# How to compose in AWS Infrastructure Composer
This section covers the basics of using Infrastructure Composer from the [Infrastructure Composer console](using-composer-console.md), [CloudFormation console mode](using-composer-console-cfn-mode.md), and the [AWS Toolkit for Visual Studio Code](using-composer-ide.md). More specifically, the topics in this section provide key details on how to compose an application with Infrastructure Composer, and includes details on additional features and shortcuts. There are a few variations in functionality between console and VS Code experiences, and the topics in this section identifies and describes these variations where they occur.
After composing your application, you will be ready to review [Deploy your Infrastructure Composer serverless application to the AWS Cloud](other-services-cfn.md) for information on deploying your application.
**Topics**
+ [Place cards on Infrastructure Composer's visual canvas](reference-navigation.md)
+ [Group cards together on Infrastructure Composer's visual canvas](reference-navigation-gestures-group.md)
+ [Connect cards on Infrastructure Composer's visual canvas](reference-navigation-gestures-connect.md)
+ [Disconnect cards in Infrastructure Composer](reference-navigation-gestures-disconnect.md)
+ [Arrange cards on Infrastructure Composer's visual canvas](reference-navigation-gestures-arrange.md)
+ [Configure and modify cards in Infrastructure Composer](using-composer-cards.md)
+ [Delete cards in Infrastructure Composer](using-composer-cards-delete.md)
+ [View code updates with the Change Inspector in Infrastructure Composer](using-change-inspector.md)
+ [Reference external files in Infrastructure Composer](using-composer-external-files.md)
+ [Integrate Infrastructure Composer with Amazon Virtual Private Cloud (Amazon VPC)](using-composer-services-vpc.md)
# Place cards on Infrastructure Composer's visual canvas
This section describes how you select and drag Infrastructure Composer [cards](using-composer-connecting.md) in its visual canvas. Before starting, identify what resources your application needs and how they need to interact. For tips on doing this, see [Build your first application with Infrastructure Composer](getting-started-build.md).
To add a card to your application, drag it from the resource palette and drop it onto the visual canvas.
![\[Selecting a resource from the resource palette and dragging it onto the Infrastructure Composer canvas.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_ref_05.gif)
You can choose from two types of cards: [Enhanced component cards](using-composer-cards-component-intro-enhanced.md) and [Standard IaC resource cards](using-composer-cards-resource-intro.md).
After placing your cards on the visual canvas, you'll be ready to group, connect, arrange, and configure your cards. See the following topics for information on doing this:
+ [Group cards together on Infrastructure Composer's visual canvas](reference-navigation-gestures-group.md)
+ [Connect cards on Infrastructure Composer's visual canvas](reference-navigation-gestures-connect.md)
+ [Arrange cards on Infrastructure Composer's visual canvas](reference-navigation-gestures-arrange.md)
+ [Configure and modify cards in Infrastructure Composer](using-composer-cards.md)
# Group cards together on Infrastructure Composer's visual canvas
This topic contains details on grouping enhanced component cards and standard component cards. Grouping cards helps you categorize and organize your resources without needing to think about the code or markup you need write.
## Grouping enhanced component cards
There are two ways to group enhanced component cards together:
+ While pressing **Shift**, select cards to group. Then, choose **Group** from the resource actions menu.
+ select a card you want in a group. From the menu that appears, select **Group**. This will create a group that you can drag and drop other cards into.
![\[Selecting multiple Lambda functions and grouping them together.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_ref_07.gif)
## Grouping a standard component card into another
The following example shows one way a standard component card can be grouped into another card from the **Resource properties** panel:
![\[The Resource properties panel for a standard component card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_cards_17.png)
In the **Resource configuration** field on the **Resource properties** panel, the `Role` has been referenced in the Lambda function. This results in the **Role** card being grouped into the **Function** card on the canvas.
# Connect cards on Infrastructure Composer's visual canvas
Use this topic to understand how to connect cards in Infrastructure Composer. This section includes details on connecting enhanced component cards and standard component cards. It also provides a few examples that illustrate the different ways cards can be connected.
## Connecting enhanced component cards
On enhanced component cards, ports visually identify where connections can be made.
+ A port on the right side of a card indicates an opportunity for the card to invoke another card.
+ A port on the left side of a card indicates an opportunity for the card to be invoked by another card.
Connect cards together by clicking on a the right port of one card and dragging it onto a left port on another card.
![\[An API Gateway card being connected to a Lambda function.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_con_02.png)
When you create a connection, a message will display, letting you know if the connection was successfully made. Select the message to see what Infrastructure Composer changed to provision a connection. If the connection was unsuccessful, you can select **Template view** to manually update your infrastructure code to provision the connection.
+ When successful, click on the message to view the **Change inspector**. Here, you can see what Infrastructure Composer modified to provision your connection.
+ When unsuccessful, a message will display. You can select the **Template view** and manually update your infrastructure code to provision the connection.
![\[Bringing up the Change Inspector from the bottom of the screen.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ci_02.gif)
When you connect enhanced component cards together, Infrastructure Composer automatically creates the infrastructure code in your template to provision the event-driven relationship between your resources.
## Connecting standard component cards (Standard IaC resource cards)
Standard IaC resource cards do not include ports to create connections with other resources. During [card configuration](using-composer-standard-cards.md), you specify event-driven relationships in the template of your application, Infrastructure Composer will automatically detect these connections and visualize them with a dotted line between your cards. The following is an example of a connection between a standard component card and an enhanced component card:
![\[A standard component card connected to an enhanced component card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_con_04.png)
The following example shows how a Lambda function can be connected with an Amazon API Gateway rest API:
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: MyApi
ApiGatewayMethod:
Type: 'AWS::ApiGateway::Method'
Properties:
HttpMethod: POST # Specify the HTTP method you want to use (e.g., GET, POST, PUT, DELETE)
ResourceId: !GetAtt MyApi.RootResourceId
RestApiId: !Ref MyApi
AuthorizationType: NONE
Integration:
Type: AWS_PROXY
IntegrationHttpMethod: POST
Uri: !Sub
- arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunctionArn}/invocations
- { LambdaFunctionArn: !GetAtt MyLambdaFunction.Arn }
MethodResponses:
- StatusCode: 200
MyLambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs14.x
Code:
S3Bucket: your-bucket-name
S3Key: your-lambda-zip-file.zip
LambdaExecutionRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: LambdaExecutionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: 'arn:aws:logs:*:*:*'
- Effect: Allow
Action:
- 'lambda:InvokeFunction'
Resource: !GetAtt MyLambdaFunction.Arn
```
In the above example, the snippet of code listed in `ApiGatewayMethod:` under `Integration:` specifies the event-driven relationship that connects the two cards.
# Examples for connecting cards in Infrastructure Composer
Use the examples in this section to understand how cards can be connected in Infrastructure Composer.
## Invoke an AWS Lambda function when an item is placed in an Amazon Simple Storage Service (Amazon S3) bucket
In this example, an **Amazon S3 bucket** card is connected to a **Lambda function** card. When an item is placed in the Amazon S3 bucket, the function is invoked. The function can then be used to process the item or trigger other events in your application.
![\[A connection from the right port of a Amazon S3 bucket resource to the left port of a Lambda function resource.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_05.png)
This interaction requires that an event be defined for the function. Here is what Infrastructure Composer provisions:
```
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyBucket:
Type: AWS::S3::Bucket
...
MyBucketBucketPolicy:
Type: AWS::S3::BucketPolicy
...
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
Events:
MyBucket:
Type: S3
Properties:
Bucket: !Ref MyBucket
Events:
- s3:ObjectCreated:* # Event that triggers invocation of function
- s3:ObjectRemoved:* # Event that triggers invocation of function
```
## Invoke an Amazon S3 bucket from a Lambda function
In this example, a **Lambda function** card invokes an **Amazon S3 bucket** card. The Lambda function can be used to perform CRUD operations on items in the Amazon S3 bucket.
![\[A connection from the right port of an Lambda function resource to the left port of a Amazon S3 bucket resource.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_06.png)
This interaction requires the following, which is provisioned by Infrastructure Composer:
+ IAM policies that allow the Lambda function to interact with the Amazon S3 bucket.
+ Environment variables that influence the behavior of the Lambda function.
```
Transform: AWS::Serverless-2016-10-31
...
Resources:
MyBucket:
Type: AWS::S3::Bucket
...
MyBucketBucketPolicy:
Type: AWS::S3::BucketPolicy
...
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
Environment:
Variables:
BUCKET_NAME: !Ref MyBucket
BUCKET_ARN: !GetAtt MyBucket.Arn
Policies:
- S3CrudPolicy:
BucketName: !Ref MyBucket
```
# Disconnect cards in Infrastructure Composer
In Infrastructure Composer, you connect and disconnect AWS resources using *enhanced component cards* and *standard component cards*. This section describes how to disconnect both types of cards.
## Enhanced component cards
To disconnect enhanced component cards, select the line and choose **Disconnect**.
![\[An API Gateway card being disconnected from a Lambda function.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_con_03.png)
Infrastructure Composer will automatically modify your template to remove the event-driven relationship from your application.
## Standard component cards
Standard component cards do not include ports to create connections with other resources. During [card configuration](using-composer-standard-cards.md), you specify event-driven relationships in the template of your application, Infrastructure Composer will automatically detect these connections and visualize them with a dotted line between your cards. To disconnect a standard component card, remove the event-driven relationship in the template of your application.
The following example shows a Lambda function that is connected with an Amazon API Gateway rest API:
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Name: MyApi
ApiGatewayMethod:
Type: 'AWS::ApiGateway::Method'
Properties:
HttpMethod: POST # Specify the HTTP method you want to use (e.g., GET, POST, PUT, DELETE)
ResourceId: !GetAtt MyApi.RootResourceId
RestApiId: !Ref MyApi
AuthorizationType: NONE
Integration:
Type: AWS_PROXY
IntegrationHttpMethod: POST
Uri: !Sub
- arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaFunctionArn}/invocations
- { LambdaFunctionArn: !GetAtt MyLambdaFunction.Arn }
MethodResponses:
- StatusCode: 200
MyLambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Runtime: nodejs14.x
Code:
S3Bucket: your-bucket-name
S3Key: your-lambda-zip-file.zip
LambdaExecutionRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: 'sts:AssumeRole'
Policies:
- PolicyName: LambdaExecutionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: 'arn:aws:logs:*:*:*'
- Effect: Allow
Action:
- 'lambda:InvokeFunction'
Resource: !GetAtt MyLambdaFunction.Arn
```
To remove the connection betweent the two cards, remove references to `MyLambdaFunction` listed in `ApiGatewayMethod:` under `Integration`.
# Arrange cards on Infrastructure Composer's visual canvas
Select **Arrange** to visually arrange and organize cards on the canvas. Using the **Arrange** button is particularly useful when there many cards and connections on the canvas.
![\[Connecting four cards and then selecting the Arrange button.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_ref_10.gif)
# Configure and modify cards in Infrastructure Composer
In Infrastructure Composer, cards represent resources that you use to design your application architecture. When you configure a card in Infrastructure Composer, you define the details of the resources in your application. This includes details like a card's **Logical ID** and **Partition key**. The way this information is defined varies between **Enhanced component cards** and **Standard cards**.
An **Enhanced component card** is A collection of CloudFormation resources that have been combined into a single curated card that enhances ease of use, functionality, and are designed for a wide variety of use cases. A **Standard IaC resource card** represents a single AWS CloudFormation resource. Each standard IaC resource card, once dragged onto the canvas, is labeled **Standard component**.
This topic provides details on configuring **Enhanced component cards** and **Standard component cards**.
**Note**
This topic applies to using cards from the Infrastructure Composer Console, the AWS Toolkit for Visual Studio Code extension, and while in Infrastructure Composer in CloudFormation console mode. Lambda-related cards (**Lambda Function** and **Lambda Layer**) require code builds and packaging solutions that are not available in Infrastructure Composer in CloudFormation console mode. For more information, see [Using Infrastructure Composer in CloudFormation console mode](using-composer-console-cfn-mode.md).
**Topics**
+ [Enhanced component cards in Infrastructure Composer](using-composer-cards-use-enhanced-component.md)
+ [Standard cards in Infrastructure Composer](using-composer-standard-cards.md)
# Enhanced component cards in Infrastructure Composer
To configure enhanced component cards, Infrastructure Composer provides a form in the **Resource properties** panel. This form is curated uniquely to guide you through configuring each enhanced component card. As you fill out the form, Infrastructure Composer modifies your infrastructure code.
Some enhanced component cards do have additional features. This section reviews the basics of using enhanced component cards and offers details on cards with additional features.
For more information on enhanced component cards, see [Enhanced component cards in Infrastructure Composer](using-composer-cards-component-intro-enhanced.md) and [Enhanced component cards in Infrastructure Composer](using-composer-cards-component-intro-enhanced.md)
# Procedure
The **Resource properties** panel streamlines configuration and adds guiderails that simplifies card configuration. To use this panel, perform the following steps:
1. Double-click a card to bring up the **Resource properties** panel.
1. Click on a card and select **Details** to bring up the resource properties panel.
1. For Infrastructure Composer from the AWS Management Console, select **Template** to show your application code. Configure directly from here.
The following image shows how this can be done:
![\[Selecting the Template View and modifying the infrastructure code from there.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_ref_11.gif)
# Using Infrastructure Composer with Amazon Relational Database Service (Amazon RDS)
AWS Infrastructure Composer features an integration with Amazon Relational Database Service (Amazon RDS). Using the **RDS Database (External)** enhanced component card in Infrastructure Composer, you can connect your application to Amazon RDS DB clusters, instances, and proxies that are defined on another CloudFormation or AWS Serverless Application Model (AWS SAM) template.
The **RDS Database (External)** enhanced component card represents Amazon RDS resources that are defined on another template. This includes:
+ Amazon RDS DB cluster or instance that is defined on another template
+ Amazon RDS DB proxy
The **RDS Database (External)** enhanced component card is available from the **Resources** palette.
![\[An Amazon RDS database (external) enhanced component card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_rds_01.png)
To use this card, drag it onto the Infrastructure Composer canvas, configure it, and connect it to other resources.
You can connect your application to the external Amazon RDS DB cluster or instance through an Lambda function.
## Requirements
To use this feature, you must meet the following requirements:
1. Your external Amazon RDS DB cluster, instance, or proxy must be using AWS Secrets Manager to manage the user password. To learn more, see [Password management with Amazon RDS and AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide*.
1. Your application in Infrastructure Composer must be a new project or must have been originally created in Infrastructure Composer.
## Procedure
### Step 1: Configure the external RDS Database card
From the **Resources** palette, drag an **RDS Database (external)** enhanced component card onto the canvas.
Select the card and choose **Details** or double-click on the card to bring up the **Resource properties** panel. The card's resource properties panel will appear:
![\[The resource properties panel of an RDS Database (external) enhanced component card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_rds_03.png)
You can configure the following here:
+ **Logical ID** – A unique name for your external Amazon RDS DB cluster, instance, or proxy. This ID does not have to match the logical ID value of your external Amazon RDS DB resource.
+ **Database secret** – An identifier for the AWS Secrets Manager secret that is associated with your Amazon RDS DB cluster, instance, or proxy. This field accepts the following values:
+ **Static value** – A unique identifier of the database secret, such as the secret ARN. The following is an example: `arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c`. For more information, see [AWS Secrets Manager concepts](https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html) in the *AWS Secrets Manager User Guide*.
+ **Output value** – When a Secrets Manager secret is deployed to AWS CloudFormation, an output value is created. You can specify the output value here using the `[Fn::ImportValue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html)` intrinsic function. For example, `!ImportValue MySecret`.
+ **Value from the SSM Parameter Store** – You can store your secret in the SSM Parameter Store and specify its value using a dynamic reference. For example, `{{resolve:ssm:MySecret}}`. For more information, see [SSM parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm) in the *AWS CloudFormation User Guide*.
+ **Database hostname** – The hostname that can be used to connect to your Amazon RDS DB cluster, instance, or proxy. This value is specified in the external template that defines your Amazon RDS resource. The following values are accepted:
+ **Static value** – A unique identifier of the database hostname, such as the endpoint address. The following is an example: `mystack-mydb-1apw1j4phylrk.cg034hpkmmjt.us-east-2.rds.amazonaws.com`.
+ **Output value** – The output value of a deployed Amazon RDS DB cluster, instance, or proxy. You can specify the output value using the `[Fn::ImportValue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html)` intrinsic function. For example, `!ImportValue myStack-myDatabase-abcd1234`.
+ **Value from the SSM Parameter Store** – You can store the database hostname in the SSM Parameter Store and specify its value using a dynamic reference. For example, `{{resolve:ssm:MyDatabase}}`.
+ **Database port** – The port number that can be used to connect to your Amazon RDS DB cluster, instance, or proxy. This value is specified in the external template that defines your Amazon RDS resource. The following values are accepted:
+ **Static value** – The database port. For example, `3306`.
+ **Output value** – The output value of a deployed Amazon RDS DB cluster, instance, or proxy. For example, `!ImportValue myStack-MyRDSInstancePort`.
+ **Value from SSM Parameter Store** – You can store the database hostname in the SSM Parameter Store and specify its value using a dynamic reference. For example, `{{resolve:ssm:MyRDSInstancePort}}`.
**Note**
Only the logical ID value must be configured here. You can configure the other properties at deployment time if you prefer.
### Step 2: Connect a Lambda Function card
From the **Resources** palette, drag a **Lambda Function** enhanced component card onto the canvas.
Connect the left port of the **Lambda Function** card to the right port of the **RDS Database (external)** card.
![\[A Lambda Function card connected to an RDS Database (external) enhanced component card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_rds_02.png)
Infrastructure Composer will provision your template to facilitate this connection.
## What Infrastructure Composer does to create your connection
When you complete the procedure listed above, Infrastructure Composer performs specific actions to connect your Lambda function to your database.
### When specifying the external Amazon RDS DB cluster, instance, or proxy
When you drag an **RDS Database (external)** card onto the canvas, Infrastructure Composer updates the `Metadata` and `Parameters` sections of your template as needed. The following is an example:
```
Metadata:
AWS::Composer::ExternalResources:
ExternalRDS:
Type: externalRDS
Settings:
Port: !Ref ExternalRDSPort
Hostname: !Ref ExternalRDSHostname
SecretArn: !Ref ExternalRDSSecretArn
Parameters:
ExternalRDSPort:
Type: Number
ExternalRDSHostname:
Type: String
ExternalRDSSecretArn:
Type: String
```
[Metadata](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html) is an CloudFormation template section that is used to store details about your template. Metadata that is specific to Infrastructure Composer is stored under the `AWS::Composer::ExternalResources` metadata key. Here, Infrastructure Composer stores the values that you specify for your Amazon RDS DB cluster, instance, or proxy.
The [ Parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html) section of an CloudFormation template is used to store custom values that can be inserted throughout your template at deployment. Depending on the type of values that you provide, Infrastructure Composer may store values here for your Amazon RDS DB cluster, instance, or proxy and specify them throughout your template.
String values in the `Metadata` and `Parameters` section use the logical ID value that you specify on your **RDS Database (external)** card. If you update the logical ID, the string values will change.
### When connecting the Lambda function to your database
When you connect a **Lambda Function** card to the **RDS Database (external)** card, Infrastructure Composer provisions environment variables and AWS Identity and Access Management (IAM) policies. The following is an example:
```
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
...
Environment:
Variables:
EXTERNALRDS_PORT: !Ref ExternalRDSPort
EXTERNALRDS_HOSTNAME: !Ref ExternalRDSHostname
EXTERNALRDS_SECRETARN: !Ref ExternalRDSSecretArn
Policies:
- AWSSecretsManagerGetSecretValuePolicy:
SecretArn: !Ref ExternalRDSSecretArn
```
[Environment](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-environment) variables are variables that can be used by your function at runtime. To learn more, see [Using Lambda environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html) in the *AWS Lambda Developer Guide*.
[Policies](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies) provision permissions for your function. Here, Infrastructure Composer creates a policy to allow read access from your function to Secrets Manager to obtain your password for access to the Amazon RDS DB cluster, instance, or proxy.
# Using AWS Infrastructure Composer with AWS Step Functions
AWS Infrastructure Composer features an integration with [AWS Step Functions Workflow Studio](https://docs.aws.amazon.com/step-functions/latest/dg/workflow-studio.html). Use Infrastructure Composer to do the following:
+ Launch Step Functions Workflow Studio directly within Infrastructure Composer.
+ Create and manage new workflows or import existing workflows into Infrastructure Composer.
+ Integrate your workflows with other AWS resources using the Infrastructure Composer canvas.
The following image is of a Step Functions State machine card
![\[A Step Functions State machine card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_sf_01.png)
With Step Functions Workflow Studio in Infrastructure Composer, you can use the benefits of two powerful visual designers in a single place. As you design your workflow and application, Infrastructure Composer creates your infrastructure as code (IaC) to guide you towards deployment.
**Topics**
+ [IAM policies](#using-composer-services-sf-use-iam)
+ [Getting started with Step Functions Workflow Studio in Infrastructure Composer](#using-composer-services-sf-gs)
+ [Using Step Functions Workflow Studio in Infrastructure Composer](#using-composer-services-sf-use)
+ [Learn more](#using-composer-services-sf-learn)
## IAM policies
When you connect tasks from your workflow to resources, Infrastructure Composer automatically creates the AWS Identity and Access Management (IAM) policies required to authorize the interaction between your resources. The following is an example:
```
Transform: AWS::Serverless-2016-10-31
Resources:
StockTradingStateMachine:
Type: AWS::Serverless::StateMachine
Properties:
...
Policies:
- LambdaInvokePolicy:
FunctionName: !Ref CheckStockValue
...
CheckStockValue:
Type: AWS::Serverless::Function
...
```
If necessary, you can add more IAM policies to your template.
## Getting started with Step Functions Workflow Studio in Infrastructure Composer
To get started, you can create new workflows or import existing workflows.
### To create a new workflow
1. From the **Resources** palette, drag a **Step Functions State machine** enhanced component card onto the canvas.
![\[A Step Functions state machine card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_sf_02.png)
When you drag a **Step Functions State machine** card onto the canvas, Infrastructure Composer creates the following:
+ An `[ AWS::Serverless::StateMachine](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html)` resource that defines your state machine. By default, Infrastructure Composer creates a standard workflow. To create an express workflow, change the `Type` value in your template from `STANDARD` to `EXPRESS`.
+ An `[AWS::Logs::LogGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html)` resource that defines an Amazon CloudWatch log group for your state machine.
1. Open the card’s **Resource properties** panel and select **Edit in Workflow Studio** to open Workflow Studio within Infrastructure Composer.
Step Functions Workflow Studio opens in **Design** mode. To learn more, see [Design mode](https://docs.aws.amazon.com/step-functions/latest/dg/workflow-studio-components.html#wfs-interface-design-mode) in the *AWS Step Functions Developer Guide*.
**Note**
You can modify Infrastructure Composer to save your state machine definition in an external file. To learn more, see [Working with external files](#using-composer-services-sf-use-external).
1. Create your workflow and choose **Save**. To exit Workflow Studio, choose **Return to Infrastructure Composer**.
Infrastructure Composer defines your workflow using the `Defintion` property of the `AWS::Serverless::StateMachine` resource.
1. You can modify your workflow by doing any of the following:
+ Open Workflow Studio again and modify your workflow.
+ For Infrastructure Composer from the console, you can open the **Template** view of your application and modify your template. If using **local sync**, you can modify your workflow in your local IDE. Infrastructure Composer will detect your changes and update your workflow in Infrastructure Composer.
+ For Infrastructure Composer from the Toolkit for VS Code, you can directly modify your template. Infrastructure Composer will detect your changes and update your workflow in Infrastructure Composer.
### To import existing workflows
You can import workflows from applications that are defined using AWS Serverless Application Model (AWS SAM) templates. Use any state machine defined with the `AWS::Serverless::StateMachine` resource type, and it will visualize as a **Step Functions State machine** enhanced component card that you can use to launch Workflow Studio.
The `AWS::Serverless::StateMachine` resource can define workflows using either of the following properties:
+ `[ Definition](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-definition)` – The workflow is defined within the AWS SAM template as an object.
+ `[ DefinitionUri](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-definitionuri)` – The workflow is defined on an external file using the [Amazon States Language](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-amazon-states-language.html). The file’s local path is then specified with this property.
#### Definition property
**Infrastructure Composer from the console**
For workflows defined using the `Definition` property, you can import a single template or the entire project.
+ **Template** – For instructions on importing a template, see [Import an existing project template in the Infrastructure Composer console](using-composer-project-import-template.md). To save changes that you make within Infrastructure Composer, you must export your template.
+ **Project** – When you import a project, you must activate **local sync**. Changes that you make are automatically saved to your local machine. For instructions on importing a project, see [Import an existing project folder in the Infrastructure Composer console](using-composer-project-import-folder.md).
**Infrastructure Composer from the Toolkit for VS Code**
For workflows defined using the `Definition` property, you can open Infrastructure Composer from your template. For instructions, see [Access Infrastructure Composer from the AWS Toolkit for Visual Studio Code](setting-up-composer-access-ide.md).
#### DefinitionUri property
**Infrastructure Composer from the console**
For workflows defined using the `DefinitionUri` property, you must import the project and activate **local sync**. For instructions on importing a project, see [Import an existing project folder in the Infrastructure Composer console](using-composer-project-import-folder.md).
**Infrastructure Composer from the Toolkit for VS Code**
For workflows defined using the `DefinitionUri` property, you can open Infrastructure Composer from your template. For instructions, see [Access Infrastructure Composer from the AWS Toolkit for Visual Studio Code](setting-up-composer-access-ide.md).
## Using Step Functions Workflow Studio in Infrastructure Composer
### Build workflows
Infrastructure Composer uses definition substitutions to map workflow tasks to resources in your application. To learn more about definition substitutions, see `[ DefinitionSubstitutions](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-definitionsubstitutions)` in the *AWS Serverless Application Model Developer Guide*.
When you create tasks in Workflow Studio, specify a definition substitution for each task. You can then connect tasks to resources on the Infrastructure Composer canvas.
**To specify a definition substitution in Workflow Studio**
1. Open the **Configuration** tab of the task and locate the **API Parameters** field.
![\[The Configuration tab of a task in Workflow Studio.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_sf_05.png)
1. If the **API Parameters** field has a drop down option, choose **Enter a CloudFormation substitution**. Then, provide a unique name.
For tasks that connect to the same resource, specify the same definition substitution for each task. To use an existing definition substitution, choose **Select a CloudFormation substitution** and select the substitution to use.
1. If the **API Parameters** field contains a JSON object, modify the entry that specifies the resource name to use a definition substitution. In the following example, we change `"MyDynamoDBTable"` to `"${RecordTransaction}"`.
![\[The Configuration tab of a task in Workflow Studio.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_sf_06.png)
1. Select **Save** and **Return to Infrastructure Composer**.
The tasks from your workflow will visualize on the **Step Functions State machine** card.
![\[A Step Functions State machine card with tasks visualized.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_sf_03.png)
### Connect resources to workflow tasks
You can create connections in Infrastructure Composer between supported workflow tasks and supported Infrastructure Composer cards.
+ **Supported workflow tasks** – Tasks for AWS services that are optimized for Step Functions. To learn more, see [ Optimized integrations for Step Functions](https://docs.aws.amazon.com/step-functions/latest/dg/connect-supported-services.html) in the *AWS Step Functions Developer Guide*.
+ **Supported Infrastructure Composer cards** – Enhanced component cards are supported. To learn more about cards in Infrastructure Composer, see [Configure and modify cards in Infrastructure Composer](using-composer-cards.md).
When creating a connection, the AWS service of the task and card must match. For example, you can connect a workflow task that invokes a Lambda function to a **Lambda Function** enhanced component card.
To create a connection, click and drag the port of a task to the left port of an enhanced component card.
![\[A Step Functions State machine card with a task connected to a Lambda function resource card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_sf_04.png)
Infrastructure Composer will automatically update your `DefinitionSubstitution` value to define your connection. The following is an example:
```
Transform: AWS::Serverless-2016-10-31
Resources:
StateMachine:
Type: AWS::Serverless::StateMachine
Properties:
Definition:
StartAt: Check Stock Value
States:
Check Stock Value:
Type: Task
Resource: arn:aws:states:::lambda:invoke
Parameters:
Payload.$: $
FunctionName: ${CheckStockValue}
Next: Choice
...
DefinitionSubstitutions:
CheckStockValue: !GetAtt CheckStockValue.Arn
...
CheckStockValue:
Type: AWS::Serverless::Function
Properties:
...
```
### Working with external files
When you create a workflow from the **Step Functions State machine** card, Infrastructure Composer saves your state machine definition within your template using the `Definition` property. You can configure Infrastructure Composer to save your state machine definition on an external file.
**Note**
To use this feature with Infrastructure Composer from the AWS Management Console, you must have **local sync** activated. For more information, see [Locally sync and save your project in the Infrastructure Composer console](using-composer-project-local-sync.md).
**To save your state machine definition on an external file**
1. Open the **Resource properties** panel of your **Step Functions State machine** card.
1. Select the **Use external file for state machine definition** option.
1. Provide a relative path and name for your state machine definition file.
1. Choose **Save**.
Infrastructure Composer will do the following:
1. Move your state machine definition from the `Definition` field to your external file.
1. Save your state machine definition in an external file using the Amazon States Language.
1. Modify your template to reference the external file using the `DefinitionUri` field.
## Learn more
To learn more about Step Functions in Infrastructure Composer, see the following:
+ [Using Workflow Studio in Infrastructure Composer](https://docs.aws.amazon.com/step-functions/latest/dg/use-wfs-in-app-composer.html) in the *AWS Step Functions Developer Guide*.
+ [DefinitionSubstitutions in AWS SAM templates](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-sam-sfn.html#sam-definition-substitution-eg) in the *AWS Step Functions Developer Guide*.
# Standard cards in Infrastructure Composer
All CloudFormation resources are available to use as **standard IaC resource cards** from the **Resources** palette. After being dragged onto the visual canvas, a **standard IaC resource card** becomes a **standard component card**. This simply means the card is one or more standard IaC resources. For further examples and details, see the topics in this section.
You can modify your infrastructure code through the **Template** view and through the **Resource properties** window. For example, the following is an example starting template of an `Alexa::ASK::Skill` standard IaC resource:
```
Resources:
Skill:
Type: Alexa::ASK::Skill
Properties:
AuthenticationConfiguration:
RefreshToken:
ClientSecret:
ClientId:
VendorId:
SkillPackage:
S3Bucket:
S3Key:
```
A standard IaC resource card starting template consists of the following:
+ The CloudFormation resource type.
+ Required or commonly used properties.
+ The required type of the value to provide for each property.
**Note**
You can use Amazon Q to generate infrastructure code suggestions for standard resource cards. To learn more, see [Using AWS Infrastructure Composer with Amazon Q Developer](using-composer-ide-cw.md).
## Procedure
You can modify the infrastructure code for each resource in a standard component card through the **Resource properties** panel.
**To modify a standard component card**
1. Open the **Resource properties** panel of the standard IaC component card.
1. In the **Editing** field, select the standard IaC resource to edit from the dropdown list.
1. Modify your infrastructure code and **Save**.
# Delete cards in Infrastructure Composer
This section provides instructions for deleting cards in AWS Infrastructure Composer.
## Enhanced component cards
To delete an enhanced component card, select a card you have place on the visual canvas. From the **Card actions** menu, select **Delete**.
![\[An enhanced component card with its Card actions menu displayed and the Delete option shown.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac-enhanced-delete.png)
## Standard component cards
To delete standard component cards, you must manually remove the infrastructure code for each CloudFormation resource from your template. The following is a simple way to accomplish this:
1. Take note of the logical ID for the resource to delete.
1. On your template, locate the resource by its logical ID from the `Resources` or `Outputs` section.
1. Delete the resource from your template. This includes the resource logical ID and its nested values, such as `Type` and `Properties`.
1. Check the **Canvas** view to verify that the resource has been removed from your canvas.
# View code updates with the Change Inspector in Infrastructure Composer
As you design in Infrastructure Composer console, your infrastructure code is automatically created. Use the **Change Inspector** to view your template code updates and learn what Infrastructure Composer is creating for you.
This topic covers using Infrastructure Composer from the AWS Management Console or the AWS Toolkit for Visual Studio Code extension.
The **Change Inspector** is a visual tool within Infrastructure Composer that shows you recent code updates.
+ As you design your application, messages display at the bottom of the visual canvas. These messages provide commentary on the actions you are performing.
+ When supported, you can expand a message to view the **Change Inspector**.
+ The **Change Inspector** displays code changes from your most recent interaction.
The following example demonstrates how change inspector works:
![\[Dragging two cards onto the visual canvas, connecting them, and then expanding the resulting message to open Change Inspector.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ci_01.gif)
## Benefits of the Change Inspector
The **Change Inspector** is a great way to view the template code that Infrastructure Composer creates for you. It is also a great way to learn how to write infrastructure code. As you design applications in Infrastructure Composer, view code updates in the **Change Inspector** to learn about the code needed to provision your design.
## Procedure
**To use the Change Inspector**
1. Expand a message to bring up the **Change Inspector**.
![\[opening up Change Inspector from the bottom of the screen.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ci_01.gif)
1. View the code that has been automatically composed for you.
![\[Showing the infrastructure code that has been automatically updated by Infrastructure Composer.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ci_03.png)
1. Code highlighted **green** indicate newly added code.
1. Code highlighted **red** indicate newly removed code.
1. **Line numbers** indicate the location within your template.
1. When multiple sections of your template have been updated, the **Change Inspector** organizes them. Select the **Previous** and **Next** buttons to view all changes.
![\[Selecting Next to view mutliple changes.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ci_04.gif)
**Note**
For Infrastructure Composer from the console, you can view code changes in the context of your entire template, by using the **Template View**. You can also sync Infrastructure Composer with a local IDE and view your entire template on your local machine. To learn more, see [Connect the Infrastructure Composer console with your local IDE](other-services-ide.md).
## Learn more
For more information about the code that Infrastructure Composer creates, see the following:
+ [Card connections in Infrastructure Composer](using-composer-connecting.md).
# Reference external files in Infrastructure Composer
You can use external files with your AWS Serverless Application Model (AWS SAM) templates to reuse repeated code and organize your projects. For example, you may have multiple Amazon API Gateway REST API resources that are described by an OpenAPI specification. Instead of replicating the OpenAPI specification code in your template, you can create one external file and reference it for each of your resources.
AWS Infrastructure Composer supports the following external file use cases:
+ API Gateway REST API resources defined by external OpenAPI specification files.
+ AWS Step Functions state machine resources defined by external state machine definition files.
To learn more about configuring external files for supported resources, see the following:
+ `[ DefinitionBody](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-definitionbody)` for `AWS::Serverless::Api`.
+ `[ DefinitionUri](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-definitionuri)` for `AWS::Serverless::StateMachine`.
**Note**
To reference external files with Infrastructure Composer from the Infrastructure Composer console, you must use Infrastructure Composer in **local sync** mode. For more information, see [Locally sync and save your project in the Infrastructure Composer console](using-composer-project-local-sync.md).
**Topics**
+ [Best practices for Infrastructure Composer external reference files](using-composer-external-files-best-practices.md)
+ [Create an external file reference in Infrastructure Composer](using-composer-external-files-new.md)
+ [Load a project with an external file reference in Infrastructure Composer](using-composer-external-files-load.md)
+ [Create an application that references an external file in Infrastructure Composer](using-composer-external-files-examples-example3.md)
+ [Reference an OpenAPI specification external file with Infrastructure Composer](using-composer-external-files-examples-example1.md)
# Best practices for Infrastructure Composer external reference files
## Use Infrastructure Composer with a local IDE
When you use Infrastructure Composer with a local IDE in **local sync** mode, you can use your local IDE to view and modify external files. Content from supported external files that are referenced on your template will automatically update in the Infrastructure Composer canvas. To learn more, see [Connect the Infrastructure Composer console with your local IDE](other-services-ide.md).
## Keep external files within your project’s parent directory
You can create subdirectories within your project’s parent directory to organize your external files. Infrastructure Composer can’t access external files that are stored in a directory outside of your project’s parent directory.
## Deploy your application using the AWS SAM CLI
When deploying your application to the AWS Cloud, local external files need to first be uploaded to an accessible location, such as Amazon Simple Storage Service (Amazon S3). You can use the AWS SAM CLI to automatically facilitate this process. To learn more, see [ Upload local files at deployment](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/deploy-upload-local-files.html) in the *AWS Serverless Application Model Developer Guide*.
# Create an external file reference in Infrastructure Composer
You can create an external file reference from the **resource properties** panel of supported resources.
**To create an external file reference**
1. From an **API Gateway** or **Step Functions** enhanced component card, select **Details** to bring up the **resource properties ** panel.
1. Locate and select the **Use external file** option.
1. Specify the relative path to the external file. This is the path from your `template.yaml` file to the external file.
For example, to reference the `api-spec.yaml` external file from the following project’s structure, specify `./api-spec.yaml` as your relative path.
```
demo
├── api-spec.yaml
├── src
│ └── Function
│ ├── index.js
│ └── package.json
└── template.yaml
```
**Note**
If the external file and its specified path does not exist, Infrastructure Composer will create it.
1. **Save** your changes.
# Load a project with an external file reference in Infrastructure Composer
Follow the steps listed on this page to load an Infrastructure Composer project with an external file reference.
**From the Infrastructure Composer console**
1. Complete the steps listed in [Import an existing project template in the Infrastructure Composer console](using-composer-project-import-template.md).
1. Confirm Infrastructure Composer prompts you to connect to the root folder of your project
If your browser supports the File System Access API, Infrastructure Composer will prompt you to connect to the root folder of your project. Infrastructure Composer will open your project in **local sync** mode to support your external file. If the referenced external file is not supported, you will receive an error message. For more information about error messages, see [Troubleshooting](ref-troubleshooting.md).
**From the Toolkit for VS Code**
1. Complete the steps listed in [Access Infrastructure Composer from the AWS Toolkit for Visual Studio Code](setting-up-composer-access-ide.md).
1. Open the template you want to view in Infrastructure Composer.
When you access Infrastructure Composer from a template, Infrastructure Composer will automatically detect your external file. If the referenced external file is not supported, you will receive an error message. For more information about error messages, see [Troubleshooting](ref-troubleshooting.md).
# Create an application that references an external file in Infrastructure Composer
This example uses the AWS SAM CLI to create an application that references an external file for its state machine definition. You then load your project in Infrastructure Composer with your external file properly referenced.
**Example**
1. First, use the AWS SAM CLI **sam init** command to initialize a new application named `demo`. During the interactive flow, select the **Multi-step workflow** quick start template.
```
$ sam init
...
Which template source would you like to use?
1 - AWS Quick Start Templates
2 - Custom Template Location
Choice: 1
Choose an AWS Quick Start application template
1 - Hello World Example
2 - Multi-step workflow
3 - Serverless API
4 - Scheduled task
...
Template: 2
Which runtime would you like to use?
1 - dotnet6
2 - dotnetcore3.1
...
15 - python3.7
16 - python3.10
17 - ruby2.7
Runtime: 16
Based on your selections, the only Package type available is Zip.
We will proceed to selecting the Package type as Zip.
Based on your selections, the only dependency manager available is pip.
We will proceed copying the template using pip.
Would you like to enable X-Ray tracing on the function(s) in your application? [y/N]: ENTER
Would you like to enable monitoring using CloudWatch Application Insights?
For more info, please view https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html [y/N]: ENTER
Project name [sam-app]: demo
-----------------------
Generating application:
-----------------------
Name: demo
Runtime: python3.10
Architectures: x86_64
Dependency Manager: pip
Application Template: step-functions-sample-app
Output Directory: .
Configuration file: demo/samconfig.toml
Next steps can be found in the README file at demo/README.md
...
```
This application references an external file for the state machine definition.
```
...
Resources:
StockTradingStateMachine:
Type: AWS::Serverless::StateMachine
Properties:
DefinitionUri: statemachine/stock_trader.asl.json
...
```
The external file is located in the `statemachine` subdirectory of our application.
```
demo
├── README.md
├── __init__.py
├── functions
│ ├── __init__.py
│ ├── stock_buyer
│ ├── stock_checker
│ └── stock_seller
├── samconfig.toml
├── statemachine
│ └── stock_trader.asl.json
├── template.yaml
└── tests
```
1. Next, load your application in Infrastructure Composer from the console. From the Infrastructure Composer **home** page, select **Load a CloudFormation template**.
1. Select our `demo` project folder and allow the prompt to view files. Select our `template.yaml` file and select **Create**. When prompted, select **Save changes**.
![\[The Infrastructure Composer Open project folder window with our project folder selected and the Create ready to be selected.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ex_15.png)
Infrastructure Composer automatically detects the external state machine definition file and loads it. Select our **StockTradingStateMachine** resource and choose **Details** to show the **Resource properties** panel. Here, you can see that Infrastructure Composer has automatically connected to our external state machine definition file.
![\[The Infrastructure Composer canvas view with the API Gateway resource properties panel displayed, showing the configuration of the external reference file.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ex_03.png)
Any changes made to the state machine definition file will be automatically reflected in Infrastructure Composer.
# Reference an OpenAPI specification external file with Infrastructure Composer
This example uses Infrastructure Composer from the console to reference an external OpenAPI specification file that defines a API Gateway REST API.
First, create a new project from the Infrastructure Composer **home** page.
Next, activate **local sync** by selecting **Activate local sync** from the **Menu**. Create a new folder named `demo`, allow the prompt to view files, and select **Activate**. When prompted, select **Save changes**.
![\[The Infrastructure Composer Activate local sync window with a demo project folder selected and the Activate button is ready to be selected.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ex_11.png)
Next, drag an Amazon API Gateway card onto the canvas. Select **Details** to bring up the **Resource properties** panel.
![\[An API Gateway resource on the canvas with the Resource properties panel open.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ex_12.png)
From the **Resource properties** panel, configure the following and **save**.
+ Select the **Use external file for api definition** option.
+ Input `./api-spec.yaml` as the **relative path to external file**
![\[A window showing the checkbox marked under Use external file for api definition and a relative path to an external file defined.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ex_13.png)
This creates the following directory on our local machine:
```
demo
└── api-spec.yaml
```
Now, you can configure the external file on our local machine. Using our IDE, open the `api-spec.yaml` located in your project folder. Replace its contents with the following:
```
openapi: '3.0'
info: {}
paths:
/:
get:
responses: {}
post:
x-amazon-apigateway-integration:
credentials:
Fn::GetAtt:
- ApiQueuesendmessageRole
- Arn
httpMethod: POST
type: aws
uri:
Fn::Sub: arn:${AWS::Partition}:apigateway:${AWS::Region}:sqs:path/${AWS::AccountId}/${Queue.QueueName}
requestParameters:
integration.request.header.Content-Type: '''application/x-www-form-urlencoded'''
requestTemplates:
application/json: Action=SendMessage&MessageBody={"data":$input.body}
responses:
default:
statusCode: 200
responses:
'200':
description: 200 response
```
In the Infrastructure Composer **Template** view, you can see that Infrastructure Composer has automatically updated your template to reference the external file.
![\[The Infrastructure Composer template view showing your infrastructure code configured to reference the external file.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_ex_07.png)
# Integrate Infrastructure Composer with Amazon Virtual Private Cloud (Amazon VPC)
AWS Infrastructure Composer features an integration with the Amazon Virtual Private Cloud (Amazon VPC) service. Using Infrastructure Composer, you can do the following:
+ Identify the resources on your canvas that are in a VPC through a visual **VPC** tag.
+ Configure AWS Lambda functions with VPCs from an external template.
The following image shows is an example of an application with a Lambda function configured with a VPC.
![\[An application with the VPC tag visualizing a Lambda function in Infrastructure Composer that is configured with a VPC.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_06.png)
To learn more about Amazon VPC, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) in the *Amazon VPC User Guide*.
**Topics**
+ [Identify Infrastructure Composer resources and related information in a VPC](using-composer-services-vpc-tag.md)
+ [Configure Lambda functions with external VPCs in Infrastructure Composer](using-composer-services-vpc-configure.md)
+ [Parameters in imported templates for an external VPC with Infrastructure Composer](using-composer-services-vpc-import.md)
+ [Adding new parameters to imported templates with Infrastructure Composer](using-composer-services-vpc-import-add.md)
+ [Configure a Lambda function and a VPC defined in another template with Infrastructure Composer](using-composer-services-vpc-examples.md)
# Identify Infrastructure Composer resources and related information in a VPC
To integrate Infrastructure Composer with Amazon VPC, you must first identify resources in a VPC and the information needed to complete an integration. This also includes configuration information related to security groups, subnet identifiers, parameter types, SSM types, static value types.
Infrastructure Composer visualizes resources in a VPC using a **VPC** tag. This tag is applied to cards on the canvas. The following is an example of a Lambda function with a VPC tag:
![\[A VPC tag visualizing a Lambda function in Infrastructure Composer that is configured with a VPC.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_01.png)
VPC tags are applied to cards on the canvas when you do the following:
+ Configure a Lambda function with a VPC in Infrastructure Composer.
+ Import a template that contains resources configured with a VPC.
## Security group and subnet identifiers
A Lambda function can be configured with multiple security groups and subnets. To configure a security group or subnet for a Lambda function, provide a value and type.
+ **Value** – An identifier for the security group or subnet. Accepted values will vary based on the **type**.
+ **Type** – The following types of values are allowed:
+ Parameter name
+ AWS Systems Manager (SSM) Parameter Store
+ Static value
## Parameter type
The `Parameters` section of an AWS CloudFormation template can be used to store resource information across multiple templates. For more information on parameters, see [Parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html) in the *AWS CloudFormation User Guide*.
For the **Parameter** type, you can provide a parameter name. In the following example, we provide a `PrivateSubnet1` parameter name value:
![\[A PrivateSubnet1 value being provided for the Parameter type of a subnet ID field.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_07.png)
When you provide a parameter name, Infrastructure Composer defines it in the `Parameters` section of your template. Then, Infrastructure Composer references the parameter in your Lambda function resource. The following is an example:
```
...
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SubnetIds:
- !Ref PrivateSubnet1
Parameters:
PrivateSubnet1:
Type: AWS::EC2::Subnet::Id
Description: Parameter is generated by Infrastructure Composer
```
## SSM type
The SSM Parameter Store provides a secure, hierarchical storage for configuration data management and secrets management. For more information, see [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) in the *AWS Systems Manager User Guide*.
For the **SSM** type, you can provide the following values:
+ Dynamic reference to a value from the SSM Parameter Store.
+ Logical ID of an `AWS::SSM::Parameter` resource defined in your template.
### Dynamic reference
You can reference a value from the SSM Parameter Store using a dynamic reference in the following format: `{{resolve:ssm:reference-key}}`. For more information, see [SSM parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm) in the *AWS CloudFormation User Guide*.
Infrastructure Composer creates the infrastructure code to configure your Lambda function with the value from the SSM Parameter Store. The following is an example:
```
...
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SecurityGroupIds:
- '{{resolve:ssm:demo-app/sg-0b61d5c742dc2c773}}'
...
```
### Logical ID
You can reference an `AWS::SSM::Parameter` resource in the same template by logical ID.
The following is an example of an `AWS::SSM::Parameter` resource named `PrivateSubnet1Parameter` that stores the subnet ID for `PrivateSubnet1`:
```
...
Resources:
PrivateSubnet1Parameter:
Type: AWS::SSM::Parameter
Properties:
Name: /MyApp/VPC/SubnetIds
Description: Subnet ID for PrivateSubnet1
Type: String
Value: subnet-04df123445678a036
```
The following is an example of this resource value being provided by logical ID for the Lambda function:
![\[A PrivateSubnet1Parameter value being provided for the SSM type of a subnet ID field.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_08.png)
Infrastructure Composer creates the infrastructure code to configure your Lambda function with the SSM parameter:
```
...
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SubnetIds:
- !Ref PrivateSubnet1Parameter
...
PrivateSubnet1Parameter:
Type: AWS::SSM::Parameter
Properties:
...
```
## Static value type
When a security group or subnet is deployed to CloudFormation, an ID value is created. You can provide this ID as a static value.
For the **static value** type, the following are valid values:
+ For security groups, provide the `GroupId`. For more information, see [Return values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#aws-properties-ec2-security-group-return-values) in the *AWS CloudFormation User Guide*. The following is an example: `sg-0b61d5c742dc2c773`.
+ For subnets, provide the `SubnetId`. For more information, see [Return values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#aws-resource-ec2-subnet-return-values) in the *AWS CloudFormation User Guide*. The following is an example: `subnet-01234567890abcdef`.
Infrastructure Composer creates the infrastructure code to configure your Lambda function with the static value. The following is an example:
```
...
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SecurityGroupIds:
- subnet-01234567890abcdef
SubnetIds:
- sg-0b61d5c742dc2c773
...
```
## Using multiple types
For security groups and subnets, you can use multiple types together. The following is an example that configures three security groups for a Lambda function by providing values of different types:
![\[Three different value types being used to provide identifiers for the security group ID field of a Lambda function.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_09.png)
Infrastructure Composer references all three values under the `SecurityGroupIds` property:
```
...
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SecurityGroupIds:
- !Ref MySecurityGroup
- sg-0b61d5c742dc2c773
- '{{resolve::ssm::demo/sg-0b61d5c742dc23}}'
...
Parameters:
MySecurityGroup:
Type: AWS::EC2::SecurityGroup::Id
Description: Parameter is generated by Infrastructure Composer
```
# Configure Lambda functions with external VPCs in Infrastructure Composer
To start configuring a Lambda function with a VPC that is defined on another template, use the **Lambda Function** enhanced component card. This card represents a Lambda function using the AWS Serverless Application Model (AWS SAM) `AWS::Serverless::Function` resource type.
**To configure a Lambda function with a VPC from an external template**
1. From the **Lambda Function** resource properties panel, expand the **VPC settings (advanced)** dropdown section.
1. Select **Assign to external VPC**.
1. Provide values for the security groups and subnets to configure for the Lambda function. See [Security group and subnet identifiers](using-composer-services-vpc-tag.md#using-composer-services-vpc-configure-ids) for details.
1. **Save** your changes.
# Parameters in imported templates for an external VPC with Infrastructure Composer
When you import an existing template with parameters defined for the security groups and subnets of an external VPC, Infrastructure Composer provides a dropdown list to select your parameters from.
The following is an example of the `Parameters` section of an imported template:
```
...
Parameters:
VPCSecurityGroups:
Description: Security group IDs generated by Infrastructure Composer
Type: List
VPCSubnets:
Description: Subnet IDs generated by Infrastructure Composer
Type: List
VPCSubnet:
Description: Subnet Id generated by Infrastructure Composer
Type: AWS::EC2::Subnet::Id
...
```
When configuring an external VPC for a new Lambda function on the canvas, these parameters will be available from a dropdown list. The following is an example:
![\[A dropdown list of values being offered for the Parameter type of the Subnet ID field for a Lambda function card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_10.png)
## Limitations when importing list parameter types
Normally, you can specify multiple security group and subnet identifiers for each Lambda function. If your existing template contains list parameter types, such as `List` or `List`, you can only specify one identifier.
For more information on parameter lists type, see [Supported AWS-specific parameter types](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#aws-specific-parameter-types) in the *AWS CloudFormation User Guide*.
The following is an example of a template that defines `VPCSecurityGroups` as a list parameter type:
```
...
Parameters:
VPCSecurityGroups:
Description: Security group IDs generated by Infrastructure Composer
Type: List
...
```
In Infrastructure Composer, if you select the `VPCSecurityGroups` value as a security group identifier for a Lambda function, you will see the following message:
![\[A list parameter type named VPCSecurityGroups being provided for the Parameter type of the security group ID field of a Lambda function card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_11.png)
This limitation occurs because the `SecurityGroupIds` and `SubnetIds` properties of an `AWS::Lambda::Function VpcConfig` object both accept only a list of string values. Since a single list parameter type contains a list of strings, it can be the only object provided when specified.
For list parameter types, the following is an example of how they are defined in the template when configured with a Lambda function:
```
...
Parameters:
VPCSecurityGroups:
Description: Security group IDs generated by Infrastructure Composer
Type: List
VPCSubnets:
Description: Subnet IDs generated by Infrastructure Composer
Type: List
Resources:
...
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SecurityGroupIds: !Ref VPCSecurityGroups
SubnetIds: !Ref VPCSubnets
```
# Adding new parameters to imported templates with Infrastructure Composer
When you import an existing template with parameters defined, you can also create new parameters. Instead of selecting an existing parameter from the dropdown list, provide a new type and value. The following is an example that creates a new parameter named `MySecurityGroup`:
![\[The MySecurityGroup value being provided for the Parameter type of the security group ID field of a Lambda function card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_12.png)
For all new values that you provide in the **Resource properties** panel for the Lambda function, Infrastructure Composer defines them in a list under the `SecurityGroupIds` or `SubnetIds` properties of a Lambda function. The following is an example:
```
...
Resources:
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SecurityGroupIds:
- sg-94b3a1f6
SubnetIds:
- !Ref SubnetParameter
- !Ref VPCSubnet
```
If you want to reference the logical ID of a list parameter type from an external template, we recommend that you use the **Template** view and directly modify your template. The logical ID of a list parameter type should always be provided as a single value and as the only value.
```
...
Parameters:
VPCSecurityGroups:
Description: Security group IDs generated by Infrastructure Composer
Type: List
VPCSubnets:
Description: Subnet IDs generated by Infrastructure Composer
Type: List
Resources:
...
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
VpcConfig:
SecurityGroupIds: !Ref VPCSecurityGroups # Valid syntax
SubnetIds:
- !Ref VPCSubnets # Not valid syntax
```
# Configure a Lambda function and a VPC defined in another template with Infrastructure Composer
In this example, we configure a Lambda function in Infrastructure Composer with a VPC defined on another template.
We start by dragging a **Lambda Function** enhanced component card onto the canvas.
![\[A Lambda function enhanced component card.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_03.png)
Next, we open the card’s **Resource properties** panel and expand the **VPC settings (advanced)** dropdown section.
![\[An image of the Resource properties panel of a Lambda Function card with the VPC settings (advanced) dropdown section expanded\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_04.png)
Next, we select **Assign to external VPC** to begin configuring a VPC from an external template.
In this example, we reference a security group ID and subnet ID. These values are created when the template defining the VPC is deployed. We choose the **Static value** type and input the value of our IDs. We select **Save** when done.
![\[The Resource properties panel of a Lambda Function card with static values being provided in the Security group ID field.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_05.png)
Now that our Lambda function is configured with our VPC, the VPC tag is displayed on our card.
![\[The VPC tag visualizing a Lambda function in Infrastructure Composer that is configured with a VPC.\]](http://docs.aws.amazon.com/infrastructure-composer/latest/dg/images/aac_use_vpc_01.png)
Infrastructure Composer has created the infrastructure code to configure our Lambda function with the security group and subnet of the external VPC.
```
Transform: AWS::Serverless-2016-10-31
Resources:
Function:
Type: AWS::Serverless::Function
Properties:
Description: !Sub
- Stack ${AWS::StackName} Function ${ResourceName}
- ResourceName: Function
CodeUri: src/Function
Handler: index.handler
Runtime: nodejs18.x
MemorySize: 3008
Timeout: 30
Tracing: Active
VpcConfig:
SecurityGroupIds:
- sg-10f35d07e1be09e15
SubnetIds:
- subnet-0d80727ca90325716
FunctionLogGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Retain
Properties:
LogGroupName: !Sub /aws/lambda/${Function}
```