

# Generate templates from existing resources with IaC generator
<a name="generate-IaC"></a>

With the CloudFormation infrastructure as code generator (IaC generator), you can generate a template using AWS resources provisioned in your account that are not already managed by CloudFormation. 

The following are benefits of the IaC generator:
+ Bring entire applications under CloudFormation management or migrate them into an AWS CDK app.
+ Generate templates without having to describe a resource property by property and then translate that into JSON or YAML syntax.
+ Use the template to replicate resources in a new account or Region.

The IaC generation process consists of the following steps:

1. **Scan resources** – The first step is to start a scan of your resources. This scan is region-wide and expires after 30 days. During this time, you can create multiple templates from the same scan.

1. **Create your template** – To create the template, you have two options:
   + Create a new template from scratch and add the scanned resources and related resources to it.
   + Use an existing CloudFormation stack as a starting point and add the scanned resources and related resources to its template.

1. **Import resources** – Use your template to import the resources as a CloudFormation stack or migrate them into an AWS CDK app.

The IaC generator feature is available in all commercial Regions and supports many common AWS resource types. For a full list of supported resources, see [Resource type support](resource-import-supported-resources.md).

**Topics**
+ [Considerations](#iac-generator-considerations)
+ [IAM permissions required for scanning resources](#iac-generator-permissions)
+ [Commonly used commands for template generation, management, and deletion](#iac-generator-commonly-used-commands)
+ [Migrate a template to the AWS CDK](#iac-generator-cdk-migrate)
+ [Start a resource scan with CloudFormation IaC generator](iac-generator-start-resource-scan.md)
+ [View the scan summary in the CloudFormation console](generate-IaC-view-scan-summary.md)
+ [Create a CloudFormation template from resources scanned with IaC generator](iac-generator-create-template-from-scanned-resources.md)
+ [Create a CloudFormation stack from scanned resources](iac-generator-create-stack-from-scanned-resources.md)
+ [Resolve write-only properties](generate-IaC-write-only-properties.md)

## Considerations
<a name="iac-generator-considerations"></a>

You can generate JSON or YAML templates for AWS resources that you have read access to. The IaC generator models cloud resources reliably and quickly, without you having to describe a resource property by property.

The following table lists the quotas available for the IaC generation feature.


| Name | Full scan | Partial scan | 
| --- | --- | --- | 
|  Maximum number of resources that can be processed in a scan  |  100,000  |  100,000  | 
|  Number of scans per day (for scans with less than 10,000 resources)  |  10  |  10  | 
|  Number of scans per day (for scans with more than 10,000 resources)  |  1  |  1  | 
|  Concurrent number of templates generating per account  |  5  |  5  | 
|  Concurrent number of resources modeled for one template generation  |  5  |  5  | 
|  Total number of resources that can be modeled in one template  |  500  |  500  | 
|  Maximum number of generated templates per account  |  1,000  |  1,000  | 

**Important**  
IaC generator only supports AWS resources that are supported by Cloud Control API in your Region. For more information, see [Resource type support](resource-import-supported-resources.md).

## IAM permissions required for scanning resources
<a name="iac-generator-permissions"></a>

To scan resources with IaC generator, your IAM principal (user, role, or group) must have:
+ CloudFormation scanning permissions
+ Read permissions for target AWS services

The scan scope is limited to resources you have read access to. Missing permissions won't cause scan failure but will exclude those resources.

For an example IAM policy that grants scanning and template management permissions, see [Allow all IaC generator operations](security_iam_id-based-policy-examples.md#iam-policy-example-for-iac-generator).

## Commonly used commands for template generation, management, and deletion
<a name="iac-generator-commonly-used-commands"></a>

The commonly used commands for working with IaC generator include: 
+ [start-resource-scan](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/start-resource-scan.html) to start a scan of the resources in the account in an AWS Region. 
+ [describe-resource-scan](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-resource-scan.html) to monitor the progress of a resource scan. 
+ [list-resource-scans](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-resource-scans.html) to list the resource scans in an AWS Region.
+ [list-resource-scan-resources](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-resource-scan-resources.html) to list the resources found during the resource scan.
+ [list-resource-scan-related-resources](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-resource-scan-related-resources.html) to list the resources related to your scanned resources.
+ [create-generated-template](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-generated-template.html) to generate a CloudFormation template from a set of scanned resources.
+ [update-generated-template](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/update-generated-template.html) to update the generated template.
+ [describe-generated-template](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-generated-template.html) to return information about a generated template.
+ [list-generated-templates](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-generated-templates.html) to list all generated templates in your account and current Region.
+ [delete-generated-template](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/delete-generated-template.html) to delete a generated template.

## Migrate a template to the AWS CDK
<a name="iac-generator-cdk-migrate"></a>

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework that you can use to develop, manage, and deploy CloudFormation resources using popular programming languages.

The AWS CDK CLI provides an integration with IaC generator. Use the AWS CDK CLI `cdk migrate` command to convert the CloudFormation template and create a new CDK app that contains your resources. Then, you can use the AWS CDK to manage your resources and deploy to CloudFormation.

For more information, see [Migrate to AWS CDK](https://docs.aws.amazon.com/cdk/v2/guide/migrate.html) in the *AWS Cloud Development Kit (AWS CDK) Developer Guide*.

# Start a resource scan with CloudFormation IaC generator
<a name="iac-generator-start-resource-scan"></a>

Before you create a template from existing resources, you first must initiate a resource scan to discover your current resources and their relationships.

You can start a resource scan using one of the following options. For first-time users of IaC generator, we recommend the first option.
+ **Scan all resources (full scan)** – Scans all existing resources in the current account and Region. This scanning process can take up to 10 minutes for 1,000 resources.
+ **Scan specific resources (partial scan)** – Manually select which resource types to scan in the current account and Region. This option provides a faster and more focused scanning process, making it ideal for iterative template development.

After the scan completes, you can choose which resources and their related resources to include when generating your template. When using partial scanning, related resources will only be available during template generation if either:
+ You specifically selected them before starting the scan, or
+ They were required to discover your selected resource types. 

For example, if you select `AWS::EKS::Nodegroup` without selecting `AWS::EKS::Cluster`, IaC generator automatically includes `AWS::EKS::Cluster` resources in the scan because discovering the node group requires discovering the cluster first. In all other cases, the scan will only include the resources you specifically select.

**Note**  
Before you continue, confirm that you have the permissions required to work with IaC generator. For more information, see [IAM permissions required for scanning resources](generate-IaC.md#iac-generator-permissions).

**Topics**
+ [Start a resource scan (console)](#start-resource-scan-console)
+ [Start a resource scan (AWS CLI)](#start-resource-scan-cli)

## Start a resource scan (console)
<a name="start-resource-scan-console"></a>

**To start a resource scan of all resource types (full scan)**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region that contains the resources to scan.

1. From the **Scans** panel, choose **Start a new scan** and then choose **Scan all resources**. 

**To start a resource scan of specific resource types (partial scan)**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region that contains the resources to scan.

1. From the **Scans** panel, choose **Start a new scan** and then choose **Scan specific resources**. 

1. In the **Start partial scan** dialog box, select up to 100 resource types, and then choose **Start scan**. 

## Start a resource scan (AWS CLI)
<a name="start-resource-scan-cli"></a>

**To start a resource scan of all resource types (full scan)**  
Use the following [start-resource-scan](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/start-resource-scan.html) command. Replace *us-east-1* with the AWS Region that contains the resources to scan.

```
aws cloudformation start-resource-scan --region us-east-1
```

If successful, this command returns the ARN of the scan. Note the ARN in the `ResourceScanId` property. You need it to create your template.

```
{
    "ResourceScanId":
      "arn:aws:cloudformation:region:account-id:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60"
}
```

**To start a resource scan of specific resource types (partial scan)**

1. Use the following [cat](https://en.wikipedia.org/wiki/Cat_(Unix)) command to store the resource types you want to scan in a JSON file named `config.json` in your home directory. The following is an example scanning configuration that scans for Amazon EC2 instances, security groups, and all Amazon S3 resources.

   ```
   cat > config.json <<'EOF'
   [
     {
       "Types":[
         "AWS::EC2::Instance",
         "AWS::EC2::SecurityGroup",
         "AWS::S3::*"
       ]
     }
   ]
   EOF
   ```

1. Use the [start-resource-scan](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/start-resource-scan.html) command with the `--scan-filters` option, along with the `config.json` file you created, to start the partial scan. Replace *us-east-1* with the AWS Region that contains the resources to scan.

   ```
   aws cloudformation start-resource-scan --scan-filters file://config.json --region us-east-1
   ```

   If successful, this command returns the ARN of the scan. Note the ARN in the `ResourceScanId` property. You need it to create your template.

   ```
   {
       "ResourceScanId":
         "arn:aws:cloudformation:region:account-id:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60"
   }
   ```

**To monitor the progress of a resource scan**  
Use the [describe-resource-scan](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-resource-scan.html) command. For the `--resource-scan-id` option, replace the sample ARN with the actual ARN.

```
aws cloudformation describe-resource-scan --region us-east-1 \
  --resource-scan-id arn:aws:cloudformation:us-east-1:123456789012:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60
```

If successful, this command returns output similar to the following: 

```
{
    "ResourceScanId": "arn:aws:cloudformation:region:account-id:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60",
    "Status": "COMPLETE",
    "StartTime": "2023-08-21T03:10:38.485000+00:00",
    "EndTime": "2023-08-21T03:20:28.485000+00:00",
    "PercentageCompleted": 100.0,
    "ResourceTypes": [
        "AWS::CloudFront::CachePolicy",
        "AWS::CloudFront::OriginRequestPolicy",
        "AWS::EC2::DHCPOptions",
        "AWS::EC2::InternetGateway",
        "AWS::EC2::KeyPair",
        "AWS::EC2::NetworkAcl",
        "AWS::EC2::NetworkInsightsPath",
        "AWS::EC2::NetworkInterface",
        "AWS::EC2::PlacementGroup",
        "AWS::EC2::Route",
        "AWS::EC2::RouteTable",
        "AWS::EC2::SecurityGroup",
        "AWS::EC2::Subnet",
        "AWS::EC2::SubnetCidrBlock",
        "AWS::EC2::SubnetNetworkAclAssociation",
        "AWS::EC2::SubnetRouteTableAssociation",
        ...
    ],
    "ResourcesRead": 676
}
```

For a partial scan, the output will look similar to the following: 

```
{
    "ResourceScanId": "arn:aws:cloudformation:region:account-id:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60",
    "Status": "COMPLETE",
    "StartTime": "2025-03-06T18:24:19.542000+00:00",
    "EndTime": "2025-03-06T18:25:23.142000+00:00",
    "PercentageCompleted": 100.0,
    "ResourceTypes": [
        "AWS::EC2::Instance",
        "AWS::EC2::SecurityGroup",
        "AWS::S3::Bucket",
        "AWS::S3::BucketPolicy"
    ],
    "ResourcesRead": 65,
    "ScanFilters": [
        {
            "Types": [
                "AWS::EC2::Instance",
                "AWS::EC2::SecurityGroup",
                "AWS::S3::*"
            ]
        }
    ]
}
```

For a description of the fields in the output, see [DescribeResourceScan](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeResourceScan.html) in the *AWS CloudFormation API Reference*.
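Because missing read permissions exclude resources from a scan without failing it, it helps to compare the scan result with the resource types you expect. The following added example (not part of the AWS documentation) checks the partial-scan output above against a constructed baseline; it assumes that `ResourceTypes` lists the types the scan actually read and that `*` in a scan filter acts as a simple wildcard.

```python
import fnmatch

# Fields from the partial-scan output shown above (ARN and timestamps omitted).
SCAN = {
    "Status": "COMPLETE",
    "ResourceTypes": [
        "AWS::EC2::Instance",
        "AWS::EC2::SecurityGroup",
        "AWS::S3::Bucket",
        "AWS::S3::BucketPolicy",
    ],
    "ResourcesRead": 65,
    "ScanFilters": [
        {"Types": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup", "AWS::S3::*"]}
    ],
}

# Constructed baseline: resource types you already know exist in the account
# and Region, for example from an asset inventory.
EXPECTED = [
    "AWS::EC2::Instance",
    "AWS::S3::Bucket",
    "AWS::S3::AccessPoint",
    "AWS::IAM::Role",
]

NOT_REQUESTED = "not covered by the scan filters"
NOTHING_READ = "covered by the scan, but absent from ResourceTypes"


def requested(resource_type, scan):
    """True if the scan was asked to cover this type (a full scan covers all)."""
    patterns = [p for f in scan.get("ScanFilters", []) for p in f.get("Types", [])]
    if not patterns:
        return True
    # Assumption: * in a filter entry behaves like a shell-style wildcard.
    return any(fnmatch.fnmatchcase(resource_type, p) for p in patterns)


def coverage_gaps(scan, expected_types):
    """Map each expected type that is missing from the scan to the reason."""
    if scan.get("Status") != "COMPLETE":
        raise ValueError(f"scan is {scan.get('Status')!r}, not COMPLETE")
    seen = set(scan.get("ResourceTypes", []))
    gaps = {}
    for resource_type in expected_types:
        if resource_type in seen:
            continue
        gaps[resource_type] = (
            NOTHING_READ if requested(resource_type, scan) else NOT_REQUESTED
        )
    return gaps


if __name__ == "__main__":
    for resource_type, reason in coverage_gaps(SCAN, EXPECTED).items():
        print(f"{resource_type}: {reason}")
```

A type reported as covered but absent either has no resources in the Region or could not be read by the scanning principal, so check that principal's read permissions for the service before relying on the generated template.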

# View the scan summary in the CloudFormation console
<a name="generate-IaC-view-scan-summary"></a>

After the scan completes, you can view a visualization of resources found during the scan to help you identify the concentration of resources across different product types.

**To view information about resources found during the scan**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region that contains the resource scan to view.

1. From the navigation pane, choose **IaC generator**.

1. Under **Scanned resources breakdown**, you'll find a visual breakdown of the scanned resources by product type, for example, **Compute** and **Storage**. 

1. To customize the number of product types displayed, choose **Filter displayed data**. This helps you tailor the visualization to focus on the product types that you're most interested in.

1. On the right side of the page is the **Scan summary details** panel. To open the panel, choose the **open panel** icon.

![\[The IaC generator console provides a visual breakdown of scanned resources.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/IaC-generator-scan-summary.png)


# Create a CloudFormation template from resources scanned with IaC generator
<a name="iac-generator-create-template-from-scanned-resources"></a>

This topic explains how to create a template from resources that were scanned using the IaC generator feature. 

## Create a template from scanned resources (console)
<a name="create-template-from-scanned-resources-console"></a>

**To create a stack template from scanned resources**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region that contains the scanned resources.

1. From the **Templates** section, choose **Create template**. 

1. Choose **Start from a new template**.

   1. For **Template name**, provide a name for your template.

   1. (Optional) Configure your **Deletion policy** and **Update replace policy**.

   1. Choose **Next** to add scanned resources to the template.

1. For **Add scanned resources**, browse the list of scanned resources and select the resources you want to add to your template. You can filter the resources by resource identifier, resource type, or tags. The filters are mutually inclusive.

1. When you've added all needed resources to your template, choose **Next** to exit the **Add scanned resources** page and proceed to the **Add related resources** page.

1. Review a recommended list of related resources. Related resources, such as Amazon EC2 instances and security groups, are interdependent and typically belong to the same workload. Select the related resources that you want to include in the generated template.

   **Note**  
   We suggest that you add all related resources to this template.

1. Review the template details, scanned resources, and related resources. 

1. Choose **Create template** to exit the **Review and create** page and create the template.

## Create a template from scanned resources (AWS CLI)
<a name="create-template-from-scanned-resources-cli"></a>

**To create a stack template from scanned resources**

1. Use the [list-resource-scan-resources](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-resource-scan-resources.html) command to list the resources found during the scan, optionally specifying the `--resource-identifier` option to limit the output. For the `--resource-scan-id` option, replace the sample ARN with the actual ARN.

   ```
   aws cloudformation list-resource-scan-resources \
     --resource-scan-id arn:aws:cloudformation:us-east-1:123456789012:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60 \
     --resource-identifier MyApp
   ```

   The following is an example response, where `ManagedByStack` indicates whether CloudFormation manages the resource already. Copy the output. You need it for the next step.

   ```
   {
       "Resources": [
           {
               "ResourceType": "AWS::EKS::Cluster",
               "ResourceIdentifier": {
                   "ClusterName": "MyAppClusterName"
               },
               "ManagedByStack": false
           },
           {
               "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
               "ResourceIdentifier": {
                   "AutoScalingGroupName": "MyAppASGName"
               },
               "ManagedByStack": false
           }
       ]
   }
   ```

   For a description of the fields in the output, see [ScannedResource](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ScannedResource.html) in the *AWS CloudFormation API Reference*.

1. Use the `cat` command to store the resource types and identifiers in a JSON file named `resources.json` in your home directory. The following is example JSON based on the example output in the previous step.

   ```
   cat > resources.json <<'EOF'
   [
       {
           "ResourceType": "AWS::EKS::Cluster",
           "ResourceIdentifier": {
               "ClusterName": "MyAppClusterName"
           }
       },
       {
           "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
           "ResourceIdentifier": {
               "AutoScalingGroupName": "MyAppASGName"
           }
       }
   ]
   EOF
   ```

1. Use the [list-resource-scan-related-resources](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-resource-scan-related-resources.html) command, along with the `resources.json` file you created, to list the resources related to your scanned resources.

   ```
   aws cloudformation list-resource-scan-related-resources \
     --resource-scan-id arn:aws:cloudformation:us-east-1:123456789012:resourceScan/0a699f15-489c-43ca-a3ef-3e6ecfa5da60 \
     --resources file://resources.json
   ```

   The following is an example response, where `ManagedByStack` indicates whether CloudFormation manages the resource already. Add these resources to the JSON file you created in the previous step. You'll need it to create your template.

   ```
   {
       "RelatedResources": [
           {
               "ResourceType": "AWS::EKS::Nodegroup",
               "ResourceIdentifier": {
                   "NodegroupName": "MyAppNodegroupName"
               },
               "ManagedByStack": false
           },
           {
               "ResourceType": "AWS::IAM::Role",
               "ResourceIdentifier": {
                   "RoleId": "arn:aws:iam::account-id:role/MyAppIAMRole"
               },
               "ManagedByStack": false
           }
       ]
   }
   ```

   For a description of the fields in the output, see [ScannedResource](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ScannedResource.html) in the *AWS CloudFormation API Reference*.

   **Note**  
   The input list of resources can't exceed a length of 100. To list related resources for more than 100 resources, run the **list-resource-scan-related-resources** command in batches of 100 and consolidate the results.  
   Be aware that the output may contain duplicated resources in the list.

1. Use the [create-generated-template](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-generated-template.html) command to create a new stack template, as follows, with these modifications:
   + Replace `us-east-1` with the AWS Region that contains the scanned resources.
   + Replace `MyTemplate` with the name of the template to create.

   ```
   aws cloudformation create-generated-template --region us-east-1 \
     --generated-template-name MyTemplate \
     --resources file://resources.json
   ```

   The following is an example `resources.json` file.

   ```
   [
       {
           "ResourceType": "AWS::EKS::Cluster",
           "LogicalResourceId":"MyCluster",
           "ResourceIdentifier": {
               "ClusterName": "MyAppClusterName"
           }
       },
       {
           "ResourceType": "AWS::AutoScaling::AutoScalingGroup",
           "LogicalResourceId":"MyASG",
           "ResourceIdentifier": {
               "AutoScalingGroupName": "MyAppASGName"
           }
       },
       {
           "ResourceType": "AWS::EKS::Nodegroup",
           "LogicalResourceId":"MyNodegroup",
           "ResourceIdentifier": {
               "NodegroupName": "MyAppNodegroupName"
           }
       },
       {
           "ResourceType": "AWS::IAM::Role",
           "LogicalResourceId":"MyRole",
           "ResourceIdentifier": {
               "RoleId": "arn:aws:iam::account-id:role/MyAppIAMRole"
           }
       }
   ]
   ```

   If successful, this command returns the following.

   ```
   {
     "Arn":
       "arn:aws:cloudformation:region:account-id:generatedtemplate/7fc8512c-d8cb-4e02-b266-d39c48344e48",
     "Name": "MyTemplate"
   }
   ```
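The following added example (not part of the AWS documentation) automates the assembly of `resources.json` described in steps 1 to 4: it requests related resources in batches of at most 100, consolidates the results, removes duplicates, and assigns each entry a `LogicalResourceId`. The `list_related` callable is a hypothetical wrapper around the CLI or SDK call, the sample data is constructed, and both the logical ID naming and the choice to leave out resources already managed by a stack are decisions of this example.

```python
import json

BATCH_SIZE = 100      # input limit stated in the note above
TEMPLATE_LIMIT = 500  # resources per template, from the quotas table


def _key(resource):
    """Identity of a resource: its type plus its identifier, order-independent."""
    return (
        resource["ResourceType"],
        json.dumps(resource["ResourceIdentifier"], sort_keys=True),
    )


def related_in_batches(resources, list_related):
    """Call list_related on slices of at most BATCH_SIZE and concatenate results."""
    merged = []
    for start in range(0, len(resources), BATCH_SIZE):
        batch = [
            {"ResourceType": r["ResourceType"],
             "ResourceIdentifier": r["ResourceIdentifier"]}
            for r in resources[start:start + BATCH_SIZE]
        ]
        merged.extend(list_related(batch))
    return merged


def build_resources(scanned, related):
    """Merge both lists into the structure used for --resources."""
    seen, used_ids, out = set(), set(), []
    for resource in list(scanned) + list(related):
        if resource.get("ManagedByStack"):
            continue  # choice made here: skip resources a stack already manages
        key = _key(resource)
        if key in seen:
            continue  # batched output can repeat a resource
        seen.add(key)
        # Example naming scheme: last segment of the type, numbered on collision.
        base = resource["ResourceType"].split("::")[-1]
        logical_id, n = base, 1
        while logical_id in used_ids:
            n += 1
            logical_id = f"{base}{n}"
        used_ids.add(logical_id)
        out.append({
            "ResourceType": resource["ResourceType"],
            "LogicalResourceId": logical_id,
            "ResourceIdentifier": resource["ResourceIdentifier"],
        })
    if len(out) > TEMPLATE_LIMIT:
        raise ValueError(f"{len(out)} resources exceed the {TEMPLATE_LIMIT} per-template quota")
    return out


def demo():
    """Run the flow on constructed data; returns (resources, batch sizes used)."""
    calls = []

    def fake_list_related(batch):
        # Constructed stand-in for list-resource-scan-related-resources.
        calls.append(len(batch))
        return [
            {"ResourceType": "AWS::EKS::Nodegroup",
             "ResourceIdentifier": {"NodegroupName": "MyAppNodegroupName"},
             "ManagedByStack": False},
            {"ResourceType": "AWS::EC2::SecurityGroup",
             "ResourceIdentifier": {"Id": "sg-constructed"},
             "ManagedByStack": True},
        ]

    scanned = [{"ResourceType": "AWS::EKS::Cluster",
                "ResourceIdentifier": {"ClusterName": "MyAppClusterName"},
                "ManagedByStack": False}]
    scanned += [{"ResourceType": "AWS::AutoScaling::AutoScalingGroup",
                 "ResourceIdentifier": {"AutoScalingGroupName": f"MyAppASGName-{i}"},
                 "ManagedByStack": False} for i in range(149)]
    related = related_in_batches(scanned, fake_list_related)
    return build_resources(scanned, related), calls


if __name__ == "__main__":
    resources, calls = demo()
    print(f"batches: {calls}, resources: {len(resources)}")
    with open("resources.json", "w") as handle:
        json.dump(resources, handle, indent=4)
```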

# Create a CloudFormation stack from scanned resources
<a name="iac-generator-create-stack-from-scanned-resources"></a>

After you create your template, you can preview the generated template with Infrastructure Composer before creating the stack and importing the scanned resources. This helps you visualize the full application architecture with the resources and their relationships. For more information about Infrastructure Composer, see [Create templates visually with Infrastructure Composer](infrastructure-composer-for-cloudformation.md).

**To create the stack and import the scanned resources**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region for your template.

1. Choose the **Templates** tab, and then choose the name of your template to view more information.

1. On the **Template definition** tab, at the top of the **Template** section, you can switch the template from YAML to JSON syntax based on your preference. 

1. Review the details of your template to make sure everything is set up correctly. To make it easier to review and understand the template, you can switch from the default code view to a graphical view of the infrastructure described in the template using Infrastructure Composer. To do so, under **Template**, choose **Canvas** instead of **Template**.

    **Canvas actions** 
   + To focus on the details of a specific resource within your template, double-click a card to bring up the **Resource properties** panel.
   + To visually arrange and organize cards on the canvas, choose **Arrange** from the upper left of the canvas. 
   + To zoom in and out of your canvas, use the zoom controls in the lower right of the canvas. 

1. To view a specific resource in the console, choose the **Template resources** tab and then choose the physical ID of the resource you want to look at. This takes you to the console for that specific resource. You can also add, remove, and resync resources in the template definition from the **Template resources** tab. 

1. On the **Template definition** tab, IaC generator might issue warnings about resources that contain write-only properties. After reviewing the warnings, you can download the generated template and make any necessary changes. For more information, see [Resolve write-only properties](generate-IaC-write-only-properties.md).

1. When you are satisfied with your template definition, on the **Template definition** tab, choose **Import to stack** and then choose **Next**.

1. On the **Specify stack** panel of the **Specify stack details** page, enter the name of your stack, and then choose **Next**.

1. Review and enter the parameters for the stack. Choose **Next**.

1. Review your options on the **Review changes** page and choose **Next**.

1. Review your details on the **Review and import** page and choose **Import resources**. 

# Resolve write-only properties
<a name="generate-IaC-write-only-properties"></a>

With the CloudFormation IaC generator, you can generate a template using resources provisioned in your account that are not already managed by CloudFormation. However, certain resource properties are designated as *write-only*, meaning they can be written but can't be read by CloudFormation, for example, a database password. 

When generating CloudFormation templates from existing resources, write-only properties pose a challenge. In most cases, CloudFormation converts these properties into parameters in the generated template. This allows you to enter the properties as parameter values during import operations. However, there are scenarios where this conversion is not possible, and CloudFormation handles these cases differently.

## Mutually exclusive properties
<a name="write-only-mutually-exclusive-properties"></a>

Some resources have multiple sets of mutually exclusive properties, at least some of which are write-only. In these cases, the IaC generator can't determine which set of exclusive properties was applied to the resource during creation. For example, you can provide the code for an [AWS::Lambda::Function](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) using one of these sets of properties.
+ `Code/S3Bucket`, `Code/S3Key`, and optionally `Code/S3ObjectVersion`
+ `Code/ImageUri`
+ `Code/ZipFile`

All of these properties are write-only. The IaC generator selects one of the exclusive sets of properties and adds them to the generated template. Parameters are added for each of the write-only properties. The parameter names include `OneOf` and the parameter descriptions indicate that the corresponding property can be replaced with other exclusive properties. The IaC generator sets a warning type of `MUTUALLY_EXCLUSIVE_PROPERTIES` for the included properties.

## Mutually exclusive types
<a name="write-only-mutually-exclusive-types"></a>

In some cases, a write-only property can be of multiple data types. For example, the `Body` property of [AWS::ApiGateway::RestApi](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html) can be either an `object` or a `string`. When this is the case, the IaC generator includes the property in the generated template using the type of `string` and sets a warning type of `MUTUALLY_EXCLUSIVE_TYPES`.

## Array properties
<a name="write-only-array-properties"></a>

If a write-only property has a type of `array`, the IaC generator can't include it in the generated template because parameters can only be scalar values. In this case, the property is omitted from the template, and a warning type of `UNSUPPORTED_PROPERTIES` is set.

## Optional properties
<a name="write-only-optional-properties"></a>

For optional write-only properties, the IaC generator can’t detect if the property was used when setting up the resource. In this case, the property is omitted from the generated template, and a warning type of `UNSUPPORTED_PROPERTIES` is set.

## Warnings and next steps
<a name="write-only-properties-warnings-and-next-steps"></a>

To determine which properties are write-only, you must look at the warnings returned by the IaC generator console. The [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-template-resource-type-ref.html) doesn't indicate if a property is write-only, or if it supports multiple types.

Alternatively, you can see which properties are write-only from the resource provider schemas. To download the resource provider schemas, see the [CloudFormation resource provider schemas](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/resource-type-schemas.html). 
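The following added example (not part of the AWS documentation) reads the `writeOnlyProperties` list of a resource provider schema and reports, for each property, its declared types, whether it is required, and which of the sections above apply to it. The schema is a constructed excerpt for a hypothetical resource type, and the handling of nested paths such as `Source/ZipFile` is an assumption of this example.

```python
# Constructed excerpt in the layout of a CloudFormation resource provider
# schema. The type name and its properties are hypothetical.
SCHEMA = {
    "typeName": "Example::Demo::Service",
    "properties": {
        "Name": {"type": "string"},
        "MasterPassword": {"type": "string"},
        "Body": {"type": ["object", "string"]},
        "SeedItems": {"type": "array", "items": {"type": "string"}},
        "Source": {"$ref": "#/definitions/Source"},
    },
    "definitions": {
        "Source": {
            "type": "object",
            "properties": {
                "ZipFile": {"type": "string"},
                "ImageUri": {"type": "string"},
            },
        }
    },
    "required": ["MasterPassword", "SeedItems"],
    "writeOnlyProperties": [
        "/properties/MasterPassword",
        "/properties/Body",
        "/properties/SeedItems",
        "/properties/Source/ZipFile",
    ],
}

# Section titles from this page that describe how each case is handled.
SECTION_ARRAY = "Array properties"
SECTION_TYPES = "Mutually exclusive types"
SECTION_OPTIONAL = "Optional properties"


def _deref(schema, node):
    """Follow local "$ref" links such as "#/definitions/Source"."""
    while isinstance(node, dict) and "$ref" in node:
        target = schema
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node


def write_only_report(schema):
    """Describe every write-only property listed in the schema."""
    report = {}
    for pointer in schema.get("writeOnlyProperties", []):
        # Assumption: accept /properties/A/B as well as /properties/A/properties/B.
        names = [p for p in pointer.split("/") if p and p != "properties"]
        node, required = schema, True
        for name in names:
            node = _deref(schema, node)
            # A nested property counts as required only if every level requires it.
            required = required and name in node.get("required", [])
            node = node["properties"][name]
        node = _deref(schema, node)
        declared = node.get("type", "unspecified")
        types = sorted(declared) if isinstance(declared, list) else [declared]
        sections = []
        if "array" in types:
            sections.append(SECTION_ARRAY)
        if len(types) > 1:
            sections.append(SECTION_TYPES)
        if not required:
            sections.append(SECTION_OPTIONAL)
        report["/".join(names)] = {
            "types": types,
            "required": required,
            "sections": sections,
        }
    return report


if __name__ == "__main__":
    for path, info in write_only_report(SCHEMA).items():
        print(path, info)
```

A property with an empty `sections` list is a required scalar, which is the case this page describes as converted into a template parameter.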

**To resolve issues with write-only properties**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region for your template.

1. Choose the **Templates** tab, and then choose the name of the template you created.

1. On the **Template definition** tab, when the generated template includes resources with write-only properties, the IaC generator console displays a warning with a summary of the type of issues. For example:  
![\[IaC generator console warning about write-only properties in generated template\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/IaC-generator-write-only-property-warning.png)

1. Choose **View warning details** for more details. The resources with write-only properties are identified by the logical ID used in the generated template and resource type.

   Use the list of warnings to identify resources with write-only properties and look at each resource to determine what changes (if any) need to be made to the generated template.  
![\[IaC generator console detailed warnings about write-only properties in generated template\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/IaC-generator-write-only-property-resource-warning.png)

1. If your template must be updated to resolve issues with write-only properties, do the following: 

   1. Choose **Download** to download a copy of the template.

   1. Edit your template.

   1. When the changes are complete, you can choose the **Import edited template** button to continue the import process.

# How to resolve issues with write-only properties in AWS::ApiGateway::RestApi resources
<a name="generate-IaC-apigateway-restapi"></a>

This topic explains how to resolve issues with write-only properties in [`AWS::ApiGateway::RestApi`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html) resources when using the IaC generator.

## Issue
<a name="apigateway-restapi-write-only-properties-issue"></a>

When a generated template contains `AWS::ApiGateway::RestApi` resources, the IaC generator issues warnings that identify the `Body`, `BodyS3Location`, and `CloneFrom` properties as `UNSUPPORTED_PROPERTIES`. These are optional write-only properties, so the IaC generator can't know whether they were ever applied to the resource. Therefore, it omits these properties from the generated template.

## Resolution
<a name="apigateway-restapi-write-only-properties-resolution"></a>

To set the `Body` property for your REST API, update your generated template.

1. Use the Amazon API Gateway [GetExport](https://docs.aws.amazon.com/apigateway/latest/api/API_GetExport.html) API action to download the API, for example by using the [get-export](https://docs.aws.amazon.com/cli/latest/reference/apigateway/get-export.html) AWS CLI command. For more information, see [Export a REST API from API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-export-api.html) in the *API Gateway Developer Guide*.

1. Retrieve the `Body` property from the response of the `GetExport` API action. Upload it to an Amazon S3 bucket.

1. Download the generated template.

1. Add the `BodyS3Location/Bucket` and `BodyS3Location/Key` properties to the template, specifying the bucket name and key where the `Body` is stored.

1. Open the generated template in the IaC generator console and choose **Import edited template**.
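Step 4 of this procedure, as an added example that is not part of the AWS documentation or tooling: the slash paths `BodyS3Location/Bucket` and `BodyS3Location/Key` become a nested object under the resource's `Properties`. It assumes the generated template was downloaded in JSON format and parsed into a dict; the function names, logical IDs, bucket, and key are hypothetical.

```python
import copy

REST_API_TYPE = "AWS::ApiGateway::RestApi"

# Constructed sample, not real IaC generator output.
SAMPLE = {"Resources": {
    "Api": {"Type": REST_API_TYPE, "Properties": {"Name": "orders"}},
    "Stage": {"Type": "AWS::ApiGateway::Stage", "Properties": {}},
}}


def set_body_s3_location(template, locations):
    """Return a copy with BodyS3Location set on each listed REST API.

    `locations` maps a logical ID from the warning details to the
    (bucket, key) where the exported API body was uploaded.
    """
    out = copy.deepcopy(template)
    resources = out.get("Resources", {})
    for logical_id, (bucket, key) in locations.items():
        resource = resources.get(logical_id)
        if not resource or resource.get("Type") != REST_API_TYPE:
            raise KeyError(f"{logical_id} is not an {REST_API_TYPE} resource")
        if not bucket or not key:
            raise ValueError(f"{logical_id}: bucket and key are both required")
        properties = resource.setdefault("Properties", {})
        properties["BodyS3Location"] = {"Bucket": bucket, "Key": key}
    return out


def rest_apis_without_body(template):
    """Logical IDs of REST APIs that have neither Body nor BodyS3Location."""
    return sorted(
        logical_id
        for logical_id, resource in template.get("Resources", {}).items()
        if resource.get("Type") == REST_API_TYPE
        and not {"Body", "BodyS3Location"} & set(resource.get("Properties", {}))
    )
```

Run `rest_apis_without_body` on the edited template before importing to list any REST API that would still be created without its definition.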

# How to resolve issues with write-only properties in AWS::Lambda::Function resources
<a name="generate-IaC-lambda-function"></a>

This topic explains how to resolve issues with write-only properties in [`AWS::Lambda::Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) resources when using the IaC generator.

## Issue
<a name="lambda-function-mutually-exclusive-properties-issue"></a>

The `AWS::Lambda::Function` resource has three mutually exclusive sets of properties for specifying the Lambda code:
+ `Code/S3Bucket` and `Code/S3Key` properties, and optionally the `Code/S3ObjectVersion` property
+ `Code/ImageUri` property
+ `Code/ZipFile` property

Only one of these sets can be used for a given `AWS::Lambda::Function` resource.

The IaC generator can't determine which set of exclusive write-only properties was used to create or update the resource. As a result, it includes only the first set of properties in the generated template. The `Code/ImageUri` and `Code/ZipFile` properties are omitted. 

Additionally, the IaC generator issues the following warnings:
+ **`MUTUALLY_EXCLUSIVE_PROPERTIES`** – Warns that `Code/S3Bucket` and `Code/S3Key` are identified as mutually exclusive properties.
+ **`UNSUPPORTED_PROPERTIES`** – Warns that the `Code/S3ObjectVersion` property is unsupported.

To include `AWS::Lambda::Function` resources in a generated template, you must download and update the template with the correct code properties.

## Resolution
<a name="lambda-function-mutually-exclusive-properties-resolution"></a>

**If you store your Lambda code in an Amazon S3 bucket and do not use the `S3ObjectVersion` property**, you can import the generated template without any modifications. The IaC generator will ask you for the Amazon S3 bucket and key as template parameters during the import operation.

**If you store your Lambda code in an Amazon ECR repository**, you can update your template using the following instructions:

1. Download the generated template.

1. Remove the properties and corresponding parameters for the `Code/S3Bucket` and `Code/S3Key` properties from the generated template.

1. Replace the removed properties in the generated template with the `Code/ImageUri` property, specifying the URL for the Amazon ECR repository.

1. Open the generated template in the IaC generator console and choose the **Import edited template** button.

**If you store your Lambda code in a zip file**, you can update your template using the following instructions:

1. Download the generated template.

1. Remove the properties and corresponding parameters for the `Code/S3Bucket` and `Code/S3Key` properties from the generated template.

1. Replace the removed properties in the generated template with the `Code/ZipFile` property.

1. Open the generated template in the IaC generator console and choose the **Import edited template** button.
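The template edit shared by the Amazon ECR and zip file procedures above, as an added example that is not part of the AWS documentation or tooling. It assumes the generated template was downloaded in JSON format and parsed into a dict; the function name, parameter names, and sample values are hypothetical. It goes one step beyond the written steps by keeping a parameter that another part of the template still references.

```python
import copy
import json

LAMBDA_TYPE = "AWS::Lambda::Function"
# All mutually exclusive code properties; the replacement is added afterwards.
CODE_KEYS = ("S3Bucket", "S3Key", "S3ObjectVersion", "ImageUri", "ZipFile")

# Constructed sample, not real IaC generator output; parameter names are made up.
SAMPLE = {
    "Parameters": {"FnS3Bucket": {"Type": "String"}, "FnS3Key": {"Type": "String"}},
    "Resources": {"Fn": {"Type": LAMBDA_TYPE, "Properties": {"Code": {
        "S3Bucket": {"Ref": "FnS3Bucket"}, "S3Key": {"Ref": "FnS3Key"}}}}},
}


def _refs(node):
    """Yield every name used in a {"Ref": name} node at or below `node`."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item)


def replace_lambda_code(template, logical_id, *, image_uri=None, zip_file=None):
    """Return a copy whose function uses Code/ImageUri or Code/ZipFile."""
    if (image_uri is None) == (zip_file is None):
        raise ValueError("give exactly one of image_uri or zip_file")
    out = copy.deepcopy(template)
    resource = out.get("Resources", {}).get(logical_id)
    if not resource or resource.get("Type") != LAMBDA_TYPE:
        raise KeyError(f"{logical_id} is not an {LAMBDA_TYPE} resource")
    code = resource.setdefault("Properties", {}).setdefault("Code", {})
    # Remove the old code properties and note which parameters fed them.
    dropped = {n for k in CODE_KEYS for n in _refs(code.pop(k, None))}
    key, value = ("ImageUri", image_uri) if zip_file is None else ("ZipFile", zip_file)
    code[key] = value
    # Delete a parameter only if no Ref or ${Name} substitution still uses it.
    rest = {k: v for k, v in out.items() if k != "Parameters"}
    text = json.dumps(rest)
    used = set(_refs(rest)) | {n for n in dropped if "${" + n + "}" in text}
    for name in dropped - used:
        out.get("Parameters", {}).pop(name, None)
    return out
```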

**If you don’t have a copy of your Lambda code**, you can update your template using the following instructions:

1. Use the AWS Lambda [GetFunction](https://docs.aws.amazon.com/lambda/latest/api/API_GetFunction.html) API action (for example, by using the [get-function](https://docs.aws.amazon.com/cli/latest/reference/lambda/get-function.html) AWS CLI command).

1. In the response, the `RepositoryType` parameter is `S3` if the code is in an Amazon S3 bucket, or `ECR` if the code is in an Amazon ECR repository.

1. In the response, the `Location` parameter contains a pre-signed URL that you can use to download the deployment package for 10 minutes. Download the code.

1. Upload the code to an Amazon S3 bucket.

1. Run an import operation with the generated template and provide the bucket name and key as parameter values.