd Availability Zone", "Value": {"Ref": "Subnet2"} }, "InfluxDBSecurityGroup": { "Description": "Security group with port 8086 ingress rule", "Value": {"Ref": "InfluxDBSecurityGroup"} }, "InfluxDBLogsS3Bucket": { "Description": "S3 Bucket containing InfluxDB logs from the DB instance", "Value": {"Ref": "InfluxDBLogsS3Bucket"} }, "DbInstance": { "Description": "A reference to the Timestream for InfluxDB DB instance", "Value": {"Ref": "DbInstance"} }, "InfluxAuthParametersSecretArn": { "Description": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.", "Value": { "Fn::GetAtt": [ "DbInstance", "InfluxAuthParametersSecretArn" ] } }, "Endpoint": { "Description": "The endpoint URL to connect to InfluxDB", "Value": { "Fn::Join": [ "", [ "https://", { "Fn::GetAtt": [ "DbInstance", "Endpoint" ] }, ":8086" ] ] } } } } ``` ### YAML ``` Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Network Configuration" Parameters: - VPCCIDR - Label: default: "Amazon Timestream for InfluxDB Configuration" Parameters: - DbInstanceName - InfluxDBUsername - InfluxDBPassword - InfluxDBOrganization - InfluxDBBucket - DbInstanceType - DbStorageType - AllocatedStorage - PubliclyAccessible - DeploymentType ParameterLabels: VPCCIDR: default: VPC CIDR Parameters: # Network Configuration VPCCIDR: Description: Please enter the IP range (CIDR notation) for the new VPC Type: String Default: 10.0.0.0/16 # Timestream for InfluxDB Configuration DbInstanceName: Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region. Type: String Default: mydbinstance MinLength: 3 MaxLength: 40 AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$ # InfluxDB initial user configurations InfluxDBUsername: Description: The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account. Type: String Default: admin MinLength: 1 MaxLength: 64 InfluxDBPassword: Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS in your account. Type: String NoEcho: true MinLength: 8 MaxLength: 64 AllowedPattern: ^[a-zA-Z0-9]+$ InfluxDBOrganization: Description: The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users. Type: String Default: org MinLength: 1 MaxLength: 64 InfluxDBBucket: Description: The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization. Type: String Default: bucket MinLength: 2 MaxLength: 64 AllowedPattern: ^[^_\"][^\"]*$ DeploymentType: Description: Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability Type: String Default: WITH_MULTIAZ_STANDBY AllowedValues: - SINGLE_AZ - WITH_MULTIAZ_STANDBY AllocatedStorage: Description: The amount of storage to allocate for your DB storage type in GiB (gibibytes). Type: Number Default: 400 MinValue: 20 MaxValue: 16384 DbInstanceType: Description: The Timestream for InfluxDB DB instance type to run InfluxDB on. Type: String Default: db.influx.medium AllowedValues: - db.influx.medium - db.influx.large - db.influx.xlarge - db.influx.2xlarge - db.influx.4xlarge - db.influx.8xlarge - db.influx.12xlarge - db.influx.16xlarge DbStorageType: Description: The Timestream for InfluxDB DB storage type to read and write InfluxDB data. Type: String Default: InfluxIOIncludedT1 AllowedValues: - InfluxIOIncludedT1 - InfluxIOIncludedT2 - InfluxIOIncludedT3 PubliclyAccessible: Description: Configures the DB instance with a public IP to facilitate access. Type: String Default: true AllowedValues: - true - false Conditions: IsMultiAZ: !Equals [!Ref DeploymentType, WITH_MULTIAZ_STANDBY] IsPublic: !Equals [!Ref PubliclyAccessible, true] Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VPCCIDR InternetGateway: Type: AWS::EC2::InternetGateway Condition: IsPublic InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Condition: IsPublic Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC Subnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [0, !GetAZs ''] CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]] MapPublicIpOnLaunch: !If [IsPublic, true, false] Subnet2: Type: AWS::EC2::Subnet Condition: IsMultiAZ Properties: VpcId: !Ref VPC AvailabilityZone: !Select [1, !GetAZs ''] CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]] MapPublicIpOnLaunch: !If [IsPublic, true, false] RouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC DefaultRoute: Type: AWS::EC2::Route Condition: IsPublic DependsOn: InternetGatewayAttachment Properties: RouteTableId: !Ref RouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway Subnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref RouteTable SubnetId: !Ref Subnet1 Subnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Condition: IsMultiAZ Properties: RouteTableId: !Ref RouteTable SubnetId: !Ref Subnet2 InfluxDBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: "influxdb-sg" GroupDescription: "Security group allowing port 8086 ingress for InfluxDB" VpcId: !Ref VPC InfluxDBSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref InfluxDBSecurityGroup IpProtocol: tcp CidrIp: 0.0.0.0/0 FromPort: 8086 ToPort: 8086 InfluxDBLogsS3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain InfluxDBLogsS3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref InfluxDBLogsS3Bucket PolicyDocument: Version: '2012-10-17' Statement: - Action: "s3:PutObject" Effect: Allow Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/* Principal: Service: timestream-influxdb.amazonaws.com - Action: "s3:*" Effect: Deny Resource: - !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/* - !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket} Principal: "*" Condition: Bool: aws:SecureTransport: false DbInstance: Type: AWS::Timestream::InfluxDBInstance DependsOn: InfluxDBLogsS3BucketPolicy Properties: DbStorageType: !Ref DbStorageType AllocatedStorage: !Ref AllocatedStorage DbInstanceType: !Ref DbInstanceType Name: !Ref DbInstanceName Username: !Ref InfluxDBUsername Password: !Ref InfluxDBPassword Organization: !Ref InfluxDBOrganization Bucket: !Ref InfluxDBBucket PubliclyAccessible: !If [IsPublic, true, false] DeploymentType: !Ref DeploymentType VpcSecurityGroupIds: - !Ref InfluxDBSecurityGroup VpcSubnetIds: !If - IsMultiAZ - - !Ref Subnet1 - !Ref Subnet2 - - !Ref Subnet1 LogDeliveryConfiguration: S3Configuration: BucketName: !Ref InfluxDBLogsS3Bucket Enabled: true Outputs: # Network Resources VPC: Description: A reference to the VPC used to create network resources Value: !Ref VPC Subnets: Description: A list of the subnets created Value: !If - IsMultiAZ - !Join [",", [!Ref Subnet1, !Ref Subnet2]] - !Ref Subnet1 Subnet1: Description: A reference to the subnet in the 1st Availability Zone Value: !Ref Subnet1 Subnet2: Condition: IsMultiAZ Description: A reference to the subnet in the 2nd Availability Zone Value: !Ref Subnet2 InfluxDBSecurityGroup: Description: Security group with port 8086 ingress rule Value: !Ref InfluxDBSecurityGroup # Timestream for InfluxDB Resources InfluxDBLogsS3Bucket: Description: S3 Bucket containing InfluxDB logs from the DB instance Value: !Ref InfluxDBLogsS3Bucket DbInstance: Description: A reference to the Timestream for InfluxDB DB instance Value: !Ref DbInstance InfluxAuthParametersSecretArn: Description: "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password." Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn Endpoint: Description: The endpoint URL to connect to InfluxDB Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]] ```