# CloudFormation template sections
Every CloudFormation template consists of one or more sections, each serving a specific purpose.
The **Resources** section is required in every CloudFormation template and forms the core of the template. This section specifies the stack resources and their properties, such as an Amazon EC2 instance or an Amazon S3 bucket. Each resource is defined with a unique logical ID, type, and specific configuration details.
The **Parameters** section, while optional, plays an important role in making templates more flexible. It allows users to pass values at runtime when creating or updating a stack. These parameters can be referenced in the `Resources` and `Outputs` sections, enabling customization without altering the template itself. For instance, you might use parameters to specify instance types or environment settings that vary between deployments.
The **Outputs** section, also optional, defines the values that are returned when viewing a stack’s properties. Outputs provide useful information such as resource identifiers or URLs, which can be leveraged for operational purposes or for integration with other stacks. This section helps users retrieve and use important details about the resources created by the template.
Other optional sections include **Mappings**, which function like lookup tables to manage conditional values. With mappings, you define key-value pairs and use them with the `Fn::FindInMap` intrinsic function in the `Resources` and `Outputs` sections. This is useful for scenarios where you need to adjust configurations based on conditions such as AWS Region or environment.
**Metadata** and **Rules** sections, though less commonly used, provide additional functionality. `Metadata` can include additional information about the template, while `Rules` validates a parameter or a combination of parameters during stack creation or updates, ensuring they meet specific criteria. The **Conditions** section further enhances flexibility by controlling whether certain resources are created or properties are assigned a value based on conditions like environment type.
Lastly, the **Transform** section is used to apply macros during the processing of the template. For serverless applications (also referred to as Lambda applications), it specifies the version of the [AWS Serverless Application Model (AWS SAM)](https://github.com/awslabs/serverless-application-specification) to use. When you specify a transform, you can use AWS SAM syntax to declare resources in your template. The model defines the syntax that you can use and how it's processed. You can also use the `AWS::Include` transform to include template snippets that are stored separately from the main CloudFormation template.
The following topics provide more information and examples for using each section.
**Topics**
+ [Resources](resources-section-structure.md)
+ [Parameters](parameters-section-structure.md)
+ [Outputs](outputs-section-structure.md)
+ [Mappings](mappings-section-structure.md)
+ [Metadata](metadata-section-structure.md)
+ [Rules](rules-section-structure.md)
+ [Conditions](conditions-section-structure.md)
+ [Transform](transform-section-structure.md)
+ [Format version](format-version-structure.md)
+ [Description](template-description-structure.md)
# CloudFormation template Resources syntax
The `Resources` section is a required top-level section in a CloudFormation template. It declares the AWS resources that you want CloudFormation to provision and configure as part of your stack.
## Syntax
The `Resources` section uses the following syntax:
### JSON
```
"Resources" : {
"LogicalResourceName1" : {
"Type" : "AWS::ServiceName::ResourceType",
"Properties" : {
"PropertyName1" : "PropertyValue1",
...
}
},
"LogicalResourceName2" : {
"Type" : "AWS::ServiceName::ResourceType",
"Properties" : {
"PropertyName1" : "PropertyValue1",
...
}
}
}
```
### YAML
```
Resources:
LogicalResourceName1:
Type: AWS::ServiceName::ResourceType
Properties:
PropertyName1: PropertyValue1
...
LogicalResourceName2:
Type: AWS::ServiceName::ResourceType
Properties:
PropertyName1: PropertyValue1
...
```
## Logical ID (also called *logical name*)
Within a CloudFormation template, resources are identified by their logical resource names. These names must be alphanumeric (A-Za-z0-9) and unique within the template. Logical names are used to reference resources from other sections of the template.
## Resource type
Each resource must have a `Type` attribute, which defines the kind of AWS resource it is. The `Type` attribute has the format `AWS::ServiceName::ResourceType`. For example, the `Type` attribute for an Amazon S3 bucket is `AWS::S3::Bucket`.
For the full list of supported resource types, see the [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-template-resource-type-ref.html).
## Resource properties
Resource properties are additional options that you can specify to define configuration details for the specific resource type. Some properties are required, while others are optional. Some properties have default values, so specifying those properties is optional.
For details on the properties supported for each resource type, see the topics in [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-template-resource-type-ref.html).
Property values can be literal strings, lists of strings, Booleans, dynamic references, parameter references, pseudo references, or the value returned by a function. The following examples show you how to declare different property value types:
### JSON
```
"Properties" : {
"String" : "A string value",
"Number" : 123,
"LiteralList" : [ "first-value", "second-value" ],
"Boolean" : true
}
```
### YAML
```
Properties:
String: A string value
Number: 123
LiteralList:
- first-value
- second-value
Boolean: true
```
## Physical ID
In addition to the logical ID, certain resources also have a physical ID, which is the actual assigned name for that resource, such as an EC2 instance ID or an S3 bucket name. Use the physical IDs to identify resources outside of CloudFormation templates, but only after the resources have been created. For example, suppose you give an EC2 instance resource a logical ID of `MyEC2Instance`. When CloudFormation creates the instance, CloudFormation automatically generates and assigns a physical ID (such as `i-1234567890abcdef0`) to the instance. You can use this physical ID to identify the instance and view its properties (such as the DNS name) by using the Amazon EC2 console.
For Amazon S3 buckets and many other resources, CloudFormation automatically generates a unique physical name for the resource if you don't explicitly specify one. This physical name is based on a combination of the name of the CloudFormation stack, the resource's logical name specified in the CloudFormation template, and a unique ID. For example, if you have an Amazon S3 bucket with the logical name `MyBucket` in a stack named `MyStack`, CloudFormation might name the bucket with the following physical name `MyStack-MyBucket-abcdefghijk1`.
For resources that support custom names, you can assign your own physical names to help you quickly identify resources. For example, you can name an S3 bucket that stores logs as `MyPerformanceLogs`. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-name.html).
## Referencing resources
Often, you need to set properties on one resource based on the name or property of another resource. For example, you might create an EC2 instance that uses EC2 security groups, or a CloudFront distribution backed by an S3 bucket. All of these resources can be created in the same CloudFormation template.
CloudFormation provides intrinsic functions that you can use to refer to other resources and their properties. These functions allow you to create dependencies between resources and pass values from one resource to another.
### The `Ref` function
The `Ref` function is commonly used to retrieve an identifying property of resources defined within the same CloudFormation template. What it returns depends on the type of resource. For most resources, it returns the physical name of the resource. However, for some resource types, it might return a different value, such as an IP address for an `AWS::EC2::EIP` resource or an Amazon Resource Name (ARN) for an Amazon SNS topic.
The following examples demonstrate how to use the `Ref` function in properties. In each of these examples, the `Ref` function will return the actual name of the `LogicalResourceName` resource declared elsewhere in the template. The `!Ref` syntax example in the YAML example is just a shorter way of writing the `Ref` function.
#### JSON
```
"Properties" : {
"PropertyName" : { "Ref" : "LogicalResourceName" }
}
```
#### YAML
```
Properties:
PropertyName1:
Ref: LogicalResourceName
PropertyName2: !Ref LogicalResourceName
```
For more detailed information about the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).
### The `Fn::GetAtt` function
The `Ref` function is helpful if the parameter or the value returned for a resource is exactly what you want. However, you may need other attributes of a resource. For example, if you want to create a CloudFront distribution with an S3 origin, you need to specify the bucket location by using a DNS-style address. A number of resources have additional attributes whose values you can use in your template. To get these attributes, you use the `Fn::GetAtt` function.
The following examples demonstrate how to use the `GetAtt` function in properties. The `Fn::GetAtt` function takes two parameters, the logical name of the resource and the name of the attribute to be retrieved. The `!GetAtt` syntax example in the YAML example is just a shorter way of writing the `GetAtt` function.
#### JSON
```
"Properties" : {
"PropertyName" : {
"Fn::GetAtt" : [ "LogicalResourceName", "AttributeName" ]
}
}
```
#### YAML
```
Properties:
PropertyName1:
Fn::GetAtt:
- LogicalResourceName
- AttributeName
PropertyName2: !GetAtt LogicalResourceName.AttributeName
```
For more detailed information about the `GetAtt` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).
## Examples
The following examples illustrate how to declare resources and how CloudFormation templates can reference other resources defined within the same template and existing AWS resources.
**Topics**
+ [
### Declaring a single resource with a custom name
](#resources-section-structure-examples-single-resource)
+ [
### Referencing other resources with the `Ref` function
](#resources-section-structure-examples-ref)
+ [
### Referencing resource attributes using the `Fn::GetAtt` function
](#resources-section-structure-examples-getatt)
### Declaring a single resource with a custom name
The following examples declare a single resource of type `AWS::S3::Bucket` with the logical name `MyBucket`. The `BucketName` property is set to *amzn-s3-demo-bucket*, which should be replaced with the desired name for your S3 bucket.
If you use this resource declaration to create a stack, CloudFormation will create an Amazon S3 bucket with default settings. For other resources, such as an Amazon EC2 instance or Auto Scaling group, CloudFormation requires more information.
#### JSON
```
{
"Resources": {
"MyBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "amzn-s3-demo-bucket"
}
}
}
}
```
#### YAML
```
Resources:
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: amzn-s3-demo-bucket
```
### Referencing other resources with the `Ref` function
The following examples show a resource declaration that defines an EC2 instance and a security group. The `Ec2Instance` resource references the `InstanceSecurityGroup` resource as part of its `SecurityGroupIds` property using the `Ref` function. It also includes an existing security group (`sg-12a4c434`) that's not declared in the template. You use literal strings to refer to existing AWS resources.
#### JSON
```
{
"Resources": {
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"SecurityGroupIds": [
{
"Ref": "InstanceSecurityGroup"
},
"sg-12a4c434"
],
"KeyName": "MyKey",
"ImageId": "ami-1234567890abcdef0"
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
]
}
}
}
}
```
#### YAML
```
Resources:
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
SecurityGroupIds:
- !Ref InstanceSecurityGroup
- sg-12a4c434
KeyName: MyKey
ImageId: ami-1234567890abcdef0
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
```
### Referencing resource attributes using the `Fn::GetAtt` function
The following examples show a resource declaration that defines a CloudFront distribution resource and an S3 bucket. The `MyDistribution` resource specifies the DNS name of the `MyBucket` resource using `Fn::GetAtt` function to get the bucket's `DomainName` attribute. You'll notice that the `Fn::GetAtt` function lists its two parameters in an array. For functions that take multiple parameters, you use an array to specify their parameters.
#### JSON
```
{
"Resources": {
"MyBucket": {
"Type": "AWS::S3::Bucket"
},
"MyDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Origins": [
{
"DomainName": {
"Fn::GetAtt": [
"MyBucket",
"DomainName"
]
},
"Id": "MyS3Origin",
"S3OriginConfig": {}
}
],
"Enabled": "true",
"DefaultCacheBehavior": {
"TargetOriginId": "MyS3Origin",
"ForwardedValues": {
"QueryString": "false"
},
"ViewerProtocolPolicy": "allow-all"
}
}
}
}
}
}
```
#### YAML
```
Resources:
MyBucket:
Type: AWS::S3::Bucket
MyDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: !GetAtt
- MyBucket
- DomainName
Id: MyS3Origin
S3OriginConfig: {}
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: MyS3Origin
ForwardedValues:
QueryString: 'false'
ViewerProtocolPolicy: allow-all
```
# CloudFormation template Parameters syntax
Use the optional `Parameters` section to customize your templates. With parameters, you can input custom values to your template each time you create or update a stack. By using parameters in your templates, you can build reusable and flexible templates that can be tailored to specific scenarios.
By defining parameters of the appropriate type, you can choose from a list of identifiers of existing resources when you use the console to create your stack. For more information, see [Specify existing resources at runtime with CloudFormation-supplied parameter types](cloudformation-supplied-parameter-types.md).
Parameters are a popular way to specify property values of stack resources. However, there may be settings that are region dependent or are somewhat complex for users to figure out because of other conditions or dependencies. In these cases, you might want to put some logic in the template itself so that users can specify simpler values (or none at all) to get the results that they want, such as by using a mapping. For more information, see [CloudFormation template Mappings syntax](mappings-section-structure.md).
## Syntax
You declare parameters in a template's `Parameters` section, which uses the following general syntax:
### JSON
```
"Parameters" : {
"ParameterLogicalID" : {
"Description": "Information about the parameter",
"Type" : "DataType",
"Default" : "value",
"AllowedValues" : ["value1", "value2"]
}
}
```
### YAML
```
Parameters:
ParameterLogicalID:
Description: Information about the parameter
Type: DataType
Default: value
AllowedValues:
- value1
- value2
```
A parameter contains a list of attributes that define its value and constraints against its value. The only required attribute is `Type`, which can be `String`, `Number`, or a CloudFormation-supplied parameter type. You can also add a `Description` attribute that describes what kind of value you should specify. The parameter's name and description appear in the **Specify Parameters** page when you use the template in the **Create Stack** wizard.
**Note**
By default, the CloudFormation console lists input parameters alphabetically by their logical ID. To override this default ordering and group related parameters together, you can use the `AWS::CloudFormation::Interface` metadata key in your template. For more information, see [Organizing CloudFormation parameters with `AWS::CloudFormation::Interface` metadata](aws-cloudformation-interface.md).
For parameters with default values, CloudFormation uses the default values unless users specify another value. If you omit the default attribute, users are required to specify a value for that parameter. However, requiring the user to input a value does not ensure that the value is valid. To validate the value of a parameter, you can declare constraints or specify an AWS-specific parameter type.
For parameters without default values, users must specify a key name value at stack creation. If they don’t, CloudFormation fails to create the stack and throws an exception:
```
Parameters: [KeyName] must have values
```
## Properties
`AllowedPattern`
A regular expression that represents the patterns to allow for `String` or `CommaDelimitedList` types. When applied on a parameter of type `String`, the pattern must match the entire parameter value provided. When applied to a parameter of type `CommaDelimitedList`, the pattern must match each value in the list.
*Required*: No
`AllowedValues`
An array containing the list of values allowed for the parameter. When applied to a parameter of type `String`, the parameter value must be one of the allowed values. When applied to a parameter of type `CommaDelimitedList`, each value in the list must be one of the specified allowed values.
*Required*: No
If you're using YAML and you want to use `Yes` and `No` strings for `AllowedValues`, use single-quotes to prevent the YAML parser from considering these boolean values.
`ConstraintDescription`
A string that explains a constraint when the constraint is violated. For example, without a constraint description, a parameter that has an allowed pattern of `[A-Za-z0-9]+` displays the following error message when the user specifies an invalid value:
`Malformed input-Parameter MyParameter must match pattern [A-Za-z0-9]+`
By adding a constraint description, such as *must only contain letters (uppercase and lowercase) and numbers*, you can display the following customized error message:
`Malformed input-Parameter MyParameter must only contain uppercase and lowercase letters and numbers`
*Required*: No
`Default`
A value of the appropriate type for the template to use if no value is specified when a stack is created. If you define constraints for the parameter, you must specify a value that adheres to those constraints.
*Required*: No
`Description`
A string of up to 4000 characters that describes the parameter.
*Required*: No
`MaxLength`
An integer value that determines the largest number of characters you want to allow for `String` types.
*Required*: No
`MaxValue`
A numeric value that determines the largest numeric value you want to allow for `Number` types.
*Required*: No
`MinLength`
An integer value that determines the smallest number of characters you want to allow for `String` types.
*Required*: No
`MinValue`
A numeric value that determines the smallest numeric value you want to allow for `Number` types.
*Required*: No
`NoEcho`
Whether to mask the parameter value to prevent it from being displayed in the console, command line tools, or API. If you set the `NoEcho` attribute to `true`, CloudFormation returns the parameter value masked as asterisks (\$1\$1\$1\$1\$1) for any calls that describe the stack or stack events, except for information stored in the locations specified below.
*Required*: No
Using the `NoEcho` attribute does not mask any information stored in the following:
+ The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [Metadata](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html).
+ The `Outputs` template section. For more information, see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html).
+ The `Metadata` attribute of a resource definition. For more information, see [`Metadata` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html).
We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets.
Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager.
For more information, see the [Do not embed credentials in your templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds) best practice.
We strongly recommend against including `NoEcho` parameters, or any sensitive data, in resource properties that are part of a resource's primary identifier.
When a `NoEcho` parameter is included in a property that forms a primary resource identifier, CloudFormation may use the *actual plaintext value* in the primary resource identifier. This resource ID may appear in any derived outputs or destinations.
To determine which resource properties comprise a resource type's primary identifier, refer to the resource reference documentation for that resource in the [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-template-resource-type-ref.html). In the **Return values** section, the `Ref` function return value represents the resource properties that comprise the resource type's primary identifier.
`Type`
The data type for the parameter (`DataType`).
*Required*: Yes
CloudFormation supports the following parameter types:
`String`
A literal string. You can use the following attributes to declare constraints: `MinLength`, `MaxLength`, `Default`, `AllowedValues`, and `AllowedPattern`.
For example, users could specify `"MyUserName"`.
`Number`
An integer or float. CloudFormation validates the parameter value as a number; however, when you use the parameter elsewhere in your template (for example, by using the `Ref` intrinsic function), the parameter value becomes a string.
You can use the following attributes to declare constraints: `MinValue`, `MaxValue`, `Default`, and `AllowedValues`.
For example, users could specify `"8888"`.
`List`
An array of integers or floats that are separated by commas. CloudFormation validates the parameter value as numbers; however, when you use the parameter elsewhere in your template (for example, by using the `Ref` intrinsic function), the parameter value becomes a list of strings.
For example, users could specify `"80,20"`, and a `Ref` would result in `["80","20"]`.
`CommaDelimitedList`
An array of literal strings that are separated by commas. The total number of strings should be one more than the total number of commas. Also, each member string is space trimmed.
For example, users could specify `"test,dev,prod"`, and a `Ref` would result in `["test","dev","prod"]`.
AWS-specific parameter types
AWS values such as Amazon EC2 key pair names and VPC IDs. For more information, see [Specify existing resources at runtime](cloudformation-supplied-parameter-types.md).
Systems Manager parameter types
Parameters that correspond to existing parameters in Systems Manager Parameter Store. You specify a Systems Manager parameter key as the value of the Systems Manager parameter type, and CloudFormation retrieves the latest value from Parameter Store to use for the stack. For more information, see [Specify existing resources at runtime](cloudformation-supplied-parameter-types.md).
## General requirements for parameters
The following requirements apply when using parameters:
+ You can have a maximum of 200 parameters in a CloudFormation template.
+ Each parameter must be given a logical name (also called logical ID) that must be alphanumeric and unique among all logical names within the template.
+ Each parameter must be assigned a parameter type that's supported by CloudFormation. For more information, see [Type](#parameters-section-structure-properties-type).
+ Each parameter must be assigned a value at runtime for CloudFormation to successfully provision the stack. You can optionally specify a default value for CloudFormation to use unless another value is provided.
+ Parameters must be declared and referenced from within the same template. You can reference parameters from the `Resources` and `Outputs` sections of the template.
## Examples
**Topics**
+ [
### Simple string parameter
](#parameters-section-structure-example-1)
+ [
### Password parameter
](#parameters-section-structure-example-2)
+ [
### Referencing parameters
](#parameters-section-structure-example-3)
+ [
### Comma-delimited list parameter
](#parameters-section-structure-example-4)
+ [
### Return a value from a comma-delimited list parameter
](#parameters-section-structure-example-5)
### Simple string parameter
The following example declares a parameter named `InstanceTypeParameter` of type `String`. This parameter lets you specify the Amazon EC2 instance type for the stack. If no value is provided during stack creation or update, CloudFormation uses the default value of `t2.micro`.
#### JSON
```
"Parameters" : {
"InstanceTypeParameter" : {
"Description" : "Enter t2.micro, m1.small, or m1.large. Default is t2.micro.",
"Type" : "String",
"Default" : "t2.micro",
"AllowedValues" : ["t2.micro", "m1.small", "m1.large"]
}
}
```
#### YAML
```
Parameters:
InstanceTypeParameter:
Description: Enter t2.micro, m1.small, or m1.large. Default is t2.micro.
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- m1.small
- m1.large
```
### Password parameter
The following example declares a parameter named `DBPwd` of type `String` with no default value. The `NoEcho` property is set to `true` to prevent the parameter value from being displayed in stack descriptions. The minimum length that can be specified is `1`, and the maximum length that can be specified is `41`. The pattern allows lowercase and uppercase alphabetical characters and numerals. This example also illustrates the use of a regular expression for the `AllowedPattern` property.
#### JSON
```
"Parameters" : {
"DBPwd" : {
"NoEcho" : "true",
"Description" : "The database admin account password",
"Type" : "String",
"MinLength" : "1",
"MaxLength" : "41",
"AllowedPattern" : "^[a-zA-Z0-9]*$"
}
}
```
#### YAML
```
Parameters:
DBPwd:
NoEcho: true
Description: The database admin account password
Type: String
MinLength: 1
MaxLength: 41
AllowedPattern: ^[a-zA-Z0-9]*$
```
### Referencing parameters
You use the `Ref` intrinsic function to reference a parameter, and CloudFormation uses the parameter's value to provision the stack. You can reference parameters from the `Resources` and `Outputs` sections of the same template.
In the following example, the `InstanceType` property of the EC2 instance resource references the `InstanceTypeParameter` parameter value:
#### JSON
```
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"InstanceType" : { "Ref" : "InstanceTypeParameter" },
"ImageId" : "ami-0ff8a91507f77f867"
}
}
```
#### YAML
```
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
InstanceType:
Ref: InstanceTypeParameter
ImageId: ami-0ff8a91507f77f867
```
### Comma-delimited list parameter
The `CommaDelimitedList` parameter type can be useful when you need to provide multiple values for a single property. The following example declares a parameter named `DbSubnetIpBlocks` with a default value of three CIDR blocks separated by commas.
#### JSON
```
"Parameters" : {
"DbSubnetIpBlocks": {
"Description": "Comma-delimited list of three CIDR blocks",
"Type": "CommaDelimitedList",
"Default": "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24"
}
}
```
#### YAML
```
Parameters:
DbSubnetIpBlocks:
Description: "Comma-delimited list of three CIDR blocks"
Type: CommaDelimitedList
Default: "10.0.48.0/24, 10.0.112.0/24, 10.0.176.0/24"
```
### Return a value from a comma-delimited list parameter
To refer to a specific value in a parameter's comma-delimited list, use the `Fn::Select` intrinsic function in the `Resources` section of your template. Pass the index value of the object that you want and a list of objects, as shown in the following example.
#### JSON
```
{
"Parameters": {
"VPC": {
"Type": "String",
"Default": "vpc-123456"
},
"VpcAzs": {
"Type": "CommaDelimitedList",
"Default": "us-west-2a, us-west-2b, us-west-2c"
},
"DbSubnetIpBlocks": {
"Type": "CommaDelimitedList",
"Default": "172.16.0.0/26, 172.16.0.64/26, 172.16.0.128/26"
}
},
"Resources": {
"DbSubnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Ref": "VpcAzs"
}
]
},
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Fn::Select": [
0,
{ "Ref": "DbSubnetIpBlocks" }
]
}
}
},
"DbSubnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Sub": [
"${AWS::Region}${AZ}",
{
"AZ": {
"Fn::Select": [
1,
{ "Ref": "VpcAzs" }
]
}
}
]
},
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Fn::Select": [
1,
{ "Ref": "DbSubnetIpBlocks" }
]
}
}
},
"DbSubnet3": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {
"Fn::Sub": [
"${AWS::Region}${AZ}",
{
"AZ": {
"Fn::Select": [
2,
{ "Ref": "VpcAzs" }
]
}
}
]
},
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": {
"Fn::Select": [
2,
{ "Ref": "DbSubnetIpBlocks" }
]
}
}
}
}
}
```
#### YAML
```
Parameters:
VPC:
Type: String
Default: vpc-123456
VpcAzs:
Type: CommaDelimitedList
Default: us-west-2a, us-west-2b, us-west-2c
DbSubnetIpBlocks:
Type: CommaDelimitedList
Default: 172.16.0.0/26, 172.16.0.64/26, 172.16.0.128/26
Resources:
DbSubnet1:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: !Select
- 0
- !Ref VpcAzs
VpcId: !Ref VPC
CidrBlock: !Select
- 0
- !Ref DbSubnetIpBlocks
DbSubnet2:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: !Sub
- ${AWS::Region}${AZ}
- AZ: !Select
- 1
- !Ref VpcAzs
VpcId: !Ref VPC
CidrBlock: !Select
- 1
- !Ref DbSubnetIpBlocks
DbSubnet3:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: !Sub
- ${AWS::Region}${AZ}
- AZ: !Select
- 2
- !Ref VpcAzs
VpcId: !Ref VPC
CidrBlock: !Select
- 2
- !Ref DbSubnetIpBlocks
```
## Related resources
CloudFormation also supports the use of dynamic references to specify property values dynamically. For example, you might need to reference secure strings stored in Systems Manager Parameter Store. For more information, see [Get values stored in other services using dynamic references](dynamic-references.md).
You can also use pseudo parameters within a `Ref` or a `Sub` function to dynamically populate values. For more information, see [Get AWS values using pseudo parameters](pseudo-parameter-reference.md).
# CloudFormation template Outputs syntax
The optional `Outputs` section declares output values for the stack. These output values can be used in various ways:
+ **Capture important details about your resources** – An output is a convenient way to capture important information about your resources. For example, you can output the S3 bucket name for a stack to make the bucket easier to find. You can view output values in the **Outputs** tab of the CloudFormation console or by using the [describe-stacks](service_code_examples.md#describe-stacks-sdk) CLI command.
+ **Cross-stack references** – You can import output values into other stacks to [create references between stacks](using-cfn-stack-exports.md). This is helpful when you need to share resources or configurations across multiple stacks.
**Important**
CloudFormation doesn't redact or obfuscate any information you include in the `Outputs` section. We strongly recommend you don't use this section to output sensitive information, such as passwords or secrets.
Output values are available after the stack operation is complete. Stack output values aren't available when a stack status is in any of the `IN_PROGRESS` [statuses](view-stack-events.md#cfn-console-view-stack-data-resources-status-codes). We don't recommend establishing dependencies between a service runtime and the stack output value because output values might not be available at all times.
## Syntax
The `Outputs` section consists of the key name `Outputs`. You can declare a maximum of 200 outputs in a template.
The following example demonstrates the structure of the `Outputs` section.
### JSON
Use braces to enclose all output declarations. Delimit multiple outputs with commas.
```
"Outputs" : {
"OutputLogicalID" : {
"Description" : "Information about the value",
"Value" : "Value to return",
"Export" : {
"Name" : "Name of resource to export"
}
}
}
```
### YAML
```
Outputs:
OutputLogicalID:
Description: Information about the value
Value: Value to return
Export:
Name: Name of resource to export
```
### Output fields
The `Outputs` section can include the following fields.
**Logical ID (also called *logical name*)**
An identifier for the current output. The logical ID must be alphanumeric (`a–z`, `A–Z`, `0–9`) and unique within the template.
**`Description` (optional)**
A `String` type that describes the output value. The value for the description declaration must be a literal string that's between 0 and 1024 bytes in length. You can't use a parameter or function to specify the description.
**`Value` (required)**
The value of the property returned by the [describe-stacks](service_code_examples.md#describe-stacks-sdk) command. The value of an output can include literals, parameter references, pseudo parameters, a mapping value, or intrinsic functions.
**`Export` (optional)**
The name of the resource output to be exported for a cross-stack reference.
You can use intrinsic functions to customize the `Name` value of an export.
For more information, see [Get exported outputs from a deployed CloudFormation stack](using-cfn-stack-exports.md).
To associate a condition with an output, define the condition in the [Conditions](conditions-section-structure.md) section of the template.
## Examples
The following examples illustrate how stack output works.
**Topics**
+ [
### Stack output
](#outputs-section-structure-examples-stack-output)
+ [
### Customize export name using `Fn::Sub`
](#outputs-section-structure-examples-cross-stack)
+ [
### Customize export name using `Fn::Join`
](#outputs-section-structure-examples-join-export-name)
+ [
### Return a URL constructed using `Fn::Join`
](#outputs-section-structure-examples-join-export-url)
### Stack output
In the following example, the output named `BackupLoadBalancerDNSName` returns the DNS name for the resource with the logical ID `BackupLoadBalancer` only when the `CreateProdResources` condition is true. The output named `InstanceID` returns the ID of the EC2 instance with the logical ID `EC2Instance`.
#### JSON
```
"Outputs" : {
"BackupLoadBalancerDNSName" : {
"Description": "The DNSName of the backup load balancer",
"Value" : { "Fn::GetAtt" : [ "BackupLoadBalancer", "DNSName" ]},
"Condition" : "CreateProdResources"
},
"InstanceID" : {
"Description": "The Instance ID",
"Value" : { "Ref" : "EC2Instance" }
}
}
```
#### YAML
```
Outputs:
BackupLoadBalancerDNSName:
Description: The DNSName of the backup load balancer
Value: !GetAtt BackupLoadBalancer.DNSName
Condition: CreateProdResources
InstanceID:
Description: The Instance ID
Value: !Ref EC2Instance
```
### Customize export name using `Fn::Sub`
In the following examples, the output named `StackVPC` returns the ID of a VPC, and then exports the value for cross-stack referencing with the name `VPCID` appended to the stack's name.
#### JSON
```
"Outputs" : {
"StackVPC" : {
"Description" : "The ID of the VPC",
"Value" : { "Ref" : "MyVPC" },
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-VPCID" }
}
}
}
```
#### YAML
```
Outputs:
StackVPC:
Description: The ID of the VPC
Value: !Ref MyVPC
Export:
Name: !Sub "${AWS::StackName}-VPCID"
```
For more information about the `Fn::Sub` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-sub.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-sub.html).
### Customize export name using `Fn::Join`
You can also use the `Fn::Join` function to construct values based on parameters, resource attributes, and other strings.
The following examples use the `Fn::Join` function to customize the export name instead of the `Fn::Sub` function. The example `Fn::Join` function concatenates the stack name with the name `VPCID` using a colon as a separator.
#### JSON
```
"Outputs" : {
"StackVPC" : {
"Description" : "The ID of the VPC",
"Value" : { "Ref" : "MyVPC" },
"Export" : {
"Name" : { "Fn::Join" : [ ":", [ { "Ref" : "AWS::StackName" }, "VPCID" ] ] }
}
}
}
```
#### YAML
```
Outputs:
StackVPC:
Description: The ID of the VPC
Value: !Ref MyVPC
Export:
Name: !Join [ ":", [ !Ref "AWS::StackName", VPCID ] ]
```
For more information about the `Fn::Join` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-join.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-join.html).
### Return a URL constructed using `Fn::Join`
In the following example for a template that creates a WordPress site, `InstallURL` is the string returned by a `Fn::Join` function call that concatenates `http://`, the DNS name of the resource `ElasticLoadBalancer`, and `/wp-admin/install.php`. The output value would be similar to the following:
```
http://mywptests-elasticl-1gb51l6sl8y5v-206169572.aws-region.elb.amazonaws.com/wp-admin/install.php
```
#### JSON
```
{
"Outputs": {
"InstallURL": {
"Value": {
"Fn::Join": [
"",
[
"http://",
{
"Fn::GetAtt": [
"ElasticLoadBalancer",
"DNSName"
]
},
"/wp-admin/install.php"
]
]
},
"Description": "Installation URL of the WordPress website"
}
}
}
```
#### YAML
```
Outputs:
InstallURL:
Value: !Join
- ''
- - 'http://'
- !GetAtt
- ElasticLoadBalancer
- DNSName
- /wp-admin/install.php
Description: Installation URL of the WordPress website
```
For more information about the `Fn::Join` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-join.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-join.html).
# CloudFormation template Mappings syntax
The optional `Mappings` section helps you create key-value pairs that can be used to specify values based on certain conditions or dependencies.
One common use case for the `Mappings` section is to set values based on the AWS Region where the stack is deployed. This can be achieved by using the `AWS::Region` pseudo parameter. The `AWS::Region` pseudo parameter is a value that CloudFormation resolves to the region where the stack is created. Pseudo parameters are resolved by CloudFormation when you create the stack.
To retrieve values in a map, you can use the `Fn::FindInMap` intrinsic function within the `Resources` section of your template.
## Syntax
The `Mappings` section uses the following syntax:
### JSON
```
"Mappings" : {
"MappingLogicalName" : {
"Key1" : {
"Name" : "Value1"
},
"Key2" : {
"Name" : "Value2"
},
"Key3" : {
"Name" : "Value3"
}
}
}
```
### YAML
```
Mappings:
MappingLogicalName:
Key1:
Name: Value1
Key2:
Name: Value2
Key3:
Name: Value3
```
+ `MappingLogicalName` is the logical name for the mapping.
+ Within the mapping, each map is a key followed by another mapping.
+ The key must be a map of name-value pairs and unique within the mapping.
+ The name-value pair is a label, and the value to map. By naming the values, you can map more than one set of values to a key.
+ The keys in mappings must be literal strings.
+ The values can be of type `String` or `List`.
**Note**
You can't include parameters, pseudo parameters, or intrinsic functions in the `Mappings` section.
If the values in a mapping aren't currently used by your stack, you cannot update the mapping alone. You must include changes that add, modify, or delete resources.
## Examples
**Topics**
+ [
### Basic mapping
](#mappings-section-structure-basic-example)
+ [
### Mapping with multiple values
](#mappings-section-structure-multiple-values-example)
+ [
### Return a value from a mapping
](#mappings-section-structure-return-value-example)
+ [
### Input parameter and `Fn::FindInMap`
](#mappings-section-structure-input-parameter-example)
### Basic mapping
The following example shows a `Mappings` section with a map `RegionToInstanceType`, which contains five keys that map to name-value pairs containing single string values. The keys are region names. Each name-value pair is an instance type from the T family that's available in the region represented by the key. The name-value pairs have a name (`InstanceType` in the example) and a value.
#### JSON
```
"Mappings" : {
"RegionToInstanceType" : {
"us-east-1" : { "InstanceType" : "t2.micro" },
"us-west-1" : { "InstanceType" : "t2.micro" },
"eu-west-1" : { "InstanceType" : "t2.micro" },
"eu-north-1" : { "InstanceType" : "t3.micro" },
"me-south-1" : { "InstanceType" : "t3.micro" }
}
}
```
#### YAML
```
Mappings:
RegionToInstanceType:
us-east-1:
InstanceType: t2.micro
us-west-1:
InstanceType: t2.micro
eu-west-1:
InstanceType: t2.micro
eu-north-1:
InstanceType: t3.micro
me-south-1:
InstanceType: t3.micro
```
### Mapping with multiple values
The following example has region keys that are mapped to two sets of values: one named `MyAMI1` and the other `MyAMI2`.
**Note**
The AMI IDs shown in these examples are placeholders for demonstration purposes. Whenever possible, consider using dynamic references to AWS Systems Manager parameters as an alternative to the `Mappings` section. To avoid updating all your templates with a new ID each time the AMI that you want to use changes, use a AWS Systems Manager parameter to retrieve the latest AMI ID when the stack is created or updated. The latest versions of commonly used AMIs are also available as public parameters in Systems Manager. For more information, see [Get values stored in other services using dynamic references](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html).
#### JSON
```
"Mappings" : {
"RegionToAMI" : {
"us-east-1" : { "MyAMI1" : "ami-12345678901234567", "MyAMI2" : "ami-23456789012345678" },
"us-west-1" : { "MyAMI1" : "ami-34567890123456789", "MyAMI2" : "ami-45678901234567890" },
"eu-west-1" : { "MyAMI1" : "ami-56789012345678901", "MyAMI2" : "ami-67890123456789012" },
"ap-southeast-1" : { "MyAMI1" : "ami-78901234567890123", "MyAMI2" : "ami-89012345678901234" },
"ap-northeast-1" : { "MyAMI1" : "ami-90123456789012345", "MyAMI2" : "ami-01234567890123456" }
}
}
```
#### YAML
```
Mappings:
RegionToAMI:
us-east-1:
MyAMI1: ami-12345678901234567
MyAMI2: ami-23456789012345678
us-west-1:
MyAMI1: ami-34567890123456789
MyAMI2: ami-45678901234567890
eu-west-1:
MyAMI1: ami-56789012345678901
MyAMI2: ami-67890123456789012
ap-southeast-1:
MyAMI1: ami-78901234567890123
MyAMI2: ami-89012345678901234
ap-northeast-1:
MyAMI1: ami-90123456789012345
MyAMI2: ami-01234567890123456
```
### Return a value from a mapping
You can use the `Fn::FindInMap` function to return a named value based on a specified key. The following example template contains an Amazon EC2 resource whose `InstanceType` property is assigned by the `FindInMap` function. The `FindInMap` function specifies key as the AWS Region where the stack is created (using the `AWS::Region` pseudo parameter) and `InstanceType` as the name of the value to map to. The `ImageId` uses a Systems Manager parameter to dynamically retrieve the latest Amazon Linux 2 AMI. For more information about pseudo parameters, see [Get AWS values using pseudo parameters](pseudo-parameter-reference.md).
#### JSON
```
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Mappings" : {
"RegionToInstanceType" : {
"us-east-1" : { "InstanceType" : "t2.micro" },
"us-west-1" : { "InstanceType" : "t2.micro" },
"eu-west-1" : { "InstanceType" : "t2.micro" },
"eu-north-1" : { "InstanceType" : "t3.micro" },
"me-south-1" : { "InstanceType" : "t3.micro" }
}
},
"Resources" : {
"myEC2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"InstanceType" : { "Fn::FindInMap" : [ "RegionToInstanceType", { "Ref" : "AWS::Region" }, "InstanceType" ]}
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Mappings:
RegionToInstanceType:
us-east-1:
InstanceType: t2.micro
us-west-1:
InstanceType: t2.micro
eu-west-1:
InstanceType: t2.micro
eu-north-1:
InstanceType: t3.micro
me-south-1:
InstanceType: t3.micro
Resources:
myEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
InstanceType: !FindInMap [RegionToInstanceType, !Ref 'AWS::Region', InstanceType]
```
### Input parameter and `Fn::FindInMap`
The following example template shows how to create an EC2 instance using multiple mappings. The template uses nested mappings to automatically select the appropriate instance type and security group based on the target AWS Region and environment type (`Dev` or `Prod`). It also uses a Systems Manager parameter to dynamically retrieve the latest Amazon Linux 2 AMI.
#### JSON
```
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Parameters" : {
"EnvironmentType" : {
"Description" : "The environment type (Dev or Prod)",
"Type" : "String",
"Default" : "Dev",
"AllowedValues" : [ "Dev", "Prod" ]
}
},
"Mappings" : {
"RegionAndEnvironmentToInstanceType" : {
"us-east-1" : { "Dev" : "t3.micro", "Prod" : "c5.large" },
"us-west-1" : { "Dev" : "t2.micro", "Prod" : "m5.large" }
},
"RegionAndEnvironmentToSecurityGroup" : {
"us-east-1" : { "Dev" : "sg-12345678", "Prod" : "sg-abcdef01" },
"us-west-1" : { "Dev" : "sg-ghijkl23", "Prod" : "sg-45678abc" }
}
},
"Resources" : {
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"InstanceType" : { "Fn::FindInMap": [ "RegionAndEnvironmentToInstanceType", { "Ref": "AWS::Region" }, { "Ref": "EnvironmentType" } ]},
"SecurityGroupIds" : [{ "Fn::FindInMap" : [ "RegionAndEnvironmentToSecurityGroup", { "Ref" : "AWS::Region" }, { "Ref" : "EnvironmentType" } ]}]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
EnvironmentType:
Description: The environment type (Dev or Prod)
Type: String
Default: Dev
AllowedValues:
- Dev
- Prod
Mappings:
RegionAndEnvironmentToInstanceType:
us-east-1:
Dev: t3.micro
Prod: c5.large
us-west-1:
Dev: t2.micro
Prod: m5.large
RegionAndEnvironmentToSecurityGroup:
us-east-1:
Dev: sg-12345678
Prod: sg-abcdef01
us-west-1:
Dev: sg-ghijkl23
Prod: sg-45678abc
Resources:
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
InstanceType: !FindInMap [RegionAndEnvironmentToInstanceType, !Ref 'AWS::Region', !Ref EnvironmentType]
SecurityGroupIds:
- !FindInMap [RegionAndEnvironmentToSecurityGroup, !Ref 'AWS::Region', !Ref EnvironmentType]
```
## Related resources
These related topics can be helpful as you develop templates that use the `Fn::FindInMap` function.
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-findinmap.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-findinmap.html)
+ [Fn::FindInMap enhancements](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-findinmap-enhancements.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-sub.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-sub.html)
# CloudFormation template Metadata syntax
`Metadata` stores additional information using JSON or YAML objects. The types of template-level metadata you can use in your template include:
Custom metadata
Stores user-defined key-value pairs. For example, you can provide additional information that doesn't impact resource creation but offers additional context about the infrastructure, team, or deployment specifics.
`AWS::CloudFormation::Interface`
Defines the grouping and ordering of input parameters when they're displayed in the CloudFormation console. By default, the CloudFormation console alphabetically sorts parameters by their logical ID.
`AWS::CloudFormation::Designer`
CloudFormation Designer (Designer) reached end of life on February 5, 2025.
**Important**
During a stack update, you cannot update the `Metadata` section by itself. You can update it only when you include changes that add, modify, or delete resources.
CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. Because of this, we strongly recommend you do not use this section to store sensitive information, such as passwords or secrets.
## Syntax
To declare custom metadata in your CloudFormation template, use the following syntax:
### JSON
```
"Metadata" : {
"Instances" : {"Description" : "Information about the instances"},
"Databases" : {"Description" : "Information about the databases"}
}
```
### YAML
```
Metadata:
Instances:
Description: "Information about the instances"
Databases:
Description: "Information about the databases"
```
For the syntax for the `AWS::CloudFormation::Interface`, see [Organizing CloudFormation parameters with `AWS::CloudFormation::Interface` metadata](aws-cloudformation-interface.md).
# Organizing CloudFormation parameters with `AWS::CloudFormation::Interface` metadata
`AWS::CloudFormation::Interface` is a metadata key that defines how parameters are grouped and sorted in the CloudFormation console. By default, the console lists input parameters in alphabetical order by their logical IDs when you create or update stacks in the console. By using this key, you can define your own parameter grouping and ordering so that users can efficiently specify parameter values. For example, you could group all EC2-related parameters in one group and all VPC-related parameters in another group.
In the metadata key, you can specify the groups to create, the parameters to include in each group, and the order in which the console shows each parameter within its group.
You can also define labels for parameters. A label is a friendly name or description that the console displays instead of a parameter's logical ID. Labels are useful for helping users understand the values to specify for each parameter. For example, you could label a `KeyPair` parameter `Select an EC2 key pair`.
All parameters that you reference in the metadata key must be declared in the `Parameters` section of the template.
**Note**
Only the CloudFormation console uses the `AWS::CloudFormation::Interface` metadata key. AWS CLI and API calls don't use this key.
## Syntax
To declare this entity in your CloudFormation template, use the following syntax:
### JSON
```
"Metadata" : {
"AWS::CloudFormation::Interface" : {
"ParameterGroups": [
{
"Label": {
"default": "Group Label"
},
"Parameters": [
"Parameter1",
"Parameter2"
]
}
],
"ParameterLabels": {
"Parameter1": {
"default": "Friendly Name for Parameter1"
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: Group Label
Parameters:
- Parameter1
- Parameter2
ParameterLabels:
Parameter1:
default: Friendly Name for Parameter1
```
## Properties
`ParameterGroups`
A list of parameter group types, where you specify group names, the parameters in each group, and the order in which the parameters are shown.
*Required*: No
`Label`
A name for the parameter group.
*Required*: No
`default`
The default label that the CloudFormation console uses to name a parameter group.
*Required*: No
*Type*: String
`Parameters`
A list of case-sensitive parameter logical IDs to include in the group. Parameters must already be defined in the `Parameters` section of the template. A parameter can be included in only one parameter group.
The console lists the parameters that you don't associate with a parameter group in alphabetical order in the `Other parameters` group.
*Required*: No
*Type*: List of String values
`ParameterLabels`
A mapping of parameters and their friendly names that the CloudFormation console shows when a stack is created or updated.
*Required*: No
Parameter label
A label for a parameter. The label defines a friendly name or description that the CloudFormation console shows on the **Specify Parameters** page when a stack is created or updated. The parameter label must be the case-sensitive logical ID of a valid parameter that has been declared in the `Parameters` section of the template.
*Required*: No
`default`
The default label that the CloudFormation console uses to name a parameter.
*Required*: No
*Type*: String
## Example
The following example defines two parameter groups: `Network Configuration` and `Amazon EC2 Configuration`. The `Network Configuration` group includes the `VPCID`, `SubnetId`, and `SecurityGroupID` parameters, which are defined in the `Parameters` section of the template (not shown). The order in which the console shows these parameters is defined by the order in which the parameters are listed, starting with the `VPCID` parameter. The example similarly groups and orders the `Amazon EC2 Configuration` parameters.
The example also defines a label for the `VPCID` parameter. The console will show **Which VPC should this be deployed to?** instead of the parameter's logical ID (`VPCID`).
### JSON
```
"Metadata" : {
"AWS::CloudFormation::Interface" : {
"ParameterGroups" : [
{
"Label" : { "default" : "Network Configuration" },
"Parameters" : [ "VPCID", "SubnetId", "SecurityGroupID" ]
},
{
"Label" : { "default":"Amazon EC2 Configuration" },
"Parameters" : [ "InstanceType", "KeyName" ]
}
],
"ParameterLabels" : {
"VPCID" : { "default" : "Which VPC should this be deployed to?" }
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: "Network Configuration"
Parameters:
- VPCID
- SubnetId
- SecurityGroupID
- Label:
default: "Amazon EC2 Configuration"
Parameters:
- InstanceType
- KeyName
ParameterLabels:
VPCID:
default: "Which VPC should this be deployed to?"
```
### Parameter groups in the console
Using the metadata key from this example, the following figure shows how the console displays parameter groups when a stack is created or updated: **Parameter groups in the console**
![\[Console showing parameter groups for this example.\]](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/console-create-stack-parameter-groups.png)
# CloudFormation template Rules syntax
The `Rules` section is an optional part of a CloudFormation template that enables custom validation logic. When included, this section contains rule functions that validate parameter values before CloudFormation creates or updates any resources.
Rules are useful when standard parameter constraints are insufficient. For example, when SSL is enabled, both a certificate and domain name must be provided. A rule can ensure that these dependencies are met.
## Syntax
The `Rules` section uses the following syntax:
### JSON
The `Rules` section of a template consists of the key name `Rules`, followed by a single colon. You must use braces to enclose all rule declarations. If you declare multiple rules, they're delimited by commas. For each rule, you declare a logical name in quotation marks followed by a colon and braces that enclose the rule condition and assertions.
```
{
"Rules": {
"LogicalRuleName1": {
"RuleCondition": {
"rule-specific intrinsic function": "Value"
},
"Assertions": [
{
"Assert": {
"rule-specific intrinsic function": "Value"
},
"AssertDescription": "Information about this assert"
},
{
"Assert": {
"rule-specific intrinsic function": "Value"
},
"AssertDescription": "Information about this assert"
}
]
},
"LogicalRuleName2": {
"Assertions": [
{
"Assert": {
"rule-specific intrinsic function": "Value"
},
"AssertDescription": "Information about this assert"
}
]
}
}
}
```
### YAML
```
Rules:
LogicalRuleName1:
RuleCondition:
rule-specific intrinsic function: Value
Assertions:
- Assert:
rule-specific intrinsic function: Value
AssertDescription: Information about this assert
- Assert:
rule-specific intrinsic function: Value
AssertDescription: Information about this assert
LogicalRuleName2:
Assertions:
- Assert:
rule-specific intrinsic function: Value
AssertDescription: Information about this assert
```
### Rules fields
The `Rules` section can include the following fields.
**Logical ID (also called *logical name*)**
A unique identifier for each rule.
**`RuleCondition` (optional)**
A property that determines when a rule takes effect. If you don't define a rule condition, the rule's assertions always take effect. For each rule, you can define only one rule condition.
**`Assertions` (required)**
One or more statements that specify the acceptable values for a particular parameter.
**`Assert`**
A condition that must evaluate to `true`.
**`AssertDescription`**
A message displayed when an assertion fails.
## Rule-specific intrinsic functions
To define your rules, you must use *rule-specific functions*, which are functions that can only be used in the `Rules` section of a template. While these functions can be nested, the final result of a rule condition or assertion must be either `true` or `false`.
The following rule functions are available:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-and](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-and)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-contains](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-contains)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberequals](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberequals)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-eachmemberin)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-equals](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-equals)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-or](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-or)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-refall](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-refall)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueof](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueof)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueofall](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-rules.html#fn-valueofall)
These functions are used in the condition or assertions of a rule. The condition property determines if CloudFormation applies the assertions. If the condition evaluates to `true`, CloudFormation evaluates the assertions to verify whether a parameter value is valid when a provisioned product is created or updated. If a parameter value is invalid, CloudFormation does not create or update the stack. If the condition evaluates to `false`, CloudFormation doesn't check the parameter value and proceeds with the stack operation.
## Examples
**Topics**
+ [
### Conditionally verify a parameter value
](#template-constraint-rules-example-verify)
+ [
### Cross-parameter validation
](#template-cross-parameter-rules-example)
### Conditionally verify a parameter value
In the following example, the two rules check the value of the `InstanceType` parameter. Depending on the value of the environment parameter (`test` or `prod`), the user must specify `t3.medium` or `t3.large` for the `InstanceType` parameter. The `InstanceType` and `Environment` parameters must be declared in the `Parameters` section of the same template.
#### JSON
```
{
"Rules": {
"testInstanceType": {
"RuleCondition": {
"Fn::Equals": [
{"Ref": "Environment"},
"test"
]
},
"Assertions": [
{
"Assert": {
"Fn::Contains": [
["t3.medium"],
{"Ref": "InstanceType"}
]
},
"AssertDescription": "For a test environment, the instance type must be t3.medium"
}
]
},
"prodInstanceType": {
"RuleCondition": {
"Fn::Equals": [
{"Ref": "Environment"},
"prod"
]
},
"Assertions": [
{
"Assert": {
"Fn::Contains": [
["t3.large"],
{"Ref": "InstanceType"}
]
},
"AssertDescription": "For a production environment, the instance type must be t3.large"
}
]
}
}
}
```
#### YAML
```
Rules:
testInstanceType:
RuleCondition: !Equals
- !Ref Environment
- test
Assertions:
- Assert:
'Fn::Contains':
- - t3.medium
- !Ref InstanceType
AssertDescription: 'For a test environment, the instance type must be t3.medium'
prodInstanceType:
RuleCondition: !Equals
- !Ref Environment
- prod
Assertions:
- Assert:
'Fn::Contains':
- - t3.large
- !Ref InstanceType
AssertDescription: 'For a production environment, the instance type must be t3.large'
```
### Cross-parameter validation
The following sample templates demonstrate the use of rules for cross-parameter validations. They create a sample website running on an Auto Scaling group behind a load balancer. The website is available on port 80 or 443 depending on input parameters. The instances in the Auto Scaling group can be configured to listen on any port (with 8888 as the default).
The rules in this template validate input parameters before stack creation. They verify that all subnets belong to the specified VPC and ensure that when the `UseSSL` parameter is set to `Yes`, both an SSL certificate ARN and hosted zone name are provided.
**Note**
You will be billed for the AWS resources used if you create a stack from this template.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"VpcId": {
"Type": "AWS::EC2::VPC::Id",
"Description": "VpcId of your existing Virtual Private Cloud (VPC)",
"ConstraintDescription": "must be the VPC Id of an existing Virtual Private Cloud."
},
"Subnets": {
"Type": "List",
"Description": "The list of SubnetIds in your Virtual Private Cloud (VPC)",
"ConstraintDescription": "must be a list of at least two existing subnets associated with at least two different availability zones."
},
"InstanceType": {
"Description": "WebServer EC2 instance type",
"Type": "String",
"Default": "t2.micro",
"AllowedValues": ["t2.micro", "t3.micro"],
"ConstraintDescription": "must be a valid EC2 instance type."
},
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"UseSSL": {
"AllowedValues": ["Yes", "No"],
"Default": "No",
"Description": "Select \"Yes\" to implement SSL, \"No\" to skip (default).",
"Type": "String"
},
"ALBSSLCertificateARN": {
"Default": "",
"Description": "[Optional] The ARN of the SSL certificate to be used for the Application Load Balancer",
"Type": "String"
},
"HostedZoneName": {
"AllowedPattern": "^$|(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$",
"Default": "",
"Description": "[Optional] The domain name of a valid Hosted Zone on AWS.",
"Type": "String"
}
},
"Conditions": {
"UseALBSSL": {"Fn::Equals": [{"Ref": "UseSSL"}, "Yes"]}
},
"Rules": {
"SubnetsInVPC": {
"Assertions": [
{
"Assert": {"Fn::EachMemberEquals": [{"Fn::ValueOf": ["Subnets", "VpcId"]}, {"Ref": "VpcId"}]},
"AssertDescription": "All subnets must be in the VPC"
}
]
},
"ValidateHostedZone": {
"RuleCondition": {"Fn::Equals": [{"Ref": "UseSSL"}, "Yes"]},
"Assertions": [
{
"Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": "ALBSSLCertificateARN"}, ""]}]},
"AssertDescription": "ACM Certificate value cannot be empty if SSL is required"
},
{
"Assert": {"Fn::Not": [{"Fn::Equals": [{"Ref": "HostedZoneName"}, ""]}]},
"AssertDescription": "Route53 Hosted Zone Name is mandatory when SSL is required"
}
]
}
},
"Resources": {
"WebServerGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"VPCZoneIdentifier": {"Ref": "Subnets"},
"LaunchTemplate": {
"LaunchTemplateId": {"Ref": "LaunchTemplate"},
"Version": {"Fn::GetAtt": ["LaunchTemplate","LatestVersionNumber"]}
},
"MinSize": "2",
"MaxSize": "2",
"TargetGroupARNs": [{"Ref": "ALBTargetGroup"}]
},
"CreationPolicy": {
"ResourceSignal": {"Timeout": "PT15M"}
},
"UpdatePolicy": {
"AutoScalingRollingUpdate": {
"MinInstancesInService": "1",
"MaxBatchSize": "1",
"PauseTime": "PT15M",
"WaitOnResourceSignals": true
}
}
},
"LaunchTemplate": {
"Type": "AWS::EC2::LaunchTemplate",
"Metadata": {
"Comment": "Install a simple application",
"AWS::CloudFormation::Init": {
"config": {
"packages": {"yum": {"httpd": []}},
"files": {
"/var/www/html/index.html": {
"content": {"Fn::Join": ["\n", ["Congratulations, you have successfully launched the AWS CloudFormation sample.
"]]},
"mode": "000644",
"owner": "root",
"group": "root"
},
"/etc/cfn/cfn-hup.conf": {
"content": {"Fn::Join": ["", [
"[main]\n",
"stack=", {"Ref": "AWS::StackId"}, "\n",
"region=", {"Ref": "AWS::Region"}, "\n"
]]},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {"Fn::Join": ["", [
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.LaunchTemplate.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
" --stack ", {"Ref": "AWS::StackName"},
" --resource LaunchTemplate ",
" --region ", {"Ref": "AWS::Region"}, "\n",
"runas=root\n"
]]},
"mode": "000400",
"owner": "root",
"group": "root"
}
},
"services": {
"sysvinit": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"/etc/cfn/cfn-hup.conf",
"/etc/cfn/hooks.d/cfn-auto-reloader.conf"
]
}
}
}
}
}
},
"Properties": {
"LaunchTemplateName": {"Fn::Sub": "${AWS::StackName}-launch-template"},
"LaunchTemplateData": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": [{"Ref": "InstanceSecurityGroup"}],
"InstanceType": {"Ref": "InstanceType"},
"KeyName": {"Ref": "KeyName"},
"UserData": {
"Fn::Base64": {"Fn::Join": ["", [
"#!/bin/bash\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", {"Ref": "AWS::StackName"},
" --resource LaunchTemplate ",
" --region ", {"Ref": "AWS::Region"}, "\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", {"Ref": "AWS::StackName"},
" --resource WebServerGroup ",
" --region ", {"Ref": "AWS::Region"}, "\n"
]]}
}
}
}
},
"ELBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow access to the ELB",
"VpcId": {"Ref": "VpcId"},
"SecurityGroupIngress": [{
"Fn::If": [
"UseALBSSL",
{
"IpProtocol": "tcp",
"FromPort": 443,
"ToPort": 443,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}]
}
},
"ApplicationLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Subnets": {"Ref": "Subnets"},
"SecurityGroups": [{"Ref": "ELBSecurityGroup"}]
}
},
"ALBListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [{
"Type": "forward",
"TargetGroupArn": {"Ref": "ALBTargetGroup"}
}],
"LoadBalancerArn": {"Ref": "ApplicationLoadBalancer"},
"Port": {"Fn::If": ["UseALBSSL", 443, 80]},
"Protocol": {"Fn::If": ["UseALBSSL", "HTTPS", "HTTP"]},
"Certificates": [{
"Fn::If": [
"UseALBSSL",
{"CertificateArn": {"Ref": "ALBSSLCertificateARN"}},
{"Ref": "AWS::NoValue"}
]
}]
}
},
"ALBTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"HealthCheckIntervalSeconds": 30,
"HealthCheckTimeoutSeconds": 5,
"HealthyThresholdCount": 3,
"Port": 80,
"Protocol": "HTTP",
"UnhealthyThresholdCount": 5,
"VpcId": {"Ref": "VpcId"}
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable SSH access and HTTP access on the inbound port",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"SourceSecurityGroupId": {"Fn::Select": [0, {"Fn::GetAtt": ["ApplicationLoadBalancer", "SecurityGroups"]}]}
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": {"Ref": "SSHLocation"}
}
],
"VpcId": {"Ref": "VpcId"}
}
},
"RecordSet": {
"Type": "AWS::Route53::RecordSetGroup",
"Condition": "UseALBSSL",
"Properties": {
"HostedZoneName": {"Fn::Join": ["", [{"Ref": "HostedZoneName"}, "."]]},
"RecordSets": [{
"Name": {"Fn::Join": ["", [
{"Fn::Select": ["0", {"Fn::Split": [".", {"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]}]}]},
".",
{"Ref": "HostedZoneName"},
"."
]]},
"Type": "A",
"AliasTarget": {
"DNSName": {"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]},
"EvaluateTargetHealth": true,
"HostedZoneId": {"Fn::GetAtt": ["ApplicationLoadBalancer", "CanonicalHostedZoneID"]}
}
}]
}
}
},
"Outputs": {
"URL": {
"Description": "URL of the website",
"Value": {"Fn::Join": ["", [
{"Fn::If": [
"UseALBSSL",
{"Fn::Join": ["", [
"https://",
{"Fn::Join": ["", [
{"Fn::Select": ["0", {"Fn::Split": [".", {"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]}]}]},
".",
{"Ref": "HostedZoneName"},
"."
]]}
]]},
{"Fn::Join": ["", [
"http://",
{"Fn::GetAtt": ["ApplicationLoadBalancer", "DNSName"]}
]]}
]}
]]}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
VpcId:
Type: AWS::EC2::VPC::Id
Description: VpcId of your existing Virtual Private Cloud (VPC)
ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.
Subnets:
Type: List
Description: The list of SubnetIds in your Virtual Private Cloud (VPC)
ConstraintDescription: >-
must be a list of at least two existing subnets associated with at least
two different availability zones. They should be residing in the selected
Virtual Private Cloud.
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- t3.micro
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
UseSSL:
AllowedValues:
- 'Yes'
- 'No'
ConstraintDescription: Select Yes to create a HTTPS Listener
Default: 'No'
Description: 'Select "Yes" to implement SSL, "No" to skip (default).'
Type: String
ALBSSLCertificateARN:
Default: ''
Description: >-
[Optional] The ARN of the SSL certificate to be used for the Application
Load Balancer
Type: String
HostedZoneName:
AllowedPattern: >-
^$|(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$
Default: ''
Description: '[Optional] The domain name of a valid Hosted Zone on AWS.'
Type: String
Conditions:
UseALBSSL: !Equals
- !Ref UseSSL
- 'Yes'
Rules:
SubnetsInVPC:
Assertions:
- Assert:
'Fn::EachMemberEquals':
- 'Fn::ValueOf':
- Subnets
- VpcId
- Ref: VpcId
AssertDescription: All subnets must be in the VPC
ValidateHostedZone:
RuleCondition: !Equals
- !Ref UseSSL
- 'Yes'
Assertions:
- Assert: !Not
- !Equals
- !Ref ALBSSLCertificateARN
- ''
AssertDescription: ACM Certificate value cannot be empty if SSL is required
- Assert: !Not
- !Equals
- !Ref HostedZoneName
- ''
AssertDescription: Route53 Hosted Zone Name is mandatory when SSL is required
Resources:
WebServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
VPCZoneIdentifier: !Ref Subnets
LaunchTemplate:
LaunchTemplateId: !Ref LaunchTemplate
Version: !GetAtt LaunchTemplate.LatestVersionNumber
MinSize: '2'
MaxSize: '2'
TargetGroupARNs:
- !Ref ALBTargetGroup
CreationPolicy:
ResourceSignal:
Timeout: PT15M
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: '1'
MaxBatchSize: '1'
PauseTime: PT15M
WaitOnResourceSignals: 'true'
LaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Metadata:
Comment: Install a simple application
AWS::CloudFormation::Init:
config:
packages:
yum:
httpd: []
files:
/var/www/html/index.html:
content: !Join
- |+
- - >-
Congratulations, you have successfully launched the AWS
CloudFormation sample.
mode: '000644'
owner: root
group: root
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |-
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.LaunchTemplate.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchTemplate --region ${AWS::Region}
runas=root
mode: '000400'
owner: root
group: root
services:
sysvinit:
httpd:
enabled: 'true'
ensureRunning: 'true'
cfn-hup:
enabled: 'true'
ensureRunning: 'true'
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
Properties:
LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
LaunchTemplateData:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds:
- !Ref InstanceSecurityGroup
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
UserData: !Base64
Fn::Sub: |
#!/bin/bash
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchTemplate --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}
ELBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow access to the ELB
VpcId: !Ref VpcId
SecurityGroupIngress:
- !If
- UseALBSSL
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Subnets: !Ref Subnets
SecurityGroups:
- !Ref ELBSecurityGroup
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref ALBTargetGroup
LoadBalancerArn: !Ref ApplicationLoadBalancer
Port: !If
- UseALBSSL
- 443
- 80
Protocol: !If
- UseALBSSL
- HTTPS
- HTTP
Certificates:
- !If
- UseALBSSL
- CertificateArn: !Ref ALBSSLCertificateARN
- !Ref 'AWS::NoValue'
ALBTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 3
Port: 80
Protocol: HTTP
UnhealthyThresholdCount: 5
VpcId: !Ref VpcId
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access and HTTP access on the inbound port
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: !Select
- 0
- !GetAtt
- ApplicationLoadBalancer
- SecurityGroups
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
VpcId: !Ref VpcId
RecordSet:
Type: AWS::Route53::RecordSetGroup
Condition: UseALBSSL
Properties:
HostedZoneName: !Join
- ''
- - !Ref HostedZoneName
- .
RecordSets:
- Name: !Join
- ''
- - !Select
- '0'
- !Split
- .
- !GetAtt
- ApplicationLoadBalancer
- DNSName
- .
- !Ref HostedZoneName
- .
Type: A
AliasTarget:
DNSName: !GetAtt
- ApplicationLoadBalancer
- DNSName
EvaluateTargetHealth: true
HostedZoneId: !GetAtt
- ApplicationLoadBalancer
- CanonicalHostedZoneID
Outputs:
URL:
Description: URL of the website
Value: !Join
- ''
- - !If
- UseALBSSL
- !Join
- ''
- - 'https://'
- !Join
- ''
- - !Select
- '0'
- !Split
- .
- !GetAtt
- ApplicationLoadBalancer
- DNSName
- .
- !Ref HostedZoneName
- .
- !Join
- ''
- - 'http://'
- !GetAtt
- ApplicationLoadBalancer
- DNSName
```
# CloudFormation template Conditions syntax
The optional `Conditions` section contains statements that define the circumstances under which entities are created or configured. For example, you can create a condition and associate it with a resource or output so that CloudFormation creates the resource or output only if the condition is true. Similarly, you can associate a condition with a property so that CloudFormation sets the property to a specific value only if the condition is true. If the condition is false, CloudFormation sets the property to an alternative value that you specify.
You can use conditions when you want to reuse a template to create resources in different contexts, such as test versus production environments. For example, in your template, you can add an `EnvironmentType` input parameter that accepts either `prod` or `test` as inputs. For the `prod` environment, you might include EC2 instances with certain capabilities, while for the `test` environment, you might use reduced capabilities to save money. This condition definition allows you to define which resources are created and how they're configured for each environment type.
## Syntax
The `Conditions` section consists of the key name `Conditions`. Each condition declaration includes a logical ID and one or more intrinsic functions.
### JSON
```
"Conditions": {
"LogicalConditionName1": {
"Intrinsic function": ...[
},
"LogicalConditionName2": {
"Intrinsic function": ...
}
}
```
### YAML
```
Conditions:
LogicalConditionName1:
Intrinsic function:
...
LogicalConditionName2:
Intrinsic function:
...
```
## How conditions work
To use conditions, follow these steps:
1. **Add a parameter definition** – Define the inputs that your conditions will evaluate in the `Parameters` section of your template. The conditions evaluate to true or false based on these input parameter values. Note that pseudo parameters are automatically available and don't require explicit definition in the `Parameters` section. For more information about pseudo parameters, see [Get AWS values using pseudo parameters](pseudo-parameter-reference.md).
1. **Add a condition definition** – Define conditions in the `Conditions` section using intrinsic functions such as `Fn::If` or `Fn::Equals`. These conditions determine when CloudFormation creates the associated resources. The conditions can be based on:
+ Input or pseudo parameter values
+ Other conditions
+ Mapping values
However, you can't reference resource logical IDs or their attributes in conditions.
1. **Associate conditions with resources or outputs** – Reference conditions in resources or outputs using the `Condition` key and a condition's logical ID. Optionally, use `Fn::If` in other parts of the template (such as property values) to set values based on a condition. For more information, see [Using the `Condition` key](#using-conditions-in-templates).
CloudFormation evaluates conditions when creating or updating a stack. CloudFormation creates entities that are associated with a true condition and ignores entities that are associated with a false condition. CloudFormation also re-evaluates these conditions during each stack update before modifying any resources. Entities that remain associated with a true condition are updated, while those that become associated with a false condition are deleted.
**Important**
During a stack update, you can't update conditions by themselves. You can update conditions only when you include changes that add, modify, or delete resources.
## Condition intrinsic functions
You can use the following intrinsic functions to define conditions:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-and](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-and)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-equals](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-equals)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-foreach.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-foreach.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-or](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-or)
**Note**
`Fn::If` is only supported in the metadata attribute, update policy attribute, and property values in the `Resources` section and `Outputs` sections of a template.
## Using the `Condition` key
Once a condition is defined, you can apply it in several places in the template, such as `Resources` and `Outputs`, using the `Condition` key. The `Condition` key references a condition's logical name and returns the evaluated result of the specified condition.
**Topics**
+ [
### Associate conditions with resources
](#associate-conditions-with-resources)
+ [
### Associate conditions with outputs
](#associate-conditions-with-outputs)
+ [
### Reference conditions in other conditions
](#reference-conditions-in-other-conditions)
+ [
### Conditionally return property values using `Fn::If`
](#conditional-return-property-values-using-fn-if)
### Associate conditions with resources
To conditionally create resources, add the `Condition` key and the logical ID of the condition as an attribute to the resource. CloudFormation creates the resource only when the condition evaluates to true.
#### JSON
```
"NewVolume" : {
"Type" : "AWS::EC2::Volume",
"Condition" : "IsProduction",
"Properties" : {
"Size" : "100",
"AvailabilityZone" : { "Fn::GetAtt" : [ "EC2Instance", "AvailabilityZone" ]}
}
}
```
#### YAML
```
NewVolume:
Type: AWS::EC2::Volume
Condition: IsProduction
Properties:
Size: 100
AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone
```
### Associate conditions with outputs
You can also associate conditions with outputs. CloudFormation creates the output only when the associated condition evaluates to true.
#### JSON
```
"Outputs" : {
"VolumeId" : {
"Condition" : "IsProduction",
"Value" : { "Ref" : "NewVolume" }
}
}
```
#### YAML
```
Outputs:
VolumeId:
Condition: IsProduction
Value: !Ref NewVolume
```
### Reference conditions in other conditions
When defining conditions in the `Conditions` section, you can reference other conditions using the `Condition` key. This allows you to create more complex conditional logic by combining multiple conditions.
In the following example, the `IsProdAndFeatureEnabled` condition evaluates to true only if the `IsProduction` and `IsFeatureEnabled` conditions evaluate to true.
#### JSON
```
"Conditions": {
"IsProduction" : {"Fn::Equals" : [{"Ref" : "Environment"}, "prod"]},
"IsFeatureEnabled" : { "Fn::Equals" : [{"Ref" : "FeatureFlag"}, "enabled"]},
"IsProdAndFeatureEnabled" : {
"Fn::And" : [
{"Condition" : "IsProduction"},
{"Condition" : "IsFeatureEnabled"}
]
}
}
```
#### YAML
```
Conditions:
IsProduction:
!Equals [!Ref Environment, "prod"]
IsFeatureEnabled:
!Equals [!Ref FeatureFlag, "enabled"]
IsProdAndFeatureEnabled: !And
- !Condition IsProduction
- !Condition IsFeatureEnabled
```
### Conditionally return property values using `Fn::If`
For more granular control, you can use the `Fn::If` intrinsic function to conditionally return one of two property values within resources or outputs. This function evaluates a condition and returns one value if the condition is true and another value if the condition is false.
#### Conditional property values
The following example demonstrates setting an EC2 instance type based on an environment condition. If the `IsProduction` condition evaluates to true, the instance type is set to `c5.xlarge`. Otherwise, it's set to `t3.small`.
##### JSON
```
"Properties" : {
"InstanceType" : {
"Fn::If" : [
"IsProduction",
"c5.xlarge",
"t3.small"
]
}
}
```
##### YAML
```
Properties:
InstanceType: !If
- IsProduction
- c5.xlarge
- t3.small
```
#### Conditional property removal
You can also use the `AWS::NoValue` pseudo parameter as a return value to remove the corresponding property when a condition is false.
##### JSON
```
"DBSnapshotIdentifier" : {
"Fn::If" : [
"UseDBSnapshot",
{"Ref" : "DBSnapshotName"},
{"Ref" : "AWS::NoValue"}
]
}
```
##### YAML
```
DBSnapshotIdentifier: !If
- UseDBSnapshot
- !Ref DBSnapshotName
- !Ref "AWS::NoValue"
```
## Examples
**Topics**
+ [
### Environment-based resource creation
](#environment-based-resource-creation)
+ [
### Multi-condition resource provisioning
](#multi-condition-resource-provisioning)
### Environment-based resource creation
This following examples provision an EC2 instance, and conditionally create and attach a new EBS volume only if the environment type is `prod`. If the environment is `test`, they just create the EC2 instance without the additional volume.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"EnvType": {
"Description": "Environment type",
"Default": "test",
"Type": "String",
"AllowedValues": [
"prod",
"test"
],
"ConstraintDescription": "must specify prod or test"
}
},
"Conditions": {
"IsProduction": {
"Fn::Equals": [
{
"Ref": "EnvType"
},
"prod"
]
}
},
"Resources": {
"EC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-1234567890abcdef0",
"InstanceType": "c5.xlarge"
}
},
"MountPoint": {
"Type": "AWS::EC2::VolumeAttachment",
"Condition": "IsProduction",
"Properties": {
"InstanceId": {
"Ref": "EC2Instance"
},
"VolumeId": {
"Ref": "NewVolume"
},
"Device": "/dev/sdh"
}
},
"NewVolume": {
"Type": "AWS::EC2::Volume",
"Condition": "IsProduction",
"Properties": {
"Size": 100,
"AvailabilityZone": {
"Fn::GetAtt": [
"EC2Instance",
"AvailabilityZone"
]
}
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
EnvType:
Description: Environment type
Default: test
Type: String
AllowedValues:
- prod
- test
ConstraintDescription: must specify prod or test
Conditions:
IsProduction: !Equals
- !Ref EnvType
- prod
Resources:
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-1234567890abcdef0
InstanceType: c5.xlarge
MountPoint:
Type: AWS::EC2::VolumeAttachment
Condition: IsProduction
Properties:
InstanceId: !Ref EC2Instance
VolumeId: !Ref NewVolume
Device: /dev/sdh
NewVolume:
Type: AWS::EC2::Volume
Condition: IsProduction
Properties:
Size: 100
AvailabilityZone: !GetAtt
- EC2Instance
- AvailabilityZone
```
### Multi-condition resource provisioning
The following examples conditionally create an S3 bucket if a bucket name is provided, and attach a bucket policy only when the environment is set to `prod`. If no bucket name is given or the environment is `test`, no resources are created.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"EnvType": {
"Type": "String",
"AllowedValues": [
"prod",
"test"
]
},
"BucketName": {
"Default": "",
"Type": "String"
}
},
"Conditions": {
"IsProduction": {
"Fn::Equals": [
{
"Ref": "EnvType"
},
"prod"
]
},
"CreateBucket": {
"Fn::Not": [
{
"Fn::Equals": [
{
"Ref": "BucketName"
},
""
]
}
]
},
"CreateBucketPolicy": {
"Fn::And": [
{
"Condition": "IsProduction"
},
{
"Condition": "CreateBucket"
}
]
}
},
"Resources": {
"Bucket": {
"Type": "AWS::S3::Bucket",
"Condition": "CreateBucket",
"Properties": {
"BucketName": {
"Ref": "BucketName"
}
}
},
"Policy": {
"Type": "AWS::S3::BucketPolicy",
"Condition": "CreateBucketPolicy",
"Properties": {
"Bucket": {
"Ref": "Bucket"
},
"PolicyDocument": { ... }
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
EnvType:
Type: String
AllowedValues:
- prod
- test
BucketName:
Default: ''
Type: String
Conditions:
IsProduction: !Equals
- !Ref EnvType
- prod
CreateBucket: !Not
- !Equals
- !Ref BucketName
- ''
CreateBucketPolicy: !And
- !Condition IsProduction
- !Condition CreateBucket
Resources:
Bucket:
Type: AWS::S3::Bucket
Condition: CreateBucket
Properties:
BucketName: !Ref BucketName
Policy:
Type: AWS::S3::BucketPolicy
Condition: CreateBucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument: ...
```
In this example, the `CreateBucketPolicy` condition demonstrates how to reference other conditions using the `Condition` key. The policy is created only when both the `IsProduction` and `CreateBucket` conditions evaluate to true.
**Note**
For more complex examples of using conditions, see the [Condition attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-condition.html) topic in the *CloudFormation Template Reference Guide*.
# CloudFormation template Transform section
The optional `Transform` section specifies one or more macros that CloudFormation uses to process your template in some way.
Macros can perform simple tasks like finding and replacing text, or they can make more extensive transformations to the entire template. CloudFormation executes macros in the order that they're specified. When you create a change set, CloudFormation generates a change set that includes the processed template content. You can then review the changes and execute the change set. For more information about how macros work, see [Perform custom processing on CloudFormation templates with template macros](template-macros.md).
CloudFormation also supports *transforms*, which are macros hosted by CloudFormation. CloudFormation treats these transforms the same as any macros you create in terms of execution order and scope. For more information, see [Transform reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/transform-reference.html).
To declare multiple macros, use a list format and specify one or more macros.
For example, in the template sample below, CloudFormation evaluates `MyMacro` and then `AWS::Serverless`, both of which can process the contents of the entire template because of their inclusion in the `Transform` section.
```
# Start of processable content for MyMacro and AWS::Serverless
Transform:
- MyMacro
- 'AWS::Serverless'
Resources:
WaitCondition:
Type: AWS::CloudFormation::WaitCondition
MyBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: amzn-s3-demo-bucket
Tags: [{"key":"value"}]
CorsConfiguration: []
MyEc2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-1234567890abcdef0
# End of processable content for MyMacro and AWS::Serverless
```
# CloudFormation template format version syntax
The `AWSTemplateFormatVersion` section (optional) identifies the template format version that the template conforms to. The latest template format version is `2010-09-09` and is currently the only valid value.
The template format version isn't the same as the API version. The template format version can change independently of the API versions.
The value for the template format version declaration must be a literal string. You can't use a parameter or function to specify the template format version. If you don't specify a value, CloudFormation assumes the latest template format version. The following snippet is an example of a valid template format version declaration:
## JSON
```
"AWSTemplateFormatVersion" : "2010-09-09"
```
## YAML
```
AWSTemplateFormatVersion: 2010-09-09
```
# CloudFormation template Description syntax
The `Description` section (optional) enables you to include a text string that describes the template. This section must always follow the template format version section.
The value for the description declaration must be a literal string that is between 0 and 1024 bytes in length. You cannot use a parameter or function to specify the description. The following snippet is an example of a description declaration:
**Important**
During a stack update, you cannot update the `Description` section by itself. You can update it only when you include changes that add, modify, or delete resources.
## JSON
```
"Description" : "Here are some details about the template."
```
## YAML
```
Description: > Here are some details about the template.
```