This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # Intrinsic function reference CloudFormation provides several built-in functions that help you manage your stacks. Use intrinsic functions in your templates to assign values to properties that are not available until runtime. **Note** You can use intrinsic functions only in specific parts of a template. Currently, you can use intrinsic functions in resource properties, outputs, metadata attributes, and update policy attributes. You can also use intrinsic functions to conditionally create stack resources. **Topics** + [ # `Fn::Base64` ](intrinsic-function-reference-base64.md) + [ # `Fn::Cidr` ](intrinsic-function-reference-cidr.md) + [ # Condition functions ](intrinsic-function-reference-conditions.md) + [ # `Fn::FindInMap` ](intrinsic-function-reference-findinmap.md) + [ # `Fn::ForEach` ](intrinsic-function-reference-foreach.md) + [ # `Fn::GetAtt` ](intrinsic-function-reference-getatt.md) + [ # `Fn::GetAZs` ](intrinsic-function-reference-getavailabilityzones.md) + [ # `Fn::ImportValue` ](intrinsic-function-reference-importvalue.md) + [ # `Fn::Join` ](intrinsic-function-reference-join.md) + [ # `Fn::Length` ](intrinsic-function-reference-length.md) + [ # `Fn::Select` ](intrinsic-function-reference-select.md) + [ # `Fn::Split` ](intrinsic-function-reference-split.md) + [ # `Fn::Sub` ](intrinsic-function-reference-sub.md) + [ # `Fn::ToJsonString` ](intrinsic-function-reference-ToJsonString.md) + [ # `Fn::Transform` ](intrinsic-function-reference-transform.md) + [ # `Ref` ](intrinsic-function-reference-ref.md) + [ # Rule functions ](intrinsic-function-reference-rules.md) # `Fn::Base64` The intrinsic function `Fn::Base64` returns the Base64 representation of the input string. This function is typically used to pass encoded data to Amazon EC2 instances by way of the `UserData` property. ## Declaration ### JSON ``` { "Fn::Base64" : valueToEncode } ``` ### YAML Syntax for the full function name: ``` Fn::Base64: valueToEncode ``` Syntax for the short form: ``` !Base64 valueToEncode ``` **Note** If you use the short form and immediately include another function in the `valueToEncode` parameter, use the full function name for at least one of the functions. For example, the following syntax isn't valid: ``` !Base64 !Sub string !Base64 !Ref logical_ID ``` Instead, use the full function name for at least one of the functions, as shown in the following examples: ``` !Base64 "Fn::Sub": string Fn::Base64: !Sub string ``` ## Parameters valueToEncode The string value you want to convert to Base64. ## Return value: The original string, in Base64 representation. ## Examples ### JSON ``` { "Fn::Base64" : "AWS CloudFormation" } ``` ### YAML ``` Fn::Base64: AWS CloudFormation ``` ## Supported functions You can use any function that returns a string inside the `Fn::Base64` function. # `Fn::Cidr` The intrinsic function `Fn::Cidr` returns an array of CIDR address blocks. The number of CIDR blocks returned is dependent on the `count` parameter. ## Declaration ### JSON ``` { "Fn::Cidr" : [ipBlock, count, cidrBits]} ``` ### YAML Syntax for the full function name: ``` Fn::Cidr: - ipBlock - count - cidrBits ``` Syntax for the short form: ``` !Cidr [ ipBlock, count, cidrBits ] ``` ## Parameters ipBlock The user-specified CIDR address block to be split into smaller CIDR blocks. count The number of CIDRs to generate. Valid range is between 1 and 256. cidrBits The number of subnet bits for the CIDR. For example, specifying a value "8" for this parameter will create a CIDR with a mask of "/24". Subnet bits is the inverse of subnet mask. To calculate the required host bits for a given subnet bits, subtract the subnet bits from 32 for IPv4 or 128 for IPv6. ## Return value An array of CIDR address blocks. ## Example ### Basic usage This example creates 6 CIDRs with a subnet mask "/27" inside from a CIDR with a mask of "/24". #### JSON ``` { "Fn::Cidr" : [ "192.168.0.0/24", "6", "5"] } ``` #### YAML ``` !Cidr [ "192.168.0.0/24", 6, 5 ] ``` ### Creating an IPv6 enabled VPC This example template creates an IPv6 enabled subnet. #### JSON ``` { "Resources": { "ExampleVpc": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }, "IPv6CidrBlock": { "Type": "AWS::EC2::VPCCidrBlock", "Properties": { "AmazonProvidedIpv6CidrBlock": true, "VpcId": { "Ref": "ExampleVpc" } } }, "ExampleSubnet": { "Type": "AWS::EC2::Subnet", "DependsOn": "IPv6CidrBlock", "Properties": { "AssignIpv6AddressOnCreation": true, "CidrBlock": { "Fn::Select": [ 0, { "Fn::Cidr": [ { "Fn::GetAtt": [ "ExampleVpc", "CidrBlock" ] }, 1, 8 ] } ] }, "Ipv6CidrBlock": { "Fn::Select": [ 0, { "Fn::Cidr": [ { "Fn::Select": [ 0, { "Fn::GetAtt": [ "ExampleVpc", "Ipv6CidrBlocks" ] } ] }, 1, 64 ] } ] }, "VpcId": { "Ref": "ExampleVpc" } } } } } ``` #### YAML ``` Resources: ExampleVpc: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 IPv6CidrBlock: Type: AWS::EC2::VPCCidrBlock Properties: AmazonProvidedIpv6CidrBlock: true VpcId: !Ref ExampleVpc ExampleSubnet: Type: AWS::EC2::Subnet DependsOn: IPv6CidrBlock Properties: AssignIpv6AddressOnCreation: true CidrBlock: !Select - 0 - !Cidr - !GetAtt ExampleVpc.CidrBlock - 1 - 8 Ipv6CidrBlock: !Select - 0 - !Cidr - !Select - 0 - !GetAtt ExampleVpc.Ipv6CidrBlocks - 1 - 64 VpcId: !Ref ExampleVpc ``` ## Supported functions You can use the following functions in a `Fn::Cidr` function: + [`Fn::Select`](intrinsic-function-reference-select.md) + [`Ref`](intrinsic-function-reference-ref.md) # Condition functions You can use intrinsic functions, such as `Fn::If` or `Fn::Equals`, to create and configure stack resources based on conditional logic. These conditions evaluate during stack creation or updates. After you define all your conditions, you can associate them with resources or resource properties in the `Resources` and `Outputs` sections of a template. For advanced scenarios, you can combine conditions using `Fn::And` or `Fn::Or` functions, or use `Fn::Not` to negate a condition's value. You can also nest conditions to create more complex conditional logic. If you're new to using conditions in your templates, we recommend you first review the [CloudFormation template Conditions syntax](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html) topic in the *AWS CloudFormation User Guide*. **Note** You must define all conditions in the `Conditions` section of a template, except for `Fn::If` conditions. You can use the `Fn::If` condition in the `Metadata` attribute, `UpdatePolicy` attribute, and property values in the `Resources` and `Outputs` sections. **Topics** + [ ## `Fn::And` ](#intrinsic-function-reference-conditions-and) + [ ## `Fn::Equals` ](#intrinsic-function-reference-conditions-equals) + [ ## `Fn::If` ](#intrinsic-function-reference-conditions-if) + [ ## `Fn::Not` ](#intrinsic-function-reference-conditions-not) + [ ## `Fn::Or` ](#intrinsic-function-reference-conditions-or) + [ ## Supported functions ](#w2aac24c20c25) + [ ## Sample template ](#conditions-sample-templates) ## `Fn::And` Returns `true` if all the specified conditions evaluate to true, or returns `false` if any one of the conditions evaluates to false. `Fn::And` acts as an AND operator. The minimum number of conditions that you can include is 2, and the maximum is 10. ### Declaration #### JSON ``` "Fn::And": [{condition}, {...}] ``` #### YAML Syntax for the full function name: ``` Fn::And: [condition] ``` Syntax for the short form: ``` !And [condition] ``` ### Parameters condition A condition that evaluates to `true` or `false`. ### `Fn::And` usage examples The following `MyAndCondition` evaluates to true if the referenced security group name is equal to `sg-mysggroup` and if `SomeOtherCondition` evaluates to true: #### JSON ``` "MyAndCondition": { "Fn::And": [ {"Fn::Equals": ["sg-mysggroup", {"Ref": "ASecurityGroup"}]}, {"Condition": "SomeOtherCondition"} ] } ``` #### YAML ``` MyAndCondition: !And - !Equals ["sg-mysggroup", !Ref ASecurityGroup] - !Condition SomeOtherCondition ``` ## `Fn::Equals` Compares if two values are equal. Returns `true` if the two values are equal or `false` if they aren't. ### Declaration #### JSON ``` "Fn::Equals" : ["value_1", "value_2"] ``` #### YAML Syntax for the full function name: ``` Fn::Equals: [value_1, value_2] ``` Syntax for the short form: ``` !Equals [value_1, value_2] ``` ### Parameters value A string value that you want to compare. ### `Fn::Equals` usage examples The following `IsProduction` condition evaluates to true if the value for the `EnvironmentType` parameter is equal to `prod`: #### JSON ``` "IsProduction" : { "Fn::Equals": [ {"Ref": "EnvironmentType"}, "prod" ] } ``` #### YAML ``` IsProduction: !Equals [!Ref EnvironmentType, prod] ``` ## `Fn::If` Returns one value if the specified condition evaluates to `true` and another value if the specified condition evaluates to `false`. Currently, CloudFormation supports the `Fn::If` intrinsic function in the `Metadata` attribute, `UpdatePolicy` attribute, and property values in the `Resources` section and `Outputs` sections of a template. You can use the `AWS::NoValue` pseudo parameter as a return value to remove the corresponding property. ### Declaration #### JSON ``` "Fn::If": [condition_name, value_if_true, value_if_false] ``` #### YAML Syntax for the full function name: ``` Fn::If: [condition_name, value_if_true, value_if_false] ``` Syntax for the short form: ``` !If [condition_name, value_if_true, value_if_false] ``` ### Parameters condition\$1name A reference to a condition in the Conditions section. Use the condition's name to reference it. value\$1if\$1true A value to be returned if the specified condition evaluates to true. value\$1if\$1false A value to be returned if the specified condition evaluates to `false`. ### `Fn::If` usage examples **Topics** + [ #### Conditionally choosing a resource ](#w2aac24c20c19b9b5) + [ #### Conditional outputs ](#w2aac24c20c19b9b7) + [ #### Conditional array values ](#w2aac24c20c19b9b9) + [ #### Conditional properties and property values ](#w2aac24c20c19b9c11) + [ #### Conditional update policies ](#w2aac24c20c19b9c13) #### Conditionally choosing a resource The following example uses an `Fn::If` function in an Amazon EC2 resource definition to determine which security group resource to associate with the instance. If the `CreateNewSecurityGroup` condition evaluates to true, CloudFormation uses the referenced value of `NewSecurityGroup` (a security group created elsewhere in the template) to specify the `SecurityGroupIds` property. If `CreateNewSecurityGroup` is false, CloudFormation uses the referenced value of `ExistingSecurityGroupId` (a parameter that references an existing security group). ##### JSON ``` "Resources": { "EC2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "ami-0abcdef1234567890", "InstanceType": "t3.micro", "SecurityGroupIds": { "Fn::If": [ "CreateNewSecurityGroup", [{"Ref": "NewSecurityGroup"}], [{"Ref": "ExistingSecurityGroupId"}] ] }] } } } ``` ##### YAML ``` Resources: EC2Instance: Type: AWS::EC2::Instance Properties: ImageId: ami-0abcdef1234567890 InstanceType: t3.micro SecurityGroupIds: !If - CreateNewSecurityGroup - [!Ref NewSecurityGroup] - [!Ref ExistingSecurityGroupId] ``` #### Conditional outputs In the `Output` section of a template, you can use the `Fn::If` function to conditionally output information. In the following snippet, if the `CreateNewSecurityGroup` condition evaluates to true, CloudFormation outputs the security group ID of the `NewSecurityGroup` resource. If the condition is false, CloudFormation outputs the security group ID of the `ExistingSecurityGroup` resource. ##### JSON ``` "Outputs" : { "SecurityGroupId" : { "Description" : "Group ID of the security group used.", "Value" : { "Fn::If" : [ "CreateNewSecurityGroup", {"Ref" : "NewSecurityGroup"}, {"Ref" : "ExistingSecurityGroupId"} ] } } } ``` ##### YAML ``` Outputs: SecurityGroupId: Description: Group ID of the security group used. Value: !If [CreateNewSecurityGroup, !Ref NewSecurityGroup, !Ref ExistingSecurityGroupId] ``` #### Conditional array values The following example uses `Fn::If` to conditionally provide different array values based on a condition. If the `MoreThan2AZs` condition evaluates to true, it uses three public subnets. Otherwise, it uses only two public subnets. ##### JSON ``` "Subnets": { "Fn::If": [ "MoreThan2AZs", [ {"Fn::ImportValue": "PublicSubnet01"}, {"Fn::ImportValue": "PublicSubnet02"}, {"Fn::ImportValue": "PublicSubnet03"} ], [ {"Fn::ImportValue": "PublicSubnet01"}, {"Fn::ImportValue": "PublicSubnet02"} ] ] } ``` ##### YAML ``` Subnets: Fn::If: - MoreThan2AZs - - Fn::ImportValue: PublicSubnet01 - Fn::ImportValue: PublicSubnet02 - Fn::ImportValue: PublicSubnet03 - - Fn::ImportValue: PublicSubnet01 - Fn::ImportValue: PublicSubnet02 ``` #### Conditional properties and property values The following example uses the `AWS::NoValue` pseudo parameter in an `Fn::If` function. The condition uses a snapshot for an Amazon RDS DB instance only if a snapshot ID is provided. If the `UseDBSnapshot` condition evaluates to true, CloudFormation uses the `DBSnapshotName` parameter value for the `DBSnapshotIdentifier` property. If the condition evaluates to false, CloudFormation removes the `DBSnapshotIdentifier` property. It also uses an `Fn::If` function in the `AllocatedStorage` property of the Amazon RDS DB instance. If the `IsProduction` condition evaluates to true, the storage size is set to `100`. Otherwise, it's set to `20`. ##### JSON ``` "MyDatabase" : { "Type" : "AWS::RDS::DBInstance", "Properties": { "DBInstanceClass": "db.t3.micro", "AllocatedStorage": { "Fn::If": [ "IsProduction", 100, 20 ] }, "Engine" : "MySQL", "EngineVersion" : "5.5", "MasterUsername" : { "Ref" : "DBUser" }, "MasterUserPassword" : { "Ref" : "DBPassword" }, "DBParameterGroupName" : { "Ref" : "MyRDSParamGroup" }, "DBSnapshotIdentifier" : { "Fn::If" : [ "UseDBSnapshot", {"Ref" : "DBSnapshotName"}, {"Ref" : "AWS::NoValue"} ] } } } ``` ##### YAML ``` MyDatabase: Type: AWS::RDS::DBInstance Properties: DBInstanceClass: db.t3.micro AllocatedStorage: !If [IsProduction, 100, 20] Engine: MySQL EngineVersion: 5.5 MasterUsername: !Ref DBUser MasterUserPassword: !Ref DBPassword DBParameterGroupName: !Ref MyRDSParamGroup DBSnapshotIdentifier: !If [UseDBSnapshot, !Ref DBSnapshotName, !Ref "AWS::NoValue"] ``` #### Conditional update policies The following snippet provides an Auto Scaling update policy only if the `RollingUpdates` condition evaluates to true. If the condition evaluates to false, CloudFormation removes the `AutoScalingRollingUpdate` update policy. ##### JSON ``` "UpdatePolicy": { "Fn::If": [ "RollingUpdates", { "AutoScalingRollingUpdate": { "MaxBatchSize": 2, "MinInstancesInService": 2, "PauseTime": "PT0M30S" } }, { "Ref": "AWS::NoValue" } ] } ``` ##### YAML ``` UpdatePolicy: !If - RollingUpdates - AutoScalingRollingUpdate: MaxBatchSize: 2 MinInstancesInService: 2 PauseTime: PT0M30S - !Ref "AWS::NoValue" ``` ## `Fn::Not` Returns `true` for a condition that evaluates to `false` or returns `false` for a condition that evaluates to `true`. `Fn::Not` acts as a NOT operator. ### Declaration #### JSON ``` "Fn::Not": [{condition}] ``` #### YAML Syntax for the full function name: ``` Fn::Not: [condition] ``` Syntax for the short form: ``` !Not [condition] ``` ### Parameters condition A condition such as `Fn::Equals` that evaluates to `true` or `false`. ### `Fn::Not` usage examples The following `EnvCondition` condition evaluates to true if the value for the `EnvironmentType` parameter isn't equal to `prod`: #### JSON ``` "MyNotCondition" : { "Fn::Not" : [{ "Fn::Equals" : [ {"Ref" : "EnvironmentType"}, "prod" ] }] } ``` #### YAML ``` MyNotCondition: !Not [!Equals [!Ref EnvironmentType, prod]] ``` ## `Fn::Or` Returns `true` if any one of the specified conditions evaluate to true, or returns `false` if all the conditions evaluates to false. `Fn::Or` acts as an OR operator. The minimum number of conditions that you can include is 2, and the maximum is 10. ### Declaration #### JSON ``` "Fn::Or": [{condition}, {...}] ``` #### YAML Syntax for the full function name: ``` Fn::Or: [condition, ...] ``` Syntax for the short form: ``` !Or [condition, ...] ``` ### Parameters condition A condition that evaluates to `true` or `false`. ### `Fn::Or` usage examples The following `MyOrCondition` evaluates to true if the referenced security group name is equal to `sg-mysggroup` or if `SomeOtherCondition` evaluates to true: #### JSON ``` "MyOrCondition" : { "Fn::Or" : [ {"Fn::Equals" : ["sg-mysggroup", {"Ref" : "ASecurityGroup"}]}, {"Condition" : "SomeOtherCondition"} ] } ``` #### YAML ``` MyOrCondition: !Or [!Equals [sg-mysggroup, !Ref ASecurityGroup], Condition: SomeOtherCondition] ``` ## Supported functions You can use the following functions in the `Fn::If` condition: + `Fn::Base64` + `Fn::FindInMap` + `Fn::GetAtt` + `Fn::GetAZs` + `Fn::If` + `Fn::Join` + `Fn::Select` + `Fn::Sub` + `Ref` You can use the following functions in all other condition functions, such as `Fn::Equals` and `Fn::Or`: + `Fn::FindInMap` + `Ref` + Other condition functions ## Sample template ### Conditionally create resources for a production, development, or test stack In some cases, you might want to create stacks that are similar but with minor tweaks. For example, you might have a template that you use for production applications. You want to create the same production stack so that you can use it for development or testing. However, for development and testing, you might not require all the extra capacity that's included in a production-level stack. Instead, you can use an environment type input parameter to conditionally create stack resources that are specific to production, development, or testing, as shown in the following sample: You can specify `prod`, `dev`, or `test` for the `EnvType` parameter. For each environment type, the template specifies a different instance type. The instance types can range from a large, compute-optimized instance type to a small general purpose instance type. In order to conditionally specify the instance type, the template defines two conditions in the `Conditions` section of the template: `CreateProdResources`, which evaluates to true if the `EnvType` parameter value is equal to `prod` and `CreateDevResources`, which evaluates to true if the parameter value is equal to `dev`. In the `InstanceType` property, the template nests two `Fn::If` intrinsic functions to determine which instance type to use. If the `CreateProdResources` condition is true, the instance type is `c5.xlarge`. If the condition is false, the `CreateDevResources` condition is evaluated. If the `CreateDevResources` condition is true, the instance type is `t3.medium` or else the instance type is `t3.small`. In addition to the instance type, the production environment creates and attaches an Amazon EC2 volume to the instance. The `MountPoint` and `NewVolume` resources are associated with the `CreateProdResources` condition so that the resources are created only if the condition evaluates to true. **Example JSON** ``` { "AWSTemplateFormatVersion" : "2010-09-09", "Parameters" : { "EnvType" : { "Description" : "Environment type.", "Default" : "test", "Type" : "String", "AllowedValues" : ["prod", "dev", "test"], "ConstraintDescription" : "must specify prod, dev, or test." } }, "Conditions" : { "CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "prod"]}, "CreateDevResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "dev"]} }, "Resources" : { "EC2Instance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "ImageId" : "ami-1234567890abcdef0", "InstanceType" : { "Fn::If" : [ "CreateProdResources", "c5.xlarge", {"Fn::If" : [ "CreateDevResources", "t3.medium", "t3.small" ]} ]} } }, "MountPoint" : { "Type" : "AWS::EC2::VolumeAttachment", "Condition" : "CreateProdResources", "Properties" : { "InstanceId" : { "Ref" : "EC2Instance" }, "VolumeId" : { "Ref" : "NewVolume" }, "Device" : "/dev/sdh" } }, "NewVolume" : { "Type" : "AWS::EC2::Volume", "Condition" : "CreateProdResources", "Properties" : { "Size" : "100", "AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ]} } } } } ``` **Example YAML** ``` AWSTemplateFormatVersion: "2010-09-09" Parameters: EnvType: Description: Environment type. Default: test Type: String AllowedValues: [prod, dev, test] ConstraintDescription: must specify prod, dev, or test. Conditions: CreateProdResources: !Equals [!Ref EnvType, prod] CreateDevResources: !Equals [!Ref EnvType, "dev"] Resources: EC2Instance: Type: AWS::EC2::Instance Properties: ImageId: ami-1234567890abcdef0 InstanceType: !If [CreateProdResources, c5.xlarge, !If [CreateDevResources, t3.medium, t3.small]] MountPoint: Type: AWS::EC2::VolumeAttachment Condition: CreateProdResources Properties: InstanceId: !Ref EC2Instance VolumeId: !Ref NewVolume Device: /dev/sdh NewVolume: Type: AWS::EC2::Volume Condition: CreateProdResources Properties: Size: 100 AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone ``` **Note** For more complext examples of using conditions to create resources, see the [`Condition` attribute](aws-attribute-condition.md) topic. # `Fn::FindInMap` The intrinsic function `Fn::FindInMap` returns the value corresponding to keys in a two-level map that's declared in the `Mappings` section. ## Declaration ### JSON ``` { "Fn::FindInMap" : [ "MapName", "TopLevelKey", "SecondLevelKey"] } ``` ### YAML Syntax for the full function name: ``` Fn::FindInMap: [ MapName, TopLevelKey, SecondLevelKey ] ``` Syntax for the short form: ``` !FindInMap [ MapName, TopLevelKey, SecondLevelKey ] ``` **Note** You can't nest two instances of two functions in short form. ## Parameters MapName The logical name of a mapping declared in the Mappings section that contains the keys and values. TopLevelKey The top-level key name. Its value is a list of key-value pairs. SecondLevelKey The second-level key name, which is set to one of the keys from the list assigned to `TopLevelKey`. ## Return value The value that's assigned to `SecondLevelKey`. ## Examples The following examples demonstrate how to use the `Fn::FindInMap` function. **Topics** + [ ### Use Fn::FindInMap with region-specific values ](#intrinsic-function-reference-findinmap-region-example) + [ ### Use Fn::FindInMap for environment-specific configurations ](#intrinsic-function-reference-findinmap-environment-example) ### Use Fn::FindInMap with region-specific values The following example shows how to use `Fn::FindInMap` in a template that includes two mappings: `AWSInstanceType2Arch` and `AWSRegionArch2AMI`. It also includes an `InstanceType` parameter that allows you to choose between `t3.micro` and `t4g.nano`. The default is `t3.micro`, but this can be overridden during stack creation. `Fn::FindInMap` first determines the architecture (`HVM64` or `ARM64`) based on the selected instance type, and then looks up the correct AMI ID for that architecture in the current AWS Region. **Note** The AMI IDs shown in these examples are placeholders for demonstration purposes. Whenever possible, consider using dynamic references to AWS Systems Manager parameters as an alternative to the `Mappings` section. To avoid updating all your templates with a new ID each time the AMI that you want to use changes, use a AWS Systems Manager parameter to retrieve the latest AMI ID when the stack is created or updated. The latest versions of commonly used AMIs are also available as public parameters in Systems Manager. For more information, see [Get values stored in other services using dynamic references](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html). #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "InstanceType": { "Description": "The EC2 instance type", "Type": "String", "AllowedValues": [ "t3.micro", "t4g.nano" ], "Default": "t3.micro" } }, "Mappings": { "AWSInstanceType2Arch": { "t3.micro": { "Arch": "HVM64" }, "t4g.nano": { "Arch": "ARM64" } }, "AWSRegionArch2AMI": { "us-east-1" : { "HVM64" : "ami-12345678901234567", "ARM64" : "ami-23456789012345678" }, "us-west-1" : { "HVM64" : "ami-34567890123456789", "ARM64" : "ami-45678901234567890" }, "eu-west-1" : { "HVM64" : "ami-56789012345678901", "ARM64" : "ami-67890123456789012" }, "ap-southeast-1" : { "HVM64" : "ami-78901234567890123", "ARM64" : "ami-89012345678901234" }, "ap-northeast-1" : { "HVM64" : "ami-90123456789012345", "ARM64" : "ami-01234567890123456" } } }, "Resources" : { "MyEC2Instance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "InstanceType" : { "Ref": "InstanceType" }, "ImageId" : { "Fn::FindInMap" : [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, { "Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ]}] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Parameters: InstanceType: Description: The EC2 instance type Type: String AllowedValues: - t3.micro - t4g.nano Default: t3.micro Mappings: AWSInstanceType2Arch: t3.micro: Arch: HVM64 t4g.nano: Arch: ARM64 AWSRegionArch2AMI: us-east-1: HVM64: ami-12345678901234567 ARM64: ami-23456789012345678 us-west-1: HVM64: ami-34567890123456789 ARM64: ami-45678901234567890 eu-west-1: HVM64: ami-56789012345678901 ARM64: ami-67890123456789012 ap-southeast-1: HVM64: ami-78901234567890123 ARM64: ami-89012345678901234 ap-northeast-1: HVM64: ami-90123456789012345 ARM64: ami-01234567890123456 Resources: myEC2Instance: Type: AWS::EC2::Instance Properties: InstanceType: !Ref InstanceType ImageId: Fn::FindInMap: - AWSRegionArch2AMI - Ref: AWS::Region - Fn::FindInMap: - AWSInstanceType2Arch - Ref: InstanceType - Arch ``` ### Use Fn::FindInMap for environment-specific configurations The following example shows how to use `Fn::FindInMap` for a template with a `Mappings` section that contains a single map, `SecurityGroups`. It also contains an `EnvironmentType` parameter that allows you to specify whether the environment is `Dev` or `Prod`. It defaults to `Dev` but can be overridden during stack creation. `Fn::FindInMap` returns the appropriate `SecurityGroupIds` based on the `EnvironmentType` parameter. `Fn::Split` then splits the comma-separated string of security group IDs into a list, which is the expected format for [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html#cfn-ec2-instance-securitygroupids](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html#cfn-ec2-instance-securitygroupids). If you deploy this stack with `EnvironmentType` set to `Dev`, the `SecurityGroupIds` for `EC2Instance` will be `sg-12345678`. If you set `EnvironmentType` to `Prod`, it will use `sg-abcdef01` and `sg-ghijkl23`. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Parameters":{ "EnvironmentType":{ "Description":"The environment type (Dev or Prod)", "Type":"String", "Default":"Dev", "AllowedValues":[ "Dev", "Prod" ] } }, "Mappings":{ "SecurityGroups":{ "Dev":{ "SecurityGroupIds":"sg-12345678" }, "Prod":{ "SecurityGroupIds":"sg-abcdef01,sg-ghijkl23" } } }, "Resources":{ "Ec2Instance":{ "Type":"AWS::EC2::Instance", "Properties":{ "ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}", "InstanceType": "t2.micro", "SecurityGroupIds":{ "Fn::Split":[ ",", { "Fn::FindInMap":[ "SecurityGroups", { "Ref":"EnvironmentType" }, "SecurityGroupIds" ] } ] } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Parameters: EnvironmentType: Description: The environment type (Dev or Prod) Type: String Default: Dev AllowedValues: - Dev - Prod Mappings: SecurityGroups: Dev: SecurityGroupIds: sg-12345678 Prod: SecurityGroupIds: sg-abcdef01,sg-ghijkl23 Resources: Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}' InstanceType: t2.micro SecurityGroupIds: Fn::Split: - "," - Fn::FindInMap: [ SecurityGroups, !Ref EnvironmentType, SecurityGroupIds ] ``` ## Supported functions You can use the following functions in a `Fn::FindInMap` function: + `Fn::FindInMap` + `Ref` ## Related resources To use other intrinsic functions or a default value in a `Fn::FindInMap` function, you must declare the `AWS::LanguageExtensions` transform within your template. For more information, see [`Fn::FindInMap enhancements`](intrinsic-function-reference-findinmap-enhancements.md). These related topics can be helpful as you develop templates that use the `Fn::FindInMap` function. + [`Fn::Sub`](intrinsic-function-reference-sub.md) + [CloudFormation template Mappings syntax](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html) in the *AWS CloudFormation User Guide* # `Fn::ForEach` The `Fn::ForEach` intrinsic function takes a collection and a fragment, and applies the items in the collection to the identifier in the provided fragment. `Fn::ForEach` can contain other intrinsic functions, including `Fn::ForEach` itself, and be used within the `Conditions`, `Outputs`, and `Resources` (including the resource properties) sections. It can't be used in any of the following sections, `AWSTemplateFormatVersion`, `Description`, `Metadata`, `Transform`, `Parameters`, `Mappings`, `Rules`, or `Hooks` sections. If you use the `Fn::ForEach` intrinsic function in your template, you must also use the [`AWS::LanguageExtensions` transform](transform-aws-languageextensions.md) . Using the `Fn::ForEach` intrinsic function does not change the quotas, which apply to the resultant template. Quotas include the maximum size of a template and the maximum number of resources in a template. For more information, see [Understand CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*. ## Declaration ### JSON ``` "Fn::ForEach::LoopLogicalName": [ "Identifier", ["Value1","Value2"], // Collection {"OutputKey": {OutputValue}} ] ``` ### YAML ``` 'Fn::ForEach::LoopLogicalName': - Identifier - - Value1 # Collection - Value2 - 'OutputKey': OutputValue ``` ## Parameters *Loop logical name* A logical ID for the loop. The name must be unique within the template and can't conflict with any logical ID values in the `Resources` section of the template. This name isn't in the transformed output. It’s used for internal reference within the CloudFormation template itself. *Identifier* An identifier for the placeholder that gets replaced in the `OutputKey` and `OutputValue` parameters. All instances of `${Identifier}` or `&{Identifier}` in the `OutputKey` and `OutputValue` parameters will be replaced with the values from the `Collection` parameter. *Collection* The collection of values to iterate over. This can be an array in this parameter, or it can be a [`Ref`](intrinsic-function-reference-ref.md) to a `CommaDelimitedList`. When using `&{Identifier}`, non-alphanumeric characters can be passed in the `Collection`. *Output key* The key in the transformed template. `${Identifier}` or `&{Identifier}` must be included within the `OutputKey` parameter. For example, if `Fn::ForEach` is used in the `Resources` section of the template, this is the logical ID of each resource. The `&{}` syntax allows non-alphanumeric characters in the `Collection` to be used in `OutputKey` parameter. For an example of this, see [Passing non-alphanumeric characters within the `Collection` for `Fn::ForEach`](intrinsic-function-reference-foreach-example-resource.md#intrinsic-function-reference-foreach-example-non-alphanumeric). *Output value* The value that's replicated in the transformed template for each item in the `Collection` parameter. For example, if `Fn::ForEach` is used in the `Resources` section of the template, this is the template fragment that's repeated to configure each resource. ## Return value An expanded object that contains the object fragment repeated once for each item in the collection, where the identifier in the fragment is replaced with the item from the collection. ## Supported functions You can use the following functions within `Fn::ForEach`. + Condition functions: + [`Fn::And`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-and) + [`Fn::Equals`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-equals) + [`Fn::If`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-if) + [`Fn::Not`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-not) + [`Fn::Or`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-or) + [`Fn::Base64`](intrinsic-function-reference-base64.md) + [`Fn::FindInMap`](intrinsic-function-reference-findinmap.md) + [`Fn::GetAtt`](intrinsic-function-reference-getatt.md) + [`Fn::GetAZs`](intrinsic-function-reference-getavailabilityzones.md) + [`Fn::ImportValue`](intrinsic-function-reference-importvalue.md) + [`Fn::Join`](intrinsic-function-reference-join.md) + [`Fn::Length`](intrinsic-function-reference-length.md) + [`Fn::Transform`](intrinsic-function-reference-transform.md) + [`Fn::Select`](intrinsic-function-reference-select.md) + [`Fn::Sub`](intrinsic-function-reference-sub.md) + [`Fn::ToJsonString`](intrinsic-function-reference-ToJsonString.md) + [`Ref`](intrinsic-function-reference-ref.md) ## Examples You can find examples for the `Conditions`, `Outputs`, and `Resources` sections in [Examples](intrinsic-function-reference-foreach-examples.md). # Examples **Topics** + [ # Examples of `Fn::ForEach` in the `Resources` section ](intrinsic-function-reference-foreach-example-resource.md) + [ # Examples of `Fn::ForEach` in the `Outputs` section ](intrinsic-function-reference-foreach-example-outputs.md) + [ # Examples of `Fn::ForEach` in the `Conditions` section ](intrinsic-function-reference-foreach-example-conditions.md) # Examples of `Fn::ForEach` in the `Resources` section These examples demonstrate using the `Fn::ForEach` intrinsic function in the `Resources` section. For more information about this section, see [Resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resources-section-structure.html) in the *AWS CloudFormation User Guide*. **Topics** + [ ## Replicate an Amazon SNS resource ](#intrinsic-function-reference-foreach-example-replicate-resource) + [ ## Replicate an Amazon DynamoDB resource ](#intrinsic-function-reference-foreach-example-replicate-ddb-resource) + [ ## Replicate multiple resources ](#intrinsic-function-reference-foreach-example-replicate-multiple-resources) + [ ## Replicate multiple resources using a nested `Fn::ForEach` loops ](#intrinsic-function-reference-foreach-example-nested-loop-resources) + [ ## Reference replicated properties for an Amazon EC2 resource ](#intrinsic-function-reference-foreach-example-reference-replicated-resource) + [ ## Replicate properties for an Amazon EC2 resource ](#intrinsic-function-reference-foreach-example-replicate-resource-properties) + [ ## Passing non-alphanumeric characters within the `Collection` for `Fn::ForEach` ](#intrinsic-function-reference-foreach-example-non-alphanumeric) ## Replicate an Amazon SNS resource This example snippet returns a list of four Amazon SNS topics, with the logical ID corresponding to the items in the collection (`Success`, `Failure`, `Timeout`, `Unknown`), with a matching `TopicName` and `FifoTopic` set to `true`. **Note** For templates that need to work with both FIFO and standard topics, you can use the `DisplayName` property instead of `TopicName`. This allows CloudFormation to automatically generate topic names with the appropriate `.fifo` suffix when `FifoTopic` is `true`. Simply replace `TopicName` with `DisplayName: !Ref TopicName` in the `Properties` section. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Resources": { "Fn::ForEach::Topics": [ "TopicName", ["Success", "Failure", "Timeout", "Unknown"], { "SnsTopic${TopicName}": { "Type": "AWS::SNS::Topic", "Properties": { "TopicName": {"Fn::Sub": "${TopicName}.fifo"}, "FifoTopic": true } } } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: 'Fn::ForEach::Topics': - TopicName - [Success, Failure, Timeout, Unknown] - 'SnsTopic${TopicName}': Type: AWS::SNS::Topic Properties: TopicName: !Sub '${TopicName}.fifo' FifoTopic: true ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Resources: SnsTopicSuccess: Type: AWS::SNS::Topic Properties: TopicName: Success.fifo FifoTopic: true SnsTopicFailure: Type: AWS::SNS::Topic Properties: TopicName: Failure.fifo FifoTopic: true SnsTopicTimeout: Type: AWS::SNS::Topic Properties: TopicName: Timeout.fifo FifoTopic: true SnsTopicUnknown: Type: AWS::SNS::Topic Properties: TopicName: Unknown.fifo FifoTopic: true ``` ## Replicate an Amazon DynamoDB resource This example snippet creates four [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html) resources with names such as `Points`, `Score`, etc. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Resources": { "Fn::ForEach::Tables": [ "TableName", ["Points", "Score", "Name", "Leaderboard"], { "DynamoDB${TableName}": { "Type": "AWS::DynamoDB::Table", "Properties": { "TableName": { "Ref": "TableName" }, "AttributeDefinitions": [ { "AttributeName": "id", "AttributeType": "S" } ], "KeySchema": [ { "AttributeName": "id", "KeyType": "HASH" } ], "ProvisionedThroughput": { "ReadCapacityUnits": "5", "WriteCapacityUnits": "5" } } } } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: 'Fn::ForEach::Tables': - TableName - [Points, Score, Name, Leaderboard] - 'DynamoDB${TableName}': Type: AWS::DynamoDB::Table Properties: TableName: !Ref TableName AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: '5' WriteCapacityUnits: '5' ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: DynamoDBPoints: Type: AWS::DynamoDB::Table Properties: TableName: Points AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: '5' WriteCapacityUnits: '5' DynamoDBScore: Type: AWS::DynamoDB::Table Properties: TableName: Score AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: '5' WriteCapacityUnits: '5' DynamoDBName: Type: AWS::DynamoDB::Table Properties: TableName: Name AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: '5' WriteCapacityUnits: '5' DynamoDBLeaderboard: Type: AWS::DynamoDB::Table Properties: TableName: Leaderboard AttributeDefinitions: - AttributeName: id AttributeType: S KeySchema: - AttributeName: id KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: '5' WriteCapacityUnits: '5' ``` ## Replicate multiple resources This example creates multiple instances of [AWS::EC2::NatGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-natgateway.html) and [AWS::EC2::EIP](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) using a naming convention of `"{ResourceType}${Identifier}"`. You can declare multiple resource types under one `Fn::ForEach` loop to take advantage of a single identifier. Unique values for each element in the collection are defined within the `Mappings` section, where the [`Fn::FindInMap`](intrinsic-function-reference-findinmap.md) intrinsic function is used to reference the corresponding value. If `Fn::FindInMap` is unable to find the corresponding identifier, the `Condition` property will not be set resolving to `!Ref AWS:::NoValue`. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Conditions": { "TwoNatGateways": {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-east-1"]}, "ThreeNatGateways": {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-west-2"]} }, "Mappings": { "NatGateway": { "Condition": { "B": "TwoNatGateways", "C": "ThreeNatGateways" } } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"} }, "PublicSubnetA": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24", "AvailabilityZone": {"Fn::Select": [0, {"Fn::GetAZs": ""}]} } }, "PublicSubnetB": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.2.0/24", "AvailabilityZone": {"Fn::Select": [1, {"Fn::GetAZs": ""}]} } }, "PublicSubnetC": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.3.0/24", "AvailabilityZone": {"Fn::Select": [2, {"Fn::GetAZs": ""}]} } }, "Fn::ForEach::NatGatewayAndEIP": [ "Identifier", [ "A", "B", "C" ], { "NatGateway${Identifier}": { "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": {"Fn::GetAtt": [{"Fn::Sub": "NatGatewayAttachment${Identifier}"}, "AllocationId"]}, "SubnetId": {"Ref": {"Fn::Sub": "PublicSubnet${Identifier}"}} }, "Condition": {"Fn::FindInMap": ["NatGateway", "Condition", {"Ref": "Identifier"}, {"DefaultValue": {"Ref": "AWS::NoValue"}}]} }, "NatGatewayAttachment${Identifier}": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" }, "Condition": {"Fn::FindInMap": ["NatGateway", "Condition", {"Ref": "Identifier"}, {"DefaultValue": {"Ref": "AWS::NoValue"}}]} } } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Conditions: TwoNatGateways: !Equals [!Ref "AWS::Region", "us-east-1"] ThreeNatGateways: !Equals [!Ref "AWS::Region", "us-west-2"] Mappings: NatGateway: Condition: B: TwoNatGateways C: ThreeNatGateways Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 PublicSubnetA: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ""] PublicSubnetB: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.2.0/24 AvailabilityZone: !Select [1, !GetAZs ""] PublicSubnetC: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.3.0/24 AvailabilityZone: !Select [2, !GetAZs ""] Fn::ForEach::NatGatewayAndEIP: - Identifier - - A - B - C - NatGateway${Identifier}: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt - !Sub NatGatewayAttachment${Identifier} - AllocationId SubnetId: !Ref Fn::Sub: PublicSubnet${Identifier} Condition: !FindInMap - NatGateway - Condition - !Ref Identifier - DefaultValue: !Ref AWS::NoValue NatGatewayAttachment${Identifier}: Type: AWS::EC2::EIP Properties: Domain: vpc Condition: !FindInMap - NatGateway - Condition - !Ref Identifier - DefaultValue: !Ref AWS::NoValue ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Conditions: TwoNatGateways: !Equals [!Ref "AWS::Region", "us-east-1"] ThreeNatGateways: !Equals [!Ref "AWS::Region", "us-west-2"] Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 PublicSubnetA: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ""] PublicSubnetB: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.2.0/24 AvailabilityZone: !Select [1, !GetAZs ""] PublicSubnetC: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.3.0/24 AvailabilityZone: !Select [2, !GetAZs ""] NatGatewayA: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt - NatGatewayAttachmentA - AllocationId SubnetId: !Ref PublicSubnetA NatGatewayB: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt - NatGatewayAttachmentB - AllocationId SubnetId: !Ref PublicSubnetB Condition: TwoNatGateways NatGatewayC: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt - NatGatewayAttachmentC - AllocationId SubnetId: !Ref PublicSubnetC Condition: ThreeNatGateways NatGatewayAttachmentA: Type: AWS::EC2::EIP Properties: Domain: vpc NatGatewayAttachmentB: Type: AWS::EC2::EIP Properties: Domain: vpc Condition: TwoNatGateways NatGatewayAttachmentC: Type: AWS::EC2::EIP Properties: Domain: vpc Condition: ThreeNatGateways ``` ## Replicate multiple resources using a nested `Fn::ForEach` loops This example uses nested `Fn::ForEach` loops to map three resources ( [AWS::EC2::NetworkAcl](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-natgateway.html), [AWS::EC2::Subnet](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html), and [AWS::EC2::SubnetNetworkAclAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnetnetworkaclassociation.html)) with each other. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsSupport": "true", "EnableDnsHostnames": "true" } }, "Fn::ForEach::SubnetResources": [ "Prefix", [ "Transit", "Public" ], { "Nacl${Prefix}Subnet": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": { "Ref": "VPC" } } }, "Fn::ForEach::LoopInner": [ "Suffix", [ "A", "B", "C" ], { "${Prefix}Subnet${Suffix}": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "VPC" } } }, "Nacl${Prefix}Subnet${Suffix}Association": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": { "Fn::Sub": "${Prefix}Subnet${Suffix}" } }, "NetworkAclId": { "Ref": { "Fn::Sub": "Nacl${Prefix}Subnet" } } } } } ] } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' 'Fn::ForEach::SubnetResources': - Prefix - [Transit, Public] - 'Nacl${Prefix}Subnet': Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref 'VPC' 'Fn::ForEach::LoopInner': - Suffix - [A, B, C] - '${Prefix}Subnet${Suffix}': Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' 'Nacl${Prefix}Subnet${Suffix}Association': Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref 'Fn::Sub': '${Prefix}Subnet${Suffix}' NetworkAclId: !Ref 'Fn::Sub': 'Nacl${Prefix}Subnet' ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' NaclTransitSubnet: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref VPC TransitSubnetA: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC NaclTransitSubnetAAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref TransitSubnetA NetworkAclId: !Ref NaclTransitSubnet TransitSubnetB: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC NaclTransitSubnetBAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref TransitSubnetB NetworkAclId: !Ref NaclTransitSubnet TransitSubnetC: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC NaclTransitSubnetCAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref TransitSubnetC NetworkAclId: !Ref NaclTransitSubnet NaclPublicSubnet: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref VPC PublicSubnetA: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC NaclPublicSubnetAAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref PublicSubnetA NetworkAclId: !Ref NaclPublicSubnet PublicSubnetB: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC NaclPublicSubnetBAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref PublicSubnetB NetworkAclId: !Ref NaclPublicSubnet PublicSubnetC: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC NaclPublicSubnetCAssociation: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref PublicSubnetC NetworkAclId: !Ref NaclPublicSubnet ``` ## Reference replicated properties for an Amazon EC2 resource This example uses the `Fn::ForEach` intrinsic function to reference replicated [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resources. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Mappings": { "Instances": { "InstanceType": { "B": "m5.4xlarge", "C": "c5.2xlarge" }, "ImageId": {"A": "ami-id1"} } }, "Resources": { "Fn::ForEach::Instances": [ "Identifier", [ "A", "B", "C" ], { "Instance${Identifier}": { "Type": "AWS::EC2::Instance", "Properties": { "InstanceType": {"Fn::FindInMap": ["Instances", "InstanceType", {"Ref": "Identifier"}, {"DefaultValue": "m5.xlarge"}]}, "ImageId": {"Fn::FindInMap": ["Instances", "ImageId", {"Ref": "Identifier"}, {"DefaultValue": "ami-id-default"}]} } } } ] }, "Outputs": { "SecondInstanceId": { "Description": "Instance Id for InstanceB", "Value": {"Ref": "InstanceB"} }, "SecondPrivateIp": { "Description": "Private IP for InstanceB", "Value": { "Fn::GetAtt": [ "InstanceB", "PrivateIp" ] } } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Mappings: Instances: InstanceType: B: m5.4xlarge C: c5.2xlarge ImageId: A: ami-id1 Resources: 'Fn::ForEach::Instances': - Identifier - [A, B, C] - 'Instance${Identifier}': Type: AWS::EC2::Instance Properties: InstanceType: !FindInMap [Instances, InstanceType, !Ref 'Identifier', {DefaultValue: m5.xlarge}] ImageId: !FindInMap [Instances, ImageId, !Ref 'Identifier', {DefaultValue: ami-id-default}] Outputs: SecondInstanceId: Description: Instance Id for InstanceB Value: !Ref 'InstanceB' SecondPrivateIp: Description: Private IP for InstanceB Value: !GetAtt [InstanceB, PrivateIp] ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: InstanceA: Type: AWS::EC2::Instance Properties: InstanceType: m5.xlarge ImageId: ami-id1 InstanceB: Type: AWS::EC2::Instance Properties: InstanceType: m5.4xlarge ImageId: ami-id-default InstanceC: Type: AWS::EC2::Instance Properties: InstanceType: c5.2xlarge ImageId: ami-id-default Outputs: SecondInstanceId: Description: Instance Id for InstanceB Value: !Ref InstanceB SecondPrivateIp: Description: Private IP for InstanceB Value: !GetAtt [InstanceB, PrivateIp] ``` ## Replicate properties for an Amazon EC2 resource This example uses the `Fn::ForEach` intrinsic function to repeat some properties like `ImageId`, `InstanceType`, and `AvailabilityZone` to an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Mappings": { "InstanceA": { "Properties": { "ImageId": "ami-id1", "InstanceType": "m5.xlarge" } }, "InstanceB": { "Properties": { "ImageId": "ami-id2" } }, "InstanceC": { "Properties": { "ImageId": "ami-id3", "InstanceType": "m5.2xlarge", "AvailabilityZone": "us-east-1a" } } }, "Resources": { "Fn::ForEach::Instances": [ "InstanceLogicalId", [ "InstanceA", "InstanceB", "InstanceC" ], { "${InstanceLogicalId}": { "Type": "AWS::EC2::Instance", "Properties": { "DisableApiTermination": true, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash\n", "yum update -y\n", "yum install -y httpd.x86_64\n", "systemctl start httpd.service\n", "systemctl enable httpd.service\n", "echo \"Hello World from $(hostname -f)\" > /var/www/html/index.html\n" ] ] } }, "Fn::ForEach::Properties": [ "PropertyName", [ "ImageId", "InstanceType", "AvailabilityZone" ], { "${PropertyName}": { "Fn::FindInMap": [ { "Ref": "InstanceLogicalId" }, "Properties", { "Ref": "PropertyName"}, { "DefaultValue": { "Ref": "AWS::NoValue" } } ] } } ] } } } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Mappings: InstanceA: Properties: ImageId: ami-id1 InstanceType: m5.xlarge InstanceB: Properties: ImageId: ami-id2 InstanceC: Properties: ImageId: ami-id3 InstanceType: m5.2xlarge AvailabilityZone: us-east-1a Resources: 'Fn::ForEach::Instances': - InstanceLogicalId - [InstanceA, InstanceB, InstanceC] - '${InstanceLogicalId}': Type: AWS::EC2::Instance Properties: DisableApiTermination: true UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd.x86_64 systemctl start httpd.service systemctl enable httpd.service echo "Hello World from $(hostname -f)" > /var/www/html/index.html 'Fn::ForEach::Properties': - PropertyName - [ImageId, InstanceType, AvailabilityZone] - '${PropertyName}': 'Fn::FindInMap': - Ref: 'InstanceLogicalId' - Properties - Ref: 'PropertyName' - {DefaultValue: !Ref 'AWS::NoValue'} ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: InstanceA: Type: AWS::EC2::Instance Properties: DisableApiTermination: true UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd.x86_64 systemctl start httpd.service systemctl enable httpd.service echo "Hello World from $(hostname -f)" > /var/www/html/index.html ImageId: ami-id1 InstanceType: m5.xlarge InstanceB: Type: AWS::EC2::Instance Properties: DisableApiTermination: true UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd.x86_64 systemctl start httpd.service systemctl enable httpd.service echo "Hello World from $(hostname -f)" > /var/www/html/index.html ImageId: ami-id2 InstanceC: Type: AWS::EC2::Instance Properties: DisableApiTermination: true UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd.x86_64 systemctl start httpd.service systemctl enable httpd.service echo "Hello World from $(hostname -f)" > /var/www/html/index.html ImageId: ami-id3 InstanceType: m5.2xlarge AvailabilityZone: us-east-1a ``` ## Passing non-alphanumeric characters within the `Collection` for `Fn::ForEach` This example uses the `&{}` syntax, which allows the non-alphanumeric characters (`.` and `/`) in the IP addresses to be passed within the `Collection`. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Parameters": { "IpAddresses": { "Type": "CommaDelimitedList", "Default": "10.0.2.0/24,10.0.3.0/24,10.0.4.0/24" } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsSupport": "true", "EnableDnsHostnames": "true" } }, "Fn::ForEach::Subnets": [ "CIDR", { "Ref": "IpAddresses" }, { "Subnet&{CIDR}": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "VPC" }, "CidrBlock": { "Ref": "CIDR" } } } } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Parameters: IpAddresses: Type: CommaDelimitedList Default: '10.0.2.0/24,10.0.3.0/24,10.0.4.0/24' Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' 'Fn::ForEach::Subnets': - CIDR - !Ref IpAddresses - 'Subnet&{CIDR}': Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Ref CIDR ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Parameters: IpAddresses: Type: CommaDelimitedList Default: '10.0.2.0/24,10.0.3.0/24,10.0.4.0/24' Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: 'true' EnableDnsHostnames: 'true' Subnet1002024: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.2.0/24 Subnet1003024: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.3.0/24 Subnet1004024: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.4.0/24 ``` # Examples of `Fn::ForEach` in the `Outputs` section These examples demonstrate using the `Fn::ForEach` intrinsic function in the `Outputs` section. For more information about this section, see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html) in the *AWS CloudFormation User Guide*. **Topics** + [ ## Reference replicated `AWS::S3::Bucket` resources ](#intrinsic-function-reference-foreach-example-replicate-outputs) + [ ## Reference replicated `AWS::EC2::Instance` resources ](#intrinsic-function-reference-foreach-example-replicate-conditions) ## Reference replicated `AWS::S3::Bucket` resources This example uses nested `Fn::ForEach` loops in the `Outputs` section to reduce the template length. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Resources": { "Fn::ForEach::Buckets": [ "Identifier", [ "A", "B", "C" ], { "S3Bucket${Identifier}": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "MetricsConfigurations": [ { "Id": {"Fn::Sub": "EntireBucket${Identifier}"} } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain" } } ] }, "Outputs": { "Fn::ForEach::BucketOutputs": [ "Identifier", [ "A", "B", "C" ], { "Fn::ForEach::GetAttLoop": [ "Property", [ "Arn", "DomainName", "WebsiteURL" ], { "S3Bucket${Identifier}${Property}": { "Value": {"Fn::GetAtt": [{"Fn::Sub": "S3Bucket${Identifier}"}, {"Ref": "Property"}]} } } ] } ] } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: 'Fn::ForEach::Buckets': - Identifier - [A, B, C] - 'S3Bucket${Identifier}': Type: AWS::S3::Bucket Properties: AccessControl: PublicRead MetricsConfigurations: - Id: !Sub 'EntireBucket${Identifier}' WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain UpdateReplacePolicy: Retain Outputs: 'Fn::ForEach::BucketOutputs': - Identifier - [A, B, C] - 'Fn::ForEach::GetAttLoop': - Property - [Arn, DomainName, WebsiteURL] - 'S3Bucket${Identifier}${Property}': Value: !GetAtt [!Sub 'S3Bucket${Identifier}', !Ref Property] ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: S3BucketA: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead MetricsConfigurations: - Id: EntireBucketA WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain UpdateReplacePolicy: Retain S3BucketB: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead MetricsConfigurations: - Id: EntireBucketB WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain UpdateReplacePolicy: Retain S3BucketC: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead MetricsConfigurations: - Id: EntireBucketC WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain UpdateReplacePolicy: Retain Outputs: S3BucketAArn: Value: !GetAtt [S3BucketA, Arn] S3BucketADomainName: Value: !GetAtt [S3BucketA, DomainName] S3BucketAWebsiteURL: Value: !GetAtt [S3BucketA, WebsiteURL] S3BucketBArn: Value: !GetAtt [S3BucketB, Arn] S3BucketBDomainName: Value: !GetAtt [S3BucketB, DomainName] S3BucketBWebsiteURL: Value: !GetAtt [S3BucketB, WebsiteURL] S3BucketCArn: Value: !GetAtt [S3BucketC, Arn] S3BucketCDomainName: Value: !GetAtt [S3BucketC, DomainName] S3BucketCWebsiteURL: Value: !GetAtt [S3BucketC, WebsiteURL] ``` ## Reference replicated `AWS::EC2::Instance` resources This example references replicated resources in the `Resources` section using the generated logical IDs. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Mappings": { "Instances": { "InstanceType": { "B": "m5.4xlarge", "C": "c5.2xlarge" }, "ImageId": {"A": "ami-id1"} } }, "Resources": { "Fn::ForEach::Instances": [ "Identifier", [ "A", "B", "C" ], { "Instance${Identifier}": { "Type": "AWS::EC2::Instance", "Properties": { "InstanceType": {"Fn::FindInMap": ["Instances", "InstanceType", {"Ref": "Identifier"}, {"DefaultValue": "m5.xlarge"}]}, "ImageId": {"Fn::FindInMap": ["Instances", "ImageId", {"Ref": "Identifier"}, {"DefaultValue": "ami-id-default"}]} } } } ] }, "Outputs": { "SecondInstanceId": { "Description": "Instance Id for InstanceB", "Value": {"Ref": "InstanceB"} }, "SecondPrivateIp": { "Description": "Private IP for InstanceB", "Value": { "Fn::GetAtt": [ "InstanceB", "PrivateIp" ] } } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Mappings: Instances: InstanceType: B: m5.4xlarge C: c5.2xlarge ImageId: A: ami-id1 Resources: 'Fn::ForEach::Instances': - Identifier - [A, B, C] - 'Instance${Identifier}': Type: AWS::EC2::Instance Properties: InstanceType: !FindInMap [Instances, InstanceType, !Ref Identifier, DefaultValue: m5.xlarge] ImageId: !FindInMap [Instances, ImageId, !Ref Identifier, DefaultValue: ami-id-default] Outputs: SecondInstanceId: Description: Instance Id for InstanceB Value: !Ref InstanceB SecondPrivateIp: Description: Private IP for InstanceB Value: !GetAtt [InstanceB, PrivateIp] ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Resources: InstanceA: Type: AWS::EC2::Instance Properties: InstanceType: m5.xlarge ImageId: ami-id1 InstanceB: Type: AWS::EC2::Instance Properties: InstanceType: m5.4xlarge ImageId: ami-id-default InstanceC: Type: AWS::EC2::Instance Properties: InstanceType: c5.2xlarge ImageId: ami-id-default Outputs: SecondInstanceId: Description: Instance Id for InstanceB Value: !Ref InstanceB SecondPrivateIp: Description: Private IP for InstanceB Value: !GetAtt [InstanceB, PrivateIp] ``` # Examples of `Fn::ForEach` in the `Conditions` section These examples demonstrate using the `Fn::ForEach` intrinsic function in the `Conditions` section. For more information about this section, see [Conditions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html) in the *AWS CloudFormation User Guide*. **Important** `Conditions` must be the second property listed, or later. Stack creation will fail if `Conditions` is the first property listed within the template fragment parameter of `Fn::ForEach`. ``` Resources: 'Fn::ForEach::Topics': - LogicalId - !Ref TopicList - '${LogicalId}': Condition: !Sub 'TopicCondition${LogicalId}' Type: AWS::SNS::Topic Properties: TopicName: !Sub 'My${LogicalId}' ``` `Conditions` must be added as the second key, or later, for stack creation to succeed: ``` Resources: 'Fn::ForEach::Topics': - LogicalId - !Ref TopicList - '${LogicalId}': Type: AWS::SNS::Topic Condition: !Sub 'TopicCondition${LogicalId}' Properties: TopicName: !Sub 'My${LogicalId}' ``` **Topics** + [ ## Replicate a single condition ](#intrinsic-function-reference-foreach-example-replicated-single-condition) ## Replicate a single condition This example uses the `Fn::ForEach` intrinsic function in the `Conditions` section to replicate multiple similar conditions with different properties. ### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Parameters": { "ParamA": { "Type": "String", "AllowedValues": [ "true", "false" ] }, "ParamB": { "Type": "String", "AllowedValues": [ "true", "false" ] }, "ParamC": { "Type": "String", "AllowedValues": [ "true", "false" ] }, "ParamD": { "Type": "String", "AllowedValues": [ "true", "false" ] } }, "Conditions": { "Fn::ForEach::CheckTrue": [ "Identifier", ["A", "B", "C", "D"], { "IsParam${Identifier}Enabled": { "Fn::Equals": [ {"Ref": {"Fn::Sub": "Param${Identifier}"}}, "true" ] } } ] }, "Resources": { "WaitConditionHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" } } } ``` ### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Parameters: ParamA: Type: String AllowedValues: - 'true' - 'false' ParamB: Type: String AllowedValues: - 'true' - 'false' ParamC: Type: String AllowedValues: - 'true' - 'false' ParamD: Type: String AllowedValues: - 'true' - 'false' Conditions: 'Fn::ForEach::CheckTrue': - Identifier - [A, B, C, D] - 'IsParam${Identifier}Enabled': !Equals - !Ref 'Fn::Sub': 'Param${Identifier}' - 'true' Resources: WaitConditionHandle: Type: AWS::CloudFormation::WaitConditionHandle ``` The transformed template will be equivalent to the following template: ``` AWSTemplateFormatVersion: 2010-09-09 Parameters: ParamA: Type: String AllowedValues: - 'true' - 'false' ParamB: Type: String AllowedValues: - 'true' - 'false' ParamC: Type: String AllowedValues: - 'true' - 'false' ParamD: Type: String AllowedValues: - 'true' - 'false' Conditions: IsParamAEnabled: !Equals - !Ref ParamA - 'true' IsParamBEnabled: !Equals - !Ref ParamB - 'true' IsParamCEnabled: !Equals - !Ref ParamC - 'true' IsParamDEnabled: !Equals - !Ref ParamD - 'true' Resources: WaitConditionHandle: Type: AWS::CloudFormation::WaitConditionHandle ``` # `Fn::GetAtt` The `Fn::GetAtt` intrinsic function returns the value of an attribute from a resource in the template. ## Declaration ### JSON ``` { "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] } ``` ### YAML Syntax for the full function name: ``` Fn::GetAtt: [ logicalNameOfResource, attributeName ] ``` Syntax for the short form: ``` !GetAtt logicalNameOfResource.attributeName ``` ## Parameters `logicalNameOfResource` The logical name (also called *logical ID*) of the resource that contains the attribute that you want. `attributeName` The name of the resource-specific attribute whose value you want. See the resource's reference page for details about the attributes available for that resource type. ## Return value The attribute value. For information about `GetAtt` return values for resources, see the documentation for the resources in the [Resource and property reference](aws-template-resource-type-ref.md). ## Examples ### Return an attribute value The following examples return a string containing the DNS name of the load balancer with the logical name `myELB`. #### JSON ``` "Fn::GetAtt" : [ "myELB" , "DNSName" ] ``` #### YAML ``` !GetAtt myELB.DNSName ``` #### Return multiple attribute values The following examples return the `SourceSecurityGroup.OwnerAlias` and `SourceSecurityGroup.GroupName` of the load balancer with the logical name `myELB`. ##### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "myELB": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "AvailabilityZones": [ "eu-west-1a" ], "Listeners": [ { "LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP" } ] } }, "myELBIngressGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "ELB ingress group", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "SourceSecurityGroupOwnerId": { "Fn::GetAtt": [ "myELB", "SourceSecurityGroup.OwnerAlias" ] }, "SourceSecurityGroupName": { "Fn::GetAtt": [ "myELB", "SourceSecurityGroup.GroupName" ] } } ] } } } } ``` ##### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: myELB: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - eu-west-1a Listeners: - LoadBalancerPort: '80' InstancePort: '80' Protocol: HTTP myELBIngressGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ELB ingress group SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupOwnerId: !GetAtt myELB.SourceSecurityGroup.OwnerAlias SourceSecurityGroupName: !GetAtt myELB.SourceSecurityGroup.GroupName ``` #### Use `Fn::Sub` inside `Fn::GetAtt` function **Note** When you use the `AWS::LanguageExtensions` transform, you can use `Fn::GetAtt` in combination with other intrinsic functions. For supported functions, see [Supported functions](#getatt-supported-functions). The following examples show how to use `Fn::GetAtt` with [`Fn::Sub`](intrinsic-function-reference-sub.md), in conjuction with [`Fn::ForEach`](intrinsic-function-reference-foreach.md), in the `Outputs` section of a template to reduce the template length and verbosity. The use of `Fn::Sub` within `Fn::GetAtt` allows the template to contain one intrinsic function that can reference a different bucket at every iteration of the `Fn::ForEach` call. ##### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Mappings": { "Buckets": { "Properties": { "Identifiers": ["A", "B", "C"] } } }, "Resources": { "Fn::ForEach::Buckets": [ "Identifier", {"Fn::FindInMap": ["Buckets", "Properties", "Identifiers"]}, { "S3Bucket${Identifier}": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "MetricsConfigurations": [ { "Id": {"Fn::Sub": "EntireBucket${Identifier}"} } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain" } } ] }, "Outputs": { "Fn::ForEach::BucketOutputs": [ "Identifier", {"Fn::FindInMap": ["Buckets", "Properties", "Identifiers"]}, { "Fn::ForEach::GetAttLoop": [ "Property", ["Arn", "DomainName", "WebsiteURL"], { "S3Bucket${Identifier}${Property}": { "Value": { "Fn::GetAtt": [{"Fn::Sub": "S3Bucket${Identifier}"}, {"Ref": "Property"}] } } } ] } ] } } ``` ##### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Mappings: Buckets: Properties: Identifiers: - A - B - C Resources: 'Fn::ForEach::Buckets': - Identifier - Fn::FindInMap: - Buckets - Properties - Identifiers - 'S3Bucket${Identifier}': Type: AWS::S3::Bucket Properties: AccessControl: PublicRead MetricsConfigurations: - Id: Fn::Sub: 'EntireBucket${Identifier}' WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain UpdateReplacePolicy: Retain Outputs: 'Fn::ForEach::BucketOutputs': - Identifier - Fn::FindInMap: - Buckets - Properties - Identifiers - 'Fn::ForEach::GetAttLoop': - Property - - Arn - DomainName - WebsiteURL - 'S3Bucket${Identifier}${Property}': Value: !GetAtt - !Sub 'S3Bucket${Identifier}' - !Ref Property ``` ## Supported functions When you use the [AWS::LanguageExtensions transform](transform-aws-languageextensions.md), you can use the following functions within the `Fn::GetAtt` function. This is true with either the `Fn::GetAtt` logical resource name or the `Fn::GetAtt` attribute name. + [`Fn::Base64`](intrinsic-function-reference-base64.md) + [`Fn::FindInMap`](intrinsic-function-reference-findinmap.md) + [`Fn::If`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-if) + [`Fn::Join`](intrinsic-function-reference-join.md) + [`Fn::Sub`](intrinsic-function-reference-sub.md) + [`Fn::ToJsonString`](intrinsic-function-reference-ToJsonString.md) + [`Ref`](intrinsic-function-reference-ref.md) When the `AWS::LanguageExtensions` transform is not used: + The `Fn::GetAtt` attribute name can only use the [`Ref`](intrinsic-function-reference-ref.md) function. + The `Fn::GetAtt` logical resource name can't use functions. You must specify a string that's a resource's logical ID. # `Fn::GetAZs` The intrinsic function `Fn::GetAZs` returns an array that lists Availability Zones for a specified Region in alphabetical order. Because customers have access to different Availability Zones, the intrinsic function `Fn::GetAZs` enables template authors to write templates that adapt to the calling user's access. That way you don't have to hard-code a full list of Availability Zones for a specified Region. **Important** The `Fn::GetAZs` function returns only Availability Zones that have a default subnet unless none of the Availability Zones has a default subnet; in that case, all Availability Zones are returned. Similarly to the response from the `describe-availability-zones` AWS CLI command, the order of the results from the `Fn::GetAZs` function isn't guaranteed and can change when new Availability Zones are added. IAM permissions The permissions that you need in order to use the `Fn::GetAZs` function depend on the platform in which you're launching Amazon EC2 instances. For both platforms, you need permissions to the Amazon EC2 `DescribeAvailabilityZones` and `DescribeAccountAttributes` actions. For EC2-VPC, you also need permissions to the Amazon EC2 `DescribeSubnets` action. ## Declaration ### JSON ``` { "Fn::GetAZs" : "region" } ``` ### YAML Syntax for the full function name: ``` Fn::GetAZs: region ``` Syntax for the short form: ``` !GetAZs region ``` ## Parameters region The name of the Region for which you want to get the Availability Zones. You can use the `AWS::Region` pseudo parameter to specify the Region in which the stack is created. Specifying an empty string is equivalent to specifying `AWS::Region`. ## Return value The list of Availability Zones for the Region. ## Examples ### Evaluate a Region For these examples, CloudFormation evaluates `Fn::GetAZs` to the following array—assuming that the user has created the stack in the `us-east-1` Region: `[ "us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d", "us-east-1e" ]` #### JSON ``` 1. { "Fn::GetAZs" : "" } 2. { "Fn::GetAZs" : { "Ref" : "AWS::Region" } } 3. { "Fn::GetAZs" : "us-east-1" } ``` #### YAML ``` 1. Fn::GetAZs: "" 2. Fn::GetAZs: 3. Ref: "AWS::Region" 4. Fn::GetAZs: us-east-1 ``` ### Specify a subnet's Availability Zone The following example uses `Fn::GetAZs` to specify a subnet's Availability Zone: #### JSON ``` "mySubnet" : { "Type" : "AWS::EC2::Subnet", "Properties" : { "VpcId" : { "Ref" : "VPC" }, "CidrBlock" : "10.0.0.0/24", "AvailabilityZone" : { "Fn::Select" : [ 0, { "Fn::GetAZs" : "" } ] } } } ``` #### YAML ``` mySubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.0.0/24 AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: "" ``` ### Nested functions with short form YAML The following examples show valid patterns for using nested intrinsic functions using short form YAML. You can't nest short form functions consecutively, so a pattern like `!GetAZs !Ref` isn't valid. #### YAML ``` 1. AvailabilityZone: !Select 2. - 0 3. - !GetAZs 4. Ref: 'AWS::Region' ``` #### YAML ``` 1. AvailabilityZone: !Select 2. - 0 3. - Fn::GetAZs: !Ref 'AWS::Region' ``` ## Supported functions You can use the `Ref` function in the `Fn::GetAZs` function. # `Fn::ImportValue` The intrinsic function `Fn::ImportValue` returns the value of an output exported by another stack. You typically use this function to create cross-stack references. For more information, see [Walkthrough: Refer to resource outputs in another CloudFormation stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-crossstackref.html) in the *AWS CloudFormation User Guide*. In the following example template snippets, Stack A exports VPC security group values and Stack B imports them. **Note** The following restrictions apply to cross-stack references: For each AWS account, `Export` names must be unique within a Region. You can't create cross-stack references across Regions. You can use the intrinsic function `Fn::ImportValue` to import only values that have been exported within the same Region. For outputs, the value of the `Name` property of an `Export` can't use `Ref` or `GetAtt` functions that depend on a resource. Similarly, the `ImportValue` function can't include `Ref` or `GetAtt` functions that depend on a resource. After another stack imports an output value, you can't delete the stack that is exporting the output value or modify the exported output value. All the imports must be removed before you can delete the exporting stack or modify the output value. ## JSON Stack A Export ``` "Outputs" : { "PublicSubnet" : { "Description" : "The subnet ID to use for public web servers", "Value" : { "Ref" : "PublicSubnet" }, "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SubnetID" }} }, "WebServerSecurityGroup" : { "Description" : "The security group ID to use for public web servers", "Value" : { "Fn::GetAtt" : ["WebServerSecurityGroup", "GroupId"] }, "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SecurityGroupID" }} } } ``` ## YAML Stack A Export ``` Outputs: PublicSubnet: Description: The subnet ID to use for public web servers Value: Ref: PublicSubnet Export: Name: 'Fn::Sub': '${AWS::StackName}-SubnetID' WebServerSecurityGroup: Description: The security group ID to use for public web servers Value: 'Fn::GetAtt': - WebServerSecurityGroup - GroupId Export: Name: 'Fn::Sub': '${AWS::StackName}-SecurityGroupID' ``` ## JSON Stack B Import ``` "Resources" : { "WebServerInstance" : { "Type" : "AWS::EC2::Instance", "Properties" : { "InstanceType" : "t2.micro", "ImageId" : "ami-a1b23456", "NetworkInterfaces" : [{ "GroupSet" : [{"Fn::ImportValue" : {"Fn::Sub" : "${NetworkStackNameParameter}-SecurityGroupID"}}], "AssociatePublicIpAddress" : "true", "DeviceIndex" : "0", "DeleteOnTermination" : "true", "SubnetId" : {"Fn::ImportValue" : {"Fn::Sub" : "${NetworkStackNameParameter}-SubnetID"}} }] } } } ``` ## YAML Stack B Import ``` Resources: WebServerInstance: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro ImageId: ami-a1b23456 NetworkInterfaces: - GroupSet: - Fn::ImportValue: 'Fn::Sub': '${NetworkStackNameParameter}-SecurityGroupID' AssociatePublicIpAddress: 'true' DeviceIndex: '0' DeleteOnTermination: 'true' SubnetId: Fn::ImportValue: 'Fn::Sub': '${NetworkStackNameParameter}-SubnetID' ``` ## Declaration ### JSON ``` { "Fn::ImportValue" : sharedValueToImport } ``` ### YAML You can use the full function name: ``` Fn::ImportValue: sharedValueToImport ``` Alternatively, you can use the short form: ``` !ImportValue sharedValueToImport ``` **Important** You can't use the short form of `!ImportValue` when it contains the short form of `!Sub`. ``` # do not use !ImportValue !Sub '${NetworkStack}-SubnetID' ``` Instead, you must use the full function name, for example: ``` Fn::ImportValue: !Sub "${NetworkStack}-SubnetID" ``` ## Parameters sharedValueToImport The stack output value that you want to import. ## Return value The stack output value. ## Example ### JSON ``` { "Fn::ImportValue" : {"Fn::Sub": "${NetworkStackNameParameter}-SubnetID" } } ``` ### YAML ``` Fn::ImportValue: !Sub "${NetworkStackName}-SecurityGroupID" ``` ## Supported functions You can use the following functions in the `Fn::ImportValue` function. The value of these functions can't depend on a resource. + `Fn::Base64` + `Fn::FindInMap` + `Fn::If` + `Fn::Join` + `Fn::Select` + `Fn::Sub` + `Ref` # `Fn::Join` The intrinsic function `Fn::Join` appends a set of values into a single value, separated by the specified delimiter. If a delimiter is the empty string, the set of values are concatenated with no delimiter. ## Declaration ### JSON ``` { "Fn::Join" : [ "delimiter", [ comma-delimited list of values ] ] } ``` ### YAML Syntax for the full function name: ``` Fn::Join: [ delimiter, [ comma-delimited list of values ] ] ``` Syntax for the short form: ``` !Join [ delimiter, [ comma-delimited list of values ] ] ``` ## Parameters delimiter The value you want to occur between fragments. The delimiter will occur between fragments only. It won't terminate the final value. ListOfValues The list of values you want combined. ## Return value The combined string. ## Examples ### Join a simple string array The following example returns: `"a:b:c"`. #### JSON ``` "Fn::Join" : [ ":", [ "a", "b", "c" ] ] ``` #### YAML ``` !Join [ ":", [ a, b, c ] ] ``` ### Join using the ref function with parameters The following example uses `Fn::Join` to construct a string value. It uses the `Ref` function with the `AWS::Partition` parameter and the `AWS::AccountId` pseudo parameter. #### JSON ``` { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::elasticbeanstalk-*-", { "Ref": "AWS::AccountId" } ] ] } ``` #### YAML ``` !Join - '' - - 'arn:' - !Ref AWS::Partition - ':s3:::elasticbeanstalk-*-' - !Ref AWS::AccountId ``` **Note** Also see the [`Fn::Sub`](intrinsic-function-reference-sub.md) function for similar functionality. ## Supported functions For the `Fn::Join` delimiter, you can't use any functions. You must specify a string value. For the `Fn::Join` list of values, you can use the following functions: + `Fn::Base64` + `Fn::FindInMap` + `Fn::GetAtt` + `Fn::GetAZs` + `Fn::If` + `Fn::ImportValue` + `Fn::Join` + `Fn::Split` + `Fn::Select` + `Fn::Sub` + `Ref` # `Fn::Length` The intrinsic function `Fn::Length` returns the number of elements within an array or an intrinsic function that returns an array. **Important** You must use the [`AWS::LanguageExtensions` transform](transform-aws-languageextensions.md) to use the `Fn::Length` intrinsic function. ## Declaration ### JSON ``` { "Fn::Length" : IntrinsicFunction } ``` ``` { "Fn::Length" : Array } ``` ### YAML ``` Fn::Length : IntrinsicFunction ``` ``` Fn::Length : Array ``` ## Parameters `IntrinsicFunction` The intrinsic function that returns an array that you want to return a number of elements from. `Array` The array you want to return the number of elements from. ## Return value The number of elements in the intrinsic function that returns an array or in the array passed to the intrinsic function. ## Examples ### Return the number of elements in an intrinsic function that returns an array This example snippet returns the number of elements in an intrinsic function that returns an array. The function returns 3. #### JSON ``` { //... "Transform": "AWS::LanguageExtensions" //... "Fn::Length" : { "Fn::Split": ["|", "a|b|c"] } //... } ``` #### YAML ``` Transform: 'AWS::LanguageExtensions' #... Fn::Length: !Split ["|", "a|b|c"] #... ``` ### Return the number of elements in a Ref intrinsic function that refers to a list parameter type This example snippet returns the number of elements in a `Ref` intrinsic function that refers to a list parameter type. If the parameter with the name `ListParameter` is a list with 3 elements, the function returns 3. #### JSON ``` { //... "Transform": "AWS::LanguageExtensions" //... "Fn::Length": { "Ref": "ListParameter" } //... } ``` #### YAML ``` Transform: 'AWS::LanguageExtensions' #... Fn::Length: !Ref ListParameter #... ``` ### Return the number of elements in an array This example snippet returns the number of elements in the array passed to the intrinsic function. The function returns 3. #### JSON ``` 1. { 2. //... 3. "Transform": "AWS::LanguageExtensions" 4. //... 5. "Fn::Length": [ 6. 1, 7. {"Ref": "ParameterName"}, 8. 3 9. ] 10. //... 11. } ``` #### YAML ``` Transform: 'AWS::LanguageExtensions' #... Fn::Length: - 1 - !Ref ParameterName - 3 #... ``` ## Supported functions You can use the following functions in the `Fn::Length` intrinsic function or array: + `Condition Functions` + `Fn::Base64` + `Fn::FindInMap` + `Fn::Join` + `Fn::Length` + `Fn::Select` + `Fn::Split` + `Fn::Sub` + `Fn::ToJsonString` + `Ref` # `Fn::Select` The intrinsic function `Fn::Select` returns a single object from a list of objects by index. **Important** `Fn::Select` doesn't check for null values or if the index is out of bounds of the array. Both conditions will result in a stack error, so you should be certain that the index you choose is valid, and that the list contains non-null values. ## Declaration ### JSON ``` { "Fn::Select" : [ index, listOfObjects ] } ``` ### YAML Syntax for the full function name: ``` Fn::Select: [ index, listOfObjects ] ``` Syntax for the short form: ``` !Select [ index, listOfObjects ] ``` ## Parameters index The index of the object to retrieve. This must be a value from zero to N-1, where N represents the number of elements in the array. listOfObjects The list of objects to select from. This list must not be null, nor can it have null entries. ## Return value The selected object. ## Examples ### Basic example The following example returns: `"grapes"`. #### JSON ``` { "Fn::Select" : [ "1", [ "apples", "grapes", "oranges", "mangoes" ] ] } ``` #### YAML ``` !Select [ "1", [ "apples", "grapes", "oranges", "mangoes" ] ] ``` ### Comma-delimited list parameter type You can use `Fn::Select` to select an object from a `CommaDelimitedList` parameter. You might use a `CommaDelimitedList` parameter to combine the values of related parameters, which reduces the total number of parameters in your template. For example, the following parameter specifies a comma-delimited list of three CIDR blocks: #### JSON ``` "Parameters" : { "DbSubnetIpBlocks": { "Description": "Comma-delimited list of three CIDR blocks", "Type": "CommaDelimitedList", "Default": "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24" } } ``` #### YAML ``` Parameters: DbSubnetIpBlocks: Description: "Comma-delimited list of three CIDR blocks" Type: CommaDelimitedList Default: "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24" ``` To specify one of the three CIDR blocks, use `Fn::Select` in the Resources section of the same template, as shown in the following sample snippet: #### JSON ``` "Subnet0": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "VPC" }, "CidrBlock": { "Fn::Select" : [ "0", {"Ref": "DbSubnetIpBlocks"} ] } } } ``` #### YAML ``` Subnet0: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [ 0, !Ref DbSubnetIpBlocks ] ``` ### Nested functions with short form YAML The following examples show valid patterns for using nested intrinsic functions with the `!Select` short form. You can't nest short form functions consecutively, so a pattern like `!GetAZs !Ref` isn't valid. #### YAML ``` AvailabilityZone: !Select - 0 - !GetAZs Ref: 'AWS::Region' ``` #### YAML ``` AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref 'AWS::Region' ``` ## Supported functions For the `Fn::Select` index value, you can use the `Ref` and `Fn::FindInMap` functions. For the `Fn::Select` list of objects, you can use the following functions: + `Fn::FindInMap` + `Fn::GetAtt` + `Fn::GetAZs` + `Fn::If` + `Fn::Split` + `Ref` # `Fn::Split` To split a string into a list of string values so that you can select an element from the resulting string list, use the `Fn::Split` intrinsic function. Specify the location of splits with a delimiter, such as `,` (a comma). After you split a string, use the [`Fn::Select`](intrinsic-function-reference-select.md) function to pick a specific element. For example, if a comma-delimited string of subnet IDs is imported to your stack template, you can split the string at each comma. From the list of subnet IDs, use the `Fn::Select` intrinsic function to specify a subnet ID for a resource. ## Declaration ### JSON ``` { "Fn::Split" : [ "delimiter", "source string" ] } ``` ### YAML Syntax for the full function name: ``` Fn::Split: [ delimiter, source string ] ``` Syntax for the short form: ``` !Split [ delimiter, source string ] ``` ## Parameters You must specify both parameters. delimiter A string value that determines where the source string is divided. source string The string value that you want to split. ## Return value A list of string values. ## Examples The following examples demonstrate the behavior of the `Fn::Split` function. ### Simple list The following example splits a string at each vertical bar (`|`). The function returns `["a", "b", "c"]`. #### JSON ``` { "Fn::Split" : [ "|" , "a|b|c" ] } ``` #### YAML ``` !Split [ "|" , "a|b|c" ] ``` ### List with empty string values If you split a string with consecutive delimiters, the resulting list will include an empty string. The following example shows how a string with two consecutive delimiters and an appended delimiter is split. The function returns `["a", "", "c", ""]`. #### JSON ``` { "Fn::Split" : [ "|" , "a||c|" ] } ``` #### YAML ``` !Split [ "|" , "a||c|" ] ``` ### Split an imported output value The following example splits an imported output value, and then selects the third element from the resulting list of subnet IDs, as specified by the `Fn::Select` function. #### JSON ``` { "Fn::Select" : [ "2", { "Fn::Split": [",", {"Fn::ImportValue": "AccountSubnetIDs"}]}] } ``` #### YAML ``` !Select [2, !Split [",", !ImportValue AccountSubnetIDs]] ``` ## Supported functions For the `Fn::Split` delimiter, you can't use any functions. You must specify a string value. For the `Fn::Split` list of values, you can use the following functions: + `Fn::Base64` + `Fn::FindInMap` + `Fn::GetAtt` + `Fn::GetAZs` + `Fn::If` + `Fn::ImportValue` + `Fn::Join` + `Fn::Select` + `Fn::Sub` + `Ref` # `Fn::Sub` The intrinsic function `Fn::Sub` substitutes variables in an input string with values that you specify. In your templates, you can use this function to construct commands or outputs that include values that aren't available until you create or update a stack. ## Declaration The following sections show the function's syntax. ### JSON ``` { "Fn::Sub" : [ String, { Var1Name: Var1Value, Var2Name: Var2Value } ] } ``` If you're substituting only template parameters, resource logical IDs, or resource attributes in the `String` parameter, don't specify a variable map. ``` { "Fn::Sub" : String } ``` ### YAML Syntax for the full function name: ``` Fn::Sub: - String - Var1Name: Var1Value Var2Name: Var2Value ``` Syntax for the short form: ``` !Sub - String - Var1Name: Var1Value Var2Name: Var2Value ``` If you're substituting only template parameters, resource logical IDs, or resource attributes in the `String` parameter, don't specify a variable map. Syntax for the full function name: ``` Fn::Sub: String ``` Syntax for the short form: ``` !Sub String ``` ## Parameters `String` A string with variables that CloudFormation substitutes with their associated values at runtime. Write variables as `${MyVarName}`. Variables can be template parameter names, resource logical IDs, resource attributes, or a variable in a key-value map. If you specify only template parameter names, resource logical IDs, and resource attributes, don't specify a key-value map. If you specify template parameter names or resource logical IDs, such as `${InstanceTypeParameter}`, CloudFormation returns the same values as if you used the `Ref` intrinsic function. If you specify resource attributes, such as `${MyInstance.PublicIp}`, CloudFormation returns the same values as if you used the `Fn::GetAtt` intrinsic function. To write a dollar sign and curly braces (`${}`) literally, add an exclamation point (`!`) after the open curly brace, such as `${!Literal}`. CloudFormation resolves this text as `${Literal}`. If you're using a launch template, add a backslash `\` before the dollar sign, such as `\${!Literal}`, otherwise the literal will resolve as an empty string. `VarName` The name of a variable that you included in the `String` parameter. `VarValue` The value that CloudFormation substitutes for the associated variable name at runtime. ## Return value CloudFormation returns the original string, substituting the values for all the variables. ## Examples The following examples demonstrate how to use the `Fn::Sub` function. ### Use `Fn::Sub` without a key-value map In this simple example, the `InstanceSecurityGroup` resource's description is dynamically created with the `AWS::StackName` pseudo parameter. For instance, if the stack name is "VPC-EC2-ALB-Stack", the resulting description is "SSH security group for VPC-EC2-ALB-Stack". #### JSON ``` "InstanceSecurityGroup" : { "Type" : "AWS::EC2::SecurityGroup", "Properties" : { "GroupDescription" : {"Fn::Sub": "SSH security group for ${AWS::StackName}"} }} ``` #### YAML ``` InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: !Sub "SSH security group for ${AWS::StackName}" ``` ### Use `Fn::Sub` with a key-value map In this example, the `WWWBucket` resource's name is dynamically created with a key-value map. The `Fn::Sub` function substitutes `${Domain}` in the input string `www.${Domain}` with the value from a `Ref` function that references the `RootDomainName` parameter that's defined within the same stack template. For instance, if the root domain name is "mydomain.com", the resulting name for this resource is "www.mydomain.com". #### JSON ``` "WWWBucket":{ "Type":"AWS::S3::Bucket", "Properties":{ "BucketName":{ "Fn::Sub":[ "www.${Domain}", { "Domain":{ "Ref":"RootDomainName" } } ] } } } ``` #### YAML ``` WWWBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub - 'www.${Domain}' - Domain: !Ref RootDomainName ``` ### Use multiple variables to construct ARNs The following example uses `Fn::Sub` with the `AWS::Region` and `AWS::AccountId` pseudo parameters and the `vpc` resource logical ID to create an Amazon Resource Name (ARN) for a VPC. #### JSON ``` { "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}" } ``` #### YAML ``` !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}' ``` ### Pass parameter values in user data scripts The following example uses `Fn::Sub` to substitute the `AWS::StackName` and `AWS::Region` pseudo parameters for the actual stack name and Region at runtime. #### JSON For readability, the JSON example uses the `Fn::Join` function to separate each command, instead of specifying the entire user data script in a single string value. ``` "UserData": { "Fn::Base64": { "Fn::Join": ["\n", [ "#!/bin/bash -xe", "yum update -y aws-cfn-bootstrap", { "Fn::Sub": "/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --configsets wordpress_install --region ${AWS::Region}" }, { "Fn::Sub": "/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}" }]] }} ``` #### YAML The YAML example uses a literal block to specify the user data script. ``` UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum update -y aws-cfn-bootstrap /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --configsets wordpress_install --region ${AWS::Region} /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region} ``` ### Specify conditional values using mappings In this example, the `myLogGroup` resource's name is dynamically created by substituting the `log_group_name` variable with the resulting value from the `Fn::FindInMap` function. #### JSON ``` { "Mappings": { "LogGroupMapping": { "Test": { "Name": "test_log_group" }, "Prod": { "Name": "prod_log_group" } } }, "Resources": { "myLogGroup": { "Type": "AWS::Logs::LogGroup", "Properties": { "LogGroupName": { "Fn::Sub": [ "cloud_watch_${log_group_name}", { "log_group_name": { "Fn::FindInMap": [ "LogGroupMapping", "Test", "Name" ] } } ] } } } } } ``` #### YAML ``` Mappings: LogGroupMapping: Test: Name: test_log_group Prod: Name: prod_log_group Resources: myLogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: !Sub - 'cloud_watch_${log_group_name}' - log_group_name: !FindInMap - LogGroupMapping - Test - Name ``` ## Supported functions For the `String` parameter, you can't use any functions. You must specify a string value. For the `VarName` and `VarValue` parameters, you can use the following functions: + [`Fn::Base64`](intrinsic-function-reference-base64.md) + [`Fn::FindInMap`](intrinsic-function-reference-findinmap.md) + [`Fn::GetAtt`](intrinsic-function-reference-getatt.md) + [`Fn::GetAZs`](intrinsic-function-reference-getavailabilityzones.md) + [`Fn::If`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-if) + [`Fn::ImportValue`](intrinsic-function-reference-importvalue.md) + [`Fn::Join`](intrinsic-function-reference-join.md) + [`Fn::Select`](intrinsic-function-reference-select.md) + [`Fn::Sub`](#intrinsic-function-reference-sub) + [`Ref`](intrinsic-function-reference-ref.md) # `Fn::ToJsonString` The `Fn::ToJsonString` intrinsic function converts an object or array to its corresponding JSON string. **Important** You must use the [`AWS::LanguageExtensions` transform](transform-aws-languageextensions.md) to use the `Fn::ToJsonString` intrinsic function. ## Declaration ### JSON ``` { "Fn::ToJsonString": Object } ``` ``` { "Fn::ToJsonString": Array } ``` ### YAML ``` Fn::ToJsonString: Object ``` ``` Fn::ToJsonString: Array ``` ## Parameters `Object` The object you want to convert to a JSON string. `Array` The array you want to convert to a JSON string. ## Return value The object or array converted to a JSON string. ## Examples ### Convert an object to a JSON string This example snippet converts the object passed to the intrinsic function to a JSON string. #### JSON ``` { //... "Transform": "AWS::LanguageExtensions" //... "Fn::ToJsonString": { "key1": "value1", "key2": { "Ref": "ParameterName" } } //... } ``` #### YAML ``` Transform: 'AWS::LanguageExtensions' #... Fn::ToJsonString: key1: value1 key2: !Ref ParameterName #... ``` In both of these examples, if the `Ref` to `ParameterName` resolves to `resolvedValue`, the function resolves to the following JSON string: ``` "{\"key1\":\"value1\",\"key2\":\"resolvedValue\"}" ``` ### Convert an array to a JSON string This example snippet converts the array passed to the intrinsic function to a JSON string. #### JSON ``` { //... "Transform": "AWS::LanguageExtensions" //... "Fn::ToJsonString": [{ "key1": "value1", "key2": { "Ref": "ParameterName" } }] //... } ``` #### YAML ``` Transform: 'AWS::LanguageExtensions' #... Fn::ToJsonString: - key1: value1 key2: !Ref ParameterName #... ``` In both of these examples, if the `Ref` to `ParameterName` resolves to `resolvedValue`, the function resolves to the following JSON String: ``` "[{\"key1\":\"value1\"},{\"key2\":\"resolvedValue\"}]" ``` ## Supported functions You can use the following functions in the `Fn::ToJsonString` intrinsic function or array: + `Fn::Base64` + `Fn::FindInMap` + `Fn::GetAtt` + `Fn::GetAZs` + `Fn::If` + `Fn::ImportValue` + `Fn::Join` + `Fn::Length` + `Fn::Select` + `Fn::Split` + `Fn::Sub` + `Fn::ToJsonString` + `Ref` # `Fn::Transform` The intrinsic function `Fn::Transform` specifies a macro to perform custom processing on part of a stack template. Macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to extensive transformations of entire templates. For more information, see [Using CloudFormation macros to perform custom processing on templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html) in the *AWS CloudFormation User Guide*. You can also use `Fn::Transform` to call the [`AWS::Include` transform](transform-aws-include.md) transform, which is a macro hosted by CloudFormation. ## Declaration ### JSON Syntax for the full function name: ``` { "Fn::Transform": { "Name": "macro name", "Parameters": { "Key": "value" } } } ``` Syntax for the short form: ``` { "Transform": { "Name": "macro name", "Parameters": { "Key": "value" } } } ``` ### YAML Syntax for the full function name: ``` Fn::Transform: Name : macro name Parameters : Key : value ``` Syntax for the short form: ``` !Transform Name: macro name Parameters: Key: value ``` ## Parameters `Name` The name of the macro you want to perform the processing. `Parameters` The list parameters, specified as key-value pairs, to pass to the macro. ## Return value The processed template snippet to be included in the processed stack template. ## Examples The following example calls the `AWS::Include` transform, specifying that the location to retrieve a template snippet from is passed in the `InputValue` parameter. ### JSON ``` { "Fn::Transform": { "Name": "AWS::Include", "Parameters": { "Location": { "Ref": "InputValue" } } } } ``` ### YAML ``` Fn::Transform: Name: AWS::Include Parameters: Location: !Ref InputValue ``` ## Supported functions None. CloudFormation passes any intrinsic function calls included in `Fn::Transform` to the specified macro as literal strings. # `Ref` The intrinsic function `Ref` returns the value of a specified parameter, resource, or another intrinsic function. This function is commonly used to create references between resources within a CloudFormation template. ## Declaration ### JSON ``` { "Ref" : "logicalName" } ``` ``` { "Ref" : "IntrinsicFunction" } ``` ### YAML Syntax for the full function name: ``` Ref: logicalName ``` ``` Ref: IntrinsicFunction ``` Syntax for the short form: ``` !Ref logicalName ``` ``` !Ref IntrinsicFunction ``` ## Parameters logicalName The logical name of the resource or parameter you want to reference. IntrinsicFunction The intrinsic function that resolves to a valid string. It should contain references to parameters or identifiers, and should not contain resource logical identifiers. ## Return value The return value of `Ref` depends on the type of entity being referenced: + When you specify a parameter's logical name, it returns the value of the parameter. For more information, see [CloudFormation template Parameters syntax](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html). + When you specify a resource's logical name, it returns a value that you use to identify that resource. Usually, that's the name of the resource. However, for some resources, an identifier is returned that has another significant meaning in the context of the resource. For example, the `AWS::EC2::EIP` resource returns the IP address, and the `AWS::EC2::Instance` returns the instance ID. For more information about `Ref` return values for a resource, see the documentation for that resource in the [Resource and property reference](aws-template-resource-type-ref.md). + When you specify an intrinsic function, it returns the output of that function. ## Examples ### Create references between resources The following resource declaration for an Elastic IP address needs the instance ID of an EC2 instance. It uses the `Ref` function to specify the instance ID of the `MyEC2Instance` resource declared elsewhere in the template. #### JSON ``` { "AWSTemplateFormatVersion":"2010-09-09", "Resources":{ ... "MyEIP":{ "Type":"AWS::EC2::EIP", "Properties":{ "InstanceId":{ "Ref":"MyEC2Instance" } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: ... MyEIP: Type: AWS::EC2::EIP Properties: InstanceId: !Ref MyEC2Instance ``` ### Return a resource identifier as stack output The following examples show how to use the `Ref` function to return the name of an Amazon S3 bucket with the logical name `MyBucket` as stack output. #### JSON ``` { "AWSTemplateFormatVersion":"2010-09-09", "Resources":{ "MyBucket":{ "Type":"AWS::S3::Bucket", "Properties":{ "BucketName":{ "Fn::Sub": "${AWS::StackName}-mybucket" } } } }, "Outputs":{ "BucketNameOutput":{ "Description":"The name of the S3 bucket", "Value":{ "Ref":"MyBucket" } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: MyBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub ${AWS::StackName}-mybucket Outputs: BucketNameOutput: Description: The name of the S3 bucket Value: !Ref MyBucket ``` ### Use `Fn::Join` intrinsic function inside `Ref` function **Note** When you use the `AWS::LanguageExtensions` transform, you can use `Ref` in combination with other intrinsic functions. For supported functions, see [Supported functions](#ref-supported-functions). The following examples show how to set identifiers of resources using the `Fn::Sub` intrinsic function, conditions, and the input for the `Stage` parameter. The `Ref` and the `Fn::GetAtt` functions then reference the appropriate values, based on the stage. `Fn::Sub` is first used with `Fn::GetAtt` to obtain the ARN of the appropriate Amazon SQS queue to set the dimensions of the Amazon CloudWatch alarm. Next, [`Fn::Join`](intrinsic-function-reference-join.md) is used with `Ref` to create the name of the SNS topic for the `AlarmActions` property. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Parameters": { "Stage": { "Type": "String", "Default": "Dev", "AllowedValues": [ "Dev", "Prod" ] } }, "Conditions": { "isProd": { "Fn::Equals": [ {"Ref": "Stage"}, "Prod" ] }, "isDev": { "Fn::Equals": [ {"Ref": "Stage"}, "Dev" ] } }, "Resources": { "DevQueue": { "Type": "AWS::SQS::Queue", "Condition": "isDev", "Properties": { "QueueName": {"Fn::Sub": "My${Stage}Queue"} } }, "ProdQueue": { "Type": "AWS::SQS::Queue", "Condition": "isProd", "Properties": { "QueueName": {"Fn::Sub": "My${Stage}Queue"} } }, "DevTopic": { "Condition": "isDev", "Type": "AWS::SNS::Topic" }, "ProdTopic": { "Condition": "isProd", "Type": "AWS::SNS::Topic" }, "MyAlarm": { "Type": "AWS::CloudWatch::Alarm", "Properties": { "AlarmDescription": "Alarm if queue depth grows beyond 10 messages", "Namespace": "AWS/SQS", "MetricName": "ApproximateNumberOfMessagesVisible", "Dimensions":[ { "Name": {"Fn::Sub": "${Stage}Queue"}, "Value": {"Fn::GetAtt": [{"Fn::Sub": "${Stage}Queue"}, "QueueName"]} } ], "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 10, "ComparisonOperator": "GreaterThanThreshold", "AlarmActions": [ { "Ref": {"Fn::Join": ["", [{"Ref": "Stage"}, "Topic"]]} } ] } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Transform: AWS::LanguageExtensions Parameters: Stage: Type: String Default: Dev AllowedValues: - Dev - Prod Conditions: isProd: !Equals - !Ref Stage - Prod isDev: !Equals - !Ref Stage - Dev Resources: DevQueue: Type: AWS::SQS::Queue Condition: isDev Properties: QueueName: !Sub My${Stage}Queue ProdQueu: Type: AWS::SQS::Queue Condition: isProd Properties: QueueName: !Sub My${Stage}Queue DevTopic: Condition: isDev Type: AWS::SNS::Topic ProdTopic: Condition: isProd Type: AWS::SNS::Topic MyAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Alarm if queue depth grows beyond 10 messages Namespace: AWS/SQS MetricName: ApproximateNumberOfMessagesVisible Dimensions: - Name: !Sub '${Stage}Queue' Value: !GetAtt - !Sub '${Stage}Queue' - QueueName Statistic: Sum Period: 300 EvaluationPeriods: 1 Threshold: 10 ComparisonOperator: GreaterThanThreshold AlarmActions: - !Ref 'Fn::Join': - '' - - !Ref Stage - Topic ``` ## Supported functions When you use the [AWS::LanguageExtensions transform](transform-aws-languageextensions.md), you can use the following functions within the `Ref` function. + [`Fn::Base64`](intrinsic-function-reference-base64.md) + [`Fn::FindInMap`](intrinsic-function-reference-findinmap.md) + [`Fn::If`](intrinsic-function-reference-conditions.md#intrinsic-function-reference-conditions-if) + [`Fn::ImportValue`](intrinsic-function-reference-importvalue.md) + [`Fn::Join`](intrinsic-function-reference-join.md) + [`Fn::Sub`](intrinsic-function-reference-sub.md) + [`Fn::ToJsonString`](intrinsic-function-reference-ToJsonString.md) + `Ref` # Rule functions Rule functions are special functions that work only in the `Rules` section of a CloudFormation template. These functions help you validate parameter values using custom logic. All validations occur before CloudFormation creates or updates any resources. Rules are useful when standard parameter constraints are insufficient. For example, when SSL is enabled, both a certificate and domain name must be provided. A rule can ensure that these dependencies are met. In the condition or assertions of a rule, you can use intrinsic functions, such as `Fn::Equals`, `Fn::Not`, and `Fn::RefAll`. The condition property determines if CloudFormation applies the assertions. If the condition evaluates to `true`, CloudFormation evaluates the assertions to verify whether a parameter value is valid when a stack is created or updated. If a parameter value isn't valid, CloudFormation doesn't create or update the stack. If the condition evaluates to `false`, CloudFormation doesn't check the parameter value and proceeds with the stack operation. If you're new to using rules in your templates, we recommend you first review the [CloudFormation template Rules syntax](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/rules-section-structure.html) topic in the *AWS CloudFormation User Guide*. **Topics** + [ ## `Fn::And` ](#fn-and) + [ ## `Fn::Contains` ](#fn-contains) + [ ## `Fn::EachMemberEquals` ](#fn-eachmemberequals) + [ ## `Fn::EachMemberIn` ](#fn-eachmemberin) + [ ## `Fn::Equals` ](#fn-equals) + [ ## `Fn::Not` ](#fn-not) + [ ## `Fn::Or` ](#fn-or) + [ ## `Fn::RefAll` ](#fn-refall) + [ ## `Fn::ValueOf` ](#fn-valueof) + [ ## `Fn::ValueOfAll` ](#fn-valueofall) + [ ## Supported functions ](#supported-rule-functions) + [ ## Supported attributes ](#rules-parameter-attributes) ## `Fn::And` Returns `true` if all the specified conditions evaluate to `true`; returns `false` if any one of the conditions evaluates to `false`. `Fn::And` acts as an AND operator. The minimum number of conditions that you can include is two, and the maximum is ten. ### Declaration ``` "Fn::And" : [{condition}, {...}] ``` ### Parameters *condition* A rule-specific intrinsic function that evaluates to `true` or `false`. ### Example The following example evaluates to `true` if the referenced security group name is equal to `sg-mysggroup` and if the `InstanceType` parameter value is either `t3.large` or `t3.small`: ``` "Fn::And": [ { "Fn::Equals": [ "sg-mysggroup", {"Ref": "ASecurityGroup"} ] }, { "Fn::Contains": [ [ "t3.large", "t3.small" ], {"Ref": "InstanceType"} ] } ] ``` ## `Fn::Contains` Returns `true` if a specified string matches at least one value in a list of strings. ### Declaration ``` "Fn::Contains" : [[list_of_strings], string] ``` ### Parameters *list\$1of\$1strings* A list of strings, such as `"A", "B", "C"`. *string* A string, such as `"A"`, that you want to compare against a list of strings. ### Example The following function evaluates to `true` if the `InstanceType` parameter value is contained in the list (`t3.large` or `t3.small`): ``` "Fn::Contains" : [ ["t3.large", "t3.small"], {"Ref" : "InstanceType"} ] ``` ## `Fn::EachMemberEquals` Returns `true` if a specified string matches all values in a list. ### Declaration ``` "Fn::EachMemberEquals" : [[list_of_strings], string] ``` ### Parameters *list\$1of\$1strings* A list of strings, such as `"A", "B", "C"`. *string* A string, such as `"A"`, that you want to compare against a list of strings. ### Example The following function returns `true` if the `Department` tag for all parameters of type `AWS::EC2::VPC::Id` have a value of `IT`: ``` "Fn::EachMemberEquals" : [ {"Fn::ValueOfAll" : ["AWS::EC2::VPC::Id", "Tags.Department"]}, "IT" ] ``` ## `Fn::EachMemberIn` Returns `true` if each member in a list of strings matches at least one value in a second list of strings. ### Declaration ``` "Fn::EachMemberIn" : [[strings_to_check], [strings_to_match]] ``` ### Parameters *strings\$1to\$1check* A list of strings, such as `"A", "B", "C"`. CloudFormation checks whether each member in the `strings_to_check` parameter is in the `strings_to_match` parameter. *strings\$1to\$1match* A list of strings, such as `"A", "B", "C"`. Each member in the `strings_to_match` parameter is compared against the members of the `strings_to_check` parameter. ### Example The following function checks whether users specify a subnet that's in a valid virtual private cloud (VPC). The VPC must be in the account and the Region in which users are working with the stack. The function applies to all parameters of type `AWS::EC2::Subnet::Id`. ``` "Fn::EachMemberIn" : [ {"Fn::ValueOfAll" : ["AWS::EC2::Subnet::Id", "VpcId"]}, {"Fn::RefAll" : "AWS::EC2::VPC::Id"} ] ``` ## `Fn::Equals` Compares two values to determine whether they're equal. Returns `true` if the two values are equal and `false` if they aren't. ### Declaration ``` "Fn::Equals" : ["value_1", "value_2"] ``` ### Parameters *`value`* A value of any type that you want to compare with another value. ### Example The following example evaluates to `true` if the value for the `EnvironmentType` parameter is equal to `prod`: ``` "Fn::Equals" : [{"Ref" : "EnvironmentType"}, "prod"] ``` ## `Fn::Not` Returns `true` for a condition that evaluates to `false`, and returns `false` for a condition that evaluates to `true`. `Fn::Not` acts as a NOT operator. ### Declaration ``` "Fn::Not" : [{condition}] ``` ### Parameters *`condition`* A rule-specific intrinsic function that evaluates to `true` or `false`. ### Example The following example evaluates to `true` if the value for the `EnvironmentType` parameter isn't equal to `prod`: ``` "Fn::Not" : [{"Fn::Equals" : [{"Ref" : "EnvironmentType"}, "prod"]}] ``` ## `Fn::Or` Returns `true` if any one of the specified conditions evaluates to `true`; returns `false` if all the conditions evaluate to `false`. `Fn::Or` acts as an OR operator. The minimum number of conditions that you can include is two, and the maximum is ten. ### Declaration ``` "Fn::Or" : [{condition}, {...}] ``` ### Parameters *`condition`* A rule-specific intrinsic function that evaluates to `true` or `false`. ### Example The following example evaluates to `true` if the referenced security group name is equal to `sg-mysggroup` or if the `InstanceType` parameter value is either `t3.large` or `t3.small`: ``` "Fn::Or" : [ {"Fn::Equals" : ["sg-mysggroup", {"Ref" : "ASecurityGroup"}]}, {"Fn::Contains" : [["t3.large", "t3.small"], {"Ref" : "InstanceType"}]} ] ``` ## `Fn::RefAll` Returns all values for a specified parameter type. ### Declaration ``` "Fn::RefAll" : "parameter_type" ``` ### Parameters *parameter\$1type* An AWS-specific parameter type, such as `AWS::EC2::SecurityGroup::Id` or `AWS::EC2::VPC::Id`. For more information, see [Supported AWS-specific parameter types](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-supplied-parameter-types.html#aws-specific-parameter-types-supported) in the *AWS CloudFormation User Guide*. ### Example The following function returns a list of all VPC IDs for the Region and AWS account in which the stack is being created or updated: ``` "Fn::RefAll" : "AWS::EC2::VPC::Id" ``` ## `Fn::ValueOf` Returns an attribute value or list of values for a specific parameter and attribute. ### Declaration ``` "Fn::ValueOf" : [ "parameter_logical_id", "attribute" ] ``` ### Parameters *attribute* The name of an attribute to retrieve a value from. For more information about attributes, see [Supported attributes](#rules-parameter-attributes). *parameter\$1logical\$1id* The name of a parameter to retrieve attribute values from. The parameter must be declared in the `Parameters` section of the template. ### Examples The following example returns the value of the `Department` tag for the VPC that's specified by the `ElbVpc` parameter: ``` "Fn::ValueOf" : ["ElbVpc", "Tags.Department"] ``` If you specify multiple values for a parameter, the Fn::ValueOf function can return a list. For example, you can specify multiple subnets and get a list of Availability Zones where each member is the Availability Zone of a particular subnet: ``` "Fn::ValueOf" : ["ListOfElbSubnets", "AvailabilityZone"] ``` ## `Fn::ValueOfAll` Returns a list of all attribute values for a given parameter type and attribute. ### Declaration ``` "Fn::ValueOfAll" : ["parameter_type", "attribute"] ``` ### Parameters *attribute* The name of an attribute from which you want to retrieve a value. For more information about attributes, see [Supported attributes](#rules-parameter-attributes). *parameter\$1type* An AWS-specific parameter type, such as `AWS::EC2::SecurityGroup::Id` or `AWS::EC2::VPC::Id`. For more information, see [Supported AWS-specific parameter types](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-supplied-parameter-types.html#aws-specific-parameter-types-supported) in the *AWS CloudFormation User Guide*. ### Example In the following example, the `Fn::ValueOfAll` function returns a list of values, where each member is the `Department` tag value for VPCs with that tag: ``` "Fn::ValueOfAll" : ["AWS::EC2::VPC::Id", "Tags.Department"] ``` ## Supported functions You can't use another function within the `Fn::ValueOf` and `Fn::ValueOfAll` functions. However, you can use the following functions within all other rule-specific intrinsic functions: + `Ref` + Other rule-specific intrinsic functions ## Supported attributes The following list describes the attribute values that you can retrieve for specific resources and parameter types: The `AWS::EC2::VPC::Id` parameter type or VPC IDs. + DefaultNetworkAcl + DefaultSecurityGroup + Tags.*tag\$1key* The `AWS::EC2::Subnet::Id` parameter type or subnet IDs, + AvailabilityZone + Tags.*tag\$1key* + VpcId The `AWS::EC2::SecurityGroup::Id` parameter type or security group IDs. + Tags.*tag\$1key*