

# CloudFormation Ingest: Examples
<a name="cfn-ingest-examples"></a>

This section provides detailed examples of how to use the **Create stack with CloudFormation template** change type.

To download a set of sample CloudFormation templates per AWS Region, see [Sample Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-sample-templates.html).

For reference information on CloudFormation resources, see [AWS Resource and Property Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html). However, AMS supports a smaller set of resources, which are described in [AMS CloudFormation ingest](ams-cfn-ingest.md).

**Note**  
AMS advises you to gather all IAM or other policy-related resources and submit them in a single Management | Other | Other | Create change type (ct-1e1xtak34nx76). For example, combine all needed IAM roles, IAM instance profiles, IAM policy updates for existing IAM roles, S3 bucket policies, SNS/SQS policies, and so forth, and then submit a ct-1e1xtak34nx76 RFC so that these pre-existing resources can be referenced inside the future CFN Ingest templates.

**Topics**
+ [CloudFormation Ingest examples: Defining resources](cfn-ingest-ex-define-resource.md)
+ [CloudFormation Ingest examples: 3-tier Web application](cfn-ingest-ex-3-tier.md)

# CloudFormation Ingest examples: Defining resources
<a name="cfn-ingest-ex-define-resource"></a>

When using AMS CloudFormation ingest, you customize a CloudFormation template and submit it to AMS in an RFC with the CloudFormation ingest change type (ct-36cn2avfrrj9v). To create a CloudFormation template that can be reused multiple times, add the stack configuration parameters to the CloudFormation ingest change type execution input rather than hard coding them in the CloudFormation template. The biggest benefit is that you can reuse the same template for more than one stack.

The AMS CloudFormation ingest change type input schema enables you to choose up to sixty parameters in a CloudFormation template and provide custom values.

This example shows how to define a resource property, which can be used in a variety of CloudFormation templates, as a parameter in the AMS CloudFormation ingest CT. The examples in this section specifically show SNS topic usage.

**Topics**
+ [Example 1: Hard code the CloudFormation SNSTopic resource `TopicName` property](#cfn-ingest-example-1)
+ [Example 2: Use an SNSTopic resource to reference a parameter in the AMS change type](#cfn-ingest-example-2)
+ [Example 3: Create an SNS topic by submitting a JSON execution parameters file with the AMS ingest change type](#cfn-ingest-example-3)
+ [Example 4: Submit a new change type that references the same CloudFormation template](#cfn-ingest-example-4)
+ [Example 5: Use the default parameter values in the CloudFormation template](#cfn-ingest-example-5)

## Example 1: Hard code the CloudFormation SNSTopic resource `TopicName` property
<a name="cfn-ingest-example-1"></a>

In this example, you hard code the CloudFormation SNSTopic resource `TopicName` property in the CloudFormation template. Note that the `Parameters` section is empty. 

To change the SNS topic name for a new stack without creating a new CloudFormation template, supply the value through the `Parameters` section of the AMS CloudFormation ingest change type instead of hard coding it. You can then use the same CloudFormation template later to create a new stack with a different `SNSTopic` name.

```
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "My SNS Topic",
  "Parameters" : {
  },
  "Resources" : {
    "SNSTopic" : {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "TopicName" : "MyTopicName"
      }
    }
  }
}
```



## Example 2: Use an SNSTopic resource to reference a parameter in the AMS change type
<a name="cfn-ingest-example-2"></a>

In this example, you use an `SNSTopic` resource `TopicName` property defined in the CloudFormation template to reference a `Parameter` in the AMS change type.

```
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "My SNS Topic",
  "Parameters" : {
    "TopicName" : {
      "Type" : "String",
      "Description" : "Topic ID",
      "Default" : "MyTopicName"
    }
  },
  "Resources" : {
    "SNSTopic" : {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "TopicName" : { "Ref" : "TopicName"}
      }
    }
  }
}
```

## Example 3: Create an SNS topic by submitting a JSON execution parameters file with the AMS ingest change type
<a name="cfn-ingest-example-3"></a>

In this example, you submit a JSON execution parameters file with the AMS ingest CT that creates the SNS topic `TopicName`. The SNS topic must be defined in the CloudFormation template in the modifiable way shown in this example. 

```
{
  "Name": "cfn-ingest",
  "Description": "CFNIngest Web Application Stack",
  "CloudFormationTemplateS3Endpoint": "$S3_PRESIGNED_URL",
  "VpcId": "VPC_ID",
  "Tags": [
    {"Key": "Environment Type", "Value": "Dev"}
  ],
  "Parameters": [
    {"Name": "TopicName", "Value": "MyTopic1"}
  ],
  "TimeoutInMinutes": 60
}
```

## Example 4: Submit a new change type that references the same CloudFormation template
<a name="cfn-ingest-example-4"></a>

This JSON example changes the SNS `TopicName` value without making a change to the CloudFormation template. Instead, you submit a new Deployment | Ingestion | Stack from CloudFormation Template | Create change type that references the same CFN template.

```
{
  "Name": "cfn-ingest",
  "Description": "CFNIngest Web Application Stack",
  "CloudFormationTemplateS3Endpoint": "$S3_PRESIGNED_URL",
  "VpcId": "VPC_ID",
  "Tags": [
    {"Key": "Environment Type", "Value": "Dev"}
  ],
  "Parameters": [
    {"Name": "TopicName", "Value": "MyTopic2"}
  ],
  "TimeoutInMinutes": 60
}
```

## Example 5: Use the default parameter values in the CloudFormation template
<a name="cfn-ingest-example-5"></a>

In this example, the SNS topic is created with `TopicName` set to `MyTopicName` because no `TopicName` value was provided in the `Parameters` execution parameter. If you don't provide `Parameters` definitions, the default parameter values in the CloudFormation template are used.

```
{
  "Name": "cfn-ingest",
  "Description": "CFNIngest Web Application Stack",
  "CloudFormationTemplateS3Endpoint": "$S3_PRESIGNED_URL",
  "VpcId": "VPC_ID",
  "Tags": [
    {"Key": "Environment Type", "Value": "Dev"}
  ],
  "TimeoutInMinutes": 60
}
```
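
The following pre-submission check is an added example, not AMS code. It resolves the values a stack would receive from a template and an execution-parameters document, as in Examples 1 through 5, and rejects mismatches; the function name `resolve_parameters` and the sample inputs are constructed for illustration.

```python
import json

MAX_INGEST_PARAMETERS = 60  # limit stated above for the ingest CT input schema

# Constructed inputs mirroring Example 2 (template) and Example 3 (execution parameters).
TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "TopicName": {"Type": "String", "Description": "Topic ID", "Default": "MyTopicName"}
  },
  "Resources": {
    "SNSTopic": {"Type": "AWS::SNS::Topic",
                 "Properties": {"TopicName": {"Ref": "TopicName"}}}
  }
}
""")
EXECUTION = {"Name": "cfn-ingest", "Parameters": [{"Name": "TopicName", "Value": "MyTopic1"}]}


def resolve_parameters(template, execution):
    """Return the effective {name: value} map, or raise ValueError on a mismatch."""
    declared = template.get("Parameters", {})
    supplied = execution.get("Parameters", [])
    if len(supplied) > MAX_INGEST_PARAMETERS:
        raise ValueError(f"{len(supplied)} parameters supplied; limit is {MAX_INGEST_PARAMETERS}")

    overrides = {}
    for entry in supplied:
        name = entry["Name"]
        if name not in declared:  # e.g. the hard-coded template of Example 1
            raise ValueError(f"'{name}' is not declared in the template Parameters section")
        if name in overrides:
            raise ValueError(f"'{name}' is supplied more than once")
        overrides[name] = entry["Value"]

    effective = {}
    for name, spec in declared.items():
        if name in overrides:
            effective[name] = overrides[name]      # Examples 3 and 4
        elif "Default" in spec:
            effective[name] = spec["Default"]      # Example 5
        else:
            raise ValueError(f"'{name}' has no Default and no value was supplied")
    return effective


if __name__ == "__main__":
    print(resolve_parameters(TEMPLATE, EXECUTION))
```
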

# CloudFormation Ingest examples: 3-tier Web application
<a name="cfn-ingest-ex-3-tier"></a>

Ingest a CloudFormation template for a standard 3-Tier Web Application.

![\[AWS Cloud architecture diagram showing VPC with two availability zones, load balancer, and multi-AZ RDS setup.\]](http://docs.aws.amazon.com/managedservices/latest/appguide/images/cfn-ingest-ex-3-tier.png)


This includes an Application Load Balancer, Application Load Balancer target group, Auto Scaling group, Auto Scaling group launch template, Amazon Relational Database Service (RDS for SQL Server) with a MySQL database, AWS SSM Parameter store, and AWS Secrets Manager. Allow 30-60 minutes to walk through this example.

## Prerequisites
<a name="cfn-ingest-ex-3-tier-prerequisites"></a>
+ Create a secret containing a username and password with corresponding values using the AWS Secrets Manager. You can refer to this [sample JSON template (zip file)](samples/3-tier-cfn-ingest-2025.zip) that contains the secret name `ams-shared/myapp/dev/dbsecrets`, and replace it with your secret name. For information about using AWS Secrets Manager with AMS, see [Using AWS Secrets Manager with AMS resources](secrets-manager.md).
+ Set up required parameters in the AWS SSM Parameter Store (PS). In this example, the `VPCId` and `Subnet-Id` of the Private and Public subnets are stored in the SSM PS in paths like `/app/DemoApp/PublicSubnet1a`, `PublicSubnet1c`, `PrivateSubnet1a`, `PrivateSubnet1c` and `VPCCidr`. Update the paths and parameter names and values for your needs.
+ Create an IAM Amazon EC2 instance role with read permissions to the AWS Secrets Manager and SSM Parameter Store paths (the IAM role created and used in these examples is `customer-ec2_secrets_manager_instance_profile`). If you create IAM-standard policies such as an instance profile role, the role name must start with `customer-`. To create a new IAM role (you can name it `customer-ec2_secrets_manager_instance_profile` or something else), use the AMS change type Management | Applications | IAM instance profile | Create (ct-0ixp4ch2tiu04), and attach the required policies. You can review the AMS IAM standard policies, `customer_secrets_manager_policy` and `customer_systemsmanager_parameterstore_policy`, in the AWS IAM console and use them as-is or as a reference.

## Ingest a CloudFormation template for a standard 3-Tier Web application
<a name="cfn-ingest-ex-3-tier-procedure"></a>

1. Upload the attached sample CloudFormation JSON template as a zip file, [3-tier-cfn-ingest.zip](samples/3-tier-cfn-ingest-2025.zip), to an S3 bucket and generate a signed S3 URL to use in the CFN Ingest RFC. For more information, see [presign](https://docs.aws.amazon.com/cli/latest/reference/s3/presign.html). The CFN template can also be copied and pasted into the CFN Ingest RFC when you submit the RFC through the AMS console.

1. Create a CloudFormation Ingest RFC (Deployment | Ingestion | Stack from CloudFormation template | Create (ct-36cn2avfrrj9v)), either via the AMS console or the AMS CLI. The CloudFormation ingest automation process validates the CloudFormation template to ensure that the template has valid AMS-supported resources, and adheres to security standards.
   + Using the console - For the change type, select **Deployment** -> **Ingestion** -> **Stack from CloudFormation Template** -> **Create**, and then add the following parameters as an example (note that the default for **MultiAZDatabase** is false):

     ```
     CloudFormationTemplateS3Endpoint: "https://s3-ap-southeast-2.amazonaws.com/amzn-s3-demo-bucket/3-tier-cfn-ingest.json?AWSAccessKeyId=#{S3_ACCESS_KEY_ID}&Expires=#{EXPIRE_DATE}&Signature=#{SIGNATURE}"
     VpcId: "VPC_ID"
     TimeoutInMinutes: 120
     IAMEC2InstanceProfile: "customer_ec2_secrets_manager_instance_profile"
     MultiAZDatabase: "true"
     WebServerCapacity: "2"
     ```
   + Using the AWS CLI - For details about creating RFCs using the AWS CLI, see [Creating RFCs](https://docs.aws.amazon.com/managedservices/latest/userguide/create-rfcs.html). For example, run the following command:

     ```
     aws --profile=saml amscm create-rfc --change-type-id ct-36cn2avfrrj9v --change-type-version "2.0" --title "TEST_CFN_INGEST" --execution-parameters "{\"CloudFormationTemplateS3Endpoint\":\"https://s3-ap-southeast-2.amazonaws.com/my-bucket/3-tier-cfn-ingest.json?AWSAccessKeyId=#{S3_ACCESS_KEY_ID}&Expires=#{EXPIRE_DATE}&Signature=#{SIGNATURE}\",\"TimeoutInMinutes\":120,\"Description\":\"TEST\",\"VpcId\":\"VPC_ID\",\"Name\":\"MY_TEST\",\"Tags\":[{\"Key\":\"env\",\"Value\":\"test\"}],\"Parameters\":[{\"Name\":\"IAMEC2InstanceProfile\",\"Value\":\"customer_ec2_secrets_manager_instance_profile\"},{\"Name\":\"MultiAZDatabase\",\"Value\":\"true\"},{\"Name\":\"VpcId\",\"Value\":\"VPC_ID\"},{\"Name\":\"WebServerCapacity\",\"Value\":\"2\"}]}" --endpoint-url https://amscm.us-east-1.amazonaws.com/operational/ --no-verify-ssl
     ```

   Find the Application Load Balancer URL in the CloudFormation RFC execution output to access the website. For information about accessing resources, see [Accessing instances](https://docs.aws.amazon.com/managedservices/latest/userguide/access-instance.html).
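
Hand-escaping JSON inside a shell string, as the CLI step requires, is easy to get wrong, and the signed template URL is a credential that should not end up in logs. The following added example (not AMS code) builds the same `create-rfc` arguments with `json.dumps` and masks the signed URL for logging. The helper names and sample URL are constructed, and the argument list leaves TLS verification at the CLI default by omitting `--no-verify-ssl`, which assumes the endpoint certificate validates in your environment.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys that authenticate a presigned S3 URL (names used above, plus SigV4 names).
SECRET_QUERY_KEYS = {"AWSAccessKeyId", "Signature", "X-Amz-Credential",
                     "X-Amz-Signature", "X-Amz-Security-Token"}

# Constructed sample URL; the key id and signature are placeholders, not real values.
SAMPLE_URL = ("https://s3-ap-southeast-2.amazonaws.com/amzn-s3-demo-bucket/"
              "3-tier-cfn-ingest.json?AWSAccessKeyId=EXAMPLEKEYID"
              "&Expires=1700000000&Signature=abc%2Fdef%3D")


def redact_presigned_url(url):
    """Return the URL with credential-bearing query values masked, for logs and tickets."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("template URL must use https")
    query = [(k, "REDACTED" if k in SECRET_QUERY_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_create_rfc_argv(template_url, vpc_id, parameters, profile="saml"):
    """Build the create-rfc argument list; json.dumps does all quoting of the payload."""
    execution = {
        "CloudFormationTemplateS3Endpoint": template_url,
        "TimeoutInMinutes": 120,
        "Description": "TEST",
        "VpcId": vpc_id,
        "Name": "MY_TEST",
        "Tags": [{"Key": "env", "Value": "test"}],
        "Parameters": [{"Name": n, "Value": v} for n, v in parameters.items()],
    }
    # A list passed to subprocess.run(argv) bypasses the shell, so no escaping is needed.
    return ["aws", "--profile", profile, "amscm", "create-rfc",
            "--change-type-id", "ct-36cn2avfrrj9v",
            "--change-type-version", "2.0",
            "--title", "TEST_CFN_INGEST",
            "--execution-parameters", json.dumps(execution),
            "--endpoint-url", "https://amscm.us-east-1.amazonaws.com/operational/"]


if __name__ == "__main__":
    argv = build_create_rfc_argv(SAMPLE_URL, "VPC_ID",
                                 {"MultiAZDatabase": "true", "WebServerCapacity": "2"})
    print(redact_presigned_url(SAMPLE_URL))
    print(argv[:-4])  # arguments without the payload, which contains the signed URL
```
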