# Sintaxis de Rules de la plantilla de CloudFormation
La sección `Rules` es una parte opcional de una plantilla de CloudFormation que permite una lógica de validación personalizada. Cuando se incluye, esta sección contiene funciones de reglas que validan los valores de los parámetros antes de que CloudFormation cree o actualice cualquier recurso.
Las reglas son útiles cuando las restricciones estándar de los parámetros son insuficientes. Por ejemplo, cuando SSL está habilitado, se debe proporcionar tanto un certificado como un nombre de dominio. Una regla puede garantizar que se cumplan estas dependencias.
## Sintaxis
La sección `Rules` usa la siguiente sintaxis:
### JSON
La sección `Rules` de una plantilla consta del nombre de clave `Rules`, seguido de un único signo de dos puntos. Debe utilizar llaves para incluir todas las declaraciones de reglas. Si se declaran varias reglas, deben delimitarse mediante comas. Para cada regla, se declara un nombre lógico entre comillas seguido de un signo de dos puntos y de las llaves que contienen la condición de regla y las declaraciones.
```
{
"Rules": {
"LogicalRuleName1": {
"RuleCondition": {
"rule-specific intrinsic function": "Value"
},
"Assertions": [
{
"Assert": {
"rule-specific intrinsic function": "Value"
},
"AssertDescription": "Information about this assert"
},
{
"Assert": {
"rule-specific intrinsic function": "Value"
},
"AssertDescription": "Information about this assert"
}
]
},
"LogicalRuleName2": {
"Assertions": [
{
"Assert": {
"rule-specific intrinsic function": "Value"
},
"AssertDescription": "Information about this assert"
}
]
}
}
}
```
### YAML
```
Rules:
LogicalRuleName1:
RuleCondition:
rule-specific intrinsic function: Value
Assertions:
- Assert:
rule-specific intrinsic function: Value
AssertDescription: Information about this assert
- Assert:
rule-specific intrinsic function: Value
AssertDescription: Information about this assert
LogicalRuleName2:
Assertions:
- Assert:
rule-specific intrinsic function: Value
AssertDescription: Information about this assert
```
### Campos de reglas
La sección `Rules` puede incluir los siguientes campos.
**ID lógico (también denominado *nombre lógico*)**
Un identificador único para cada regla.
**`RuleCondition` (opcional)**
Una propiedad que determina cuándo surte efecto una regla. Si no se define la condición de regla, las declaraciones de la regla surten efecto en todos los casos. Para cada regla, sólo puede definir una condición de regla.
**`Assertions` (obligatorio)**
Una o más declaraciones que especifican los valores aceptables para un parámetro determinado.
**`Assert`**
Una condición que se debe evaluar como `true`.
**`AssertDescription`**
Un mensaje que se muestra cuando falla una aserción.
## Funciones intrínsecas específicas de la regla
Para definir sus reglas, debe utilizar *funciones específicas de reglas*, que son funciones que solo se pueden utilizar en la sección `Rules` de una plantilla. Puede anidar funciones, pero el resultado final de una condición de regla o una declaración debe ser `true` o `false`.
Ahora están disponibles las siguientes funciones de reglas:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-and](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-and)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-contains](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-contains)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberequals](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberequals)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberin)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-equals](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-equals)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-or](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-or)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-refall](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-refall)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueof](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueof)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueofall](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueofall)
Estas funciones intrínsecas se utilizan en la condición o aserciones de una regla. La propiedad de condición determina si CloudFormation aplicará las declaraciones. Si la condición se evalúa como `true`, CloudFormation evalúa las declaraciones para comprobar si el valor de un parámetro es válido en el momento de crear o actualizar un producto provisionado. Si el valor de un parámetro no es válido, CloudFormation no crea o actualizar la pila. Si la condición se evalúa como `false`, CloudFormation no comprueba el valor del parámetro y procede a llevar a cabo la operación de la pila.
## Ejemplos
**Topics**
+ [
### Comprobación condicional del valor de un parámetro
](#template-constraint-rules-example-verify)
+ [
### Validación de parámetros cruzados
](#template-cross-parameter-rules-example)
### Comprobación condicional del valor de un parámetro
En el siguiente ejemplo, las dos reglas comprueban el valor del `InstanceType` parámetro. En función del valor del parámetro entorno (`test` o `prod`), el usuario debe especificar `t3.medium` o `t3.large` para el parámetro `InstanceType`. Los parámetros `InstanceType` y `Environment` deben declararse en la sección `Parameters` de la misma plantilla.
#### JSON
```
{
"Rules": {
"testInstanceType": {
"RuleCondition": {
"Fn::Equals": [
{"Ref": "Environment"},
"test"
]
},
"Assertions": [
{
"Assert": {
"Fn::Contains": [
["t3.medium"],
{"Ref": "InstanceType"}
]
},
"AssertDescription": "For a test environment, the instance type must be t3.medium"
}
]
},
"prodInstanceType": {
"RuleCondition": {
"Fn::Equals": [
{"Ref": "Environment"},
"prod"
]
},
"Assertions": [
{
"Assert": {
"Fn::Contains": [
["t3.large"],
{"Ref": "InstanceType"}
]
},
"AssertDescription": "For a production environment, the instance type must be t3.large"
}
]
}
}
}
```
#### YAML
```
Rules:
testInstanceType:
RuleCondition: !Equals
- !Ref Environment
- test
Assertions:
- Assert:
'Fn::Contains':
- - t3.medium
- !Ref InstanceType
AssertDescription: 'For a test environment, the instance type must be t3.medium'
prodInstanceType:
RuleCondition: !Equals
- !Ref Environment
- prod
Assertions:
- Assert:
'Fn::Contains':
- - t3.large
- !Ref InstanceType
AssertDescription: 'For a production environment, the instance type must be t3.large'
```
### Validación de parámetros cruzados
Las siguientes plantillas de ejemplo demuestran el uso de reglas para las validaciones entre parámetros. Crean un sitio web de ejemplo que se ejecuta en un grupo de escalado automático detrás de un equilibrador de carga. El sitio web está disponible en los puertos 80 o 443, según los parámetros de entrada. Las instancias del grupo de escalado automático se pueden configurar para que escuchen en cualquier puerto (con 8888 como el valor predeterminado).
Las reglas de esta plantilla validan los parámetros de entrada antes de crear la pila. Comprueban que todas las subredes pertenecen a la VPC especificada y garantizan que, cuando el parámetro `UseSSL` se establece en `Yes`, se proporcionen un ARN de certificado SSL y un nombre de zona alojada.
**nota**
Se le facturarán los recursos de AWS que utilice si crea una pila a partir de esta plantilla.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"VpcId": {
"Type": "AWS::EC2::VPC::Id",
"Description": "VpcId of your existing Virtual Private Cloud (VPC)",
"ConstraintDescription": "must be the VPC Id of an existing Virtual Private Cloud."
},
"Subnets": {
"Type": "List",
"Description": "The list of SubnetIds in your Virtual Private Cloud (VPC)",
"ConstraintDescription": "must be a list of at least two existing subnets associated with at least two different availability zones."
},
"InstanceType": {
"Description": "WebServer EC2 instance type",
"Type": "String",
"Default": "t2.micro",
"AllowedValues": ["t2.micro", "t3.micro"],
"ConstraintDescription": "must be a valid EC2 instance type."
},
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"UseSSL": {
"AllowedValues": ["Yes", "No"],
"Default": "No",
"Description": "Select \"Yes\" to implement SSL, \"No\" to skip (default).",
"Type": "String"
},
"ALBSSLCertificateARN": {
"Default": "",
"Description": "[Optional] The ARN of the SSL certificate to be used for the Application Load Balancer",
"Type": "String"
},
"HostedZoneName": {
"AllowedPattern": "^$|(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$",
"Default": "",
"Description": "[Optional] The domain name of a valid Hosted Zone on AWS.",
"Type": "String"
}
},
"Conditions": {
"UseALBSSL": {"Fn::Equals": [{"Ref": "UseSSL"}, "Yes"]}
},
"Rules": {
"SubnetsInVPC": {
"Assertions": [
{
"Assert": {"Fn::EachMemberEquals": [{"Fn::ValueOf": ["Subnets", "VpcId"]}, {"Ref": "VpcId"}]},
"AssertDescription": "All subnets must be in the VPC"
}
]
},
"ValidateHostedZone": {
"RuleCondition": {"Fn::Equals": [{"Ref": "UseSSL"}, "Yes"]},
"Assertions": [
{
"Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": "ALBSSLCertificateARN"}, ""]}]},
"AssertDescription": "ACM Certificate value cannot be empty if SSL is required"
},
{
"Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": "HostedZoneName"}, ""]}]},
"AssertDescription": "Route53 Hosted Zone Name is mandatory when SSL is required"
}
]
}
},
"Resources": {
"WebServerGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"VPCZoneIdentifier": {"Ref": "Subnets"},
"LaunchTemplate": {
"LaunchTemplateId": {"Ref": "LaunchTemplate"},
"Version": {"Fn::GetAtt": ["LaunchTemplate","LatestVersionNumber"]}
},
"MinSize": "2",
"MaxSize": "2",
"TargetGroupARNs": [{"Ref": "ALBTargetGroup"}]
},
"CreationPolicy": {
"ResourceSignal": {"Timeout": "PT15M"}
},
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"MinInstancesInService": "1",
"MaxBatchSize": "1",
"PauseTime": "PT15M",
"WaitOnResourceSignals": true
}
}
},
"LaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Metadata": {
"Comment": "Install a simple application",
"AWS::CloudFormation::Init": {
"config": {
"packages": {"yum": {"httpd": []}},
"files": {
"/var/www/html/index.html": {
"content": {"Fn::Join": ["\n", ["Congratulations, you have successfully launched the AWS CloudFormation sample.
"]]},
"mode": "000644",
"owner": "root",
"group": "root"
},
"/etc/cfn/cfn-hup.conf": {
"content": {"Fn::Join": ["", [
"[main]\n",
"stack=", {"Ref": "AWS::StackId"}, "\n",
"region=", {"Ref": "AWS::Region"}, "\n"
]]},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {"Fn::Join": ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.LaunchTemplate.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
" --stack ", {"Ref": "AWS::StackName"},
" --resource LaunchTemplate ",
" --region ", {"Ref": "AWS::Region"}, "\n",
"runas=root\n"
]]},
"mode": "000400",
"owner": "root",
"group": "root"
}
},
"services": {
"sysvinit": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"/etc/cfn/cfn-hup.conf",
"/etc/cfn/hooks.d/cfn-auto-reloader.conf"
]
}
}
}
}
}
},
"Properties": {
"LaunchTemplateName": {"Fn::Sub": "${AWS::StackName}-launch-template"},
"LaunchTemplateData": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": [{"Ref": "InstanceSecurityGroup"}],
"InstanceType": {"Ref": "InstanceType"},
"KeyName": {"Ref": "KeyName"},
"UserData": {
"Fn::Base64": {"Fn::Join": ["", [
"#!/bin/bash\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", {"Ref": "AWS::StackName"},
" --resource LaunchTemplate ",
" --region ", {"Ref": "AWS::Region"}, "\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", {"Ref": "AWS::StackName"},
" --resource WebServerGroup ",
" --region ", {"Ref": "AWS::Region"}, "\n"
]]}
}
}
}
},
"ELBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow access to the ELB",
"VpcId": {"Ref": "VpcId"},
"SecurityGroupIngress": [{
"Fn::If": [
"UseALBSSL",
{
"IpProtocol": "tcp",
"FromPort": 443,
"ToPort": 443,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}]
}
},
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Subnets": {"Ref": "Subnets"},
"SecurityGroups": [{"Ref": "ELBSecurityGroup"}]
}
},
"ALBListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [{
"Type": "forward",
"TargetGroupArn": {"Ref": "ALBTargetGroup"}
}],
"LoadBalancerArn": {"Ref": "ApplicationLoadBalancer"},
"Port": {"Fn::If": ["UseALBSSL", 443, 80]},
"Protocol": {"Fn::If": ["UseALBSSL", "HTTPS", "HTTP"]},
"Certificates": [{
"Fn::If": [
"UseALBSSL",
{"CertificateArn": {"Ref": "ALBSSLCertificateARN"}},
{"Ref": "AWS::NoValue"}
]
}]
}
},
"ALBTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"HealthCheckIntervalSeconds": 30,
"HealthCheckTimeoutSeconds": 5,
"HealthyThresholdCount": 3,
"Port": 80,
"Protocol": "HTTP",
"UnhealthyThresholdCount": 5,
"VpcId": {"Ref": "VpcId"}
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access and HTTP access on the inbound port",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"SourceSecurityGroupId": {"Fn::Select": [0, {"Fn::GetAtt": ["ApplicationLoadBalancer", "SecurityGroups"]}]}
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": {"Ref": "SSHLocation"}
}
],
"VpcId": {"Ref": "VpcId"}
}
},
"RecordSet": {
"Type": "AWS::Route53::RecordSetGroup",
"Condition": "UseALBSSL",
"Properties": {
"HostedZoneName": {"Fn::Join": ["", [{"Ref": "HostedZoneName"}, "."]]},
"RecordSets": [{
"Name": {"Fn::Join": ["", [
{"Fn::Select": ["0", {"Fn::Split": [".", {"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]}]}]},
".",
{"Ref": "HostedZoneName"},
"."
]]},
"Type": "A",
"AliasTarget": {
"DNSName": {"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]},
"EvaluateTargetHealth": true,
"HostedZoneId": {"Fn::GetAtt": ["ApplicationLoadBalancer", "CanonicalHostedZoneID"]}
}
}]
}
}
},
"Outputs": {
"URL": {
"Description": "URL of the website",
"Value": {"Fn::Join": ["", [
{"Fn::If": [
"UseALBSSL",
{"Fn::Join": ["", [
"https://",
{"Fn::Join": ["", [
{"Fn::Select": ["0", {"Fn::Split": [".", {"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]}]}]},
".",
{"Ref": "HostedZoneName"},
"."
]]}
]]},
{"Fn::Join": ["", [
"http://",
{"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]}
]]}
]}
]]}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
VpcId:
Type: AWS::EC2::VPC::Id
Description: VpcId of your existing Virtual Private Cloud (VPC)
ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.
Subnets:
Type: List
Description: The list of SubnetIds in your Virtual Private Cloud (VPC)
ConstraintDescription: >-
must be a list of at least two existing subnets associated with at least
two different availability zones. They should be residing in the selected
Virtual Private Cloud.
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- t3.micro
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
UseSSL:
AllowedValues:
- 'Yes'
- 'No'
ConstraintDescription: Select Yes to create a HTTPS Listener
Default: 'No'
Description: 'Select "Yes" to implement SSL, "No" to skip (default).'
Type: String
ALBSSLCertificateARN:
Default: ''
Description: >-
[Optional] The ARN of the SSL certificate to be used for the Application
Load Balancer
Type: String
HostedZoneName:
AllowedPattern: >-
^$|(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
Default: ''
Description: '[Optional] The domain name of a valid Hosted Zone on AWS.'
Type: String
Conditions:
UseALBSSL: !Equals
- !Ref UseSSL
- 'Yes'
Rules:
SubnetsInVPC:
Assertions:
- Assert:
'Fn::EachMemberEquals':
- 'Fn::ValueOf':
- Subnets
- VpcId
- Ref: VpcId
AssertDescription: All subnets must be in the VPC
ValidateHostedZone:
RuleCondition: !Equals
- !Ref UseSSL
- 'Yes'
Assertions:
- Assert: !Not
- !Equals
- !Ref ALBSSLCertificateARN
- ''
AssertDescription: ACM Certificate value cannot be empty if SSL is required
- Assert: !Not
- !Equals
- !Ref HostedZoneName
- ''
AssertDescription: Route53 Hosted Zone Name is mandatory when SSL is required
Resources:
WebServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
VPCZoneIdentifier: !Ref Subnets
LaunchTemplate:
LaunchTemplateId: !Ref LaunchTemplate
Version: !GetAtt LaunchTemplate.LatestVersionNumber
MinSize: '2'
MaxSize: '2'
TargetGroupARNs:
- !Ref ALBTargetGroup
CreationPolicy:
ResourceSignal:
Timeout: PT15M
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: '1'
MaxBatchSize: '1'
PauseTime: PT15M
WaitOnResourceSignals: 'true'
LaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Metadata:
Comment: Install a simple application
AWS::CloudFormation::Init:
config:
packages:
yum:
httpd: []
files:
/var/www/html/index.html:
content: !Join
- |+
- - >-
Congratulations, you have successfully launched the AWS
CloudFormation sample.
mode: '000644'
owner: root
group: root
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |-
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.LaunchTemplate.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchTemplate --region ${AWS::Region}
runas=root
mode: '000400'
owner: root
group: root
services:
sysvinit:
httpd:
enabled: 'true'
ensureRunning: 'true'
cfn-hup:
enabled: 'true'
ensureRunning: 'true'
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
Properties:
LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
LaunchTemplateData:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds:
- !Ref InstanceSecurityGroup
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
UserData: !Base64
Fn::Sub: |
#!/bin/bash
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchTemplate --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}
ELBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow access to the ELB
VpcId: !Ref VpcId
SecurityGroupIngress:
- !If
- UseALBSSL
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Subnets: !Ref Subnets
SecurityGroups:
- !Ref ELBSecurityGroup
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref ALBTargetGroup
LoadBalancerArn: !Ref ApplicationLoadBalancer
Port: !If
- UseALBSSL
- 443
- 80
Protocol: !If
- UseALBSSL
- HTTPS
- HTTP
Certificates:
- !If
- UseALBSSL
- CertificateArn: !Ref ALBSSLCertificateARN
- !Ref 'AWS::NoValue'
ALBTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 3
Port: 80
Protocol: HTTP
UnhealthyThresholdCount: 5
VpcId: !Ref VpcId
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access and HTTP access on the inbound port
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: !Select
- 0
- !GetAtt
- ApplicationLoadBalancer
- SecurityGroups
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
VpcId: !Ref VpcId
RecordSet:
Type: AWS::Route53::RecordSetGroup
Condition: UseALBSSL
Properties:
HostedZoneName: !Join
- ''
- - !Ref HostedZoneName
- .
RecordSets:
- Name: !Join
- ''
- - !Select
- '0'
- !Split
- .
- !GetAtt
- ApplicationLoadBalancer
- DNSName
- .
- !Ref HostedZoneName
- .
Type: A
AliasTarget:
DNSName: !GetAtt
- ApplicationLoadBalancer
- DNSName
EvaluateTargetHealth: true
HostedZoneId: !GetAtt
- ApplicationLoadBalancer
- CanonicalHostedZoneID
Outputs:
URL:
Description: URL of the website
Value: !Join
- ''
- - !If
- UseALBSSL
- !Join
- ''
- - 'https://'
- !Join
- ''
- - !Select
- '0'
- !Split
- .
- !GetAtt
- ApplicationLoadBalancer
- DNSName
- .
- !Ref HostedZoneName
- .
- !Join
- ''
- - 'http://'
- !GetAtt
- ApplicationLoadBalancer
- DNSName
```