Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t3.micro
AllowedValues:
- t3.nano
- t3.micro
- t3.small
- t3.medium
- t3a.nano
- t3a.micro
- t3a.small
- t3a.medium
- m5.large
- m5.xlarge
- m5.2xlarge
- m5a.large
- m5a.xlarge
- m5a.2xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
ConstraintDescription: must be a valid EC2 instance type.
Resources:
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
SecurityGroupIds:
- !Ref WebServerSecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
# Get the latest CloudFormation package
yum update -y aws-cfn-bootstrap
# Run cfn-init
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region} || error_exit 'Failed to run cfn-init'
# Start up the cfn-hup daemon to listen for changes to the EC2 instance metadata
/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'
# Signal success or failure
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
Metadata:
AWS::CloudFormation::Init:
config:
packages:
yum:
httpd: []
php: []
files:
/var/www/html/index.php:
content: |
Hello World!";
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
# The interval used to check for changes to the resource metadata in minutes. Default is 15
interval=2
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerInstance --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: true
ensureRunning: true
cfn-hup:
enabled: true
ensureRunning: true
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
CreationPolicy:
ResourceSignal:
Timeout: PT5M
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Outputs:
WebsiteURL:
Value: !Sub 'http://${WebServerInstance.PublicDnsName}'
Description: URL of the web application
```
**To launch a stack from this template**
1. Copy the template and save it locally on your system as a text file. Note the location because you'll need to use the file in a subsequent step.
1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. Choose **Create stack, With new resources (standard)**.
1. Choose **Choose an existing template**.
1. Under **Specify template**, choose **Upload a template file** and browse to the file that you created in the first step, and then choose **Next**.
1. On the **Specify stack details** page, enter **UpdateTutorial** as the stack name.
1. Under **Parameters**, keep all parameters the same and choose **Next** twice.
1. On the **Review and create** screen, choose **Submit**.
After the status of your stack is `CREATE_COMPLETE`, the **Outputs** tab will display the URL of your website. If you choose the value of the `WebsiteURL` output, you will see your new PHP application working.
## Step 2: Update the application
Now that we have deployed the stack, let's update the application. We'll make a simple change to the text that's printed out by the application. To do so, we'll add an echo command to the index.php file as shown in this template snippet:
```
files:
/var/www/html/index.php:
content: |
Hello World!";
echo "This is an updated version of our application.
";
?>
mode: '000644'
owner: apache
group: apache
```
Use a text editor to manually edit the template file that you saved locally.
Now, update the stack.
**To update the stack with your updated template**
1. In the CloudFormation console, select your **UpdateTutorial** stack.
1. Choose **Update, Make a direct update**.
1. Choose **Replace existing template**.
1. Under **Specify template**, choose **Upload a template file** and upload your modified template file, and then choose **Next**.
1. On the **Specify stack details** page, keep all parameters the same and choose **Next** twice.
1. On the **Review** page, review the changes. Under **Changes**, you should see that CloudFormation will update the `WebServerInstance` resource.
1. Choose **Submit**.
When your stack is in the `UPDATE_COMPLETE` state, you can choose the `WebsiteURL` output value again to verify that the changes to your application have taken effect. The `cfn-hup` daemon runs every 2 minutes, so it may take up to 2 minutes for the application to change once the stack has been updated.
To see the set of resources that were updated, go to the CloudFormation console. On the **Events** tab, look at the stack events. In this particular case, the metadata for the Amazon EC2 instance `WebServerInstance` was updated, which caused CloudFormation to also reevaluate the other resources (`WebServerSecurityGroup`) to ensure that there were no other changes. None of the other stack resources were modified. CloudFormation will update only those resources in the stack that are affected by any changes to the stack. Such changes can be direct, such as property or metadata changes, or they can be due to dependencies or data flows through `Ref`, `GetAtt`, or other intrinsic template functions. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
This simple update illustrates the process. However, you can make much more complex changes to the files and packages that are deployed to your Amazon EC2 instances. For example, you might decide that you need to add MySQL to the instance, along with PHP support for MySQL. To do so, simply add the additional packages and files along with any additional services to the configuration and then update the stack to deploy the changes.
```
packages:
yum:
httpd: []
php: []
mysql: []
php-mysql: []
mysql-server: []
mysql-libs: []
...
services:
systemd:
httpd:
enabled: true
ensureRunning: true
cfn-hup:
enabled: true
ensureRunning: true
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
mysqld:
enabled: true
ensureRunning: true
```
You can update the CloudFormation metadata to update to new versions of the packages used by the application. In the previous examples, the version property for each package is empty, indicating that `cfn-init` should install the latest version of the package.
```
packages:
yum:
httpd: []
php: []
```
You can optionally specify a version string for a package. If you change the version string in subsequent update stack calls, the new version of the package will be deployed. Here's an example of using version numbers for RubyGems packages. Any package that supports versioning can have specific versions.
```
packages:
rubygems:
mysql: []
rubygems-update:
- "1.6.2"
rake:
- "0.8.7"
rails:
- "2.3.11"
```
## Step 3: Add SSH access with a key pair
You can also update a resource in the template to add properties that weren't originally specified in the template. To illustrate that, we'll add an Amazon EC2 key pair to an existing EC2 instance and then open up port 22 in the Amazon EC2 security group so that you can use Secure Shell (SSH) to access the instance.
**To add SSH access to an existing Amazon EC2 instance**
1. Add two additional parameters to the template to pass in the name of an existing Amazon EC2 key pair and SSH location.
```
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address that can be used to SSH to the EC2 instances in CIDR format (e.g. 203.0.113.1/32)
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
```
1. Add the `KeyName` property to the Amazon EC2 instance.
```
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
SecurityGroupIds:
- !Ref WebServerSecurityGroup
```
1. Add port 22 and the SSH location to the ingress rules for the Amazon EC2 security group.
```
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
```
1. Update the stack using the same steps as explained in [Step 2: Update the application](#update-stack-update-application).
## Step 4: Update the instance type
Now let's demonstrate how to update the underlying infrastructure by changing the instance type.
The stack we have built so far uses a t3.micro Amazon EC2 instance. Let's suppose that your newly created website is getting more traffic than a t3.micro instance can handle, and now you want to move to an m5.large Amazon EC2 instance type. If the architecture of the instance type changes, the instance must be created with a different AMI. However, both the t3.micro and m5.large use the same CPU architectures and run Amazon Linux 2 (x86\$164) AMIs . For more information, see [Compatibility for changing the instance type](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resize-limitations.html) in the *Amazon EC2 User Guide*.
Let's use the template that we modified in the previous step to change the instance type. Because `InstanceType` was an input parameter to the template, we don't need to modify the template; we can change the value of the parameter on the **Specify stack details** page.
**To update the stack with a new parameter value**
1. In the CloudFormation console, select your **UpdateTutorial** stack.
1. Choose **Update, Make a direct update**.
1. Choose **Use existing template**, and then choose **Next**.
1. On the **Specify stack details** page, change the value of the **InstanceType** text box from `t3.micro` to `m5.large`. Then, choose **Next** twice.
1. On the **Review** page, review the changes. Under **Changes**, you should see that CloudFormation will update the `WebServerInstance` resource.
1. Choose **Submit**.
You can dynamically change the instance type of an EBS-backed Amazon EC2 instance by starting and stopping the instance. CloudFormation tries to optimize the change by updating the instance type and restarting the instance, so the instance ID doesn't change. When the instance is restarted, however, the public IP address of the instance does change. To ensure that the Elastic IP address is bound correctly after the change, CloudFormation will also update the Elastic IP address. You can see the changes in the CloudFormation console on the **Events** tab.
To check the instance type from the AWS Management Console, open the Amazon EC2 console, and locate your instance there.
## Step 5: Update the AMI
Now let's update our stack to use Amazon Linux 2023, which is the next generation of Amazon Linux.
Updating the AMI is a major change that requires replacing the instance. We can't simply start and stop the instance to modify the AMI; CloudFormation considers this a change to an immutable property of the resource. In order to make a change to an immutable property, CloudFormation must launch a replacement resource, in this case a new Amazon EC2 instance running the new AMI.
Let's look at how we might update our stack template to use Amazon Linux 2023. The key changes include updating the AMI parameter and changing from `yum` to `dnf` package manager.
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
LatestAmiId:
Description: The latest Amazon Linux 2023 AMI from the Parameter Store
Type: AWS::SSM::Parameter::Value
Default: '/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64'
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t3.micro
AllowedValues:
- t3.nano
- t3.micro
- t3.small
- t3.medium
- t3a.nano
- t3a.micro
- t3a.small
- t3a.medium
- m5.large
- m5.xlarge
- m5.2xlarge
- m5a.large
- m5a.xlarge
- m5a.2xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address that can be used to SSH to the EC2 instances in CIDR format (e.g. 203.0.113.1/32)
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Resources:
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
SecurityGroupIds:
- !Ref WebServerSecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
# Get the latest CloudFormation package
dnf update -y aws-cfn-bootstrap
# Run cfn-init
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region} || error_exit 'Failed to run cfn-init'
# Start up the cfn-hup daemon to listen for changes to the EC2 instance metadata
/opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup'
# Signal success or failure
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
Metadata:
AWS::CloudFormation::Init:
config:
packages:
dnf:
httpd: []
php: []
files:
/var/www/html/index.php:
content: |
Hello World!";
echo "This is an updated version of our application.
";
echo "Running on Amazon Linux 2023!
";
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
# The interval used to check for changes to the resource metadata in minutes. Default is 15
interval=2
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerInstance.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerInstance --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: true
ensureRunning: true
cfn-hup:
enabled: true
ensureRunning: true
files:
- /etc/cfn/cfn-hup.conf
- /etc/cfn/hooks.d/cfn-auto-reloader.conf
CreationPolicy:
ResourceSignal:
Timeout: PT5M
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
Outputs:
WebsiteURL:
Value: !Sub 'http://${WebServerInstance.PublicDnsName}'
Description: URL of the web application
```
Update the stack using the same steps as explained in [Step 2: Update the application](#update-stack-update-application).
After the new instance is running, CloudFormation updates the other resources in the stack to point to the new resource. When all new resources are created, the old resource is deleted, a process known as `UPDATE_CLEANUP`. This time, you will notice that the instance ID and application URL of the instance in the stack has changed as a result of the update. The events in the **Event** table contain a description "Requested update has a change to an immutable property and hence creating a new physical resource" to indicate that a resource was replaced.
Alternatively: If you have application code written into the AMI that you want to update, you can use the same stack update mechanism to update the AMI to load your new application.
**To update the AMI with custom application code**
1. Create your new AMI containing your application or operating system changes. For more information, see [Create an Amazon EBS-backed AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html) in the *Amazon EC2 User Guide*.
1. Update your template to incorporate the new AMI ID.
1. Update the stack using the same steps as explained in [Step 2: Update the application](#update-stack-update-application).
When you update the stack, CloudFormation detects that the AMI ID has changed, and then it triggers a stack update in the same way as we initiated the one above.
## Availability and impact considerations
Different properties have different impacts on the resources in the stack. You can use CloudFormation to update any property; however, before you make any changes, you should consider these questions:
1. How does the update affect the resource itself? For example, updating an alarm threshold will render the alarm inactive during the update. As we have seen, changing the instance type requires that the instance be stopped and restarted. CloudFormation uses the update or modify actions for the underlying resources to make changes to resources. To understand the impact of updates, you should check the documentation for the specific resources.
1. Is the change mutable or immutable? Some changes to resource properties, such as changing the AMI on an Amazon EC2 instance, aren't supported by the underlying services. In the case of mutable changes, CloudFormation will use the Update or Modify type APIs for the underlying resources. For immutable property changes, CloudFormation will create new resources with the updated properties and then link them to the stack before deleting the old resources. Although CloudFormation tries to reduce the down time of the stack resources, replacing a resource is a multistep process, and it will take time. During stack reconfiguration, your application will not be fully operational. For example, it may not be able to serve requests or access a database.
## Related resources
For more information about using CloudFormation to start applications and on integrating with other configuration and deployment services such as Puppet and Opscode Chef, see the following whitepapers:
+ [Bootstrapping applications via CloudFormation](https://s3.amazonaws.com/cloudformation-examples/BoostrappingApplicationsWithAWSCloudFormation.pdf)
+ [Integrating CloudFormation with Opscode Chef](https://s3.amazonaws.com/cloudformation-examples/IntegratingAWSCloudFormationWithOpscodeChef.pdf)
+ [Integrating CloudFormation with Puppet](https://s3.amazonaws.com/cloudformation-examples/IntegratingAWSCloudFormationWithPuppet.pdf)
# Create a scaled and load-balanced application
For this walkthrough, you create a stack that helps you set up a scaled and load-balanced application. The walkthrough provides a sample template that you use to create the stack. The example template provisions an Auto Scaling group, an Application Load Balancer, security groups that control traffic to the load balancer and to the Auto Scaling group, and an Amazon SNS notification configuration to publish notifications about scaling activities.
This template creates one or more Amazon EC2 instances and an Application Load Balancer. You will be billed for the AWS resources used if you create a stack from this template.
## Full stack template
Let's start with the template.
**YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
InstanceType:
Description: The EC2 instance type
Type: String
Default: t3.micro
AllowedValues:
- t3.micro
- t3.small
- t3.medium
KeyName:
Description: Name of an existing EC2 key pair to allow SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
LatestAmiId:
Description: The latest Amazon Linux 2 AMI from the Parameter Store
Type: AWS::SSM::Parameter::Value
Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
OperatorEmail:
Description: The email address to notify when there are any scaling activities
Type: String
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Subnets:
Type: 'List'
Description: At least two public subnets in different Availability Zones in the selected VPC
VPC:
Type: AWS::EC2::VPC::Id
Description: A virtual private cloud (VPC) that enables resources in public subnets to connect to the internet
Resources:
ELBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB Security Group
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
EC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EC2 Security Group
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId:
Fn::GetAtt:
- ELBSecurityGroup
- GroupId
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
EC2TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 15
HealthyThresholdCount: 5
Matcher:
HttpCode: '200'
Name: EC2TargetGroup
Port: 80
Protocol: HTTP
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: '20'
UnhealthyThresholdCount: 3
VpcId: !Ref VPC
ALBListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
TargetGroupArn: !Ref EC2TargetGroup
LoadBalancerArn: !Ref ApplicationLoadBalancer
Port: 80
Protocol: HTTP
ApplicationLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
Subnets: !Ref Subnets
SecurityGroups:
- !GetAtt ELBSecurityGroup.GroupId
LaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
LaunchTemplateData:
ImageId: !Ref LatestAmiId
InstanceType: !Ref InstanceType
KeyName: !Ref KeyName
SecurityGroupIds:
- !Ref EC2SecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "Hello World!
" > /var/www/html/index.html
NotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
WebServerGroup:
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
LaunchTemplate:
LaunchTemplateId: !Ref LaunchTemplate
Version: !GetAtt LaunchTemplate.LatestVersionNumber
MaxSize: '3'
MinSize: '1'
NotificationConfigurations:
- TopicARN: !Ref NotificationTopic
NotificationTypes: ['autoscaling:EC2_INSTANCE_LAUNCH', 'autoscaling:EC2_INSTANCE_LAUNCH_ERROR', 'autoscaling:EC2_INSTANCE_TERMINATE', 'autoscaling:EC2_INSTANCE_TERMINATE_ERROR']
TargetGroupARNs:
- !Ref EC2TargetGroup
VPCZoneIdentifier: !Ref Subnets
```
**JSON**
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Parameters":{
"InstanceType":{
"Description":"The EC2 instance type",
"Type":"String",
"Default":"t3.micro",
"AllowedValues":[
"t3.micro",
"t3.small",
"t3.medium"
]
},
"KeyName":{
"Description":"Name of an existing EC2 key pair to allow SSH access to the instances",
"Type":"AWS::EC2::KeyPair::KeyName"
},
"LatestAmiId":{
"Description":"The latest Amazon Linux 2 AMI from the Parameter Store",
"Type":"AWS::SSM::Parameter::Value",
"Default":"/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
},
"OperatorEmail":{
"Description":"The email address to notify when there are any scaling activities",
"Type":"String"
},
"SSHLocation":{
"Description":"The IP address range that can be used to SSH to the EC2 instances",
"Type":"String",
"MinLength":9,
"MaxLength":18,
"Default":"0.0.0.0/0",
"ConstraintDescription":"Must be a valid IP CIDR range of the form x.x.x.x/x."
},
"Subnets":{
"Type":"List",
"Description":"At least two public subnets in different Availability Zones in the selected VPC"
},
"VPC":{
"Type":"AWS::EC2::VPC::Id",
"Description":"A virtual private cloud (VPC) that enables resources in public subnets to connect to the internet"
}
},
"Resources":{
"ELBSecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"ELB Security Group",
"VpcId":{
"Ref":"VPC"
},
"SecurityGroupIngress":[
{
"IpProtocol":"tcp",
"FromPort":80,
"ToPort":80,
"CidrIp":"0.0.0.0/0"
}
]
}
},
"EC2SecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"EC2 Security Group",
"VpcId":{
"Ref":"VPC"
},
"SecurityGroupIngress":[
{
"IpProtocol":"tcp",
"FromPort":80,
"ToPort":80,
"SourceSecurityGroupId":{
"Fn::GetAtt":[
"ELBSecurityGroup",
"GroupId"
]
}
},
{
"IpProtocol":"tcp",
"FromPort":22,
"ToPort":22,
"CidrIp":{
"Ref":"SSHLocation"
}
}
]
}
},
"EC2TargetGroup":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties":{
"HealthCheckIntervalSeconds":30,
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":15,
"HealthyThresholdCount":5,
"Matcher":{
"HttpCode":"200"
},
"Name":"EC2TargetGroup",
"Port":80,
"Protocol":"HTTP",
"TargetGroupAttributes":[
{
"Key":"deregistration_delay.timeout_seconds",
"Value":"20"
}
],
"UnhealthyThresholdCount":3,
"VpcId":{
"Ref":"VPC"
}
}
},
"ALBListener":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"Properties":{
"DefaultActions":[
{
"Type":"forward",
"TargetGroupArn":{
"Ref":"EC2TargetGroup"
}
}
],
"LoadBalancerArn":{
"Ref":"ApplicationLoadBalancer"
},
"Port":80,
"Protocol":"HTTP"
}
},
"ApplicationLoadBalancer":{
"Type":"AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties":{
"Scheme":"internet-facing",
"Subnets":{
"Ref":"Subnets"
},
"SecurityGroups":[
{
"Fn::GetAtt":[
"ELBSecurityGroup",
"GroupId"
]
}
]
}
},
"LaunchTemplate":{
"Type":"AWS::EC2::LaunchTemplate",
"Properties":{
"LaunchTemplateName":{
"Fn::Sub":"${AWS::StackName}-launch-template"
},
"LaunchTemplateData":{
"ImageId":{
"Ref":"LatestAmiId"
},
"InstanceType":{
"Ref":"InstanceType"
},
"KeyName":{
"Ref":"KeyName"
},
"SecurityGroupIds":[
{
"Ref":"EC2SecurityGroup"
}
],
"UserData":{
"Fn::Base64":{
"Fn::Join":[
"",
[
"#!/bin/bash\n",
"yum update -y\n",
"yum install -y httpd\n",
"systemctl start httpd\n",
"systemctl enable httpd\n",
"echo \"Hello World!
\" > /var/www/html/index.html"
]
]
}
}
}
}
},
"NotificationTopic":{
"Type":"AWS::SNS::Topic",
"Properties":{
"Subscription":[
{
"Endpoint":{
"Ref":"OperatorEmail"
},
"Protocol":"email"
}
]
}
},
"WebServerGroup":{
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"LaunchTemplate":{
"LaunchTemplateId":{
"Ref":"LaunchTemplate"
},
"Version":{
"Fn::GetAtt":[
"LaunchTemplate",
"LatestVersionNumber"
]
}
},
"MaxSize":"3",
"MinSize":"1",
"NotificationConfigurations":[
{
"TopicARN":{
"Ref":"NotificationTopic"
},
"NotificationTypes":[
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR"
]
}
],
"TargetGroupARNs":[
{
"Ref":"EC2TargetGroup"
}
],
"VPCZoneIdentifier":{
"Ref":"Subnets"
}
}
}
}
}
```
## Template walkthrough
The first part of this template specifies the `Parameters`. Each parameter must be assigned a value at runtime for CloudFormation to successfully provision the stack. Resources specified later in the template reference these values and use the data.
+ `InstanceType`: The type of EC2 instance that Amazon EC2 Auto Scaling provisions. If not specified, a default of `t3.micro` is used.
+ `KeyName`: An existing EC2 key pair to allow SSH access to the instances.
+ `LatestAmiId`: The Amazon Machine Image (AMI) for the instances. If not specified, your instances are launched with an Amazon Linux 2 AMI, using an AWS Systems Manager public parameter maintained by AWS. For more information, see [Finding public parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-finding-public-parameters.html) in the *AWS Systems Manager User Guide*.
+ `OperatorEmail`: The email address where you want to send scaling activity notifications.
+ `SSHLocation`: The IP address range that can be used to SSH to the instances.
+ `Subnets`: At least two public subnets in different Availability Zones.
+ `VPC`: A virtual private cloud (VPC) in your account that enables resources in public subnets to connect to the internet.
**Note**
You can use the default VPC and default subnets to allow instances to access the internet. If using your own VPC, make sure that it has a subnet mapped to each Availability Zone of the Region you are working in. At minimum, you must have two public subnets available to create the load balancer.
The next part of this template specifies the `Resources`. This section specifies the stack resources and their properties.
[https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource `ELBSecurityGroup`
+ `SecurityGroupIngress` contains a TCP ingress rule that allows access from *all IP addresses* ("CidrIp" : "0.0.0.0/0") on port 80.
[https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource `EC2SecurityGroup`
+ `SecurityGroupIngress` contains two ingress rules: 1) a TCP ingress rule that allows SSH access (port 22) from the IP address range that you provide for the `SSHLocation` input parameter and 2) a TCP ingress rule that allows access from the load balancer by specifying the load balancer's security group. The [GetAtt](resources-section-structure.md#resource-properties-getatt) function is used to get the ID of the security group with the logical name `ELBSecurityGroup`.
[AWS::ElasticLoadBalancingV2::TargetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) resource `EC2TargetGroup`
+ `Port`, `Protocol`, and `HealthCheckProtocol` specify the EC2 instance port (80) and protocol (HTTP) that the `ApplicationLoadBalancer` routes traffic to and that Elastic Load Balancing uses to check the health of the EC2 instances.
+ `HealthCheckIntervalSeconds` specifies that the EC2 instances have an interval of 30 seconds between health checks. The `HealthCheckTimeoutSeconds` is defined as the length of time Elastic Load Balancing waits for a response from the health check target (15 seconds in this example). After the timeout period lapses, Elastic Load Balancing marks that EC2 instance's health check as unhealthy. When an EC2 instance fails three consecutive health checks (`UnhealthyThresholdCount`), Elastic Load Balancing stops routing traffic to that EC2 instance until that instance has five consecutive healthy health checks (`HealthyThresholdCount`). At that point, Elastic Load Balancing considers the instance healthy and begins routing traffic to the instance again.
+ `TargetGroupAttributes` updates the deregistration delay value of the target group to 20 seconds. By default, Elastic Load Balancing waits 300 seconds before completing the deregistration process.
[AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource `ALBListener`
+ `DefaultActions` specifies the port that the load balancer listens to, the target group where the load balancer forwards requests, and the protocol used to route requests.
[AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource `ApplicationLoadBalancer`
+ `Subnets` takes the value of the `Subnets` input parameter as the list of public subnets where the load balancer nodes will be created.
+ `SecurityGroup` gets the ID of the security group that acts as a virtual firewall for your load balancer nodes to control incoming traffic. The [GetAtt](resources-section-structure.md#resource-properties-getatt) function is used to get the ID of the security group with the logical name `ELBSecurityGroup`.
[AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource `LaunchTemplate`
+ `ImageId` takes the value of the `LatestAmiId` input parameter as the AMI to use.
+ `KeyName` takes the value of the `KeyName` input parameter as the EC2 key pair to use.
+ `SecurityGroupIds` gets the ID of the security group with the logical name `EC2SecurityGroup` that acts as a virtual firewall for your EC2 instances to control incoming traffic.
+ `UserData` is a configuration script that runs after the instance is up and running. In this example, the script installs Apache and creates an index.html file.
[AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource `NotificationTopic`
+ `Subscription` takes the value of the `OperatorEmail` input parameter as the email address for the recipient of the notifications when there are any scaling activities.
[AWS::AutoScaling::AutoScalingGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource `WebServerGroup`
+ `MinSize` and `MaxSize` set the minimum and maximum number of EC2 instances in the Auto Scaling group.
+ `TargetGroupARNs` takes the ARN of the target group with the logical name `EC2TargetGroup`. As this Auto Scaling group scales, it automatically registers and deregisters instances with this target group.
+ `VPCZoneIdentifier` takes the value of the `Subnets` input parameter as the list of public subnets where the EC2 instances can be created.
## Step 1: Launch the stack
Before you launch the stack, check that you have AWS Identity and Access Management (IAM) permissions to use all of the following services: Amazon EC2, Amazon EC2 Auto Scaling, AWS Systems Manager, Elastic Load Balancing, Amazon SNS, and CloudFormation.
The following procedure involves uploading the sample stack template from a file. Open a text editor on your local machine and add one of the templates. Save the file with the name `sampleloadbalancedappstack.template`.
**To launch the stack template**
1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. Choose **Create stack**, **With new resources (standard)**.
1. Under **Specify template**, choose **Upload a template file**, **Choose file** to upload the `sampleloadbalancedappstack.template` file.
1. Choose **Next**.
1. On the **Specify stack details** page, type the stack name (for example, **SampleLoadBalancedAppStack**).
1. Under **Parameters**, review the parameters for the stack and provide values for all parameters that don't have default values, including **OperatorEmail**, **SSHLocation**, **KeyName**, **VPC**, and **Subnets**.
1. Choose **Next** twice.
1. On the **Review** page, review and confirm the settings.
1. Choose **Submit**.
You can view the status of the stack in the CloudFormation console in the **Status** column. When CloudFormation has successfully created the stack, you receive a status of **CREATE\$1COMPLETE**.
**Note**
After you create the stack, you must confirm the subscription before the email address can start to receive notifications. For more information, see [Get Amazon SNS notifications when your Auto Scaling group scales](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-sns-notifications.html) in the *Amazon EC2 Auto Scaling User Guide*.
## Step 2: Clean up your sample resources
To make sure that you aren't charged for unused sample resources, delete the stack.
**To delete the stack**
1. In the CloudFormation console, select the **SampleLoadBalancedAppStack** stack.
1. Choose **Delete**.
1. In the confirmation message, choose **Delete stack**.
The status for **SampleLoadBalancedAppStack** changes to **DELETE\$1IN\$1PROGRESS**. When CloudFormation completes the deletion of the stack, it removes the stack from the list.
Use the sample template from this walkthrough to build your own stack templates. For more information, see [Tutorial: Set up a scaled and load-balanced application](https://docs.aws.amazon.com/autoscaling/ec2/userguide/tutorial-ec2-auto-scaling-load-balancer.html) in the *Amazon EC2 Auto Scaling User Guide*.
# Peer with a VPC in another AWS account
You can peer with a Virtual Private Cloud (VPC) in another AWS account by using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpcpeeringconnection.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpcpeeringconnection.html). This creates a networking connection between two VPCs that enables you to route traffic between them so they can communicate as if they were within the same network. A VPC peering connection can help facilitate data access and data transfer.
To establish a VPC peering connection, you need to authorize two separate AWS accounts within a single CloudFormation stack.
For more information about VPC peering and its limitations, see the [Amazon VPC Peering Guide](https://docs.aws.amazon.com/vpc/latest/peering/).
## Prerequisites
1. You need a peer VPC ID, a peer AWS account ID, and a [cross-account access role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) for the peering connection.
**Note**
This walkthrough refers to two accounts: First is an account that allows cross-account peering (the *accepter account*). Second is an account that requests the peering connection (the *requester account*).
1. To accept the VPC peering connection, the cross-account access role must be assumable by you. The resource behaves the same way as a VPC peering connection resource in the same account. For information about how an IAM administrator grants permissions to assume the cross-account role, see [Grant a user permissions to switch roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html) in the *IAM User Guide*.
## Step 1: Create a VPC and a cross-account role
In this step, you'll create the VPC and role in the *accepter account*.
**To create a VPC and a cross-account access role**
1. Sign in to the AWS Management Console and open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. From the **Stacks** page, choose **Create stack** at top right, and then choose **With new resources (standard)**.
1. For **Prerequisite - Prepare template**, choose **Choose an existing template** and then **Upload a template file**, **Choose file**.
1. Open a text editor on your local machine and add one of the following templates. Save the file and return to the console to select it as the template file.
**Example JSON**
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and an assumable role for cross account VPC peering.",
"Parameters": {
"PeerRequesterAccountId": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.1.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"peerRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Principal": {
"AWS": {
"Ref": "PeerRequesterAccountId"
}
},
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow"
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:AcceptVpcPeeringConnection",
"Resource": "*"
}
]
}
}
]
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"RoleARN": {
"Value": {
"Fn::GetAtt": [
"peerRole",
"Arn"
]
}
}
}
}
```
**Example YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
PeerRequesterAccountId:
Type: String
Resources:
vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.1.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
peerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Principal:
AWS: !Ref PeerRequesterAccountId
Action:
- 'sts:AssumeRole'
Effect: Allow
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'ec2:AcceptVpcPeeringConnection'
Resource: '*'
Outputs:
VPCId:
Value: !Ref vpc
RoleARN:
Value: !GetAtt
- peerRole
- Arn
```
1. Choose **Next**.
1. Give the stack a name (for example, **VPC-owner**), and then enter the AWS account ID of the *requester account* in the **PeerRequesterAccountId** field.
1. Accept the defaults, and then choose **Next**.
1. Choose **I acknowledge that CloudFormation might create IAM resources**, and then choose **Create stack**.
## Step 2: Create a template that includes `AWS::EC2::VPCPeeringConnection`
Now that you've created the VPC and cross-account role, you can peer with the VPC using another AWS account (the *requester account*).
**To create a template that includes the [AWS::EC2::VPCPeeringConnection](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpcpeeringconnection.html) resource**
1. Go back to the CloudFormation console home page.
1. From the **Stacks** page, choose **Create stack** at top right, and then choose **With new resources (standard)**.
1. For **Prerequisite - Prepare template**, choose **Choose an existing template** and then **Upload a template file**, **Choose file**.
1. Open a text editor on your local machine and add one of the following templates. Save the file and return to the console to select it as the template file.
**Example JSON**
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create a VPC and a VPC Peering connection using the PeerRole to accept.",
"Parameters": {
"PeerVPCAccountId": {
"Type": "String"
},
"PeerVPCId": {
"Type": "String"
},
"PeerRoleArn": {
"Type": "String"
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.2.0.0/16",
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"vpcPeeringConnection": {
"Type": "AWS::EC2::VPCPeeringConnection",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"PeerVpcId": {
"Ref": "PeerVPCId"
},
"PeerOwnerId": {
"Ref": "PeerVPCAccountId"
},
"PeerRoleArn": {
"Ref": "PeerRoleArn"
}
}
}
},
"Outputs": {
"VPCId": {
"Value": {
"Ref": "vpc"
}
},
"VPCPeeringConnectionId": {
"Value": {
"Ref": "vpcPeeringConnection"
}
}
}
}
```
**Example YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and a VPC Peering connection using the PeerRole to accept.
Parameters:
PeerVPCAccountId:
Type: String
PeerVPCId:
Type: String
PeerRoleArn:
Type: String
Resources:
vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.2.0.0/16
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
vpcPeeringConnection:
Type: AWS::EC2::VPCPeeringConnection
Properties:
VpcId: !Ref vpc
PeerVpcId: !Ref PeerVPCId
PeerOwnerId: !Ref PeerVPCAccountId
PeerRoleArn: !Ref PeerRoleArn
Outputs:
VPCId:
Value: !Ref vpc
VPCPeeringConnectionId:
Value: !Ref vpcPeeringConnection
```
1. Choose **Next**.
1. Give the stack a name (for example, **VPC-peering-connection**).
1. Accept the defaults, and then choose **Next**.
1. Choose **I acknowledge that CloudFormation might create IAM resources**, and then choose **Create stack**.
## Create a template with a highly restrictive policy
You might want to create a highly restrictive policy for peering your VPC with another AWS account.
The following example template shows how to change the VPC peer owner template (the *accepter account* created in Step 1 above) so that it's more restrictive.
**Example JSON**
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Description":"Create a VPC and an assumable role for cross account VPC peering.",
"Parameters":{
"PeerRequesterAccountId":{
"Type":"String"
}
},
"Resources":{
"peerRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Statement":[
{
"Action":[
"sts:AssumeRole"
],
"Effect":"Allow",
"Principal":{
"AWS":{
"Ref":"PeerRequesterAccountId"
}
}
}
]
},
"Path":"/",
"Policies":[
{
"PolicyDocument":{
"Statement":[
{
"Action":"ec2:acceptVpcPeeringConnection",
"Effect":"Allow",
"Resource":{
"Fn::Sub":"arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"
}
},
{
"Action":"ec2:acceptVpcPeeringConnection",
"Condition":{
"StringEquals":{
"ec2:AccepterVpc":{
"Fn::Sub":"arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}"
}
}
},
"Effect":"Allow",
"Resource":{
"Fn::Sub":"arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*"
}
}
],
"Version":"2012-10-17"
},
"PolicyName":"root"
}
]
}
},
"vpc":{
"Type":"AWS::EC2::VPC",
"Properties":{
"CidrBlock":"10.1.0.0/16",
"EnableDnsHostnames":false,
"EnableDnsSupport":false,
"InstanceTenancy":"default"
}
}
},
"Outputs":{
"RoleARN":{
"Value":{
"Fn::GetAtt":[
"peerRole",
"Arn"
]
}
},
"VPCId":{
"Value":{
"Ref":"vpc"
}
}
}
}
```
**Example YAML**
```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a VPC and an assumable role for cross account VPC peering.
Parameters:
PeerRequesterAccountId:
Type: String
Resources:
peerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- 'sts:AssumeRole'
Effect: Allow
Principal:
AWS:
Ref: PeerRequesterAccountId
Path: /
Policies:
- PolicyDocument:
Statement:
- Action: 'ec2:acceptVpcPeeringConnection'
Effect: Allow
Resource:
'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
- Action: 'ec2:acceptVpcPeeringConnection'
Condition:
StringEquals:
'ec2:AccepterVpc':
'Fn::Sub': 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}'
Effect: Allow
Resource:
'Fn::Sub': >-
arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc-peering-connection/*
Version: 2012-10-17
PolicyName: root
vpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.1.0.0/16
EnableDnsHostnames: false
EnableDnsSupport: false
InstanceTenancy: default
Outputs:
RoleARN:
Value:
'Fn::GetAtt':
- peerRole
- Arn
VPCId:
Value:
Ref: vpc
```
To access the VPC, you can use the same requester template as in Step 2 above.
For more information, see [Identity and access management for VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/security-iam.html) in the *Amazon VPC Peering Guide*.
# Perform ECS blue/green deployments through CodeDeploy using CloudFormation
To update an application running on Amazon Elastic Container Service (Amazon ECS), you can use a CodeDeploy blue/green deployment strategy. This strategy helps minimize interruptions caused by changing application versions.
In a blue/green deployment, you create a new application environment (referred to as *green*) alongside your current, live environment (referred to as *blue*). This allows you to monitor and test the green environment before routing live traffic from the blue environment to the green environment. After the green environment is serving live traffic, you can safely terminate the blue environment.
To perform CodeDeploy blue/green deployments on ECS using CloudFormation, you include the following information in your stack template:
+ A `Hooks` section that describes a `AWS::CodeDeploy::BlueGreen` hook.
+ A `Transform` section that specifies the `AWS::CodeDeployBlueGreen` transform.
The following topics guide you through setting up a CloudFormation template for a blue/green deployment on ECS.
**Topics**
+ [
# About blue/green deployments
](about-blue-green-deployments.md)
+ [
# Considerations when managing ECS blue/green deployments using CloudFormation
](blue-green-considerations.md)
+ [
# `AWS::CodeDeploy::BlueGreen` hook syntax
](blue-green-hook-syntax.md)
+ [
# Blue/green deployment template example
](blue-green-template-example.md)
# About blue/green deployments
This topic provides an overview of how performing blue/green deployments with CloudFormation works. It also explains how to prepare your CloudFormation template for blue/green deployments.
**Topics**
+ [
## How it works
](#blue-green-how-it-works)
+ [Resource updates that initiate green deployments](#blue-green-resources)
+ [Preparing your template](#blue-green-setup)
+ [Modeling your blue/green deployment](#blue-green-required)
+ [Change sets](#blue-green-changesets)
+ [Monitoring stack events](#blue-green-events)
+ [IAM permissions](#blue-green-iam)
## How it works
When using CloudFormation to perform ECS blue/green deployments through CodeDeploy, you start by creating a stack template that defines the resources for both your blue and green application environments, including specifying the traffic routing and stabilization settings to use. Next, you create a stack from that template. This generates your blue (current) application. CloudFormation only creates the blue resources during stack creation. Resources for a green deployment aren't created until they're required.
Then, if in a future stack update you update the task definition or task set resources in your blue application, CloudFormation does the following:
+ Generates all the necessary green application environment resources
+ Shifts the traffic based on the specified traffic routing parameters
+ Deletes the blue resources
If an error occurs at any point before the green deployment is successful and finalized, CloudFormation rolls the stack back to its state before the entire green deployment was initiated.
## Resource updates that initiate green deployments
When you perform a stack update that updates certain properties of specific ECS resources, CloudFormation initiates a green deployment process. The resources that initiate this process are:
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html)
+ [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html)
However, if the updates to these resources don't involve property changes that require replacement, a green deployment won't be initiated. For more information, see [Understand update behaviors of stack resources](using-cfn-updating-stacks-update-behaviors.md).
It's important to note that you can't combine updates to the above resources with updates to other resources in the same stack update operation. If you need to update both the listed resources and other resources within the same stack, you have two options:
+ Perform two separate stack update operations: one that includes only the updates to the above resources, and a separate stack update that includes changes to any other resources.
+ Remove the `Transform` and `Hooks` sections from your template and then perform the stack update. In this case, CloudFormation won't perform a green deployment.
## Preparing your template to perform ECS blue/green deployments
To enable blue/green deployments on your stack, include the following sections in your stack template before performing a stack update.
+ Add a reference to the `AWS::CodeDeployBlueGreen` transform to your template:
```
"Transform": [
"AWS::CodeDeployBlueGreen"
],
```
+ Add a `Hooks` section that invokes the `AWS::CodeDeploy::BlueGreen` hook and specifies the properties for your deployment. For more information, see [`AWS::CodeDeploy::BlueGreen` hook syntax](blue-green-hook-syntax.md).
+ In the `Resources` section, define the blue and green resources for your deployment.
You can add these sections when you first create the template (that's, before creating the stack itself), or you can add them to an existing template before performing a stack update. If you specify the blue/green deployment for a new stack, CloudFormation only creates the blue resources during stack creation — resources for the green deployment aren't created until they're required during a stack update.
## Modeling your blue/green deployment using CloudFormation resources
To perform CodeDeploy blue/green deployment on ECS, your CloudFormation template needs to include the resources that model your deployment, such as an Amazon ECS service and load balancer. For more details on what these resources represent, see [Before you begin an Amazon ECS deployment](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-steps-ecs.html#deployment-steps-prerequisites-ecs) in the *AWS CodeDeploy User Guide*.
| Requirement | Resource | Required/Optional | Initiates blue/green deployment if replaced? |
| --- | --- | --- | --- |
| Amazon ECS cluster | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html) | Optional. The default cluster can be used. | No |
| Amazon ECS service | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html) | Required. | No |
| Application or Network Load Balancer | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-service-loadbalancer.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-service-loadbalancer.html) | Required. | No |
| Production listener | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) | Required. | No |
| Test listener | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) | Optional. | No |
| Two target groups | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) | Required. | No |
| Amazon ECS task definition | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html) | Required. | Yes |
| Container for your Amazon ECS application | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-name](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-name) | Required. | No |
| Port for your replacement task set | [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-portmapping.html#cfn-ecs-taskdefinition-portmapping-containerport](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-taskdefinition-portmapping.html#cfn-ecs-taskdefinition-portmapping-containerport) | Required. | No |
## Change sets
We strongly recommend that you create a change set before performing a stack update that will initiate a green deployment. This allows you to see the actual changes that will be made to your stack before performing stack update. Be aware that resource changes may not be listed in the order in which they will be performed during the stack update. For more information, see [Update CloudFormation stacks using change sets](using-cfn-updating-stacks-changesets.md).
## Monitoring stack events
You can view the stack events generated at each step of the ECS deployment on the **Events** tab of the **Stack** page, and using the AWS CLI. For more information, see [Monitor stack progress](monitor-stack-progress.md).
## IAM permissions for blue/green deployments
In order for CloudFormation to successfully perform the blue-green deployments, you must have the following CodeDeploy permissions:
+ `codedeploy:Get*`
+ `codedeploy:CreateCloudFormationDeployment`
For more information, see [Actions, resources, and condition keys for CodeDeploy](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html) in the *Service Authorization Reference*.
# Considerations when managing ECS blue/green deployments using CloudFormation
The process of using CloudFormation to perform your ECS blue/green deployments through CodeDeploy is different from a standard ECS deployment using just CodeDeploy. For a detailed understanding of these differences, see [Differences between Amazon ECS blue/green deployments through CodeDeploy and CloudFormation](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-create-ecs-cfn.html#differences-ecs-bg-cfn) in the *AWS CodeDeploy User Guide*.
When managing your blue/green deployment using CloudFormation, there are certain limitations and considerations to keep in mind:
+ Only updates to certain resources will initiate a green deployment. For more information, see [Resource updates that initiate green deployments](about-blue-green-deployments.md#blue-green-resources).
+ You can't include updates to resources that initiate green deployments and updates to other resources in the same stack update. For more information, see [Resource updates that initiate green deployments](about-blue-green-deployments.md#blue-green-resources).
+ You can only specify a single ECS service as the deployment target.
+ Parameters whose values are obfuscated by CloudFormation can't be updated by CodeDeploy during a green deployment, and will lead to an error and stack update failure. These include:
+ Parameters defined with the `NoEcho` attribute.
+ Parameters that use dynamic references to retrieve their values from external services. For more information about dynamic references, see [Get values stored in other services using dynamic references](dynamic-references.md).
+ To cancel a green deployment that's still in progress, cancel the stack update in CloudFormation, not CodeDeploy or ECS. For more information, see [Cancel a stack update](using-cfn-stack-update-cancel.md). After an update has finished, you can't cancel it. However, you can update a stack again with any previous settings.
+ The following CloudFormation features are not currently supported for templates that define ECS blue/green deployments:
+ Declaring [outputs](outputs-section-structure.md) or using [Fn::ImportValue](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-importvalue.html) to import values from other stacks.
+ Importing resources. For more information about importing resources, see [Import AWS resources into a CloudFormation stack](import-resources.md).
+ Using the `AWS::CodeDeploy::BlueGreen` hook in a template that includes nested stack resources. For more information about nested stacks, see [Split a template into reusable pieces using nested stacks](using-cfn-nested-stacks.md).
+ Using the `AWS::CodeDeploy::BlueGreen` hook in a nested stack.
# `AWS::CodeDeploy::BlueGreen` hook syntax
The following syntax describes the structure of an `AWS::CodeDeploy::BlueGreen` hook for ECS blue/green deployments.
## Syntax
```
"Hooks": {
"Logical ID": {
"Type": "AWS::CodeDeploy::BlueGreen",
"Properties": {
"TrafficRoutingConfig": {
"Type": "Traffic routing type",
"TimeBasedCanary": {
"StepPercentage": Integer,
"BakeTimeMins": Integer
},
"TimeBasedLinear": {
"StepPercentage": Integer,
"BakeTimeMins": Integer
}
},
"AdditionalOptions": {"TerminationWaitTimeInMinutes": Integer},
"LifecycleEventHooks": {
"BeforeInstall": "FunctionName",
"AfterInstall": "FunctionName",
"AfterAllowTestTraffic": "FunctionName",
"BeforeAllowTraffic": "FunctionName",
"AfterAllowTraffic": "FunctionName"
},
"ServiceRole": "CodeDeployServiceRoleName",
"Applications": [
{
"Target": {
"Type": "AWS::ECS::Service",
"LogicalID": "Logical ID of AWS::ECS::Service"
},
"ECSAttributes": {
"TaskDefinitions": [
"Logical ID of AWS::ECS::TaskDefinition (Blue)",
"Logical ID of AWS::ECS::TaskDefinition (Green)"
],
"TaskSets": [
"Logical ID of AWS::ECS::TaskSet (Blue)",
"Logical ID of AWS::ECS::TaskSet (Green)"
],
"TrafficRouting": {
"ProdTrafficRoute": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"LogicalID": "Logical ID of AWS::ElasticLoadBalancingV2::Listener (Production)"
},
"TestTrafficRoute": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"LogicalID": "Logical ID of AWS::ElasticLoadBalancingV2::Listener (Test)"
},
"TargetGroups": [
"Logical ID of AWS::ElasticLoadBalancingV2::TargetGroup (Blue)",
"Logical ID of AWS::ElasticLoadBalancingV2::TargetGroup (Green)"
]
}
}
}
]
}
}
}
```
## Properties
Logical ID (also called *logical name*)
The logical ID of a hook declared in the `Hooks` section of the template. The logical ID must be alphanumeric (A-Za-z0-9) and unique within the template.
*Required*: Yes
`Type`
The type of hook. `AWS::CodeDeploy::BlueGreen`
*Required*: Yes
`Properties`
Properties of the hook.
*Required*: Yes
`TrafficRoutingConfig`
Traffic routing configuration settings.
*Required*: No
The default configuration is time-based canary traffic shifting, with a 15% step percentage and a five minute bake time.
`Type`
The type of traffic shifting used by the deployment configuration.
Valid values: AllAtOnce \$1 TimeBasedCanary \$1 TimeBasedLinear
*Required*: Yes
`TimeBasedCanary`
Specifies a configuration that shifts traffic from one version of the deployment to another in two increments.
*Required*: Conditional: If you specify `TimeBasedCanary` as the traffic routing type, you must include the `TimeBasedCanary` parameter.
`StepPercentage`
The percentage of traffic to shift in the first increment of a `TimeBasedCanary` deployment. The step percentage must be 14% or greater.
*Required*: No
`BakeTimeMins`
The number of minutes between the first and second traffic shifts of a `TimeBasedCanary` deployment.
*Required*: No
`TimeBasedLinear`
Specifies a configuration that shifts traffic from one version of the deployment to another in equal increments, with an equal number of minutes between each increment.
*Required*: Conditional: If you specify `TimeBasedLinear` as the traffic routing type, you must include the `TimeBasedLinear` parameter.
`StepPercentage`
The percentage of traffic that's shifted at the start of each increment of a `TimeBasedLinear` deployment. The step percentage must be 14% or greater.
*Required*: No
`BakeTimeMins`
The number of minutes between each incremental traffic shift of a `TimeBasedLinear` deployment.
*Required*: No
`AdditionalOptions`
Additional options for the blue/green deployment.
*Required*: No
`TerminationWaitTimeInMinutes`
Specifies time to wait, in minutes, before terminating the blue resources.
*Required*: No
`LifecycleEventHooks`
Use lifecycle event hooks to specify a Lambda function that CodeDeploy can call to validate a deployment. You can use the same function or a different one for deployment lifecyle events. Following completion of the validation tests, the Lambda `AfterAllowTraffic` function calls back CodeDeploy and delivers a result of `Succeeded` or `Failed`. For more information, see [AppSpec 'hooks' section](https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html) in the *AWS CodeDeploy User Guide.*
*Required*: No
`BeforeInstall`
Function to use to run tasks before the replacement task set is created.
*Required*: No
`AfterInstall`
Function to use to run tasks after the replacement task set is created and one of the target groups is associated with it.
*Required*: No
`AfterAllowTestTraffic`
Function to use to run tasks after the test listener serves traffic to the replacement task set.
*Required*: No
`BeforeAllowTraffic`
Function to use to run tasks after the second target group is associated with the replacement task set, but before traffic is shifted to the replacement task set.
*Required*: No
`AfterAllowTraffic`
Function to use to run tasks after the second target group serves traffic to the replacement task set.
*Required*: No
`ServiceRole`
The execution role for CloudFormation to use to perform the blue-green deployments. For a list of the necessary permissions, see [IAM permissions for blue/green deployments](about-blue-green-deployments.md#blue-green-iam).
*Required*: No
`Applications`
Specifies properties of the Amazon ECS application.
*Required*: Yes
`Target`
*Required*: Yes
`Type`
The type of the resource.
*Required*: Yes
`LogicalID`
The logical id of the resource.
*Required*: Yes
`ECSAttributes`
The resources that represent the various requirements of your Amazon ECS application deployment.
*Required*: Yes
`TaskDefinitions`
The logical ID of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskdefinition.html) resource to run the Docker container that contains your Amazon ECS application.
*Required*: Yes
`TaskSets`
The logical IDs of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-taskset.html) resources to use as task sets for the application.
*Required*: Yes
`TrafficRouting`
Specifies resources used for traffic routing.
*Required*: Yes
`ProdTrafficRoute`
The listener to be used by your load balancer to direct traffic to your target groups.
*Required*: Yes
`Type`
The type of the resource. `AWS::ElasticLoadBalancingV2::Listener`
*Required*: Yes
`LogicalID`
The logical ID of the resource.
*Required*: Yes
`TestTrafficRoute`
The listener to be used by your load balancer to direct traffic to your target groups.
*Required*: Yes
`Type`
The type of the resource. `AWS::ElasticLoadBalancingV2::Listener`
*Required*: Yes
`LogicalID`
The logical ID of the resource.
*Required*: No
`TargetGroups`
Logical ID of resources to use as target groups to route traffic to the registered target.
*Required*: Yes
# Blue/green deployment template example
The following example template sets up a CodeDeploy blue/green deployment on ECS, with a traffic routing progress of 15 percent per step and a stabilization period of 5 minutes between each step.
Creating a stack with the template will provision the initial configuration of the deployment. If you then made any changes to properties in the `BlueTaskSet` resource that require that resource be replaced, CloudFormation will then initiate a green deployment as part of the stack update.
## JSON
```
{
"AWSTemplateFormatVersion":"2010-09-09",
"Parameters":{
"Vpc":{ "Type":"AWS::EC2::VPC::Id" },
"Subnet1":{ "Type":"AWS::EC2::Subnet::Id" },
"Subnet2":{ "Type":"AWS::EC2::Subnet::Id" }
},
"Transform":[ "AWS::CodeDeployBlueGreen" ],
"Hooks":{
"CodeDeployBlueGreenHook":{
"Type":"AWS::CodeDeploy::BlueGreen",
"Properties":{
"TrafficRoutingConfig":{
"Type":"TimeBasedCanary",
"TimeBasedCanary":{
"StepPercentage":15,
"BakeTimeMins":5
}
},
"Applications":[
{
"Target":{
"Type":"AWS::ECS::Service",
"LogicalID":"ECSDemoService"
},
"ECSAttributes":{
"TaskDefinitions":[ "BlueTaskDefinition","GreenTaskDefinition" ],
"TaskSets":[ "BlueTaskSet","GreenTaskSet" ],
"TrafficRouting":{
"ProdTrafficRoute":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"LogicalID":"ALBListenerProdTraffic"
},
"TargetGroups":[ "ALBTargetGroupBlue","ALBTargetGroupGreen" ]
}
}
}
]
}
}
},
"Resources":{
"ExampleSecurityGroup":{
"Type":"AWS::EC2::SecurityGroup",
"Properties":{
"GroupDescription":"Security group for ec2 access",
"VpcId":{ "Ref":"Vpc" },
"SecurityGroupIngress":[
{
"IpProtocol":"tcp",
"FromPort":80,
"ToPort":80,
"CidrIp":"0.0.0.0/0"
},
{
"IpProtocol":"tcp",
"FromPort":8080,
"ToPort":8080,
"CidrIp":"0.0.0.0/0"
},
{
"IpProtocol":"tcp",
"FromPort":22,
"ToPort":22,
"CidrIp":"0.0.0.0/0"
}
]
}
},
"ALBTargetGroupBlue":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties":{
"HealthCheckIntervalSeconds":5,
"HealthCheckPath":"/",
"HealthCheckPort":"80",
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":2,
"HealthyThresholdCount":2,
"Matcher":{ "HttpCode":"200" },
"Port":80,
"Protocol":"HTTP",
"Tags":[{ "Key":"Group","Value":"Example" }],
"TargetType":"ip",
"UnhealthyThresholdCount":4,
"VpcId":{ "Ref":"Vpc" }
}
},
"ALBTargetGroupGreen":{
"Type":"AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties":{
"HealthCheckIntervalSeconds":5,
"HealthCheckPath":"/",
"HealthCheckPort":"80",
"HealthCheckProtocol":"HTTP",
"HealthCheckTimeoutSeconds":2,
"HealthyThresholdCount":2,
"Matcher":{ "HttpCode":"200" },
"Port":80,
"Protocol":"HTTP",
"Tags":[{ "Key":"Group","Value":"Example" }],
"TargetType":"ip",
"UnhealthyThresholdCount":4,
"VpcId":{ "Ref":"Vpc" }
}
},
"ExampleALB":{
"Type":"AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties":{
"Scheme":"internet-facing",
"SecurityGroups":[{ "Ref":"ExampleSecurityGroup" }],
"Subnets":[{ "Ref":"Subnet1" },{ "Ref":"Subnet2" }],
"Tags":[{ "Key":"Group","Value":"Example" }],
"Type":"application",
"IpAddressType":"ipv4"
}
},
"ALBListenerProdTraffic":{
"Type":"AWS::ElasticLoadBalancingV2::Listener",
"Properties":{
"DefaultActions":[
{
"Type":"forward",
"ForwardConfig":{
"TargetGroups":[
{
"TargetGroupArn":{ "Ref":"ALBTargetGroupBlue" },
"Weight":1
}
]
}
}
],
"LoadBalancerArn":{ "Ref":"ExampleALB" },
"Port":80,
"Protocol":"HTTP"
}
},
"ALBListenerProdRule":{
"Type":"AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties":{
"Actions":[
{
"Type":"forward",
"ForwardConfig":{
"TargetGroups":[
{
"TargetGroupArn":{ "Ref":"ALBTargetGroupBlue" },
"Weight":1
}
]
}
}
],
"Conditions":[
{
"Field":"http-header",
"HttpHeaderConfig":{
"HttpHeaderName":"User-Agent",
"Values":[ "Mozilla" ]
}
}
],
"ListenerArn":{ "Ref":"ALBListenerProdTraffic" },
"Priority":1
}
},
"ECSTaskExecutionRole":{
"Type":"AWS::IAM::Role",
"Properties":{
"AssumeRolePolicyDocument":{
"Version": "2012-10-17",
"Statement":[
{
"Sid":"",
"Effect":"Allow",
"Principal":{
"Service":"ecs-tasks.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
},
"ManagedPolicyArns":[ "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" ]
}
},
"BlueTaskDefinition":{
"Type":"AWS::ECS::TaskDefinition",
"Properties":{
"ExecutionRoleArn":{
"Fn::GetAtt":[ "ECSTaskExecutionRole","Arn" ]
},
"ContainerDefinitions":[
{
"Name":"DemoApp",
"Image":"nginxdemos/hello:latest",
"Essential":true,
"PortMappings":[
{
"HostPort":80,
"Protocol":"tcp",
"ContainerPort":80
}
]
}
],
"RequiresCompatibilities":[ "FARGATE" ],
"NetworkMode":"awsvpc",
"Cpu":"256",
"Memory":"512",
"Family":"ecs-demo"
}
},
"ECSDemoCluster":{
"Type":"AWS::ECS::Cluster",
"Properties":{}
},
"ECSDemoService":{
"Type":"AWS::ECS::Service",
"Properties":{
"Cluster":{ "Ref":"ECSDemoCluster" },
"DesiredCount":1,
"DeploymentController":{ "Type":"EXTERNAL" }
}
},
"BlueTaskSet":{
"Type":"AWS::ECS::TaskSet",
"Properties":{
"Cluster":{ "Ref":"ECSDemoCluster" },
"LaunchType":"FARGATE",
"NetworkConfiguration":{
"AwsVpcConfiguration":{
"AssignPublicIp":"ENABLED",
"SecurityGroups":[{ "Ref":"ExampleSecurityGroup" }],
"Subnets":[{ "Ref":"Subnet1" },{ "Ref":"Subnet2" }]
}
},
"PlatformVersion":"1.4.0",
"Scale":{
"Unit":"PERCENT",
"Value":100
},
"Service":{ "Ref":"ECSDemoService"},
"TaskDefinition":{ "Ref":"BlueTaskDefinition" },
"LoadBalancers":[
{
"ContainerName":"DemoApp",
"ContainerPort":80,
"TargetGroupArn":{ "Ref":"ALBTargetGroupBlue" }
}
]
}
},
"PrimaryTaskSet":{
"Type":"AWS::ECS::PrimaryTaskSet",
"Properties":{
"Cluster":{ "Ref":"ECSDemoCluster" },
"Service":{ "Ref":"ECSDemoService" },
"TaskSetId":{ "Fn::GetAtt":[ "BlueTaskSet","Id" ]
}
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
Vpc:
Type: AWS::EC2::VPC::Id
Subnet1:
Type: AWS::EC2::Subnet::Id
Subnet2:
Type: AWS::EC2::Subnet::Id
Transform:
- 'AWS::CodeDeployBlueGreen'
Hooks:
CodeDeployBlueGreenHook:
Type: AWS::CodeDeploy::BlueGreen
Properties:
TrafficRoutingConfig:
Type: TimeBasedCanary
TimeBasedCanary:
StepPercentage: 15
BakeTimeMins: 5
Applications:
- Target:
Type: AWS::ECS::Service
LogicalID: ECSDemoService
ECSAttributes:
TaskDefinitions:
- BlueTaskDefinition
- GreenTaskDefinition
TaskSets:
- BlueTaskSet
- GreenTaskSet
TrafficRouting:
ProdTrafficRoute:
Type: AWS::ElasticLoadBalancingV2::Listener
LogicalID: ALBListenerProdTraffic
TargetGroups:
- ALBTargetGroupBlue
- ALBTargetGroupGreen
Resources:
ExampleSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for ec2 access
VpcId: !Ref Vpc
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 8080
ToPort: 8080
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
ALBTargetGroupBlue:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 5
HealthCheckPath: /
HealthCheckPort: '80'
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 2
HealthyThresholdCount: 2
Matcher:
HttpCode: '200'
Port: 80
Protocol: HTTP
Tags:
- Key: Group
Value: Example
TargetType: ip
UnhealthyThresholdCount: 4
VpcId: !Ref Vpc
ALBTargetGroupGreen:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 5
HealthCheckPath: /
HealthCheckPort: '80'
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 2
HealthyThresholdCount: 2
Matcher:
HttpCode: '200'
Port: 80
Protocol: HTTP
Tags:
- Key: Group
Value: Example
TargetType: ip
UnhealthyThresholdCount: 4
VpcId: !Ref Vpc
ExampleALB:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
SecurityGroups:
- !Ref ExampleSecurityGroup
Subnets:
- !Ref Subnet1
- !Ref Subnet2
Tags:
- Key: Group
Value: Example
Type: application
IpAddressType: ipv4
ALBListenerProdTraffic:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ALBTargetGroupBlue
Weight: 1
LoadBalancerArn: !Ref ExampleALB
Port: 80
Protocol: HTTP
ALBListenerProdRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ALBTargetGroupBlue
Weight: 1
Conditions:
- Field: http-header
HttpHeaderConfig:
HttpHeaderName: User-Agent
Values:
- Mozilla
ListenerArn: !Ref ALBListenerProdTraffic
Priority: 1
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
BlueTaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
ExecutionRoleArn: !GetAtt
- ECSTaskExecutionRole
- Arn
ContainerDefinitions:
- Name: DemoApp
Image: 'nginxdemos/hello:latest'
Essential: true
PortMappings:
- HostPort: 80
Protocol: tcp
ContainerPort: 80
RequiresCompatibilities:
- FARGATE
NetworkMode: awsvpc
Cpu: '256'
Memory: '512'
Family: ecs-demo
ECSDemoCluster:
Type: AWS::ECS::Cluster
Properties: {}
ECSDemoService:
Type: AWS::ECS::Service
Properties:
Cluster: !Ref ECSDemoCluster
DesiredCount: 1
DeploymentController:
Type: EXTERNAL
BlueTaskSet:
Type: AWS::ECS::TaskSet
Properties:
Cluster: !Ref ECSDemoCluster
LaunchType: FARGATE
NetworkConfiguration:
AwsVpcConfiguration:
AssignPublicIp: ENABLED
SecurityGroups:
- !Ref ExampleSecurityGroup
Subnets:
- !Ref Subnet1
- !Ref Subnet2
PlatformVersion: 1.4.0
Scale:
Unit: PERCENT
Value: 100
Service: !Ref ECSDemoService
TaskDefinition: !Ref BlueTaskDefinition
LoadBalancers:
- ContainerName: DemoApp
ContainerPort: 80
TargetGroupArn: !Ref ALBTargetGroupBlue
PrimaryTaskSet:
Type: AWS::ECS::PrimaryTaskSet
Properties:
Cluster: !Ref ECSDemoCluster
Service: !Ref ECSDemoService
TaskSetId: !GetAtt
- BlueTaskSet
- Id
```
# CloudFormation template snippets
This section provides a number of example scenarios that you can use to understand how to declare various CloudFormation template parts. You can also use the snippets as a starting point for sections of your custom templates.
**Topics**
+ [
# General template snippets
](quickref-general.md)
+ [
# Auto scaling CloudFormation template snippets
](quickref-autoscaling.md)
+ [
# AWS Billing Console template snippets
](quickref-billingconductor.md)
+ [
# CloudFormation template snippets
](quickref-cloudformation.md)
+ [
# Amazon CloudFront template snippets
](quickref-cloudfront.md)
+ [
# Amazon CloudWatch template snippets
](quickref-cloudwatch.md)
+ [
# Amazon CloudWatch Logs template snippets
](quickref-cloudwatchlogs.md)
+ [
# Amazon DynamoDB template snippets
](quickref-dynamodb.md)
+ [
# Amazon EC2 CloudFormation template snippets
](quickref-ec2.md)
+ [
# Amazon Elastic Container Service sample templates
](quickref-ecs.md)
+ [
# Amazon Elastic File System Sample Template
](quickref-efs.md)
+ [
# Elastic Beanstalk template snippets
](quickref-elasticbeanstalk.md)
+ [
# Elastic Load Balancing template snippets
](quickref-elb.md)
+ [
# AWS Identity and Access Management template snippets
](quickref-iam.md)
+ [
# AWS Lambda template
](quickref-lambda.md)
+ [
# Amazon Redshift template snippets
](quickref-redshift.md)
+ [
# Amazon RDS template snippets
](quickref-rds.md)
+ [
# Route 53 template snippets
](quickref-route53.md)
+ [
# Amazon S3 template snippets
](quickref-s3.md)
+ [
# Amazon SNS template snippets
](quickref-sns.md)
+ [
# Amazon SQS template snippets
](scenario-sqs-queue.md)
+ [
# Amazon Timestream template snippets
](scenario-timestream-queue.md)
# General template snippets
The following examples show different CloudFormation template features that aren't specific to an AWS service.
**Topics**
+ [
## Base64 encoded UserData property
](#scenario-userdata-base64)
+ [
## Base64 encoded UserData property with AccessKey and SecretKey
](#scenario-userdata-base64-with-keys)
+ [
## Parameters section with one literal string parameter
](#scenario-one-string-parameter)
+ [
## Parameters section with string parameter with regular expression constraint
](#scenario-constraint-string-parameter)
+ [
## Parameters section with number parameter with MinValue and MaxValue constraints
](#scenario-one-number-min-parameter)
+ [
## Parameters section with number parameter with AllowedValues constraint
](#scenario-one-number-parameter)
+ [
## Parameters section with one literal CommaDelimitedList parameter
](#scenario-one-list-parameter)
+ [
## Parameters section with parameter value based on pseudo parameter
](#scenario-one-pseudo-parameter)
+ [
## Mapping section with three mappings
](#scenario-mapping-with-four-maps)
+ [
## Description based on literal string
](#scenario-description-from-literal-string)
+ [
## Outputs section with one literal string output
](#scenario-output-with-literal-string)
+ [
## Outputs section with one resource reference and one pseudo reference output
](#scenario-output-with-ref-and-pseudo-ref)
+ [
## Outputs section with an output based on a function, a literal string, a reference, and a pseudo parameter
](#scenario-output-with-complex-spec)
+ [
## Template format version
](#scenario-format-version)
+ [
## AWS Tags property
](#scenario-format-aws-tag)
## Base64 encoded UserData property
This example shows the assembly of a `UserData` property using the `Fn::Base64` and `Fn::Join` functions. The references `MyValue` and `MyName` are parameters that must be defined in the `Parameters` section of the template. The literal string `Hello World` is just another value this example passes in as part of the `UserData`.
### JSON
```
1. "UserData" : {
2. "Fn::Base64" : {
3. "Fn::Join" : [ ",", [
4. { "Ref" : "MyValue" },
5. { "Ref" : "MyName" },
6. "Hello World" ] ]
7. }
8. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. Ref: MyValue
4. Ref: MyName
5. Hello World
```
## Base64 encoded UserData property with AccessKey and SecretKey
This example shows the assembly of a `UserData` property using the `Fn::Base64` and `Fn::Join` functions. It includes the `AccessKey` and `SecretKey` information. The references `AccessKey` and `SecretKey` are parameters that must be defined in the Parameters section of the template.
### JSON
```
1. "UserData" : {
2. "Fn::Base64" : {
3. "Fn::Join" : [ "", [
4. "ACCESS_KEY=", { "Ref" : "AccessKey" },
5. "SECRET_KEY=", { "Ref" : "SecretKey" } ]
6. ]
7. }
8. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. ACCESS_KEY=${AccessKey}
4. SECRET_KEY=${SecretKey}
```
## Parameters section with one literal string parameter
The following example depicts a valid Parameters section declaration in which a single `String` type parameter is declared.
### JSON
```
1. "Parameters" : {
2. "UserName" : {
3. "Type" : "String",
4. "Default" : "nonadmin",
5. "Description" : "Assume a vanilla user if no command-line spec provided"
6. }
7. }
```
### YAML
```
1. Parameters:
2. UserName:
3. Type: String
4. Default: nonadmin
5. Description: Assume a vanilla user if no command-line spec provided
```
## Parameters section with string parameter with regular expression constraint
The following example depicts a valid Parameters section declaration in which a single `String` type parameter is declared. The `AdminUserAccount` parameter has a default of `admin`. The parameter value must have a minimum length of 1, a maximum length of 16, and contains alphabetical characters and numbers but must begin with an alphabetical character.
### JSON
```
1. "Parameters" : {
2. "AdminUserAccount": {
3. "Default": "admin",
4. "NoEcho": "true",
5. "Description" : "The admin account user name",
6. "Type": "String",
7. "MinLength": "1",
8. "MaxLength": "16",
9. "AllowedPattern" : "[a-zA-Z][a-zA-Z0-9]*"
10. }
11. }
```
### YAML
```
1. Parameters:
2. AdminUserAccount:
3. Default: admin
4. NoEcho: true
5. Description: The admin account user name
6. Type: String
7. MinLength: 1
8. MaxLength: 16
9. AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
```
## Parameters section with number parameter with MinValue and MaxValue constraints
The following example depicts a valid Parameters section declaration in which a single `Number` type parameter is declared. The `WebServerPort` parameter has a default of 80 and a minimum value 1 and maximum value 65535.
### JSON
```
1. "Parameters" : {
2. "WebServerPort": {
3. "Default": "80",
4. "Description" : "TCP/IP port for the web server",
5. "Type": "Number",
6. "MinValue": "1",
7. "MaxValue": "65535"
8. }
9. }
```
### YAML
```
1. Parameters:
2. WebServerPort:
3. Default: 80
4. Description: TCP/IP port for the web server
5. Type: Number
6. MinValue: 1
7. MaxValue: 65535
```
## Parameters section with number parameter with AllowedValues constraint
The following example depicts a valid Parameters section declaration in which a single `Number` type parameter is declared. The `WebServerPort` parameter has a default of 80 and allows only values of 80 and 8888.
### JSON
```
1. "Parameters" : {
2. "WebServerPortLimited": {
3. "Default": "80",
4. "Description" : "TCP/IP port for the web server",
5. "Type": "Number",
6. "AllowedValues" : ["80", "8888"]
7. }
8. }
```
### YAML
```
1. Parameters:
2. WebServerPortLimited:
3. Default: 80
4. Description: TCP/IP port for the web server
5. Type: Number
6. AllowedValues:
7. - 80
8. - 8888
```
## Parameters section with one literal CommaDelimitedList parameter
The following example depicts a valid `Parameters` section declaration in which a single `CommaDelimitedList` type parameter is declared. The `NoEcho` property is set to `TRUE`, which will mask its value with asterisks (\$1\$1\$1\$1\$1) in the **describe-stacks** output, except for information stored in the locations specified below.
**Important**
Using the `NoEcho` attribute does not mask any information stored in the following:
The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [Metadata](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html).
The `Outputs` template section. For more information, see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html).
The `Metadata` attribute of a resource definition. For more information, see [`Metadata` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html).
We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets.
**Important**
Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager.
For more information, see the [Do not embed credentials in your templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds) best practice.
### JSON
```
1. "Parameters" : {
2. "UserRoles" : {
3. "Type" : "CommaDelimitedList",
4. "Default" : "guest,newhire",
5. "NoEcho" : "TRUE"
6. }
7. }
```
### YAML
```
1. Parameters:
2. UserRoles:
3. Type: CommaDelimitedList
4. Default: "guest,newhire"
5. NoEcho: true
```
## Parameters section with parameter value based on pseudo parameter
The following example shows commands in the EC2 user data that use the pseudo parameters `AWS::StackName` and `AWS::Region`. For more information about pseudo parameters, see [Get AWS values using pseudo parameters](pseudo-parameter-reference.md).
### JSON
```
1. "UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
2. "#!/bin/bash -xe\n",
3. "yum install -y aws-cfn-bootstrap\n",
4.
5. "/opt/aws/bin/cfn-init -v ",
6. " --stack ", { "Ref" : "AWS::StackName" },
7. " --resource LaunchConfig ",
8. " --region ", { "Ref" : "AWS::Region" }, "\n",
9.
10. "/opt/aws/bin/cfn-signal -e $? ",
11. " --stack ", { "Ref" : "AWS::StackName" },
12. " --resource WebServerGroup ",
13. " --region ", { "Ref" : "AWS::Region" }, "\n"
14. ]]}}
15. }
```
### YAML
```
1. UserData:
2. Fn::Base64: !Sub |
3. #!/bin/bash -xe
4. yum update -y aws-cfn-bootstrap
5. /opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfig --region ${AWS::Region}
6. /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerGroup --region ${AWS::Region}
```
## Mapping section with three mappings
The following example depicts a valid `Mapping` section declaration that contains three mappings. The map, when matched with a mapping key of `Stop`, `SlowDown`, or `Go`, provides the RGB values assigned to the corresponding `RGBColor` attribute.
### JSON
```
1. "Mappings" : {
2. "LightColor" : {
3. "Stop" : {
4. "Description" : "red",
5. "RGBColor" : "RED 255 GREEN 0 BLUE 0"
6. },
7. "SlowDown" : {
8. "Description" : "yellow",
9. "RGBColor" : "RED 255 GREEN 255 BLUE 0"
10. },
11. "Go" : {
12. "Description" : "green",
13. "RGBColor" : "RED 0 GREEN 128 BLUE 0"
14. }
15. }
16. }
```
### YAML
```
1. Mappings:
2. LightColor:
3. Stop:
4. Description: red
5. RGBColor: "RED 255 GREEN 0 BLUE 0"
6. SlowDown:
7. Description: yellow
8. RGBColor: "RED 255 GREEN 255 BLUE 0"
9. Go:
10. Description: green
11. RGBColor: "RED 0 GREEN 128 BLUE 0"
```
## Description based on literal string
The following example depicts a valid `Description` section declaration where the value is based on a literal string. This snippet can be for templates, parameters, resources, properties, or outputs.
### JSON
```
1. "Description" : "Replace this value"
```
### YAML
```
1. Description: "Replace this value"
```
## Outputs section with one literal string output
This example shows a output assignment based on a literal string.
### JSON
```
1. "Outputs" : {
2. "MyPhone" : {
3. "Value" : "Please call 555-5555",
4. "Description" : "A random message for aws cloudformation describe-stacks"
5. }
6. }
```
### YAML
```
1. Outputs:
2. MyPhone:
3. Value: Please call 555-5555
4. Description: A random message for aws cloudformation describe-stacks
```
## Outputs section with one resource reference and one pseudo reference output
This example shows an `Outputs` section with two output assignments. One is based on a resource, and the other is based on a pseudo reference.
### JSON
```
1. "Outputs" : {
2. "SNSTopic" : { "Value" : { "Ref" : "MyNotificationTopic" } },
3. "StackName" : { "Value" : { "Ref" : "AWS::StackName" } }
4. }
```
### YAML
```
1. Outputs:
2. SNSTopic:
3. Value: !Ref MyNotificationTopic
4. StackName:
5. Value: !Ref AWS::StackName
```
## Outputs section with an output based on a function, a literal string, a reference, and a pseudo parameter
This example shows an Outputs section with one output assignment. The Join function is used to concatenate the value, using a percent sign as the delimiter.
### JSON
```
1. "Outputs" : {
2. "MyOutput" : {
3. "Value" : { "Fn::Join" :
4. [ "%", [ "A-string", {"Ref" : "AWS::StackName" } ] ]
5. }
6. }
7. }
```
### YAML
```
1. Outputs:
2. MyOutput:
3. Value: !Join [ %, [ 'A-string', !Ref 'AWS::StackName' ]]
```
## Template format version
The following snippet depicts a valid `AWSTemplateFormatVersion` section declaration.
### JSON
```
1. "AWSTemplateFormatVersion" : "2010-09-09"
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
```
## AWS Tags property
This example shows an AWS `Tags` property. You would specify this property within the Properties section of a resource. When the resource is created, it will be tagged with the tags you declare.
### JSON
```
1. "Tags" : [
2. {
3. "Key" : "keyname1",
4. "Value" : "value1"
5. },
6. {
7. "Key" : "keyname2",
8. "Value" : "value2"
9. }
10. ]
```
### YAML
```
1. Tags:
2. -
3. Key: "keyname1"
4. Value: "value1"
5. -
6. Key: "keyname2"
7. Value: "value2"
```
# Auto scaling CloudFormation template snippets
With Amazon EC2 Auto Scaling, you can automatically scale Amazon EC2 instances, either with scaling policies or with scheduled scaling. Auto Scaling groups are collections of Amazon EC2 instances that enable automatic scaling and fleet management features, such as scaling policies, scheduled actions, health checks, lifecycle hooks, and load balancing.
Application Auto Scaling provides automatic scaling of different resources beyond Amazon EC2, either with scaling policies or with scheduled scaling.
You can create and configure Auto Scaling groups, scaling policies, scheduled actions, and other auto scaling resources as part of your infrastructure using CloudFormation templates. Templates make it easy to manage and automate the deployment of auto scaling resources in a repeatable and consistent manner.
The following example template snippets describe CloudFormation resources or components for Amazon EC2 Auto Scaling and Application Auto Scaling. These snippets are designed to be integrated into a template and are not intended to be run independently.
**Topics**
+ [Configure Amazon EC2 Auto Scaling resources](quickref-ec2-auto-scaling.md)
+ [Configure Application Auto Scaling resources](quickref-application-auto-scaling.md)
# Configure Amazon EC2 Auto Scaling resources with CloudFormation
The following examples show different snippets to include in templates for use with Amazon EC2 Auto Scaling.
**Topics**
+ [
## Create a single instance Auto Scaling group
](#scenario-single-instance-as-group)
+ [
## Create an Auto Scaling group with an attached load balancer
](#scenario-as-group)
+ [
## Create an Auto Scaling group with notifications
](#scenario-as-notification)
+ [
## Create an Auto Scaling group that uses a `CreationPolicy` and an `UpdatePolicy`
](#scenario-as-updatepolicy)
+ [
## Create a step scaling policy
](#scenario-step-scaling-policy)
+ [
## Mixed instances group examples
](#scenario-mixed-instances-group-template-examples)
+ [
## Launch configuration examples
](#scenario-launch-config-template-examples)
## Create a single instance Auto Scaling group
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource with a single instance to help you get started. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource with the logical name `myLaunchTemplate` that is defined elsewhere in your template.
**Note**
For examples of launch templates, see [Create launch templates with CloudFormation](quickref-ec2-launch-templates.md) in the Amazon EC2 snippets section and the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples) section in the `AWS::EC2::LaunchTemplate` resource.
### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
5. "LaunchTemplate" : {
6. "LaunchTemplateId" : {
7. "Ref" : "myLaunchTemplate"
8. },
9. "Version" : {
10. "Fn::GetAtt" : [
11. "myLaunchTemplate",
12. "LatestVersionNumber"
13. ]
14. }
15. },
16. "MaxSize" : "1",
17. "MinSize" : "1"
18. }
19. }
```
### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - subnetIdAz1
6. - subnetIdAz2
7. - subnetIdAz3
8. LaunchTemplate:
9. LaunchTemplateId: !Ref myLaunchTemplate
10. Version: !GetAtt myLaunchTemplate.LatestVersionNumber
11. MaxSize: '1'
12. MinSize: '1'
```
## Create an Auto Scaling group with an attached load balancer
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource for load balancing over multiple servers. It specifies the logical names of AWS resources declared elsewhere in the same template.
1. The `VPCZoneIdentifier` property specifies the logical names of two [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) resources where the Auto Scaling group's EC2 instances will be created: `myPublicSubnet1` and `myPublicSubnet2`.
1. The `LaunchTemplate` property specifies an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource with the logical name `myLaunchTemplate`.
1. The `TargetGroupARNs` property lists the target groups for an Application Load Balancer or Network Load Balancer used to route traffic to the Auto Scaling group. In this example, one target group is specified, an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) resource with the logical name `myTargetGroup`.
### JSON
```
1. "myServerGroup" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ { "Ref" : "myPublicSubnet1" }, { "Ref" : "myPublicSubnet2" } ],
5. "LaunchTemplate" : {
6. "LaunchTemplateId" : {
7. "Ref" : "myLaunchTemplate"
8. },
9. "Version" : {
10. "Fn::GetAtt" : [
11. "myLaunchTemplate",
12. "LatestVersionNumber"
13. ]
14. }
15. },
16. "MaxSize" : "5",
17. "MinSize" : "1",
18. "TargetGroupARNs" : [ { "Ref" : "myTargetGroup" } ]
19. }
20. }
```
### YAML
```
1. myServerGroup:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - !Ref myPublicSubnet1
6. - !Ref myPublicSubnet2
7. LaunchTemplate:
8. LaunchTemplateId: !Ref myLaunchTemplate
9. Version: !GetAtt myLaunchTemplate.LatestVersionNumber
10. MaxSize: '5'
11. MinSize: '1'
12. TargetGroupARNs:
13. - !Ref myTargetGroup
```
### See also
For a detailed example that creates an Auto Scaling group with a target tracking scaling policy based on the `ALBRequestCountPerTarget` predefined metric for your Application Load Balancer, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples) section in the `AWS::AutoScaling::ScalingPolicy` resource.
## Create an Auto Scaling group with notifications
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource that sends Amazon SNS notifications when the specified events take place. The `NotificationConfigurations` property specifies the SNS topic where CloudFormation sends a notification and the events that will cause CloudFormation to send notifications. When the events specified by `NotificationTypes` occur, CloudFormation will send a notification to the SNS topic specified by `TopicARN`. When you launch the stack, CloudFormation creates an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-subscription.html) resource (`snsTopicForAutoScalingGroup`) that's declared within the same template.
The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource declared elsewhere in the same template.
### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "DependsOn": [
4. "snsTopicForAutoScalingGroup"
5. ],
6. "Properties" : {
7. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
8. "LaunchTemplate" : {
9. "LaunchTemplateId" : {
10. "Ref" : "logicalName"
11. },
12. "Version" : {
13. "Fn::GetAtt" : [
14. "logicalName",
15. "LatestVersionNumber"
16. ]
17. }
18. },
19. "MaxSize" : "5",
20. "MinSize" : "1",
21. "NotificationConfigurations" : [
22. {
23. "TopicARN" : { "Ref" : "snsTopicForAutoScalingGroup" },
24. "NotificationTypes" : [
25. "autoscaling:EC2_INSTANCE_LAUNCH",
26. "autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
27. "autoscaling:EC2_INSTANCE_TERMINATE",
28. "autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
29. "autoscaling:TEST_NOTIFICATION"
30. ]
31. }
32. ]
33. }
34. }
```
### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. DependsOn:
4. - snsTopicForAutoScalingGroup
5. Properties:
6. VPCZoneIdentifier:
7. - subnetIdAz1
8. - subnetIdAz2
9. - subnetIdAz3
10. LaunchTemplate:
11. LaunchTemplateId: !Ref logicalName
12. Version: !GetAtt logicalName.LatestVersionNumber
13. MaxSize: '5'
14. MinSize: '1'
15. NotificationConfigurations:
16. - TopicARN: !Ref snsTopicForAutoScalingGroup
17. NotificationTypes:
18. - autoscaling:EC2_INSTANCE_LAUNCH
19. - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
20. - autoscaling:EC2_INSTANCE_TERMINATE
21. - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
22. - autoscaling:TEST_NOTIFICATION
```
## Create an Auto Scaling group that uses a `CreationPolicy` and an `UpdatePolicy`
The following example shows how to add `CreationPolicy` and `UpdatePolicy` attributes to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource.
The sample creation policy prevents the Auto Scaling group from reaching `CREATE_COMPLETE` status until CloudFormation receives `Count` number of success signals when the group is ready. To signal that the Auto Scaling group is ready, a `cfn-signal` helper script added to the launch template's user data (not shown) is run on the instances. If the instances don't send a signal within the specified `Timeout`, CloudFormation assumes that the instances were not created, the resource creation fails, and CloudFormation rolls the stack back.
The sample update policy instructs CloudFormation to perform a rolling update using the `AutoScalingRollingUpdate` property. The rolling update makes changes to the Auto Scaling group in small batches (for this example, instance by instance) based on the `MaxBatchSize` and a pause time between batches of updates based on the `PauseTime`. The `MinInstancesInService` attribute specifies the minimum number of instances that must be in service within the Auto Scaling group while CloudFormation updates old instances.
The `WaitOnResourceSignals` attribute is set to `true`. CloudFormation must receive a signal from each new instance within the specified `PauseTime` before continuing the update. While the stack update is in progress, the following EC2 Auto Scaling processes are suspended: `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, and `ScheduledActions`. Note: Don't suspend the `Launch`, `Terminate`, or `AddToLoadBalancer` (if the Auto Scaling group is being used with Elastic Load Balancing) process types because doing so can prevent the rolling update from functioning properly.
The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource declared elsewhere in the same template.
For more information about the `CreationPolicy` and `UpdatePolicy` attributes, see [Resource attribute reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-product-attribute-reference.html).
### JSON
```
{
"Resources":{
"myASG":{
"CreationPolicy":{
"ResourceSignal":{
"Count":"3",
"Timeout":"PT15M"
}
},
"UpdatePolicy":{
"AutoScalingRollingUpdate":{
"MinInstancesInService":"3",
"MaxBatchSize":"1",
"PauseTime":"PT12M5S",
"WaitOnResourceSignals":"true",
"SuspendProcesses":[
"HealthCheck",
"ReplaceUnhealthy",
"AZRebalance",
"AlarmNotification",
"ScheduledActions",
"InstanceRefresh"
]
}
},
"Type":"AWS::AutoScaling::AutoScalingGroup",
"Properties":{
"VPCZoneIdentifier":[ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
"LaunchTemplate":{
"LaunchTemplateId":{
"Ref":"logicalName"
},
"Version":{
"Fn::GetAtt":[
"logicalName",
"LatestVersionNumber"
]
}
},
"MaxSize":"5",
"MinSize":"3"
}
}
}
}
```
### YAML
```
---
Resources:
myASG:
CreationPolicy:
ResourceSignal:
Count: '3'
Timeout: PT15M
UpdatePolicy:
AutoScalingRollingUpdate:
MinInstancesInService: '3'
MaxBatchSize: '1'
PauseTime: PT12M5S
WaitOnResourceSignals: true
SuspendProcesses:
- HealthCheck
- ReplaceUnhealthy
- AZRebalance
- AlarmNotification
- ScheduledActions
- InstanceRefresh
Type: AWS::AutoScaling::AutoScalingGroup
Properties:
VPCZoneIdentifier:
- subnetIdAz1
- subnetIdAz2
- subnetIdAz3
LaunchTemplate:
LaunchTemplateId: !Ref logicalName
Version: !GetAtt logicalName.LatestVersionNumber
MaxSize: '5'
MinSize: '3'
```
## Create a step scaling policy
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html) resource that scales out the Auto Scaling group using a step scaling policy. The `AdjustmentType` property specifies `ChangeInCapacity`, which means that the `ScalingAdjustment` represents the number of instances to add (if `ScalingAdjustment` is positive) or delete (if it is negative). In this example, `ScalingAdjustment` is 1; therefore, the policy increments the number of EC2 instances in the group by 1 when the alarm threshold is breached.
The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudwatch-alarm.html) resource `CPUAlarmHigh` specifies the scaling policy `ASGScalingPolicyHigh` as the action to run when the alarm is in an ALARM state (`AlarmActions`). The `Dimensions` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource declared elsewhere in the same template.
### JSON
```
1. {
2. "Resources":{
3. "ASGScalingPolicyHigh":{
4. "Type":"AWS::AutoScaling::ScalingPolicy",
5. "Properties":{
6. "AutoScalingGroupName":{ "Ref":"logicalName" },
7. "PolicyType":"StepScaling",
8. "AdjustmentType":"ChangeInCapacity",
9. "StepAdjustments":[
10. {
11. "MetricIntervalLowerBound":0,
12. "ScalingAdjustment":1
13. }
14. ]
15. }
16. },
17. "CPUAlarmHigh":{
18. "Type":"AWS::CloudWatch::Alarm",
19. "Properties":{
20. "EvaluationPeriods":"2",
21. "Statistic":"Average",
22. "Threshold":"90",
23. "AlarmDescription":"Scale out if CPU > 90% for 2 minutes",
24. "Period":"60",
25. "AlarmActions":[ { "Ref":"ASGScalingPolicyHigh" } ],
26. "Namespace":"AWS/EC2",
27. "Dimensions":[
28. {
29. "Name":"AutoScalingGroupName",
30. "Value":{ "Ref":"logicalName" }
31. }
32. ],
33. "ComparisonOperator":"GreaterThanThreshold",
34. "MetricName":"CPUUtilization"
35. }
36. }
37. }
38. }
```
### YAML
```
1. ---
2. Resources:
3. ASGScalingPolicyHigh:
4. Type: AWS::AutoScaling::ScalingPolicy
5. Properties:
6. AutoScalingGroupName: !Ref logicalName
7. PolicyType: StepScaling
8. AdjustmentType: ChangeInCapacity
9. StepAdjustments:
10. - MetricIntervalLowerBound: 0
11. ScalingAdjustment: 1
12. CPUAlarmHigh:
13. Type: AWS::CloudWatch::Alarm
14. Properties:
15. EvaluationPeriods: 2
16. Statistic: Average
17. Threshold: 90
18. AlarmDescription: 'Scale out if CPU > 90% for 2 minutes'
19. Period: 60
20. AlarmActions:
21. - !Ref ASGScalingPolicyHigh
22. Namespace: AWS/EC2
23. Dimensions:
24. - Name: AutoScalingGroupName
25. Value:
26. !Ref logicalName
27. ComparisonOperator: GreaterThanThreshold
28. MetricName: CPUUtilization
```
### See also
For more example templates for scaling policies, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-scalingpolicy.html#aws-resource-autoscaling-scalingpolicy--examples) section in the `AWS::AutoScaling::ScalingPolicy` resource.
## Mixed instances group examples
### Create an Auto Scaling group using attribute-based instance type selection
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource that contains the information to launch a mixed instances group using attribute-based instance type selection. You specify the minimum and maximum values for the `VCpuCount` property and the minimum value for the `MemoryMiB` property. Any instance types used by the Auto Scaling group must match your required instance attributes.
The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchTemplate` property references the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource declared elsewhere in the same template.
#### JSON
```
1. {
2. "Resources":{
3. "myASG":{
4. "Type":"AWS::AutoScaling::AutoScalingGroup",
5. "Properties":{
6. "VPCZoneIdentifier":[
7. "subnetIdAz1",
8. "subnetIdAz2",
9. "subnetIdAz3"
10. ],
11. "MixedInstancesPolicy":{
12. "LaunchTemplate":{
13. "LaunchTemplateSpecification":{
14. "LaunchTemplateId":{
15. "Ref":"logicalName"
16. },
17. "Version":{
18. "Fn::GetAtt":[
19. "logicalName",
20. "LatestVersionNumber"
21. ]
22. }
23. },
24. "Overrides":[
25. {
26. "InstanceRequirements":{
27. "VCpuCount":{
28. "Min":2,
29. "Max":4
30. },
31. "MemoryMiB":{
32. "Min":2048
33. }
34. }
35. }
36. ]
37. }
38. },
39. "MaxSize":"5",
40. "MinSize":"1"
41. }
42. }
43. }
44. }
```
#### YAML
```
1. ---
2. Resources:
3. myASG:
4. Type: AWS::AutoScaling::AutoScalingGroup
5. Properties:
6. VPCZoneIdentifier:
7. - subnetIdAz1
8. - subnetIdAz2
9. - subnetIdAz3
10. MixedInstancesPolicy:
11. LaunchTemplate:
12. LaunchTemplateSpecification:
13. LaunchTemplateId: !Ref logicalName
14. Version: !GetAtt logicalName.LatestVersionNumber
15. Overrides:
16. - InstanceRequirements:
17. VCpuCount:
18. Min: 2
19. Max: 4
20. MemoryMiB:
21. Min: 2048
22. MaxSize: '5'
23. MinSize: '1'
```
## Launch configuration examples
### Create a launch configuration
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) resource for an Auto Scaling group where you specify values for the `ImageId`, `InstanceType`, and `SecurityGroups` properties. The `SecurityGroups` property specifies both the logical name of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource that's specified elsewhere in the template, and an existing EC2 security group named `myExistingEC2SecurityGroup`.
#### JSON
```
1. "mySimpleConfig" : {
2. "Type" : "AWS::AutoScaling::LaunchConfiguration",
3. "Properties" : {
4. "ImageId" : "ami-02354e95b3example",
5. "InstanceType" : "t3.micro",
6. "SecurityGroups" : [ { "Ref" : "logicalName" }, "myExistingEC2SecurityGroup" ]
7. }
8. }
```
#### YAML
```
1. mySimpleConfig:
2. Type: AWS::AutoScaling::LaunchConfiguration
3. Properties:
4. ImageId: ami-02354e95b3example
5. InstanceType: t3.micro
6. SecurityGroups:
7. - !Ref logicalName
8. - myExistingEC2SecurityGroup
```
### Create an Auto Scaling group that uses a launch configuration
This example shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) resource with a single instance. The `VPCZoneIdentifier` property of the Auto Scaling group specifies a list of existing subnets in three different Availability Zones. You must specify the applicable subnet IDs from your account before you create your stack. The `LaunchConfigurationName` property references an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-launchconfiguration.html) resource with the logical name `mySimpleConfig` that is defined in your template.
#### JSON
```
1. "myASG" : {
2. "Type" : "AWS::AutoScaling::AutoScalingGroup",
3. "Properties" : {
4. "VPCZoneIdentifier" : [ "subnetIdAz1", "subnetIdAz2", "subnetIdAz3" ],
5. "LaunchConfigurationName" : { "Ref" : "mySimpleConfig" },
6. "MaxSize" : "1",
7. "MinSize" : "1"
8. }
9. }
```
#### YAML
```
1. myASG:
2. Type: AWS::AutoScaling::AutoScalingGroup
3. Properties:
4. VPCZoneIdentifier:
5. - subnetIdAz1
6. - subnetIdAz2
7. - subnetIdAz3
8. LaunchConfigurationName: !Ref mySimpleConfig
9. MaxSize: '1'
10. MinSize: '1'
```
# Configure Application Auto Scaling resources with CloudFormation
This section provides CloudFormation template examples for Application Auto Scaling scaling policies and scheduled actions for different AWS resources.
**Important**
When an Application Auto Scaling snippet is included in the template, you might need to declare a dependency on the specific scalable resource that's created through the template using the `DependsOn` attribute. This overrides the default parallelism and directs CloudFormation to operate on resources in a specified order. Otherwise, the scaling configuration might be applied before the resource has been set up completely.
For more information, see [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-dependson.html).
**Topics**
+ [
## Create a scaling policy for an AppStream fleet
](#w2aac11c41c15c19b9)
+ [
## Create a scaling policy for an Aurora DB cluster
](#w2aac11c41c15c19c11)
+ [
## Create a scaling policy for a DynamoDB table
](#w2aac11c41c15c19c13)
+ [
## Create a scaling policy for an Amazon ECS service (metrics: average CPU and memory)
](#w2aac11c41c15c19c15)
+ [
## Create a scaling policy for an Amazon ECS service (metric: average request count per target)
](#w2aac11c41c15c19c17)
+ [
## Create a scheduled action with a cron expression for a Lambda function
](#w2aac11c41c15c19c19)
+ [
## Create a scheduled action with an `at` expression for a Spot Fleet
](#w2aac11c41c15c19c21)
## Create a scaling policy for an AppStream fleet
This snippet shows how to create a policy and apply it to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-appstream-fleet.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource declares a scalable target to which this policy is applied. Application Auto Scaling can scale the number of fleet instances at a minimum of 1 instance and a maximum of 20. The policy keeps the average capacity utilization of the fleet at 75 percent, with scale-out and scale-in cooldown periods of 300 seconds (5 minutes).
It uses the `Fn::Join` and `Rev` intrinsic functions to construct the `ResourceId` property with the logical name of the `AWS::AppStream::Fleet` resource that's specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
### JSON
```
{
"Resources" : {
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 20,
"MinCapacity" : 1,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet" },
"ServiceNamespace" : "appstream",
"ScalableDimension" : "appstream:fleet:DesiredCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"fleet",
{
"Ref" : "logicalName"
}
]
]
}
}
},
"ScalingPolicyAppStreamFleet" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu75" },
"PolicyType" : "TargetTrackingScaling",
"ServiceNamespace" : "appstream",
"ScalableDimension" : "appstream:fleet:DesiredCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"fleet",
{
"Ref" : "logicalName"
}
]
]
},
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 75,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "AppStreamAverageCapacityUtilization"
},
"ScaleInCooldown" : 300,
"ScaleOutCooldown" : 300
}
}
}
}
}
```
### YAML
```
---
Resources:
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 20
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/appstream.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_AppStreamFleet'
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: !Join
- /
- - fleet
- !Ref logicalName
ScalingPolicyAppStreamFleet:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu75
PolicyType: TargetTrackingScaling
ServiceNamespace: appstream
ScalableDimension: appstream:fleet:DesiredCapacity
ResourceId: !Join
- /
- - fleet
- !Ref logicalName
TargetTrackingScalingPolicyConfiguration:
TargetValue: 75
PredefinedMetricSpecification:
PredefinedMetricType: AppStreamAverageCapacityUtilization
ScaleInCooldown: 300
ScaleOutCooldown: 300
```
## Create a scaling policy for an Aurora DB cluster
In this snippet, you register an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbcluster.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource indicates that the DB cluster should be dynamically scaled to have from one to eight Aurora Replicas. You also apply a target tracking scaling policy to the cluster using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource.
In this configuration, the `RDSReaderAverageCPUUtilization` predefined metric is used to adjust an Aurora DB cluster based on an average CPU utilization of 40 percent across all Aurora Replicas in that Aurora DB cluster. The configuration provides a scale-in cooldown period of 10 minutes and a scale-out cooldown period of 5 minutes.
This example uses the `Fn::Sub` intrinsic function to construct the `ResourceId` property with the logical name of the `AWS::RDS::DBCluster` resource that is specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
### JSON
```
{
"Resources" : {
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 8,
"MinCapacity" : 1,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster" },
"ServiceNamespace" : "rds",
"ScalableDimension" : "rds:cluster:ReadReplicaCount",
"ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" }
}
},
"ScalingPolicyDBCluster" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu40" },
"PolicyType" : "TargetTrackingScaling",
"ServiceNamespace" : "rds",
"ScalableDimension" : "rds:cluster:ReadReplicaCount",
"ResourceId" : { "Fn::Sub" : "cluster:${logicalName}" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 40,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "RDSReaderAverageCPUUtilization"
},
"ScaleInCooldown" : 600,
"ScaleOutCooldown" : 300
}
}
}
}
}
```
### YAML
```
---
Resources:
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 8
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster'
ServiceNamespace: rds
ScalableDimension: rds:cluster:ReadReplicaCount
ResourceId: !Sub cluster:${logicalName}
ScalingPolicyDBCluster:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu40
PolicyType: TargetTrackingScaling
ServiceNamespace: rds
ScalableDimension: rds:cluster:ReadReplicaCount
ResourceId: !Sub cluster:${logicalName}
TargetTrackingScalingPolicyConfiguration:
TargetValue: 40
PredefinedMetricSpecification:
PredefinedMetricType: RDSReaderAverageCPUUtilization
ScaleInCooldown: 600
ScaleOutCooldown: 300
```
## Create a scaling policy for a DynamoDB table
This snippet shows how to create a policy with the `TargetTrackingScaling` policy type and apply it to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource declares a scalable target to which this policy is applied, with a minimum of five write capacity units and a maximum of 15. The scaling policy scales the table's write capacity throughput to maintain the target utilization at 50 percent based on the `DynamoDBWriteCapacityUtilization` predefined metric.
It uses the `Fn::Join` and `Ref` intrinsic functions to construct the `ResourceId` property with the logical name of the `AWS::DynamoDB::Table` resource that's specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
**Note**
For more information about how to create an CloudFormation template for DynamoDB resources, see the blog post [How to use CloudFormation to configure auto scaling for Amazon DynamoDB tables and indexes](https://aws.amazon.com/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/) on the AWS Database Blog.
### JSON
```
{
"Resources" : {
"WriteCapacityScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 15,
"MinCapacity" : 5,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" },
"ServiceNamespace" : "dynamodb",
"ScalableDimension" : "dynamodb:table:WriteCapacityUnits",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"table",
{
"Ref" : "logicalName"
}
]
]
}
}
},
"WriteScalingPolicy" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "WriteScalingPolicy",
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "WriteCapacityScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 50.0,
"ScaleInCooldown" : 60,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
```
### YAML
```
---
Resources:
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'
ServiceNamespace: dynamodb
ScalableDimension: dynamodb:table:WriteCapacityUnits
ResourceId: !Join
- /
- - table
- !Ref logicalName
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
```
## Create a scaling policy for an Amazon ECS service (metrics: average CPU and memory)
This snippet shows how to create a policy and apply it to an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalingpolicy.html) resource. The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource declares a scalable target to which this policy is applied. Application Auto Scaling can scale the number of tasks at a minimum of 1 task and a maximum of 6.
It creates two scaling policies with the `TargetTrackingScaling` policy type. The policies are used to scale the ECS service based on the service's average CPU and memory usage. It uses the `Fn::Join` and `Ref` intrinsic functions to construct the `ResourceId` property with the logical names of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-cluster.html) (`myContainerCluster`) and `AWS::ECS::Service` (`myService`) resources that are specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
### JSON
```
{
"Resources" : {
"ECSScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : "6",
"MinCapacity" : "1",
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" },
"ServiceNamespace" : "ecs",
"ScalableDimension" : "ecs:service:DesiredCount",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"service",
{
"Ref" : "myContainerCluster"
},
{
"Fn::GetAtt" : [
"myService",
"Name"
]
}
]
]
}
}
},
"ServiceScalingPolicyCPU" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-cpu70" },
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 70.0,
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ECSServiceAverageCPUUtilization"
}
}
}
},
"ServiceScalingPolicyMem" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : { "Fn::Sub" : "${AWS::StackName}-target-tracking-mem90" },
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : 90.0,
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 60,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ECSServiceAverageMemoryUtilization"
}
}
}
}
}
}
```
### YAML
```
---
Resources:
ECSScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 6
MinCapacity: 1
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref myContainerCluster
- !GetAtt myService.Name
ServiceScalingPolicyCPU:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-cpu70
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 70.0
ScaleInCooldown: 180
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: ECSServiceAverageCPUUtilization
ServiceScalingPolicyMem:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: !Sub ${AWS::StackName}-target-tracking-mem90
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 90.0
ScaleInCooldown: 180
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: ECSServiceAverageMemoryUtilization
```
## Create a scaling policy for an Amazon ECS service (metric: average request count per target)
The following example applies a target tracking scaling policy with the `ALBRequestCountPerTarget` predefined metric to an ECS service. The policy is used to add capacity to the ECS service when the request count per target (per minute) exceeds the target value. Because the value of `DisableScaleIn` is set to `true`, the target tracking policy won't remove capacity from the scalable target.
It uses the `Fn::Join` and `Fn::GetAtt` intrinsic functions to construct the `ResourceLabel` property with the logical names of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) (`myLoadBalancer`) and [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.html) (`myTargetGroup`) resources that are specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
The `MaxCapacity` and `MinCapacity` properties of the scalable target and the `TargetValue` property of the scaling policy reference parameter values that you pass to the template when creating or updating a stack.
### JSON
```
{
"Resources" : {
"ECSScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : { "Ref" : "MaxCount" },
"MinCapacity" : { "Ref" : "MinCount" },
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" },
"ServiceNamespace" : "ecs",
"ScalableDimension" : "ecs:service:DesiredCount",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"service",
{
"Ref" : "myContainerCluster"
},
{
"Fn::GetAtt" : [
"myService",
"Name"
]
}
]
]
}
}
},
"ServiceScalingPolicyALB" : {
"Type" : "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties" : {
"PolicyName" : "alb-requests-per-target-per-minute",
"PolicyType" : "TargetTrackingScaling",
"ScalingTargetId" : { "Ref" : "ECSScalableTarget" },
"TargetTrackingScalingPolicyConfiguration" : {
"TargetValue" : { "Ref" : "ALBPolicyTargetValue" },
"ScaleInCooldown" : 180,
"ScaleOutCooldown" : 30,
"DisableScaleIn" : true,
"PredefinedMetricSpecification" : {
"PredefinedMetricType" : "ALBRequestCountPerTarget",
"ResourceLabel" : {
"Fn::Join" : [
"/",
[
{
"Fn::GetAtt" : [
"myLoadBalancer",
"LoadBalancerFullName"
]
},
{
"Fn::GetAtt" : [
"myTargetGroup",
"TargetGroupFullName"
]
}
]
]
}
}
}
}
}
}
}
```
### YAML
```
---
Resources:
ECSScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: !Ref MaxCount
MinCapacity: !Ref MinCount
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
ServiceNamespace: ecs
ScalableDimension: 'ecs:service:DesiredCount'
ResourceId: !Join
- /
- - service
- !Ref myContainerCluster
- !GetAtt myService.Name
ServiceScalingPolicyALB:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: alb-requests-per-target-per-minute
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref ECSScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: !Ref ALBPolicyTargetValue
ScaleInCooldown: 180
ScaleOutCooldown: 30
DisableScaleIn: true
PredefinedMetricSpecification:
PredefinedMetricType: ALBRequestCountPerTarget
ResourceLabel: !Join
- '/'
- - !GetAtt myLoadBalancer.LoadBalancerFullName
- !GetAtt myTargetGroup.TargetGroupFullName
```
## Create a scheduled action with a cron expression for a Lambda function
This snippet registers the provisioned concurrency for a function alias ([https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-alias.html)) named `BLUE` using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource. It also creates a scheduled action with a recurring schedule using a cron expression. The time zone for the recurring schedule is UTC.
It uses the `Fn::Join` and `Ref` intrinsic functions in the `RoleARN` property to specify the ARN of the service-linked role. It uses the `Fn::Sub` intrinsic function to construct the `ResourceId` property with the logical name of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) or [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html) resource that is specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
**Note**
You can't allocate provisioned concurrency on an alias that points to the unpublished version (`$LATEST`).
For more information about how to create an CloudFormation template for Lambda resources, see the blog post [Scheduling AWS Lambda Provisioned Concurrency for recurring peak usage](https://aws.amazon.com/blogs/compute/scheduling-aws-lambda-provisioned-concurrency-for-recurring-peak-usage/) on the AWS Compute Blog.
### JSON
```
{
"ScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 250,
"MinCapacity" : 0,
"RoleARN" : {
"Fn::Join" : [
":",
[
"arn:aws:iam:",
{
"Ref" : "AWS::AccountId"
},
"role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency"
]
]
},
"ServiceNamespace" : "lambda",
"ScalableDimension" : "lambda:function:ProvisionedConcurrency",
"ResourceId" : { "Fn::Sub" : "function:${logicalName}:BLUE" },
"ScheduledActions" : [
{
"ScalableTargetAction" : {
"MinCapacity" : "250"
},
"ScheduledActionName" : "my-scale-out-scheduled-action",
"Schedule" : "cron(0 18 * * ? *)",
"EndTime" : "2022-12-31T12:00:00.000Z"
}
]
}
}
}
```
### YAML
```
ScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 250
MinCapacity: 0
RoleARN: !Join
- ':'
- - 'arn:aws:iam:'
- !Ref 'AWS::AccountId'
- role/aws-service-role/lambda.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_LambdaConcurrency
ServiceNamespace: lambda
ScalableDimension: lambda:function:ProvisionedConcurrency
ResourceId: !Sub function:${logicalName}:BLUE
ScheduledActions:
- ScalableTargetAction:
MinCapacity: 250
ScheduledActionName: my-scale-out-scheduled-action
Schedule: 'cron(0 18 * * ? *)'
EndTime: '2022-12-31T12:00:00.000Z'
```
## Create a scheduled action with an `at` expression for a Spot Fleet
This snippet shows how to create two scheduled actions that occur only once for an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-spotfleet.html) resource using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-applicationautoscaling-scalabletarget.html) resource. The time zone for each one-time scheduled action is UTC.
It uses the `Fn::Join` and `Ref` intrinsic functions to construct the `ResourceId` property with the logical name of the `AWS::EC2::SpotFleet` resource that is specified in the same template. For more information, see [Intrinsic function reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference.html).
**Note**
The Spot Fleet request must have a request type of `maintain`. Automatic scaling isn't supported for one-time requests or Spot blocks.
### JSON
```
{
"Resources" : {
"SpotFleetScalableTarget" : {
"Type" : "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties" : {
"MaxCapacity" : 0,
"MinCapacity" : 0,
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest" },
"ServiceNamespace" : "ec2",
"ScalableDimension" : "ec2:spot-fleet-request:TargetCapacity",
"ResourceId" : {
"Fn::Join" : [
"/",
[
"spot-fleet-request",
{
"Ref" : "logicalName"
}
]
]
},
"ScheduledActions" : [
{
"ScalableTargetAction" : {
"MaxCapacity" : "10",
"MinCapacity" : "10"
},
"ScheduledActionName" : "my-scale-out-scheduled-action",
"Schedule" : "at(2022-05-20T13:00:00)"
},
{
"ScalableTargetAction" : {
"MaxCapacity" : "0",
"MinCapacity" : "0"
},
"ScheduledActionName" : "my-scale-in-scheduled-action",
"Schedule" : "at(2022-05-20T21:00:00)"
}
]
}
}
}
}
```
### YAML
```
---
Resources:
SpotFleetScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 0
MinCapacity: 0
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest'
ServiceNamespace: ec2
ScalableDimension: 'ec2:spot-fleet-request:TargetCapacity'
ResourceId: !Join
- /
- - spot-fleet-request
- !Ref logicalName
ScheduledActions:
- ScalableTargetAction:
MaxCapacity: 10
MinCapacity: 10
ScheduledActionName: my-scale-out-scheduled-action
Schedule: 'at(2022-05-20T13:00:00)'
- ScalableTargetAction:
MaxCapacity: 0
MinCapacity: 0
ScheduledActionName: my-scale-in-scheduled-action
Schedule: 'at(2022-05-20T21:00:00)'
```
# AWS Billing Console template snippets
This example creates one pricing plan with a 10% global markup pricing rule. This pricing plan is attached to the billing group. The billing group also has two custom line items which applies a \$110 charge and a 10% charge on top of the billing group total cost.
## JSON
```
1. {
2. "Parameters": {
3. "LinkedAccountIds": {
4. "Type": "ListNumber"
5. },
6. "PrimaryAccountId": {
7. "Type": "Number"
8. }
9. },
10. "Resources": {
11. "TestPricingRule": {
12. "Type": "AWS::BillingConductor::PricingRule",
13. "Properties": {
14. "Name": "TestPricingRule",
15. "Description": "Test pricing rule created through Cloudformation. Mark everything by 10%.",
16. "Type": "MARKUP",
17. "Scope": "GLOBAL",
18. "ModifierPercentage": 10
19. }
20. },
21. "TestPricingPlan": {
22. "Type": "AWS::BillingConductor::PricingPlan",
23. "Properties": {
24. "Name": "TestPricingPlan",
25. "Description": "Test pricing plan created through Cloudformation.",
26. "PricingRuleArns": [
27. {"Fn::GetAtt": ["TestPricingRule", "Arn"]}
28. ]
29. }
30. },
31. "TestBillingGroup": {
32. "Type": "AWS::BillingConductor::BillingGroup",
33. "Properties": {
34. "Name": "TestBillingGroup",
35. "Description": "Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.",
36. "PrimaryAccountId": {
37. "Ref": "PrimaryAccountId"
38. },
39. "AccountGrouping": {
40. "LinkedAccountIds": null
41. },
42. "ComputationPreference": {
43. "PricingPlanArn": {
44. "Fn::GetAtt": ["TestPricingPlan", "Arn"]
45. }
46. }
47. }
48. },
49. "TestFlatCustomLineItem": {
50. "Type": "AWS::BillingConductor::CustomLineItem",
51. "Properties": {
52. "Name": "TestFlatCustomLineItem",
53. "Description": "Test flat custom line item created through Cloudformation for a $10 charge.",
54. "BillingGroupArn": {
55. "Fn::GetAtt": ["TestBillingGroup", "Arn"]
56. },
57. "CustomLineItemChargeDetails": {
58. "Flat": {
59. "ChargeValue": 10
60. },
61. "Type": "FEE"
62. }
63. }
64. },
65. "TestPercentageCustomLineItem": {
66. "Type": "AWS::BillingConductor::CustomLineItem",
67. "Properties": {
68. "Name": "TestPercentageCustomLineItem",
69. "Description": "Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.",
70. "BillingGroupArn": {
71. "Fn::GetAtt": ["TestBillingGroup", "Arn"]
72. },
73. "CustomLineItemChargeDetails": {
74. "Percentage": {
75. "PercentageValue": 10,
76. "ChildAssociatedResources": [
77. {"Fn::GetAtt": ["TestBillingGroup", "Arn"]}
78. ]
79. },
80. "Type": "FEE"
81. }
82. }
83. }
84. }
85. }
```
## YAML
```
1. Parameters:
2. LinkedAccountIds:
3. Type: ListNumber
4. PrimaryAccountId:
5. Type: Number
6. Resources:
7. TestPricingRule:
8. Type: AWS::BillingConductor::PricingRule
9. Properties:
10. Name: 'TestPricingRule'
11. Description: 'Test pricing rule created through Cloudformation. Mark everything by 10%.'
12. Type: 'MARKUP'
13. Scope: 'GLOBAL'
14. ModifierPercentage: 10
15. TestPricingPlan:
16. Type: AWS::BillingConductor::PricingPlan
17. Properties:
18. Name: 'TestPricingPlan'
19. Description: 'Test pricing plan created through Cloudformation.'
20. PricingRuleArns:
21. - !GetAtt TestPricingRule.Arn
22. TestBillingGroup:
23. Type: AWS::BillingConductor::BillingGroup
24. Properties:
25. Name: 'TestBillingGroup'
26. Description: 'Test billing group created through Cloudformation with 1 linked account. The linked account is also the primary account.'
27. PrimaryAccountId: !Ref PrimaryAccountId
28. AccountGrouping:
29. LinkedAccountIds: !Ref LinkedAccountIds
30. ComputationPreference:
31. PricingPlanArn: !GetAtt TestPricingPlan.Arn
32. TestFlatCustomLineItem:
33. Type: AWS::BillingConductor::CustomLineItem
34. Properties:
35. Name: 'TestFlatCustomLineItem'
36. Description: 'Test flat custom line item created through Cloudformation for a $10 charge.'
37. BillingGroupArn: !GetAtt TestBillingGroup.Arn
38. CustomLineItemChargeDetails:
39. Flat:
40. ChargeValue: 10
41. Type: 'FEE'
42. TestPercentageCustomLineItem:
43. Type: AWS::BillingConductor::CustomLineItem
44. Properties:
45. Name: 'TestPercentageCustomLineItem'
46. Description: 'Test percentage custom line item created through Cloudformation for a %10 additional charge on the overall total bill of the billing group.'
47. BillingGroupArn: !GetAtt TestBillingGroup.Arn
48. CustomLineItemChargeDetails:
49. Percentage:
50. PercentageValue: 10
51. ChildAssociatedResources:
52. - !GetAtt TestBillingGroup.Arn
53. Type: 'FEE'
```
# CloudFormation template snippets
**Topics**
+ [
## Nested stacks
](#w2aac11c41c23b5)
+ [
## Wait condition
](#w2aac11c41c23b7)
## Nested stacks
### Nesting a stack in a template
This example template contains a nested stack resource called `myStack`. When CloudFormation creates a stack from the template, it creates the `myStack`, whose template is specified in the `TemplateURL` property. The output value `StackRef` returns the stack ID for `myStack` and the value `OutputFromNestedStack` returns the output value `BucketName` from within the `myStack` resource. The `Outputs.nestedstackoutputname` format is reserved for specifying output values from nested stacks and can be used anywhere within the containing template.
For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html).
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myStack" : {
5. "Type" : "AWS::CloudFormation::Stack",
6. "Properties" : {
7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template",
8. "TimeoutInMinutes" : "60"
9. }
10. }
11. },
12. "Outputs": {
13. "StackRef": {"Value": { "Ref" : "myStack"}},
14. "OutputFromNestedStack" : {
15. "Value" : { "Fn::GetAtt" : [ "myStack", "Outputs.BucketName" ] }
16. }
17. }
18. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myStack:
4. Type: AWS::CloudFormation::Stack
5. Properties:
6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/S3_Bucket.template
7. TimeoutInMinutes: '60'
8. Outputs:
9. StackRef:
10. Value: !Ref myStack
11. OutputFromNestedStack:
12. Value: !GetAtt myStack.Outputs.BucketName
```
### Nesting a stack with input parameters in a template
This example template contains a stack resource that specifies input parameters. When CloudFormation creates a stack from this template, it uses the value pairs declared within the `Parameters` property as the input parameters for the template used to create the `myStackWithParams` stack. In this example, the `InstanceType` and `KeyName` parameters are specified.
For more information, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudformation-stack.html).
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myStackWithParams" : {
5. "Type" : "AWS::CloudFormation::Stack",
6. "Properties" : {
7. "TemplateURL" : "https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template",
8. "Parameters" : {
9. "InstanceType" : "t2.micro",
10. "KeyName" : "mykey"
11. }
12. }
13. }
14. }
15. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myStackWithParams:
4. Type: AWS::CloudFormation::Stack
5. Properties:
6. TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2ChooseAMI.template
7. Parameters:
8. InstanceType: t2.micro
9. KeyName: mykey
```
## Wait condition
### Using a wait condition with an Amazon EC2 instance
**Important**
For Amazon EC2 and Auto Scaling resources, we recommend that you use a CreationPolicy attribute instead of wait conditions. Add a CreationPolicy attribute to those resources, and use the cfn-signal helper script to signal when an instance creation process has completed successfully.
If you can't use a creation policy, you view the following example template, which declares an Amazon EC2 instance with a wait condition. The `myWaitCondition` wait condition uses `myWaitConditionHandle` for signaling, uses the `DependsOn` attribute to specify that the wait condition will trigger after the Amazon EC2 instance resource has been created, and uses the `Timeout` property to specify a duration of 4500 seconds for the wait condition. In addition, the presigned URL that signals the wait condition is passed to the Amazon EC2 instance with the `UserData` property of the `Ec2Instance` resource, thus allowing an application or script running on that Amazon EC2 instance to retrieve the presigned URL and employ it to signal a success or failure to the wait condition. You need to use `cfn-signal` or create the application or script that signals the wait condition. The output value `ApplicationData` contains the data passed back from the wait condition signal.
For more information, see [Create wait conditions in a CloudFormation template](using-cfn-waitcondition.md).
#### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Mappings" : {
4. "RegionMap" : {
5. "us-east-1" : {
6. "AMI" : "ami-0123456789abcdef0"
7. },
8. "us-west-1" : {
9. "AMI" : "ami-0987654321fedcba0"
10. },
11. "eu-west-1" : {
12. "AMI" : "ami-0abcdef123456789a"
13. },
14. "ap-northeast-1" : {
15. "AMI" : "ami-0fedcba987654321b"
16. },
17. "ap-southeast-1" : {
18. "AMI" : "ami-0c1d2e3f4a5b6c7d8"
19. }
20. }
21. },
22. "Resources" : {
23. "Ec2Instance" : {
24. "Type" : "AWS::EC2::Instance",
25. "Properties" : {
26. "UserData" : { "Fn::Base64" : {"Ref" : "myWaitHandle"}},
27. "ImageId" : { "Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI" ]}
28. }
29. },
30. "myWaitHandle" : {
31. "Type" : "AWS::CloudFormation::WaitConditionHandle",
32. "Properties" : {
33. }
34. },
35. "myWaitCondition" : {
36. "Type" : "AWS::CloudFormation::WaitCondition",
37. "DependsOn" : "Ec2Instance",
38. "Properties" : {
39. "Handle" : { "Ref" : "myWaitHandle" },
40. "Timeout" : "4500"
41. }
42. }
43. },
44. "Outputs" : {
45. "ApplicationData" : {
46. "Value" : { "Fn::GetAtt" : [ "myWaitCondition", "Data" ]},
47. "Description" : "The data passed back as part of signalling the WaitCondition."
48. }
49. }
50. }
```
#### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Mappings:
3. RegionMap:
4. us-east-1:
5. AMI: ami-0123456789abcdef0
6. us-west-1:
7. AMI: ami-0987654321fedcba0
8. eu-west-1:
9. AMI: ami-0abcdef123456789a
10. ap-northeast-1:
11. AMI: ami-0fedcba987654321b
12. ap-southeast-1:
13. AMI: ami-0c1d2e3f4a5b6c7d8
14. Resources:
15. Ec2Instance:
16. Type: AWS::EC2::Instance
17. Properties:
18. UserData:
19. Fn::Base64: !Ref myWaitHandle
20. ImageId:
21. Fn::FindInMap:
22. - RegionMap
23. - Ref: AWS::Region
24. - AMI
25. myWaitHandle:
26. Type: AWS::CloudFormation::WaitConditionHandle
27. Properties: {}
28. myWaitCondition:
29. Type: AWS::CloudFormation::WaitCondition
30. DependsOn: Ec2Instance
31. Properties:
32. Handle: !Ref myWaitHandle
33. Timeout: '4500'
34. Outputs:
35. ApplicationData:
36. Value: !GetAtt myWaitCondition.Data
37. Description: The data passed back as part of signalling the WaitCondition.
```
### Using the cfn-signal helper script to signal a wait condition
This example shows a `cfn-signal` command line that signals success to a wait condition. You need to define the command line in the `UserData` property of the EC2 instance.
#### JSON
```
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -xe\n",
"/opt/aws/bin/cfn-signal --exit-code 0 '",
{
"Ref": "myWaitHandle"
},
"'\n"
]
]
}
}
```
#### YAML
```
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
/opt/aws/bin/cfn-signal --exit-code 0 '${myWaitHandle}'
```
### Using Curl to signal a wait condition
This example shows a Curl command line that signals success to a wait condition.
```
1. curl -T /tmp/a "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D"
```
Where the file /tmp/a contains the following JSON structure:
```
1. {
2. "Status" : "SUCCESS",
3. "Reason" : "Configuration Complete",
4. "UniqueId" : "ID1234",
5. "Data" : "Application has completed configuration."
6. }
```
This example shows a Curl command line that sends the same success signal except it sends the JSON as a parameter on the command line.
```
1. curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" : "Configuration Complete","UniqueId" : "ID1234","Data" : "Application has completed configuration."}' "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D"
```
# Amazon CloudFront template snippets
Use these sample template snippets with your Amazon CloudFront distribution resource in CloudFormation. For more information, see the [Amazon CloudFront resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudFront.html).
**Topics**
+ [
## Amazon CloudFront distribution resource with an Amazon S3 origin
](#scenario-cloudfront-s3origin)
+ [
## Amazon CloudFront distribution resource with custom origin
](#scenario-cloudfront-customorigin)
+ [
## Amazon CloudFront distribution with multi-origin support
](#scenario-cloudfront-multiorigin)
+ [
## Amazon CloudFront distribution with a Lambda function as origin
](#scenario-cloudfront-lambda-origin)
+ [
## See also
](#w2aac11c41c27c15)
## Amazon CloudFront distribution resource with an Amazon S3 origin
The following example template shows an Amazon CloudFront [Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) using an [S3Origin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-s3originconfig.html) and legacy origin access identity (OAI). For information about using origin access control (OAC) instead, see [Restricting access to an Amazon Simple Storage Service origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.
### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myDistribution" : {
5. "Type" : "AWS::CloudFront::Distribution",
6. "Properties" : {
7. "DistributionConfig" : {
8. "Origins" : [ {
9. "DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com",
10. "Id" : "myS3Origin",
11. "S3OriginConfig" : {
12. "OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z"
13. }
14. }],
15. "Enabled" : "true",
16. "Comment" : "Some comment",
17. "DefaultRootObject" : "index.html",
18. "Logging" : {
19. "IncludeCookies" : "false",
20. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
21. "Prefix" : "myprefix"
22. },
23. "Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
24. "DefaultCacheBehavior" : {
25. "AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
26. "TargetOriginId" : "myS3Origin",
27. "ForwardedValues" : {
28. "QueryString" : "false",
29. "Cookies" : { "Forward" : "none" }
30. },
31. "TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
32. "ViewerProtocolPolicy" : "allow-all"
33. },
34. "PriceClass" : "PriceClass_200",
35. "Restrictions" : {
36. "GeoRestriction" : {
37. "RestrictionType" : "whitelist",
38. "Locations" : [ "AQ", "CV" ]
39. }
40. },
41. "ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
42. }
43. }
44. }
45. }
46. }
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myDistribution:
4. Type: AWS::CloudFront::Distribution
5. Properties:
6. DistributionConfig:
7. Origins:
8. - DomainName: amzn-s3-demo-bucket.s3.amazonaws.com
9. Id: myS3Origin
10. S3OriginConfig:
11. OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
12. Enabled: 'true'
13. Comment: Some comment
14. DefaultRootObject: index.html
15. Logging:
16. IncludeCookies: 'false'
17. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
18. Prefix: myprefix
19. Aliases:
20. - mysite.example.com
21. - yoursite.example.com
22. DefaultCacheBehavior:
23. AllowedMethods:
24. - DELETE
25. - GET
26. - HEAD
27. - OPTIONS
28. - PATCH
29. - POST
30. - PUT
31. TargetOriginId: myS3Origin
32. ForwardedValues:
33. QueryString: 'false'
34. Cookies:
35. Forward: none
36. TrustedSigners:
37. - 1234567890EX
38. - 1234567891EX
39. ViewerProtocolPolicy: allow-all
40. PriceClass: PriceClass_200
41. Restrictions:
42. GeoRestriction:
43. RestrictionType: whitelist
44. Locations:
45. - AQ
46. - CV
47. ViewerCertificate:
48. CloudFrontDefaultCertificate: 'true'
```
## Amazon CloudFront distribution resource with custom origin
The following example template shows an Amazon CloudFront [Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) using a [CustomOrigin](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-customoriginconfig.html).
### JSON
```
1. {
2. "AWSTemplateFormatVersion" : "2010-09-09",
3. "Resources" : {
4. "myDistribution" : {
5. "Type" : "AWS::CloudFront::Distribution",
6. "Properties" : {
7. "DistributionConfig" : {
8. "Origins" : [ {
9. "DomainName" : "www.example.com",
10. "Id" : "myCustomOrigin",
11. "CustomOriginConfig" : {
12. "HTTPPort" : "80",
13. "HTTPSPort" : "443",
14. "OriginProtocolPolicy" : "http-only"
15. }
16. } ],
17. "Enabled" : "true",
18. "Comment" : "Somecomment",
19. "DefaultRootObject" : "index.html",
20. "Logging" : {
21. "IncludeCookies" : "true",
22. "Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
23. "Prefix": "myprefix"
24. },
25. "Aliases" : [
26. "mysite.example.com",
27. "*.yoursite.example.com"
28. ],
29. "DefaultCacheBehavior" : {
30. "TargetOriginId" : "myCustomOrigin",
31. "SmoothStreaming" : "false",
32. "ForwardedValues" : {
33. "QueryString" : "false",
34. "Cookies" : { "Forward" : "all" }
35. },
36. "TrustedSigners" : [
37. "1234567890EX",
38. "1234567891EX"
39. ],
40. "ViewerProtocolPolicy" : "allow-all"
41. },
42. "CustomErrorResponses" : [ {
43. "ErrorCode" : "404",
44. "ResponsePagePath" : "/error-pages/404.html",
45. "ResponseCode" : "200",
46. "ErrorCachingMinTTL" : "30"
47. } ],
48. "PriceClass" : "PriceClass_200",
49. "Restrictions" : {
50. "GeoRestriction" : {
51. "RestrictionType" : "whitelist",
52. "Locations" : [ "AQ", "CV" ]
53. }
54. },
55. "ViewerCertificate": { "CloudFrontDefaultCertificate" : "true" }
56. }
57. }
58. }
59. }
60. }
```
### YAML
```
1. AWSTemplateFormatVersion: '2010-09-09'
2. Resources:
3. myDistribution:
4. Type: AWS::CloudFront::Distribution
5. Properties:
6. DistributionConfig:
7. Origins:
8. - DomainName: www.example.com
9. Id: myCustomOrigin
10. CustomOriginConfig:
11. HTTPPort: '80'
12. HTTPSPort: '443'
13. OriginProtocolPolicy: http-only
14. Enabled: 'true'
15. Comment: Somecomment
16. DefaultRootObject: index.html
17. Logging:
18. IncludeCookies: 'true'
19. Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
20. Prefix: myprefix
21. Aliases:
22. - mysite.example.com
23. - "*.yoursite.example.com"
24. DefaultCacheBehavior:
25. TargetOriginId: myCustomOrigin
26. SmoothStreaming: 'false'
27. ForwardedValues:
28. QueryString: 'false'
29. Cookies:
30. Forward: all
31. TrustedSigners:
32. - 1234567890EX
33. - 1234567891EX
34. ViewerProtocolPolicy: allow-all
35. CustomErrorResponses:
36. - ErrorCode: '404'
37. ResponsePagePath: "/error-pages/404.html"
38. ResponseCode: '200'
39. ErrorCachingMinTTL: '30'
40. PriceClass: PriceClass_200
41. Restrictions:
42. GeoRestriction:
43. RestrictionType: whitelist
44. Locations:
45. - AQ
46. - CV
47. ViewerCertificate:
48. CloudFrontDefaultCertificate: 'true'
```
## Amazon CloudFront distribution with multi-origin support
The following example template shows how to declare a CloudFront [Distribution](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html) with multi-origin support. In the [DistributionConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-distributionconfig.html), a list of origins is provided and a [DefaultCacheBehavior](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.html) is set.
### JSON
```
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"myDistribution" : {
"Type" : "AWS::CloudFront::Distribution",
"Properties" : {
"DistributionConfig" : {
"Origins" : [ {
"Id" : "myS3Origin",
"DomainName" : "amzn-s3-demo-bucket.s3.amazonaws.com",
"S3OriginConfig" : {
"OriginAccessIdentity" : "origin-access-identity/cloudfront/E127EXAMPLE51Z"
}
},
{
"Id" : "myCustomOrigin",
"DomainName" : "www.example.com",
"CustomOriginConfig" : {
"HTTPPort" : "80",
"HTTPSPort" : "443",
"OriginProtocolPolicy" : "http-only"
}
}
],
"Enabled" : "true",
"Comment" : "Some comment",
"DefaultRootObject" : "index.html",
"Logging" : {
"IncludeCookies" : "true",
"Bucket" : "amzn-s3-demo-logging-bucket.s3.amazonaws.com",
"Prefix" : "myprefix"
},
"Aliases" : [ "mysite.example.com", "yoursite.example.com" ],
"DefaultCacheBehavior" : {
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "false",
"Cookies" : { "Forward" : "all" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "100",
"SmoothStreaming" : "true"
},
"CacheBehaviors" : [ {
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
"TargetOriginId" : "myS3Origin",
"ForwardedValues" : {
"QueryString" : "true",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "50",
"PathPattern" : "images1/*.jpg"
},
{
"AllowedMethods" : [ "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT" ],
"TargetOriginId" : "myCustomOrigin",
"ForwardedValues" : {
"QueryString" : "true",
"Cookies" : { "Forward" : "none" }
},
"TrustedSigners" : [ "1234567890EX", "1234567891EX" ],
"ViewerProtocolPolicy" : "allow-all",
"MinTTL" : "50",
"PathPattern" : "images2/*.jpg"
}
],
"CustomErrorResponses" : [ {
"ErrorCode" : "404",
"ResponsePagePath" : "/error-pages/404.html",
"ResponseCode" : "200",
"ErrorCachingMinTTL" : "30"
} ],
"PriceClass" : "PriceClass_All",
"ViewerCertificate" : { "CloudFrontDefaultCertificate" : "true" }
}
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: myS3Origin
DomainName: amzn-s3-demo-bucket.s3.amazonaws.com
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
- Id: myCustomOrigin
DomainName: www.example.com
CustomOriginConfig:
HTTPPort: '80'
HTTPSPort: '443'
OriginProtocolPolicy: http-only
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Logging:
IncludeCookies: 'true'
Bucket: amzn-s3-demo-logging-bucket.s3.amazonaws.com
Prefix: myprefix
Aliases:
- mysite.example.com
- yoursite.example.com
DefaultCacheBehavior:
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: all
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '100'
SmoothStreaming: 'true'
CacheBehaviors:
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '50'
PathPattern: images1/*.jpg
- AllowedMethods:
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
TargetOriginId: myCustomOrigin
ForwardedValues:
QueryString: 'true'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
- 1234567891EX
ViewerProtocolPolicy: allow-all
MinTTL: '50'
PathPattern: images2/*.jpg
CustomErrorResponses:
- ErrorCode: '404'
ResponsePagePath: "/error-pages/404.html"
ResponseCode: '200'
ErrorCachingMinTTL: '30'
PriceClass: PriceClass_All
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
```
## Amazon CloudFront distribution with a Lambda function as origin
The following example creates a CloudFront distribution that fronts a specified Lambda function URL (provided as a parameter), enabling HTTPS-only access, caching, compression, and global delivery. It configures the Lambda URL as a custom HTTPS origin and applies a standard AWS caching policy. The distribution is optimized for performance with HTTP/2 and IPv6 support and outputs the CloudFront domain name, allowing users to access the Lambda function through a secure, CDN-backed endpoint. For more information, see [Using Amazon CloudFront with AWS Lambda as origin to accelerate your web applications](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/) on the AWS Blog.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"LambdaEndpoint": {
"Type": "String",
"Description": "The Lambda function URL endpoint without the 'https://'"
}
},
"Resources": {
"MyDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"PriceClass": "PriceClass_All",
"HttpVersion": "http2",
"IPV6Enabled": true,
"Origins": [
{
"DomainName": {
"Ref": "LambdaEndpoint"
},
"Id": "LambdaOrigin",
"CustomOriginConfig": {
"HTTPSPort": 443,
"OriginProtocolPolicy": "https-only"
}
}
],
"Enabled": "true",
"DefaultCacheBehavior": {
"TargetOriginId": "LambdaOrigin",
"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
"ViewerProtocolPolicy": "redirect-to-https",
"SmoothStreaming": "false",
"Compress": "true"
}
}
}
}
},
"Outputs": {
"CloudFrontDomain": {
"Description": "CloudFront default domain name configured",
"Value": {
"Fn::Sub": "https://${MyDistribution.DomainName}/"
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Parameters:
LambdaEndpoint:
Type: String
Description: The Lambda function URL endpoint without the 'https://'
Resources:
MyDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
PriceClass: PriceClass_All
HttpVersion: http2
IPV6Enabled: true
Origins:
- DomainName: !Ref LambdaEndpoint
Id: LambdaOrigin
CustomOriginConfig:
HTTPSPort: 443
OriginProtocolPolicy: https-only
Enabled: 'true'
DefaultCacheBehavior:
TargetOriginId: LambdaOrigin
CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6'
ViewerProtocolPolicy: redirect-to-https
SmoothStreaming: 'false'
Compress: 'true'
Outputs:
CloudFrontDomain:
Description: CloudFront default domain name configured
Value: !Sub https://${MyDistribution.DomainName}/
```
## See also
For an example of adding a custom alias to a Route 53 record to make a friendly name for a CloudFront distribution, see [Alias resource record set for a CloudFront distribution](quickref-route53.md#scenario-user-friendly-url-for-cloudfront-distribution).
# Amazon CloudWatch template snippets
Use these sample template snippets to help describe your Amazon CloudWatch resources in CloudFormation. For more information, see the [Amazon CloudWatch resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudWatch.html).
**Topics**
+ [
## Billing alarm
](#cloudwatch-sample-billing-alarm)
+ [
## CPU utilization alarm
](#cloudwatch-sample-cpu-utilization-alarm)
+ [
## Recover an Amazon Elastic Compute Cloud instance
](#cloudwatch-sample-recover-instance)
+ [
## Create a basic dashboard
](#cloudwatch-sample-dashboard-basic)
+ [
## Create a dashboard with side-by-side widgets
](#cloudwatch-sample-dashboard-sidebyside)
## Billing alarm
In the following sample, Amazon CloudWatch sends an email notification when charges to your AWS account exceed the alarm threshold. To receive usage notifications, enable billing alerts. For more information, see [Create a billing alarm to monitor your estimated AWS charges](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html) in the *Amazon CloudWatch User Guide*.>
### JSON
```
"SpendingAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": { "Fn::Join": ["", [
"Alarm if AWS spending is over $",
{ "Ref": "AlarmThreshold" }
]]},
"Namespace": "AWS/Billing",
"MetricName": "EstimatedCharges",
"Dimensions": [{
"Name": "Currency",
"Value" : "USD"
}],
"Statistic": "Maximum",
"Period": "21600",
"EvaluationPeriods": "1",
"Threshold": { "Ref": "AlarmThreshold" },
"ComparisonOperator": "GreaterThanThreshold",
"AlarmActions": [{
"Ref": "BillingAlarmNotification"
}],
"InsufficientDataActions": [{
"Ref": "BillingAlarmNotification"
}]
}
}
```
### YAML
```
SpendingAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription:
'Fn::Join':
- ''
- - Alarm if AWS spending is over $
- !Ref: AlarmThreshold
Namespace: AWS/Billing
MetricName: EstimatedCharges
Dimensions:
- Name: Currency
Value: USD
Statistic: Maximum
Period: '21600'
EvaluationPeriods: '1'
Threshold:
!Ref: "AlarmThreshold"
ComparisonOperator: GreaterThanThreshold
AlarmActions:
- !Ref: "BillingAlarmNotification"
InsufficientDataActions:
- !Ref: "BillingAlarmNotification"
```
## CPU utilization alarm
The following sample snippet creates an alarm that sends a notification when the average CPU utilization of an Amazon EC2 instance exceeds 90 percent for more than 60 seconds over three evaluation periods.
### JSON
```
1. "CPUAlarm" : {
2. "Type" : "AWS::CloudWatch::Alarm",
3. "Properties" : {
4. "AlarmDescription" : "CPU alarm for my instance",
5. "AlarmActions" : [ { "Ref" : "logical name of an AWS::SNS::Topic resource" } ],
6. "MetricName" : "CPUUtilization",
7. "Namespace" : "AWS/EC2",
8. "Statistic" : "Average",
9. "Period" : "60",
10. "EvaluationPeriods" : "3",
11. "Threshold" : "90",
12. "ComparisonOperator" : "GreaterThanThreshold",
13. "Dimensions" : [ {
14. "Name" : "InstanceId",
15. "Value" : { "Ref" : "logical name of an AWS::EC2::Instance resource" }
16. } ]
17. }
18. }
```
### YAML
```
1. CPUAlarm:
2. Type: AWS::CloudWatch::Alarm
3. Properties:
4. AlarmDescription: CPU alarm for my instance
5. AlarmActions:
6. - !Ref: "logical name of an AWS::SNS::Topic resource"
7. MetricName: CPUUtilization
8. Namespace: AWS/EC2
9. Statistic: Average
10. Period: '60'
11. EvaluationPeriods: '3'
12. Threshold: '90'
13. ComparisonOperator: GreaterThanThreshold
14. Dimensions:
15. - Name: InstanceId
16. Value: !Ref: "logical name of an AWS::EC2::Instance resource"
```
## Recover an Amazon Elastic Compute Cloud instance
The following CloudWatch alarm recovers an EC2 instance when it has status check failures for 15 consecutive minutes. For more information about alarm actions, see [Create alarms to stop, terminate, reboot, or recover an EC2 instance](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html) in the *Amazon CloudWatch User Guide*.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"RecoveryInstance" : {
"Description" : "The EC2 instance ID to associate this alarm with.",
"Type" : "AWS::EC2::Instance::Id"
}
},
"Resources": {
"RecoveryTestAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "Trigger a recovery when instance status check fails for 15 consecutive minutes.",
"Namespace": "AWS/EC2" ,
"MetricName": "StatusCheckFailed_System",
"Statistic": "Minimum",
"Period": "60",
"EvaluationPeriods": "15",
"ComparisonOperator": "GreaterThanThreshold",
"Threshold": "0",
"AlarmActions": [ {"Fn::Join" : ["", ["arn:aws:automate:", { "Ref" : "AWS::Region" }, ":ec2:recover" ]]} ],
"Dimensions": [{"Name": "InstanceId","Value": {"Ref": "RecoveryInstance"}}]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
RecoveryInstance:
Description: The EC2 instance ID to associate this alarm with.
Type: AWS::EC2::Instance::Id
Resources:
RecoveryTestAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: Trigger a recovery when instance status check fails for 15
consecutive minutes.
Namespace: AWS/EC2
MetricName: StatusCheckFailed_System
Statistic: Minimum
Period: '60'
EvaluationPeriods: '15'
ComparisonOperator: GreaterThanThreshold
Threshold: '0'
AlarmActions: [ !Sub "arn:aws:automate:${AWS::Region}:ec2:recover" ]
Dimensions:
- Name: InstanceId
Value: !Ref: RecoveryInstance
```
## Create a basic dashboard
The following example creates a simple CloudWatch dashboard with one metric widget displaying CPU utilization, and one text widget displaying a message.
### JSON
```
{
"BasicDashboard": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"text\",\"x\":0,\"y\":7,\"width\":3,\"height\":3,\"properties\":{\"markdown\":\"Hello world\"}}]}"
}
}
}
```
### YAML
```
BasicDashboard:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"text","x":0,"y":7,"width":3,"height":3,"properties":{"markdown":"Hello world"}}]}'
```
## Create a dashboard with side-by-side widgets
The following example creates a dashboard with two metric widgets that appear side by side.
### JSON
```
{
"DashboardSideBySide": {
"Type": "AWS::CloudWatch::Dashboard",
"Properties": {
"DashboardName": "Dashboard1",
"DashboardBody": "{\"widgets\":[{\"type\":\"metric\",\"x\":0,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/EC2\",\"CPUUtilization\",\"InstanceId\",\"i-012345\"]],\"period\":300,\"stat\":\"Average\",\"region\":\"us-east-1\",\"title\":\"EC2 Instance CPU\"}},{\"type\":\"metric\",\"x\":12,\"y\":0,\"width\":12,\"height\":6,\"properties\":{\"metrics\":[[\"AWS/S3\",\"BucketSizeBytes\",\"BucketName\",\"amzn-s3-demo-bucket\"]],\"period\":86400,\"stat\":\"Maximum\",\"region\":\"us-east-1\",\"title\":\"amzn-s3-demo-bucket bytes\"}}]}"
}
}
}
```
### YAML
```
DashboardSideBySide:
Type: AWS::CloudWatch::Dashboard
Properties:
DashboardName: Dashboard1
DashboardBody: '{"widgets":[{"type":"metric","x":0,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/EC2","CPUUtilization","InstanceId","i-012345"]],"period":300,"stat":"Average","region":"us-east-1","title":"EC2 Instance CPU"}},{"type":"metric","x":12,"y":0,"width":12,"height":6,"properties":{"metrics":[["AWS/S3","BucketSizeBytes","BucketName","amzn-s3-demo-bucket"]],"period":86400,"stat":"Maximum","region":"us-east-1","title":"amzn-s3-demo-bucket bytes"}}]}'
```
# Amazon CloudWatch Logs template snippets
Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances or other sources. You can use CloudFormation to provision and manage log groups and metric filters. For more information about Amazon CloudWatch Logs, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html).
**Topics**
+ [
## Send logs to CloudWatch Logs from a Linux instance
](#quickref-cloudwatchlogs-example1)
+ [
## Send logs to CloudWatch Logs from a Windows instance
](#quickref-cloudwatchlogs-example2)
+ [
## See also
](#w2aac11c41c35c11)
## Send logs to CloudWatch Logs from a Linux instance
The following template demonstrates how to set up a web server on Amazon Linux 2023 with CloudWatch Logs integration. The template performs the following tasks:
+ Installs Apache and PHP.
+ Configures the CloudWatch agent to forward Apache access logs to CloudWatch Logs.
+ Sets up an IAM role to allow the CloudWatch agent to send log data to CloudWatch Logs.
+ Creates custom alarms and notifications to monitor for 404 errors or high bandwidth usage.
Log events from the web server provide metric data for CloudWatch alarms. The two metric filters describe how the log information is transformed into CloudWatch metrics. The 404 metric counts the number of 404 occurrences. The size metric tracks the size of a request. The two CloudWatch alarms will send notifications if there are more than two 404s within 2 minutes or if the average request size is over 3500 KB over 10 minutes.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.",
"Parameters": {
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"OperatorEmail": {
"Description": "Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)",
"Type": "String"
}
},
"Resources": {
"LogRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:CreateLogStream"
],
"Resource": "*"
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{"Ref": "LogRole"}]
}
},
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and SSH access via port 22",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": {"Ref": "SSHLocation"}
}
]
}
},
"WebServerHost": {
"Type": "AWS::EC2::Instance",
"Metadata": {
"Comment": "Install a simple PHP application on Amazon Linux 2023",
"AWS::CloudFormation::Init": {
"config": {
"packages": {
"dnf": {
"httpd": [],
"php": [],
"php-fpm": []
}
},
"files": {
"/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json": {
"content": {
"logs": {
"logs_collected": {
"files": {
"collect_list": [{
"file_path": "/var/log/httpd/access_log",
"log_group_name": {"Ref": "WebServerLogGroup"},
"log_stream_name": "{instance_id}/apache.log",
"timestamp_format": "%d/%b/%Y:%H:%M:%S %z"
}]
}
}
}
},
"mode": "000644",
"owner": "root",
"group": "root"
},
"/var/www/html/index.php": {
"content": "AWS CloudFormation sample PHP application on Amazon Linux 2023';\n?>\n",
"mode": "000644",
"owner": "apache",
"group": "apache"
},
"/etc/cfn/cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{"Ref": "AWS::StackId"},
"\n",
"region=",
{"Ref": "AWS::Region"},
"\n"
]
]
},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -s ",
{"Ref": "AWS::StackId"},
" -r WebServerHost ",
" --region ",
{"Ref": "AWS::Region"},
"\n",
"runas=root\n"
]
]
}
}
},
"services": {
"systemd": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"php-fpm": {
"enabled": "true",
"ensureRunning": "true"
}
}
}
}
}
},
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT5M"
}
},
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}",
"KeyName": {"Ref": "KeyName"},
"InstanceType": "t3.micro",
"SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}],
"IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"},
"UserData": {"Fn::Base64": {"Fn::Join": [ "", [
"#!/bin/bash\n",
"dnf update -y aws-cfn-bootstrap\n",
"dnf install -y amazon-cloudwatch-agent\n",
"/opt/aws/bin/cfn-init -v --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n",
"\n",
"# Verify Apache log directory exists and create if needed\n",
"mkdir -p /var/log/httpd\n",
"\n",
"# Start CloudWatch agent\n",
"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s\n",
"\n",
"# Signal success\n",
"/opt/aws/bin/cfn-signal -e $? --stack ", {"Ref": "AWS::StackName"}, " --resource WebServerHost --region ", {"Ref": "AWS::Region"}, "\n"
]]}}
}
},
"WebServerLogGroup": {
"Type": "AWS::Logs::LogGroup",
"DeletionPolicy": "Retain",
"UpdateReplacePolicy": "Retain",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "WebServerLogGroup"},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"BytesTransferredMetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "WebServerLogGroup"},
"FilterPattern": "[ip, identity, user_id, timestamp, request, status_code, size, ...]",
"MetricTransformations": [
{
"MetricValue": "$size",
"MetricNamespace": "test/BytesTransferred",
"MetricName": "testBytesTransferred"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"BandwidthAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The average volume of traffic is greater 3500 KB over 10 minutes",
"MetricName": "testBytesTransferred",
"Namespace": "test/BytesTransferred",
"Statistic": "Average",
"Period": "300",
"EvaluationPeriods": "2",
"Threshold": "3500",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {"Ref": "WebServerHost"}
},
"WebsiteURL": {
"Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"},
"Description": "URL for the web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]
}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {"Ref": "WebServerLogGroup"}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: Sample template that sets up and configures CloudWatch Logs on Amazon Linux 2023 instance.
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify when CloudWatch alarms are triggered (404 errors or high bandwidth usage)
Type: String
Resources:
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:PutLogEvents'
- 'logs:DescribeLogStreams'
- 'logs:DescribeLogGroups'
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
Resource: '*'
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref LogRole
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref SSHLocation
WebServerHost:
Type: AWS::EC2::Instance
Metadata:
Comment: Install a simple PHP application on Amazon Linux 2023
'AWS::CloudFormation::Init':
config:
packages:
dnf:
httpd: []
php: []
php-fpm: []
files:
/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json:
content: !Sub |
{
"logs": {
"logs_collected": {
"files": {
"collect_list": [
{
"file_path": "/var/log/httpd/access_log",
"log_group_name": "${WebServerLogGroup}",
"log_stream_name": "{instance_id}/apache.log",
"timestamp_format": "%d/%b/%Y:%H:%M:%S %z"
}
]
}
}
}
}
mode: '000644'
owner: root
group: root
/var/www/html/index.php:
content: |
AWS CloudFormation sample PHP application on Amazon Linux 2023';
?>
mode: '000644'
owner: apache
group: apache
/etc/cfn/cfn-hup.conf:
content: !Sub |
[main]
stack=${AWS::StackId}
region=${AWS::Region}
mode: '000400'
owner: root
group: root
/etc/cfn/hooks.d/cfn-auto-reloader.conf:
content: !Sub |
[cfn-auto-reloader-hook]
triggers=post.update
path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init
action=/opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerHost --region ${AWS::Region}
runas=root
services:
systemd:
httpd:
enabled: 'true'
ensureRunning: 'true'
php-fpm:
enabled: 'true'
ensureRunning: 'true'
CreationPolicy:
ResourceSignal:
Timeout: PT5M
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64}}'
KeyName: !Ref KeyName
InstanceType: t3.micro
SecurityGroupIds:
- !Ref WebServerSecurityGroup
IamInstanceProfile: !Ref LogRoleInstanceProfile
UserData: !Base64
Fn::Sub: |
#!/bin/bash
dnf update -y aws-cfn-bootstrap
dnf install -y amazon-cloudwatch-agent
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region}
# Verify Apache log directory exists and create if needed
mkdir -p /var/log/httpd
# Start CloudWatch agent
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json -s
# Signal success
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region}
echo "Done"
WebServerLogGroup:
Type: AWS::Logs::LogGroup
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref WebServerLogGroup
FilterPattern: >-
[ip, identity, user_id, timestamp, request, status_code = 404, size, ...]
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
BytesTransferredMetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref WebServerLogGroup
FilterPattern: '[ip, identity, user_id, timestamp, request, status_code, size, ...]'
MetricTransformations:
- MetricValue: $size
MetricNamespace: test/BytesTransferred
MetricName: testBytesTransferred
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
BandwidthAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The average volume of traffic is greater 3500 KB over 10 minutes
MetricName: testBytesTransferred
Namespace: test/BytesTransferred
Statistic: Average
Period: '300'
EvaluationPeriods: '2'
Threshold: '3500'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref WebServerHost
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for the web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt WebServerHost.PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref WebServerLogGroup
```
## Send logs to CloudWatch Logs from a Windows instance
The following template configures CloudWatch Logs for a Windows 2012R2 instance.
The CloudWatch Logs agent on Windows (SSM agent on Windows 2012R2 and Windows 2016 AMIs) only sends logs after it's started, so any logs that are generated before startup aren't sent. To work around this, the template helps to ensure that the agent starts before any logs are written by:
+ Configuring the agent setup as the first `config` item in cfn-init `configSets`.
+ Using `waitAfterCompletion` to insert a pause after the command that starts the agent.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.",
"Parameters": {
"KeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable RDP access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"RDPLocation": {
"Description": "The IP address range that can be used to RDP to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"OperatorEmail": {
"Description": "Email address to notify when CloudWatch alarms are triggered (404 errors)",
"Type": "String"
}
},
"Resources": {
"WebServerSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable HTTP access via port 80 and RDP access via port 3389",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"CidrIp": {"Ref": "RDPLocation"}
}
]
}
},
"LogRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
],
"Path": "/",
"Policies": [
{
"PolicyName": "LogRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Create*",
"logs:PutLogEvents",
"s3:GetObject"
],
"Resource": [
"arn:aws:logs:*:*:*",
"arn:aws:s3:::*"
]
}
]
}
}
]
}
},
"LogRoleInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{"Ref": "LogRole"}]
}
},
"WebServerHost": {
"Type": "AWS::EC2::Instance",
"CreationPolicy": {
"ResourceSignal": {
"Timeout": "PT15M"
}
},
"Metadata": {
"AWS::CloudFormation::Init": {
"configSets": {
"config": [
"00-ConfigureCWLogs",
"01-InstallWebServer",
"02-ConfigureApplication",
"03-Finalize"
]
},
"00-ConfigureCWLogs": {
"files": {
"C:\\Program Files\\Amazon\\SSM\\Plugins\\awsCloudWatch\\AWS.EC2.Windows.CloudWatch.json": {
"content": {
"EngineConfiguration": {
"Components": [
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/SystemEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/SecurityEventLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/CfnInitLog",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": {"Ref": "LogGroup"},
"LogStream": "{instance_id}/IISLogs",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": {"Ref": "AWS::Region"},
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
}
},
"commands": {
"0-enableSSM": {
"command": "powershell.exe -Command \"Set-Service -Name AmazonSSMAgent -StartupType Automatic\" ",
"waitAfterCompletion": "0"
},
"1-restartSSM": {
"command": "powershell.exe -Command \"Restart-Service AmazonSSMAgent \"",
"waitAfterCompletion": "30"
}
}
},
"01-InstallWebServer": {
"commands": {
"01_install_webserver": {
"command": "powershell.exe -Command \"Install-WindowsFeature Web-Server -IncludeAllSubFeature\"",
"waitAfterCompletion": "0"
}
}
},
"02-ConfigureApplication": {
"files": {
"c:\\Inetpub\\wwwroot\\index.htm": {
"content": " Test Application Page Congratulations!! Your IIS server is configured.
"
}
}
},
"03-Finalize": {
"commands": {
"00_signal_success": {
"command": {
"Fn::Sub": "cfn-signal.exe -e 0 --resource WebServerHost --stack ${AWS::StackName} --region ${AWS::Region}"
},
"waitAfterCompletion": "0"
}
}
}
}
},
"Properties": {
"KeyName": {
"Ref": "KeyPair"
},
"ImageId": "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}",
"InstanceType": "t2.xlarge",
"SecurityGroupIds": [{"Ref": "WebServerSecurityGroup"}],
"IamInstanceProfile": {"Ref": "LogRoleInstanceProfile"},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"\n"
]
]
}
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 7
}
},
"404MetricFilter": {
"Type": "AWS::Logs::MetricFilter",
"Properties": {
"LogGroupName": {"Ref": "LogGroup"},
"FilterPattern": "[timestamps, serverip, method, uri, query, port, dash, clientip, useragent, status_code = 404, ...]",
"MetricTransformations": [
{
"MetricValue": "1",
"MetricNamespace": "test/404s",
"MetricName": "test404Count"
}
]
}
},
"404Alarm": {
"Type": "AWS::CloudWatch::Alarm",
"Properties": {
"AlarmDescription": "The number of 404s is greater than 2 over 2 minutes",
"MetricName": "test404Count",
"Namespace": "test/404s",
"Statistic": "Sum",
"Period": "60",
"EvaluationPeriods": "2",
"Threshold": "2",
"AlarmActions": [{"Ref": "AlarmNotificationTopic"}],
"ComparisonOperator": "GreaterThanThreshold"
}
},
"AlarmNotificationTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"Subscription": [{"Endpoint": {"Ref": "OperatorEmail"}, "Protocol": "email"}]
}
}
},
"Outputs": {
"InstanceId": {
"Description": "The instance ID of the web server",
"Value": {"Ref": "WebServerHost"}
},
"WebsiteURL": {
"Value": {"Fn::Sub": "http://${WebServerHost.PublicDnsName}"},
"Description": "URL for the web server"
},
"PublicIP": {
"Description": "Public IP address of the web server",
"Value": {"Fn::GetAtt": ["WebServerHost","PublicIp"]}
},
"CloudWatchLogGroupName": {
"Description": "The name of the CloudWatch log group",
"Value": {"Ref": "LogGroup"}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: >-
Sample template that sets up and configures CloudWatch Logs on Windows 2012R2 instance.
Parameters:
KeyPair:
Description: Name of an existing EC2 KeyPair to enable RDP access to the instances
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
RDPLocation:
Description: The IP address range that can be used to RDP to the EC2 instances
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
OperatorEmail:
Description: Email address to notify when CloudWatch alarms are triggered (404 errors)
Type: String
Resources:
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and RDP access via port 3389
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '3389'
ToPort: '3389'
CidrIp: !Ref RDPLocation
LogRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
Path: /
Policies:
- PolicyName: LogRolePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:Create*'
- 'logs:PutLogEvents'
- 's3:GetObject'
Resource:
- 'arn:aws:logs:*:*:*'
- 'arn:aws:s3:::*'
LogRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref LogRole
WebServerHost:
Type: AWS::EC2::Instance
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Metadata:
'AWS::CloudFormation::Init':
configSets:
config:
- 00-ConfigureCWLogs
- 01-InstallWebServer
- 02-ConfigureApplication
- 03-Finalize
00-ConfigureCWLogs:
files:
'C:\Program Files\Amazon\SSM\Plugins\awsCloudWatch\AWS.EC2.Windows.CloudWatch.json':
content: !Sub |
{
"EngineConfiguration": {
"Components": [
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "ApplicationEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Application"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SystemEventLog",
"Parameters": {
"Levels": "7",
"LogName": "System"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "SecurityEventLog",
"Parameters": {
"Levels": "7",
"LogName": "Security"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "EC2ConfigLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "EC2ConfigLog.txt",
"LogDirectoryPath": "C:\\Program Files\\Amazon\\Ec2ConfigService\\Logs",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-ddTHH:mm:ss.fffZ:"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CfnInitLog",
"Parameters": {
"CultureName": "en-US",
"Encoding": "ASCII",
"Filter": "cfn-init.log",
"LogDirectoryPath": "C:\\cfn\\log",
"TimeZoneKind": "Local",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss,fff"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "IISLogs",
"Parameters": {
"CultureName": "en-US",
"Encoding": "UTF-8",
"Filter": "",
"LineCount": "3",
"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"TimeZoneKind": "UTC",
"TimestampFormat": "yyyy-MM-dd HH:mm:ss"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.PerformanceCounterComponent.PerformanceCounterInputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "MemoryPerformanceCounter",
"Parameters": {
"CategoryName": "Memory",
"CounterName": "Available MBytes",
"DimensionName": "",
"DimensionValue": "",
"InstanceName": "",
"MetricName": "Memory",
"Unit": "Megabytes"
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchApplicationEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/ApplicationEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSystemEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SystemEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchSecurityEventLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/SecurityEventLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchEC2ConfigLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/EC2ConfigLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchCfnInitLog",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/CfnInitLog",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatchIISLogs",
"Parameters": {
"AccessKey": "",
"LogGroup": "${LogGroup}",
"LogStream": "{instance_id}/IISLogs",
"Region": "${AWS::Region}",
"SecretKey": ""
}
},
{
"FullName": "AWS.EC2.Windows.CloudWatch.CloudWatch.CloudWatchOutputComponent,AWS.EC2.Windows.CloudWatch",
"Id": "CloudWatch",
"Parameters": {
"AccessKey": "",
"NameSpace": "Windows/Default",
"Region": "${AWS::Region}",
"SecretKey": ""
}
}
],
"Flows": {
"Flows": [
"ApplicationEventLog,CloudWatchApplicationEventLog",
"SystemEventLog,CloudWatchSystemEventLog",
"SecurityEventLog,CloudWatchSecurityEventLog",
"EC2ConfigLog,CloudWatchEC2ConfigLog",
"CfnInitLog,CloudWatchCfnInitLog",
"IISLogs,CloudWatchIISLogs",
"MemoryPerformanceCounter,CloudWatch"
]
},
"PollInterval": "00:00:05"
},
"IsEnabled": true
}
commands:
0-enableSSM:
command: >-
powershell.exe -Command "Set-Service -Name AmazonSSMAgent
-StartupType Automatic"
waitAfterCompletion: '0'
1-restartSSM:
command: powershell.exe -Command "Restart-Service AmazonSSMAgent "
waitAfterCompletion: '30'
01-InstallWebServer:
commands:
01_install_webserver:
command: >-
powershell.exe -Command "Install-WindowsFeature Web-Server
-IncludeAllSubFeature"
waitAfterCompletion: '0'
02-ConfigureApplication:
files:
'c:\Inetpub\wwwroot\index.htm':
content: >-
Test Application Page
Congratulations !! Your IIS server is
configured.
03-Finalize:
commands:
00_signal_success:
command: !Sub >-
cfn-signal.exe -e 0 --resource WebServerHost --stack
${AWS::StackName} --region ${AWS::Region}
waitAfterCompletion: '0'
Properties:
KeyName: !Ref KeyPair
ImageId: "{{resolve:ssm:/aws/service/ami-windows-latest/Windows_Server-2012-R2_RTM-English-64Bit-Base}}"
InstanceType: t2.xlarge
SecurityGroupIds:
- !Ref WebServerSecurityGroup
IamInstanceProfile: !Ref LogRoleInstanceProfile
UserData: !Base64
'Fn::Sub': >
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
RetentionInDays: 7
404MetricFilter:
Type: AWS::Logs::MetricFilter
Properties:
LogGroupName: !Ref LogGroup
FilterPattern: >-
[timestamps, serverip, method, uri, query, port, dash, clientip,
useragent, status_code = 404, ...]
MetricTransformations:
- MetricValue: '1'
MetricNamespace: test/404s
MetricName: test404Count
404Alarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: The number of 404s is greater than 2 over 2 minutes
MetricName: test404Count
Namespace: test/404s
Statistic: Sum
Period: '60'
EvaluationPeriods: '2'
Threshold: '2'
AlarmActions:
- !Ref AlarmNotificationTopic
ComparisonOperator: GreaterThanThreshold
AlarmNotificationTopic:
Type: AWS::SNS::Topic
Properties:
Subscription:
- Endpoint: !Ref OperatorEmail
Protocol: email
Outputs:
InstanceId:
Description: The instance ID of the web server
Value: !Ref WebServerHost
WebsiteURL:
Value: !Sub 'http://${WebServerHost.PublicDnsName}'
Description: URL for the web server
PublicIP:
Description: Public IP address of the web server
Value: !GetAtt
- WebServerHost
- PublicIp
CloudWatchLogGroupName:
Description: The name of the CloudWatch log group
Value: !Ref LogGroup
```
## See also
For more information about CloudWatch Logs resources, see [AWS::Logs::LogGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-loggroup.html) or [AWS::Logs::MetricFilter](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-metricfilter.html).
# Amazon DynamoDB template snippets
**Topics**
+ [
## Application Auto Scaling with an Amazon DynamoDB table
](#quickref-dynamodb-application-autoscaling)
+ [
## See also
](#w2aac11c41c39b7)
## Application Auto Scaling with an Amazon DynamoDB table
This example sets up Application Auto Scaling for a `AWS::DynamoDB::Table` resource. The template defines a `TargetTrackingScaling` scaling policy that scales up the `WriteCapacityUnits` throughput for the table.
### JSON
```
{
"Resources": {
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "ArtistId",
"AttributeType": "S"
},
{
"AttributeName": "Concert",
"AttributeType": "S"
},
{
"AttributeName": "TicketSales",
"AttributeType": "S"
}
],
"KeySchema": [
{
"AttributeName": "ArtistId",
"KeyType": "HASH"
},
{
"AttributeName": "Concert",
"KeyType": "RANGE"
}
],
"GlobalSecondaryIndexes": [
{
"IndexName": "GSI",
"KeySchema": [
{
"AttributeName": "TicketSales",
"KeyType": "HASH"
}
],
"Projection": {
"ProjectionType": "KEYS_ONLY"
},
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 5,
"WriteCapacityUnits": 5
}
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": {
"Fn::Join": [
"/",
[
"table",
{
"Ref": "DDBTable"
}
]
]
},
"RoleARN" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable" },
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
}
}
}
```
### YAML
```
Resources:
DDBTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: "ArtistId"
AttributeType: "S"
- AttributeName: "Concert"
AttributeType: "S"
- AttributeName: "TicketSales"
AttributeType: "S"
KeySchema:
- AttributeName: "ArtistId"
KeyType: "HASH"
- AttributeName: "Concert"
KeyType: "RANGE"
GlobalSecondaryIndexes:
- IndexName: "GSI"
KeySchema:
- AttributeName: "TicketSales"
KeyType: "HASH"
Projection:
ProjectionType: "KEYS_ONLY"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
WriteCapacityScalableTarget:
Type: AWS::ApplicationAutoScaling::ScalableTarget
Properties:
MaxCapacity: 15
MinCapacity: 5
ResourceId: !Join
- /
- - table
- !Ref DDBTable
RoleARN:
Fn::Sub: 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'
ScalableDimension: dynamodb:table:WriteCapacityUnits
ServiceNamespace: dynamodb
WriteScalingPolicy:
Type: AWS::ApplicationAutoScaling::ScalingPolicy
Properties:
PolicyName: WriteAutoScalingPolicy
PolicyType: TargetTrackingScaling
ScalingTargetId: !Ref WriteCapacityScalableTarget
TargetTrackingScalingPolicyConfiguration:
TargetValue: 50.0
ScaleInCooldown: 60
ScaleOutCooldown: 60
PredefinedMetricSpecification:
PredefinedMetricType: DynamoDBWriteCapacityUtilization
```
## See also
For more information, see the blog post [How to use CloudFormation to configure auto scaling for DynamoDB tables and indexes](https://aws.amazon.com/blogs/database/how-to-use-aws-cloudformation-to-configure-auto-scaling-for-amazon-dynamodb-tables-and-indexes/) on the AWS Database Blog.
For more information about DynamoDB resources, see [AWS::DynamoDB::Table](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.html).
# Amazon EC2 CloudFormation template snippets
Amazon EC2 provides scalable compute capacity in the AWS Cloud. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. These virtual servers, known as instances, can run a variety of operating systems and applications, and can be customized to meet your specific requirements. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in usage.
You can define and provision Amazon EC2 instances as part of your infrastructure using CloudFormation templates. Templates make it easy to manage and automate the deployment of Amazon EC2 resources in a repeatable and consistent manner.
The following example template snippets describe CloudFormation resources or components for Amazon EC2. These snippets are designed to be integrated into a template and are not intended to be run independently.
**Topics**
+ [Configure EC2 instances](quickref-ec2-instance-config.md)
+ [Create launch templates](quickref-ec2-launch-templates.md)
+ [Manage security groups](quickref-ec2-sg.md)
+ [Allocate Elastic IPs](quickref-ec2-elastic-ip.md)
+ [Configure VPC resources](quickref-ec2-vpc.md)
# Configure Amazon EC2 instances with CloudFormation
The following snippets demonstrate how to configure Amazon EC2 instances using CloudFormation.
**Topics**
+ [
## General Amazon EC2 configurations
](#quickref-ec2-instance-config-general)
+ [
## Specify the block device mappings for an instance
](#scenario-ec2-bdm)
## General Amazon EC2 configurations
The following snippets demonstrate general configurations for Amazon EC2 instances using CloudFormation.
**Topics**
+ [
### Create an Amazon EC2 instance in a specified Availability Zone
](#scenario-ec2-instance)
+ [
### Configure a tagged Amazon EC2 instance with an EBS volume and user data
](#scenario-ec2-instance-with-vol-and-tags)
+ [
### Define DynamoDB table name in user data for Amazon EC2 instance launch
](#scenario-ec2-with-sdb-domain)
+ [
### Create an Amazon EBS volume with `DeletionPolicy`
](#scenario-ec2-volume)
### Create an Amazon EC2 instance in a specified Availability Zone
The following snippet creates an Amazon EC2 instance in the specified Availability Zone using an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. The code for an Availability Zone is its Region code followed by a letter identifier. You can launch an instance into a single Availability Zone.
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "AvailabilityZone": "aa-example-1a",
5. "ImageId": "ami-1234567890abcdef0"
6. }
7. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. AvailabilityZone: aa-example-1a
5. ImageId: ami-1234567890abcdef0
```
### Configure a tagged Amazon EC2 instance with an EBS volume and user data
The following snippet creates an Amazon EC2 instance with a tag, an EBS volume, and user data. It uses an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. In the same template, you must define an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource, an [AWS::SNS::Topic](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource, and an [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource. The `KeyName` must be defined in the `Parameters` section of the template.
Tags can help you to categorize AWS resources based on your preferences, such as by purpose, owner, or environment. User data allows for the provisioning of custom scripts or data to an instance during launch. This data facilitates task automation, software configuration, package installation, and other actions on an instance during initialization.
For more information about tagging your resources, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.
For information about user data, see [Use instance metadata to manage your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*.
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "KeyName": { "Ref": "KeyName" },
5. "SecurityGroups": [ { "Ref": "Ec2SecurityGroup" } ],
6. "UserData": {
7. "Fn::Base64": {
8. "Fn::Join": [ ":", [
9. "PORT=80",
10. "TOPIC=",
11. { "Ref": "MySNSTopic" }
12. ]
13. ]
14. }
15. },
16. "InstanceType": "aa.size",
17. "AvailabilityZone": "aa-example-1a",
18. "ImageId": "ami-1234567890abcdef0",
19. "Volumes": [
20. {
21. "VolumeId": { "Ref": "MyVolumeResource" },
22. "Device": "/dev/sdk"
23. }
24. ],
25. "Tags": [ { "Key": "Name", "Value": "MyTag" } ]
26. }
27. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. KeyName: !Ref KeyName
5. SecurityGroups:
6. - !Ref Ec2SecurityGroup
7. UserData:
8. Fn::Base64:
9. Fn::Join:
10. - ":"
11. - - "PORT=80"
12. - "TOPIC="
13. - !Ref MySNSTopic
14. InstanceType: aa.size
15. AvailabilityZone: aa-example-1a
16. ImageId: ami-1234567890abcdef0
17. Volumes:
18. - VolumeId: !Ref MyVolumeResource
19. Device: "/dev/sdk"
20. Tags:
21. - Key: Name
22. Value: MyTag
```
### Define DynamoDB table name in user data for Amazon EC2 instance launch
The following snippet creates an Amazon EC2 instance and defines a DynamoDB table name in the user data to pass to the instance at launch. It uses an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. You can define parameters or dynamic values in the user data to pass an EC2 instance at launch.
For more information about user data, see [Use instance metadata to manage your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*.
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "UserData": {
5. "Fn::Base64": {
6. "Fn::Join": [
7. "",
8. [
9. "TableName=",
10. {
11. "Ref": "DynamoDBTableName"
12. }
13. ]
14. ]
15. }
16. },
17. "AvailabilityZone": "aa-example-1a",
18. "ImageId": "ami-1234567890abcdef0"
19. }
20. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. UserData:
5. Fn::Base64:
6. Fn::Join:
7. - ''
8. - - 'TableName='
9. - Ref: DynamoDBTableName
10. AvailabilityZone: aa-example-1a
11. ImageId: ami-1234567890abcdef0
```
### Create an Amazon EBS volume with `DeletionPolicy`
The following snippets create an Amazon EBS volume using an Amazon EC2 [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource. You can use the `Size` or `SnapshotID` properties to define the volume, but not both. A `DeletionPolicy` attribute is set to create a snapshot of the volume when the stack is deleted.
For more information about the `DeletionPolicy` attribute, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-deletionpolicy.html).
For more information about creating Amazon EBS volumes, see [Create an Amazon EBS volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html).
#### JSON
This snippet creates an Amazon EBS volume with a specified **size**. The size is set to 10, but you can adjust it as needed. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both.
```
1. "MyEBSVolume": {
2. "Type": "AWS::EC2::Volume",
3. "Properties": {
4. "Size": "10",
5. "AvailabilityZone": {
6. "Ref": "AvailabilityZone"
7. }
8. },
9. "DeletionPolicy": "Snapshot"
10. }
```
This snippet creates an Amazon EBS volume using a provided **snapshot ID**. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both.
```
1. "MyEBSVolume": {
2. "Type": "AWS::EC2::Volume",
3. "Properties": {
4. "SnapshotId" : "snap-1234567890abcdef0",
5. "AvailabilityZone": {
6. "Ref": "AvailabilityZone"
7. }
8. },
9. "DeletionPolicy": "Snapshot"
10. }
```
#### YAML
This snippet creates an Amazon EBS volume with a specified **size**. The size is set to 10, but you can adjust it as needed. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both.
```
1. MyEBSVolume:
2. Type: AWS::EC2::Volume
3. Properties:
4. Size: 10
5. AvailabilityZone:
6. Ref: AvailabilityZone
7. DeletionPolicy: Snapshot
```
This snippet creates an Amazon EBS volume using a provided **snapshot ID**. The [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource allows you to specify either the size or a snapshot ID but not both.
```
1. MyEBSVolume:
2. Type: AWS::EC2::Volume
3. Properties:
4. SnapshotId: snap-1234567890abcdef0
5. AvailabilityZone:
6. Ref: AvailabilityZone
7. DeletionPolicy: Snapshot
```
## Specify the block device mappings for an instance
A block device mapping defines the block devices, which includes instance store volumes and EBS volumes, to attach to an instance. You can specify a block device mapping when creating an AMI so that the mapping is used by all instances launched from the AMI. Alternatively, you can specify a block device mapping when you launch an instance, so that the mapping overrides the one specified in the AMI from which the instance was launched.
You can use the following template snippets to specify the block device mappings for your EBS or instance store volumes using the `BlockDeviceMappings` property of an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource.
For more information about block device mappings, see [Block device mappings for volumes on Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) in the *Amazon EC2 User Guide*.
**Topics**
+ [
### Specify the block device mappings for two EBS volumes
](#w2aac11c41c43c13b9c11)
+ [
### Specify the block device mapping for an instance store volume
](#w2aac11c41c43c13b9c13)
### Specify the block device mappings for two EBS volumes
#### JSON
```
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"KeyName": { "Ref": "KeyName" },
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroups": [{ "Ref": "Ec2SecurityGroup" }],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": { "VolumeSize": "50" }
},
{
"DeviceName": "/dev/sdm",
"Ebs": { "VolumeSize": "100" }
}
]
}
}
}
```
#### YAML
```
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
-
DeviceName: /dev/sda1
Ebs:
VolumeSize: 50
-
DeviceName: /dev/sdm
Ebs:
VolumeSize: 100
```
### Specify the block device mapping for an instance store volume
#### JSON
```
"Ec2Instance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"ImageId" : "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"KeyName" : { "Ref" : "KeyName" },
"InstanceType": { "Ref": "InstanceType" },
"SecurityGroups" : [{ "Ref" : "Ec2SecurityGroup" }],
"BlockDeviceMappings" : [
{
"DeviceName" : "/dev/sdc",
"VirtualName" : "ephemeral0"
}
]
}
}
```
#### YAML
```
EC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
KeyName: !Ref KeyName
InstanceType: !Ref InstanceType
SecurityGroups:
- !Ref Ec2SecurityGroup
BlockDeviceMappings:
- DeviceName: /dev/sdc
VirtualName: ephemeral0
```
# Create launch templates with CloudFormation
This section provides an example for creating an Amazon EC2 launch template using CloudFormation. Launch templates allow you to create templates for configuring and provisioning Amazon EC2 instances within AWS. With launch templates, you can store launch parameters so that you do not have to specify them every time you launch an instance. For more examples, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples) section in the `AWS::EC2::LaunchTemplate` resource.
For more information about launch templates, see [Store instance launch parameters in Amazon EC2 launch templates](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html) in the *Amazon EC2 User Guide*.
For information about creating launch templates for use with Auto Scaling groups, see [Auto Scaling launch templates](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-templates.html) in the *Amazon EC2 Auto Scaling User Guide*.
**Topics**
+ [
## Create a launch template that specifies security groups, tags, user data, and an IAM role
](#scenario-as-launch-template)
## Create a launch template that specifies security groups, tags, user data, and an IAM role
This snippet shows an [AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) resource that contains the configuration information to launch an instance. You specify values for the `ImageId`, `InstanceType`, `SecurityGroups`, `UserData`, and `TagSpecifications` properties. The `SecurityGroups` property specifies an existing EC2 security group and a new security group. The `Ref` function gets the ID of the [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource `myNewEC2SecurityGroup` that's declared elsewhere in the stack template.
The launch template includes a section for custom user data. You can pass in configuration tasks and scripts that run when an instance launches in this section. In this example, the user data installs the AWS Systems Manager Agent and starts the agent.
The launch template also includes an IAM role that allows applications running on instances to perform actions on your behalf. This example shows an [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html) resource for the launch template, which uses the `IamInstanceProfile` property to specify the IAM role. The `Ref` function gets the name of the [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-instanceprofile.html) resource `myInstanceProfile`. To configure the permissions of the IAM role, you specify a value for the `ManagedPolicyArns` property.
### JSON
```
1. {
2. "Resources":{
3. "myLaunchTemplate":{
4. "Type":"AWS::EC2::LaunchTemplate",
5. "Properties":{
6. "LaunchTemplateName":{ "Fn::Sub": "${AWS::StackName}-launch-template" },
7. "LaunchTemplateData":{
8. "ImageId":"ami-02354e95b3example",
9. "InstanceType":"t3.micro",
10. "IamInstanceProfile":{
11. "Name":{
12. "Ref":"myInstanceProfile"
13. }
14. },
15. "SecurityGroupIds":[
16. {
17. "Ref":"myNewEC2SecurityGroup"
18. },
19. "sg-083cd3bfb8example"
20. ],
21. "UserData":{
22. "Fn::Base64":{
23. "Fn::Join": [
24. "", [
25. "#!/bin/bash\n",
26. "cd /tmp\n",
27. "yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\n",
28. "systemctl enable amazon-ssm-agent\n",
29. "systemctl start amazon-ssm-agent\n"
30. ]
31. ]
32. }
33. },
34. "TagSpecifications":[
35. {
36. "ResourceType":"instance",
37. "Tags":[
38. {
39. "Key":"environment",
40. "Value":"development"
41. }
42. ]
43. },
44. {
45. "ResourceType":"volume",
46. "Tags":[
47. {
48. "Key":"environment",
49. "Value":"development"
50. }
51. ]
52. }
53. ]
54. }
55. }
56. },
57. "myInstanceRole":{
58. "Type":"AWS::IAM::Role",
59. "Properties":{
60. "RoleName":"InstanceRole",
61. "AssumeRolePolicyDocument":{
62. "Version": "2012-10-17",
63. "Statement":[
64. {
65. "Effect":"Allow",
66. "Principal":{
67. "Service":[
68. "ec2.amazonaws.com"
69. ]
70. },
71. "Action":[
72. "sts:AssumeRole"
73. ]
74. }
75. ]
76. },
77. "ManagedPolicyArns":[
78. "arn:aws:iam::aws:policy/myCustomerManagedPolicy"
79. ]
80. }
81. },
82. "myInstanceProfile":{
83. "Type":"AWS::IAM::InstanceProfile",
84. "Properties":{
85. "Path":"/",
86. "Roles":[
87. {
88. "Ref":"myInstanceRole"
89. }
90. ]
91. }
92. }
93. }
94. }
```
### YAML
```
1. ---
2. Resources:
3. myLaunchTemplate:
4. Type: AWS::EC2::LaunchTemplate
5. Properties:
6. LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
7. LaunchTemplateData:
8. ImageId: ami-02354e95b3example
9. InstanceType: t3.micro
10. IamInstanceProfile:
11. Name: !Ref myInstanceProfile
12. SecurityGroupIds:
13. - !Ref myNewEC2SecurityGroup
14. - sg-083cd3bfb8example
15. UserData:
16. Fn::Base64: !Sub |
17. #!/bin/bash
18. cd /tmp
19. yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
20. systemctl enable amazon-ssm-agent
21. systemctl start amazon-ssm-agent
22. TagSpecifications:
23. - ResourceType: instance
24. Tags:
25. - Key: environment
26. Value: development
27. - ResourceType: volume
28. Tags:
29. - Key: environment
30. Value: development
31. myInstanceRole:
32. Type: AWS::IAM::Role
33. Properties:
34. RoleName: InstanceRole
35. AssumeRolePolicyDocument:
36. Version: '2012-10-17'
37. Statement:
38. - Effect: 'Allow'
39. Principal:
40. Service:
41. - 'ec2.amazonaws.com'
42. Action:
43. - 'sts:AssumeRole'
44. ManagedPolicyArns:
45. - 'arn:aws:iam::aws:policy/myCustomerManagedPolicy'
46. myInstanceProfile:
47. Type: AWS::IAM::InstanceProfile
48. Properties:
49. Path: '/'
50. Roles:
51. - !Ref myInstanceRole
```
# Manage security groups with CloudFormation
The following snippets demonstrate how to use CloudFormation to manage security groups and Amazon EC2 instances to control access to your AWS resources.
**Topics**
+ [
## Associate an Amazon EC2 instance with a security group
](#quickref-ec2-instances-associate-security-group)
+ [
## Create security groups with ingress rules
](#quickref-ec2-instances-ingress)
+ [
## Create an Elastic Load Balancer with a security group ingress rule
](#scenario-ec2-security-group-elbingress)
## Associate an Amazon EC2 instance with a security group
The following example snippets demonstrate how to associate an Amazon EC2 instance with a default Amazon VPC security group using CloudFormation.
**Topics**
+ [
### Associate an Amazon EC2 instance with a default VPC security group
](#using-cfn-getatt-default-values)
+ [
### Create an Amazon EC2 instance with an attached volume and security group
](#scenario-ec2-volumeattachment)
### Associate an Amazon EC2 instance with a default VPC security group
The following snippet creates an Amazon VPC, a subnet within the VPC, and an Amazon EC2 instance. The VPC is created using an [AWS::EC2::VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) resource. The IP address range for the VPC is defined in the larger template and is referenced by the `MyVPCCIDRRange` parameter.
A subnet is created within the VPC using an [AWS::EC2:: Subnet](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-subnet.html) resource. The subnet is associated with the VPC, which is referenced as `MyVPC`.
An EC2 instance is launched within the VPC and subnet using an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource. This resource specifies the Amazon Machine Image (AMI) to use to launch the instance, the subnet where the instance will run, and the security group to associate with the instance. The `ImageId` uses a Systems Manager parameter to dynamically retrieve the latest Amazon Linux 2 AMI.
The security group ID is obtained using the `Fn::GetAtt` function, which retrieves the default security group from the `MyVPC` resource.
The instance is placed within the `MySubnet` resource defined in the snippet.
When you create a VPC using CloudFormation, AWS automatically creates default resources within the VPC, including a default security group. However, when you define a VPC within a CloudFormation template, you may not have access to the IDs of these default resources when you create the template. To access and use the default resources specified in the template, you can use intrinsic functions such as `Fn::GetAtt`. This function allows you to work with the default resources that are automatically created by CloudFormation.
#### JSON
```
"MyVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "MyVPCCIDRRange"
},
"EnableDnsSupport": false,
"EnableDnsHostnames": false,
"InstanceTenancy": "default"
}
},
"MySubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Ref": "MyVPCCIDRRange"
},
"VpcId": {
"Ref": "MyVPC"
}
}
},
"MyInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": [
{
"Fn::GetAtt": [
"MyVPC",
"DefaultSecurityGroup"
]
}
],
"SubnetId": {
"Ref": "MySubnet"
}
}
}
```
#### YAML
```
MyVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock:
Ref: MyVPCCIDRRange
EnableDnsSupport: false
EnableDnsHostnames: false
InstanceTenancy: default
MySubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock:
Ref: MyVPCCIDRRange
VpcId:
Ref: MyVPC
MyInstance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds:
- Fn::GetAtt:
- MyVPC
- DefaultSecurityGroup
SubnetId:
Ref: MySubnet
```
### Create an Amazon EC2 instance with an attached volume and security group
The following snippet creates an Amazon EC2 instance using an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource, which is launched from a designated AMI . The instance is associated with a security group that allows incoming SSH traffic on port 22 from a specified IP address, using an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource . It creates a 100 GB Amazon EBS volume using an [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-volume.html) resource. The volume is created in the same availability zone as the instance, as specified by the `GetAtt` function, and is mounted to the instance at the `/dev/sdh` device.
For more information about creating Amazon EBS volumes, see [Create an Amazon EBS volume](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-creating-volume.html).
#### JSON
```
1. "Ec2Instance": {
2. "Type": "AWS::EC2::Instance",
3. "Properties": {
4. "SecurityGroups": [
5. {
6. "Ref": "InstanceSecurityGroup"
7. }
8. ],
9. "ImageId": "ami-1234567890abcdef0"
10. }
11. },
12. "InstanceSecurityGroup": {
13. "Type": "AWS::EC2::SecurityGroup",
14. "Properties": {
15. "GroupDescription": "Enable SSH access via port 22",
16. "SecurityGroupIngress": [
17. {
18. "IpProtocol": "tcp",
19. "FromPort": "22",
20. "ToPort": "22",
21. "CidrIp": "192.0.2.0/24"
22. }
23. ]
24. }
25. },
26. "NewVolume": {
27. "Type": "AWS::EC2::Volume",
28. "Properties": {
29. "Size": "100",
30. "AvailabilityZone": {
31. "Fn::GetAtt": [
32. "Ec2Instance",
33. "AvailabilityZone"
34. ]
35. }
36. }
37. },
38. "MountPoint": {
39. "Type": "AWS::EC2::VolumeAttachment",
40. "Properties": {
41. "InstanceId": {
42. "Ref": "Ec2Instance"
43. },
44. "VolumeId": {
45. "Ref": "NewVolume"
46. },
47. "Device": "/dev/sdh"
48. }
49. }
```
#### YAML
```
1. Ec2Instance:
2. Type: AWS::EC2::Instance
3. Properties:
4. SecurityGroups:
5. - !Ref InstanceSecurityGroup
6. ImageId: ami-1234567890abcdef0
7. InstanceSecurityGroup:
8. Type: AWS::EC2::SecurityGroup
9. Properties:
10. GroupDescription: Enable SSH access via port 22
11. SecurityGroupIngress:
12. - IpProtocol: tcp
13. FromPort: 22
14. ToPort: 22
15. CidrIp: 192.0.2.0/24
16. NewVolume:
17. Type: AWS::EC2::Volume
18. Properties:
19. Size: 100
20. AvailabilityZone: !GetAtt [Ec2Instance, AvailabilityZone]
21. MountPoint:
22. Type: AWS::EC2::VolumeAttachment
23. Properties:
24. InstanceId: !Ref Ec2Instance
25. VolumeId: !Ref NewVolume
26. Device: /dev/sdh
```
## Create security groups with ingress rules
The following example snippets demonstrate how to configure security groups with specific ingress rules using CloudFormation.
**Topics**
+ [
### Create security group with ingress rules for SSH and HTTP access
](#scenario-ec2-security-group-rule)
+ [
### Create a security group with ingress rules for HTTP and SSH access from specified CIDR ranges
](#scenario-ec2-security-group-two-ports)
+ [
### Create cross-referencing security groups with ingress rules
](#scenario-ec2-security-group-ingress)
### Create security group with ingress rules for SSH and HTTP access
The following snippet describes two security group ingress rules using an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource. The first ingress rule allows SSH (port 22) access from an existing security group named `MyAdminSecurityGroup`, which is owned by the AWS account with the account number `1111-2222-3333`. The second ingress rule allows HTTP (port 80) access from a different security group named `MySecurityGroupCreatedInCFN`, which is created in the same template. The `Ref` function is used to reference the logical name of the security group created in the same template.
In the first ingress rule, you must add a value for both the `SourceSecurityGroupName` and `SourceSecurityGroupOwnerId` properties. In the second ingress rule, `MySecurityGroupCreatedInCFNTemplate` references a different security group, which is created in the same template. Verify that the logical name `MySecurityGroupCreatedInCFNTemplate` matches the actual logical name of the security group resource that you specify in the larger template.
For more information about security groups, see [Amazon EC2 security groups for your Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) in the *Amazon EC2 User Guide*.
#### JSON
```
1. "SecurityGroup": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "Allow connections from specified source security group",
5. "SecurityGroupIngress": [
6. {
7. "IpProtocol": "tcp",
8. "FromPort": "22",
9. "ToPort": "22",
10. "SourceSecurityGroupName": "MyAdminSecurityGroup",
11. "SourceSecurityGroupOwnerId": "1111-2222-3333"
12. },
13. {
14. "IpProtocol": "tcp",
15. "FromPort": "80",
16. "ToPort": "80",
17. "SourceSecurityGroupName": {
18. "Ref": "MySecurityGroupCreatedInCFNTemplate"
19. }
20. }
21. ]
22. }
23. }
```
#### YAML
```
1. SecurityGroup:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: Allow connections from specified source security group
5. SecurityGroupIngress:
6. - IpProtocol: tcp
7. FromPort: '22'
8. ToPort: '22'
9. SourceSecurityGroupName: MyAdminSecurityGroup
10. SourceSecurityGroupOwnerId: '1111-2222-3333'
11. - IpProtocol: tcp
12. FromPort: '80'
13. ToPort: '80'
14. SourceSecurityGroupName:
15. Ref: MySecurityGroupCreatedInCFNTemplate
```
### Create a security group with ingress rules for HTTP and SSH access from specified CIDR ranges
The following snippet creates a security group for an Amazon EC2 instance with two inbound rules. The inbound rules allow incoming TCP traffic on the specified ports from the designated CIDR ranges. An [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource is used to specify the rules. You must specify a protocol for each rule. For TCP, you must specify a port or port range. If you do not specify either a source security group or a CIDR range, the stack will launch successfully, but the rule will not be applied to the security group.
For more information about security groups, see [Amazon EC2 security groups for your Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) in the *Amazon EC2 User Guide*.
#### JSON
```
1. "ServerSecurityGroup": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "Allow connections from specified CIDR ranges",
5. "SecurityGroupIngress": [
6. {
7. "IpProtocol": "tcp",
8. "FromPort": "80",
9. "ToPort": "80",
10. "CidrIp": "192.0.2.0/24"
11. },
12. {
13. "IpProtocol": "tcp",
14. "FromPort": "22",
15. "ToPort": "22",
16. "CidrIp": "192.0.2.0/24"
17. }
18. ]
19. }
20. }
```
#### YAML
```
1. ServerSecurityGroup:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: Allow connections from specified CIDR ranges
5. SecurityGroupIngress:
6. - IpProtocol: tcp
7. FromPort: 80
8. ToPort: 80
9. CidrIp: 192.0.2.0/24
10. - IpProtocol: tcp
11. FromPort: 22
12. ToPort: 22
13. CidrIp: 192.0.2.0/24
```
### Create cross-referencing security groups with ingress rules
The following snippet uses the [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource to create two Amazon EC2 security groups, `SGroup1` and `SGroup2`. Ingress rules that allow communication between the two security groups are created by using the [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroupingress.html) resource. `SGroup1Ingress` establishes an ingress rule for `SGroup1` that allows incoming TCP traffic on port 80 from the source security group, `SGroup2`. `SGroup2Ingress` establishes an ingress rule for `SGroup2` that allows incoming TCP traffic on port 80 from the source security group, `SGroup1`.
#### JSON
```
1. "SGroup1": {
2. "Type": "AWS::EC2::SecurityGroup",
3. "Properties": {
4. "GroupDescription": "EC2 instance access"
5. }
6. },
7. "SGroup2": {
8. "Type": "AWS::EC2::SecurityGroup",
9. "Properties": {
10. "GroupDescription": "EC2 instance access"
11. }
12. },
13. "SGroup1Ingress": {
14. "Type": "AWS::EC2::SecurityGroupIngress",
15. "Properties": {
16. "GroupName": {
17. "Ref": "SGroup1"
18. },
19. "IpProtocol": "tcp",
20. "ToPort": "80",
21. "FromPort": "80",
22. "SourceSecurityGroupName": {
23. "Ref": "SGroup2"
24. }
25. }
26. },
27. "SGroup2Ingress": {
28. "Type": "AWS::EC2::SecurityGroupIngress",
29. "Properties": {
30. "GroupName": {
31. "Ref": "SGroup2"
32. },
33. "IpProtocol": "tcp",
34. "ToPort": "80",
35. "FromPort": "80",
36. "SourceSecurityGroupName": {
37. "Ref": "SGroup1"
38. }
39. }
40. }
```
#### YAML
```
1. SGroup1:
2. Type: AWS::EC2::SecurityGroup
3. Properties:
4. GroupDescription: EC2 Instance access
5. SGroup2:
6. Type: AWS::EC2::SecurityGroup
7. Properties:
8. GroupDescription: EC2 Instance access
9. SGroup1Ingress:
10. Type: AWS::EC2::SecurityGroupIngress
11. Properties:
12. GroupName: !Ref SGroup1
13. IpProtocol: tcp
14. ToPort: 80
15. FromPort: 80
16. SourceSecurityGroupName: !Ref SGroup2
17. SGroup2Ingress:
18. Type: AWS::EC2::SecurityGroupIngress
19. Properties:
20. GroupName: !Ref SGroup2
21. IpProtocol: tcp
22. ToPort: 80
23. FromPort: 80
24. SourceSecurityGroupName: !Ref SGroup1
```
## Create an Elastic Load Balancer with a security group ingress rule
The following template creates an [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html) resource in the specified availability zone. The [AWS::ElasticLoadBalancing::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancing-loadbalancer.html) resource is configured to listen on port 80 for HTTP traffic and direct requests to instances also on port 80. The Elastic Load Balancer is responsible for load balancing incoming HTTP traffic among the instances.
Additionally, this template generates an [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) resource associated with the load balancer. This security group is created with a single ingress rule, described as `ELB ingress group`, which allows incoming TCP traffic on port 80. The source for this ingress rule is defined using the `Fn::GetAtt` fucntion to retrieve attributes from the load balancer resource. `SourceSecurityGroupOwnerId` uses `Fn::GetAtt` to obtain the `OwnerAlias` of the source security group of the load balancer. `SourceSecurityGroupName` uses `Fn::Getatt` to obtain the `GroupName` of the source security group of the ELB.
This setup ensures secure communication between the ELB and the instances.
For more information about load balancing, see the [Elastic Load Balancing User Guide](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/).
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyELB": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"AvailabilityZones": [
"aa-example-1a"
],
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}
]
}
},
"MyELBIngressGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "ELB ingress group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"SourceSecurityGroupOwnerId": {
"Fn::GetAtt": [
"MyELB",
"SourceSecurityGroup.OwnerAlias"
]
},
"SourceSecurityGroupName": {
"Fn::GetAtt": [
"MyELB",
"SourceSecurityGroup.GroupName"
]
}
}
]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
MyELB:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- aa-example-1a
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
MyELBIngressGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: ELB ingress group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
SourceSecurityGroupOwnerId:
Fn::GetAtt:
- MyELB
- SourceSecurityGroup.OwnerAlias
SourceSecurityGroupName:
Fn::GetAtt:
- MyELB
- SourceSecurityGroup.GroupName
```
# Allocate and associate Elastic IP addresses with CloudFormation
The following template snippets are examples related to Elastic IP addresses (EIPs) in Amazon EC2. These examples cover allocation, association, and management of EIPs for your instances.
**Topics**
+ [
## Allocate an Elastic IP address and associate it with an Amazon EC2 instance
](#scenario-ec2-eip)
+ [
## Associate an Elastic IP address to an Amazon EC2 instance by specifying the IP address
](#scenario-ec2-eip-association)
+ [
## Associate an Elastic IP address to an Amazon EC2 instance by specifying the allocation ID of the IP address
](#scenario-ec2-eip-association-vpc)
## Allocate an Elastic IP address and associate it with an Amazon EC2 instance
The following snippet allocates an Amazon EC2 Elastic IP (EIP) address and associates it with an Amazon EC2 instance using an [AWS::EC2::EIP ](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) resource. You can allocate an EIP address from an address pool owned by AWS or from an address pool created from a public IPv4 address range you bring to AWS for use with your AWS resources using [bring your own IP addresses (BYOIP)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html). In this example, the EIP is allocated from an address pool owned by AWS.
For more information about Elastic IP addresses, see [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) in the *Amazon EC2 User Guide*.
### JSON
```
1. "ElasticIP": {
2. "Type": "AWS::EC2::EIP",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. }
7. }
8. }
```
### YAML
```
1. ElasticIP:
2. Type: AWS::EC2::EIP
3. Properties:
4. InstanceId: !Ref EC2Instance
```
## Associate an Elastic IP address to an Amazon EC2 instance by specifying the IP address
The following snippet associates an existing Amazon EC2 Elastic IP address to an EC2 instance using an [AWS::EC2::EIPAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) resource. You must first allocate an Elastic IP address for use in your account. An Elastic IP address can be associated with a single instance.
### JSON
```
1. "IPAssoc": {
2. "Type": "AWS::EC2::EIPAssociation",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. },
7. "EIP": "192.0.2.0"
8. }
9. }
```
### YAML
```
1. IPAssoc:
2. Type: AWS::EC2::EIPAssociation
3. Properties:
4. InstanceId: !Ref EC2Instance
5. EIP: 192.0.2.0
```
## Associate an Elastic IP address to an Amazon EC2 instance by specifying the allocation ID of the IP address
The following snippet associates an existing Elastic IP address to an Amazon EC2 instance by specifying the allocation ID using an [AWS::EC2::EIPAssociation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) resource. An allocation ID is assigned to an Elastic IP address upon Elastic IP address allocation.
### JSON
```
1. "IPAssoc": {
2. "Type": "AWS::EC2::EIPAssociation",
3. "Properties": {
4. "InstanceId": {
5. "Ref": "Ec2Instance"
6. },
7. "AllocationId": "eipalloc-1234567890abcdef0"
8. }
9. }
```
### YAML
```
1. IPAssoc:
2. Type: AWS::EC2::EIPAssociation
3. Properties:
4. InstanceId: !Ref EC2Instance
5. AllocationId: eipalloc-1234567890abcdef0
```
# Configure Amazon VPC resources with CloudFormation
This section provides examples for configuring Amazon VPC resources using CloudFormation. VPCs allow you to create a virtual network within AWS, and these snippets show how to configure aspects of VPCs to meet your networking requirements.
**Topics**
+ [
## Enable IPv6 egress-only internet access in a VPC
](#quickref-ec2-route-egressonlyinternetgateway)
+ [
## Elastic network interface (ENI) template snippets
](#cfn-template-snippets-eni)
## Enable IPv6 egress-only internet access in a VPC
An egress-only internet gateway allows instances within a VPC to access the internet and prevent resources on the internet from communicating with the instances. The following snippet enables IPv6 egress-only internet access from within a VPC. It creates a VPC with an IPv4 address range of `10.0.0/16` using an [AWS::EC2::VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) resource. A route table is associated with this VPC resource using an [AWS::EC2::RouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-routetable.html) resource. The route table manages routes for instances within the VPC. An [AWS::EC2::EgressOnlyInternetGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-egressonlyinternetgateway.html) is used to create an egress-only internet gateway to enable IPv6 communication for outbound traffic from instances within the VPC, while preventing inbound traffic. An [AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-route.html) resource is specified to create an IPv6 route in the route table that directs all outbound IPv6 traffic (`::/0`) to the egress-only internet gateway.
For more information about egress-only internet gateways, see [Enable outbound IPv6 traffic using an egress-only internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html) in the *Amazon VPC User Guide*.
### JSON
```
"DefaultIpv6Route": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationIpv6CidrBlock": "::/0",
"EgressOnlyInternetGatewayId": {
"Ref": "EgressOnlyInternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
}
},
"EgressOnlyInternetGateway": {
"Type": "AWS::EC2::EgressOnlyInternetGateway",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
}
```
### YAML
```
DefaultIpv6Route:
Type: AWS::EC2::Route
Properties:
DestinationIpv6CidrBlock: "::/0"
EgressOnlyInternetGatewayId:
Ref: "EgressOnlyInternetGateway"
RouteTableId:
Ref: "RouteTable"
EgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId:
Ref: "VPC"
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: "VPC"
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: "10.0.0.0/16"
```
## Elastic network interface (ENI) template snippets
### Create an Amazon EC2 instance with attached elastic network interfaces (ENIs)
The following example snippet creates an Amazon EC2 instance using an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) resource in the specified Amazon VPC and subnet. It attaches two network interfaces (ENIs) with the instance, associates Elastic IP addresses to the instances through the attached ENIs, and configures the security group for SSH and HTTP access. User data is supplied to the instance as part of the launch configuration when the instance is created. The user data includes a script encoded in `base64` format to ensure it is passed to the instance. When the instance is launched, the script runs automatically as part of the bootstrapping process. It installs `ec2-net-utils`, configures the network interfaces, and starts the HTTP service.
To determine the appropriate Amazon Machine Image (AMI) based on the selected Region, the snippet uses a `Fn::FindInMap` function that looks up values in a `RegionMap` mapping. This mapping must be defined in the larger template. The two network interfaces are created using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html) resources. Elastic IP addresses are specified using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) resources allocated to the `vpc` domain. These elastic IP addresses are associated with the network interfaces using [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) resources.
The `Outputs` section defines values or resources that you want to access after the stack is created. In this snippet, the defined output is `InstancePublicIp`, which represents the public IP address of the EC2 instance created by the stack. You can retrieve this output in the **Output** tab on the CloudFormation console, or using the [describe-stacks](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-stacks.html) command.
For more information about elastic network interfaces, see [Elastic network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html).
#### JSON
```
"Resources": {
"ControlPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateControlPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"ControlPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "controlXface"
}
}
},
"WebPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateWebPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"WebPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "webXface"
}
}
},
"SSHSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"IpProtocol": "tcp",
"ToPort": 22
}
]
}
},
"WebSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable HTTP access via user-defined port",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 80,
"IpProtocol": "tcp",
"ToPort": 80
}
]
}
},
"controlXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for controlling traffic such as SSH",
"GroupSet": [
{
"Fn::GetAtt": [
"SSHSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Control"
}
]
}
},
"webXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for web traffic",
"GroupSet": [
{
"Fn::GetAtt": [
"WebSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Web"
}
]
}
},
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"KeyName": {
"Ref": "KeyName"
},
"NetworkInterfaces": [
{
"NetworkInterfaceId": {
"Ref": "controlXface"
},
"DeviceIndex": "0"
},
{
"NetworkInterfaceId": {
"Ref": "webXface"
},
"DeviceIndex": "1"
}
],
"Tags": [
{
"Key": "Role",
"Value": "Test Instance"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n"
}
}
}
}
},
"Outputs": {
"InstancePublicIp": {
"Description": "Public IP Address of the EC2 Instance",
"Value": {
"Fn::GetAtt": [
"Ec2Instance",
"PublicIp"
]
}
}
}
```
#### YAML
```
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- ControlPortAddress
- AllocationId
NetworkInterfaceId:
Ref: controlXface
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- WebPortAddress
- AllocationId
NetworkInterfaceId:
Ref: webXface
SSHSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable HTTP access via user-defined port
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- Fn::GetAtt:
- SSHSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Control
webXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for web traffic
GroupSet:
- Fn::GetAtt:
- WebSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Web
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
NetworkInterfaces:
- NetworkInterfaceId:
Ref: controlXface
DeviceIndex: "0"
- NetworkInterfaceId:
Ref: webXface
DeviceIndex: "1"
Tags:
- Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start
Outputs:
InstancePublicIp:
Description: Public IP Address of the EC2 Instance
Value:
Fn::GetAtt:
- Ec2Instance
- PublicIp
```
# Amazon Elastic Container Service sample templates
Amazon Elastic Container Service (Amazon ECS) is a container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances.
## Create a cluster with the AL2023 Amazon ECS-Optimized-AMI
Define a cluster that uses a capacity provider that launches AL2023 instances on Amazon EC2.
**Important**
For the latest AMI IDs, see [Amazon ECS-optimized AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide*.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks.",
"Parameters": {
"InstanceType": {
"Type": "String",
"Description": "EC2 instance type",
"Default": "t2.medium",
"AllowedValues": [
"t1.micro",
"t2.2xlarge",
"t2.large",
"t2.medium",
"t2.micro",
"t2.nano",
"t2.small",
"t2.xlarge",
"t3.2xlarge",
"t3.large",
"t3.medium",
"t3.micro",
"t3.nano",
"t3.small",
"t3.xlarge"
]
},
"DesiredCapacity": {
"Type": "Number",
"Default": "0",
"Description": "Number of EC2 instances to launch in your ECS cluster."
},
"MaxSize": {
"Type": "Number",
"Default": "100",
"Description": "Maximum number of EC2 instances that can be launched in your ECS cluster."
},
"ECSAMI": {
"Description": "The Amazon Machine Image ID used for the cluster",
"Type": "AWS::SSM::Parameter::Value",
"Default": "/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id"
},
"VpcId": {
"Type": "AWS::EC2::VPC::Id",
"Description": "VPC ID where the ECS cluster is launched",
"Default": "vpc-1234567890abcdef0"
},
"SubnetIds": {
"Type": "List",
"Description": "List of subnet IDs where the EC2 instances will be launched",
"Default": "subnet-021345abcdef67890"
}
},
"Resources": {
"ECSCluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {
"ClusterSettings": [
{
"Name": "containerInsights",
"Value": "enabled"
}
]
}
},
"ECSAutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": [
"ECSCluster",
"EC2Role"
],
"Properties": {
"VPCZoneIdentifier": {
"Ref": "SubnetIds"
},
"LaunchTemplate": {
"LaunchTemplateId": {
"Ref": "ContainerInstances"
},
"Version": {
"Fn::GetAtt": [
"ContainerInstances",
"LatestVersionNumber"
]
}
},
"MinSize": 0,
"MaxSize": {
"Ref": "MaxSize"
},
"DesiredCapacity": {
"Ref": "DesiredCapacity"
},
"NewInstancesProtectedFromScaleIn": true
},
"UpdatePolicy": {
"AutoScalingReplacingUpdate": {
"WillReplace": "true"
}
}
},
"ContainerInstances": {
"Type": "AWS::EC2::LaunchTemplate",
"Properties": {
"LaunchTemplateName": "asg-launch-template",
"LaunchTemplateData": {
"ImageId": {
"Ref": "ECSAMI"
},
"InstanceType": {
"Ref": "InstanceType"
},
"IamInstanceProfile": {
"Name": {
"Ref": "EC2InstanceProfile"
}
},
"SecurityGroupIds": [
{
"Ref": "ContainerHostSecurityGroup"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\n echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config\n yum install -y aws-cfn-bootstrap\n /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &\n"
}
},
"MetadataOptions": {
"HttpEndpoint": "enabled",
"HttpTokens": "required"
}
}
}
},
"EC2InstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
{
"Ref": "EC2Role"
}
]
}
},
"CapacityProvider": {
"Type": "AWS::ECS::CapacityProvider",
"Properties": {
"AutoScalingGroupProvider": {
"AutoScalingGroupArn": {
"Ref": "ECSAutoScalingGroup"
},
"ManagedScaling": {
"InstanceWarmupPeriod": 60,
"MinimumScalingStepSize": 1,
"MaximumScalingStepSize": 100,
"Status": "ENABLED",
"TargetCapacity": 100
},
"ManagedTerminationProtection": "ENABLED"
}
}
},
"CapacityProviderAssociation": {
"Type": "AWS::ECS::ClusterCapacityProviderAssociations",
"Properties": {
"CapacityProviders": [
{
"Ref": "CapacityProvider"
}
],
"Cluster": {
"Ref": "ECSCluster"
},
"DefaultCapacityProviderStrategy": [
{
"Base": 0,
"CapacityProvider": {
"Ref": "CapacityProvider"
},
"Weight": 1
}
]
}
},
"ContainerHostSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Access to the EC2 hosts that run containers",
"VpcId": {
"Ref": "VpcId"
}
}
},
"EC2Role": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
}
},
"ECSTaskExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs-tasks.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::Sub": "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*"
}
},
"StringEquals": {
"aws:SourceAccount": {
"Fn::Sub": "${AWS::AccountId}"
}
}
}
}
]
},
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
]
}
}
},
"Outputs": {
"ClusterName": {
"Description": "The ECS cluster into which to launch resources",
"Value": "ECSCluster"
},
"ECSTaskExecutionRole": {
"Description": "The role used to start up a task",
"Value": "ECSTaskExecutionRole"
},
"CapacityProvider": {
"Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task",
"Value": "CapacityProvider"
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: 2010-09-09
Description: EC2 ECS cluster that starts out empty, with no EC2 instances yet.
An ECS capacity provider automatically launches more EC2 instances as required
on the fly when you request ECS to launch services or standalone tasks.
Parameters:
InstanceType:
Type: String
Description: EC2 instance type
Default: "t2.medium"
AllowedValues:
- t1.micro
- t2.2xlarge
- t2.large
- t2.medium
- t2.micro
- t2.nano
- t2.small
- t2.xlarge
- t3.2xlarge
- t3.large
- t3.medium
- t3.micro
- t3.nano
- t3.small
- t3.xlarge
DesiredCapacity:
Type: Number
Default: "0"
Description: Number of EC2 instances to launch in your ECS cluster.
MaxSize:
Type: Number
Default: "100"
Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
ECSAMI:
Description: The Amazon Machine Image ID used for the cluster
Type: AWS::SSM::Parameter::Value
Default: /aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id
VpcId:
Type: AWS::EC2::VPC::Id
Description: VPC ID where the ECS cluster is launched
Default: vpc-1234567890abcdef0
SubnetIds:
Type: List
Description: List of subnet IDs where the EC2 instances will be launched
Default: "subnet-021345abcdef67890"
Resources:
# This is authorizes ECS to manage resources on your
# account on your behalf. This role is likely already created on your account
# ECSRole:
# Type: AWS::IAM::ServiceLinkedRole
# Properties:
# AWSServiceName: 'ecs.amazonaws.com'
# ECS Resources
ECSCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterSettings:
- Name: containerInsights
Value: enabled
# Autoscaling group. This launches the actual EC2 instances that will register
# themselves as members of the cluster, and run the docker containers.
ECSAutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
# This is to ensure that the ASG gets deleted first before these
# resources, when it comes to stack teardown.
- ECSCluster
- EC2Role
Properties:
VPCZoneIdentifier:
Ref: SubnetIds
LaunchTemplate:
LaunchTemplateId: !Ref ContainerInstances
Version: !GetAtt ContainerInstances.LatestVersionNumber
MinSize: 0
MaxSize:
Ref: MaxSize
DesiredCapacity:
Ref: DesiredCapacity
NewInstancesProtectedFromScaleIn: true
UpdatePolicy:
AutoScalingReplacingUpdate:
WillReplace: "true"
# The config for each instance that is added to the cluster
ContainerInstances:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: "asg-launch-template"
LaunchTemplateData:
ImageId:
Ref: ECSAMI
InstanceType:
Ref: InstanceType
IamInstanceProfile:
Name: !Ref EC2InstanceProfile
SecurityGroupIds:
- !Ref ContainerHostSecurityGroup
# This injected configuration file is how the EC2 instance
# knows which ECS cluster on your AWS account it should be joining
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &
# Disable IMDSv1, and require IMDSv2
MetadataOptions:
HttpEndpoint: enabled
HttpTokens: required
EC2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref EC2Role
# Create an ECS capacity provider to attach the ASG to the ECS cluster
# so that it autoscales as we launch more containers
CapacityProvider:
Type: AWS::ECS::CapacityProvider
Properties:
AutoScalingGroupProvider:
AutoScalingGroupArn: !Ref ECSAutoScalingGroup
ManagedScaling:
InstanceWarmupPeriod: 60
MinimumScalingStepSize: 1
MaximumScalingStepSize: 100
Status: ENABLED
# Percentage of cluster reservation to try to maintain
TargetCapacity: 100
ManagedTerminationProtection: ENABLED
# Create a cluster capacity provider assocation so that the cluster
# will use the capacity provider
CapacityProviderAssociation:
Type: AWS::ECS::ClusterCapacityProviderAssociations
Properties:
CapacityProviders:
- !Ref CapacityProvider
Cluster: !Ref ECSCluster
DefaultCapacityProviderStrategy:
- Base: 0
CapacityProvider: !Ref CapacityProvider
Weight: 1
# A security group for the EC2 hosts that will run the containers.
# This can be used to limit incoming traffic to or outgoing traffic
# from the container's host EC2 instance.
ContainerHostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the EC2 hosts that run containers
VpcId:
Ref: VpcId
# Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts
# to communciate with the ECS control plane, as well as download the docker
# images from ECR to run on your host.
EC2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
# See reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerServiceforEC2Role
- arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
# This managed policy allows us to connect to the instance using SSM
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
# This is a role which is used within Fargate to allow the Fargate agent
# to download images, and upload logs.
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- sts:AssumeRole
Condition:
ArnLike:
aws:SourceArn: !Sub arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*
StringEquals:
aws:SourceAccount: !Sub ${AWS::AccountId}
Path: /
# This role enables all features of ECS. See reference:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonECSTaskExecutionRolePolicy
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Outputs:
ClusterName:
Description: The ECS cluster into which to launch resources
Value: ECSCluster
ECSTaskExecutionRole:
Description: The role used to start up a task
Value: ECSTaskExecutionRole
CapacityProvider:
Description: The cluster capacity provider that the service should use to
request capacity when it wants to start up a task
Value: CapacityProvider
```
## Deploy a service
The following template defines a service that uses the capacity provider to request AL2023 capacity to run on. Containers will be launched onto the AL2023 instances as they come online:
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "An example service that deploys in AWS VPC networking mode on EC2 capacity. Service uses a capacity provider to request EC2 instances to run on. Service runs with networking in private subnets, but still accessible to the internet via a load balancer hosted in public subnets.",
"Parameters": {
"VpcId": {
"Type": "String",
"Description": "The VPC that the service is running inside of"
},
"PublicSubnetIds": {
"Type": "List",
"Description": "List of public subnet ID's to put the load balancer in"
},
"PrivateSubnetIds": {
"Type": "List",
"Description": "List of private subnet ID's that the AWS VPC tasks are in"
},
"ClusterName": {
"Type": "String",
"Description": "The name of the ECS cluster into which to launch capacity."
},
"ECSTaskExecutionRole": {
"Type": "String",
"Description": "The role used to start up an ECS task"
},
"CapacityProvider": {
"Type": "String",
"Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task"
},
"ServiceName": {
"Type": "String",
"Default": "web",
"Description": "A name for the service"
},
"ImageUrl": {
"Type": "String",
"Default": "public.ecr.aws/docker/library/nginx:latest",
"Description": "The url of a docker image that contains the application process that will handle the traffic for this service"
},
"ContainerCpu": {
"Type": "Number",
"Default": 256,
"Description": "How much CPU to give the container. 1024 is 1 CPU"
},
"ContainerMemory": {
"Type": "Number",
"Default": 512,
"Description": "How much memory in megabytes to give the container"
},
"ContainerPort": {
"Type": "Number",
"Default": 80,
"Description": "What port that the application expects traffic on"
},
"DesiredCount": {
"Type": "Number",
"Default": 2,
"Description": "How many copies of the service task to run"
}
},
"Resources": {
"TaskDefinition": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"Family": {
"Ref": "ServiceName"
},
"Cpu": {
"Ref": "ContainerCpu"
},
"Memory": {
"Ref": "ContainerMemory"
},
"NetworkMode": "awsvpc",
"RequiresCompatibilities": [
"EC2"
],
"ExecutionRoleArn": {
"Ref": "ECSTaskExecutionRole"
},
"ContainerDefinitions": [
{
"Name": {
"Ref": "ServiceName"
},
"Cpu": {
"Ref": "ContainerCpu"
},
"Memory": {
"Ref": "ContainerMemory"
},
"Image": {
"Ref": "ImageUrl"
},
"PortMappings": [
{
"ContainerPort": {
"Ref": "ContainerPort"
},
"HostPort": {
"Ref": "ContainerPort"
}
}
],
"LogConfiguration": {
"LogDriver": "awslogs",
"Options": {
"mode": "non-blocking",
"max-buffer-size": "25m",
"awslogs-group": {
"Ref": "LogGroup"
},
"awslogs-region": {
"Ref": "AWS::Region"
},
"awslogs-stream-prefix": {
"Ref": "ServiceName"
}
}
}
}
]
}
},
"Service": {
"Type": "AWS::ECS::Service",
"DependsOn": "PublicLoadBalancerListener",
"Properties": {
"ServiceName": {
"Ref": "ServiceName"
},
"Cluster": {
"Ref": "ClusterName"
},
"PlacementStrategies": [
{
"Field": "attribute:ecs.availability-zone",
"Type": "spread"
},
{
"Field": "cpu",
"Type": "binpack"
}
],
"CapacityProviderStrategy": [
{
"Base": 0,
"CapacityProvider": {
"Ref": "CapacityProvider"
},
"Weight": 1
}
],
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"SecurityGroups": [
{
"Ref": "ServiceSecurityGroup"
}
],
"Subnets": {
"Ref": "PrivateSubnetIds"
}
}
},
"DeploymentConfiguration": {
"MaximumPercent": 200,
"MinimumHealthyPercent": 75
},
"DesiredCount": {
"Ref": "DesiredCount"
},
"TaskDefinition": {
"Ref": "TaskDefinition"
},
"LoadBalancers": [
{
"ContainerName": {
"Ref": "ServiceName"
},
"ContainerPort": {
"Ref": "ContainerPort"
},
"TargetGroupArn": {
"Ref": "ServiceTargetGroup"
}
}
]
}
},
"ServiceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for service",
"VpcId": {
"Ref": "VpcId"
}
}
},
"ServiceTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"HealthCheckIntervalSeconds": 6,
"HealthCheckPath": "/",
"HealthCheckProtocol": "HTTP",
"HealthCheckTimeoutSeconds": 5,
"HealthyThresholdCount": 2,
"TargetType": "ip",
"Port": {
"Ref": "ContainerPort"
},
"Protocol": "HTTP",
"UnhealthyThresholdCount": 10,
"VpcId": {
"Ref": "VpcId"
},
"TargetGroupAttributes": [
{
"Key": "deregistration_delay.timeout_seconds",
"Value": 0
}
]
}
},
"PublicLoadBalancerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Access to the public facing load balancer",
"VpcId": {
"Ref": "VpcId"
},
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"IpProtocol": -1
}
]
}
},
"PublicLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Scheme": "internet-facing",
"LoadBalancerAttributes": [
{
"Key": "idle_timeout.timeout_seconds",
"Value": "30"
}
],
"Subnets": {
"Ref": "PublicSubnetIds"
},
"SecurityGroups": [
{
"Ref": "PublicLoadBalancerSG"
}
]
}
},
"PublicLoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"DefaultActions": [
{
"Type": "forward",
"ForwardConfig": {
"TargetGroups": [
{
"TargetGroupArn": {
"Ref": "ServiceTargetGroup"
},
"Weight": 100
}
]
}
}
],
"LoadBalancerArn": {
"Ref": "PublicLoadBalancer"
},
"Port": 80,
"Protocol": "HTTP"
}
},
"ServiceIngressfromLoadBalancer": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"Description": "Ingress from the public ALB",
"GroupId": {
"Ref": "ServiceSecurityGroup"
},
"IpProtocol": -1,
"SourceSecurityGroupId": {
"Ref": "PublicLoadBalancerSG"
}
}
},
"LogGroup": {
"Type": "AWS::Logs::LogGroup"
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
An example service that deploys in AWS VPC networking mode on EC2 capacity.
Service uses a capacity provider to request EC2 instances to run on. Service
runs with networking in private subnets, but still accessible to the internet
via a load balancer hosted in public subnets.
Parameters:
VpcId:
Type: String
Description: The VPC that the service is running inside of
PublicSubnetIds:
Type: 'List'
Description: List of public subnet ID's to put the load balancer in
PrivateSubnetIds:
Type: 'List'
Description: List of private subnet ID's that the AWS VPC tasks are in
ClusterName:
Type: String
Description: The name of the ECS cluster into which to launch capacity.
ECSTaskExecutionRole:
Type: String
Description: The role used to start up an ECS task
CapacityProvider:
Type: String
Description: >-
The cluster capacity provider that the service should use to request
capacity when it wants to start up a task
ServiceName:
Type: String
Default: web
Description: A name for the service
ImageUrl:
Type: String
Default: 'public.ecr.aws/docker/library/nginx:latest'
Description: >-
The url of a docker image that contains the application process that will
handle the traffic for this service
ContainerCpu:
Type: Number
Default: 256
Description: How much CPU to give the container. 1024 is 1 CPU
ContainerMemory:
Type: Number
Default: 512
Description: How much memory in megabytes to give the container
ContainerPort:
Type: Number
Default: 80
Description: What port that the application expects traffic on
DesiredCount:
Type: Number
Default: 2
Description: How many copies of the service task to run
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Ref ServiceName
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- EC2
ExecutionRoleArn: !Ref ECSTaskExecutionRole
ContainerDefinitions:
- Name: !Ref ServiceName
Cpu: !Ref ContainerCpu
Memory: !Ref ContainerMemory
Image: !Ref ImageUrl
PortMappings:
- ContainerPort: !Ref ContainerPort
HostPort: !Ref ContainerPort
LogConfiguration:
LogDriver: awslogs
Options:
mode: non-blocking
max-buffer-size: 25m
awslogs-group: !Ref LogGroup
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Ref ServiceName
Service:
Type: AWS::ECS::Service
DependsOn: PublicLoadBalancerListener
Properties:
ServiceName: !Ref ServiceName
Cluster: !Ref ClusterName
PlacementStrategies:
- Field: 'attribute:ecs.availability-zone'
Type: spread
- Field: cpu
Type: binpack
CapacityProviderStrategy:
- Base: 0
CapacityProvider: !Ref CapacityProvider
Weight: 1
NetworkConfiguration:
AwsvpcConfiguration:
SecurityGroups:
- !Ref ServiceSecurityGroup
Subnets: !Ref PrivateSubnetIds
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 75
DesiredCount: !Ref DesiredCount
TaskDefinition: !Ref TaskDefinition
LoadBalancers:
- ContainerName: !Ref ServiceName
ContainerPort: !Ref ContainerPort
TargetGroupArn: !Ref ServiceTargetGroup
ServiceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for service
VpcId: !Ref VpcId
ServiceTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 6
HealthCheckPath: /
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
TargetType: ip
Port: !Ref ContainerPort
Protocol: HTTP
UnhealthyThresholdCount: 10
VpcId: !Ref VpcId
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: 0
PublicLoadBalancerSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the public facing load balancer
VpcId: !Ref VpcId
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: -1
PublicLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internet-facing
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '30'
Subnets: !Ref PublicSubnetIds
SecurityGroups:
- !Ref PublicLoadBalancerSG
PublicLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- Type: forward
ForwardConfig:
TargetGroups:
- TargetGroupArn: !Ref ServiceTargetGroup
Weight: 100
LoadBalancerArn: !Ref PublicLoadBalancer
Port: 80
Protocol: HTTP
ServiceIngressfromLoadBalancer:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Ingress from the public ALB
GroupId: !Ref ServiceSecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref PublicLoadBalancerSG
LogGroup:
Type: AWS::Logs::LogGroup
```
# Amazon Elastic File System Sample Template
Amazon Elastic File System (Amazon EFS) is a file storage service for Amazon Elastic Compute Cloud (Amazon EC2) instances. With Amazon EFS, your applications have storage when they need it because storage capacity grows and shrinks automatically as you add and remove files.
The following sample template deploys EC2 instances (in an Auto Scaling group) that are associated with an Amazon EFS file system. To associate the instances with the file system, the instances run the cfn-init helper script, which downloads and installs the `nfs-utils` yum package, creates a new directory, and then uses the file system's DNS name to mount the file system at that directory. The file system's DNS name resolves to a mount target's IP address in the Amazon EC2 instance's Availability Zone. For more information about the DNS name structure, see [Mounting File Systems](https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html) in the *Amazon Elastic File System User Guide*.
To measure Network File System activity, the template includes custom Amazon CloudWatch metrics. The template also creates a VPC, subnet, and security groups. To allow the instances to communicate with the file system, the VPC must have DNS enabled, and the mount target and the EC2 instances must be in the same Availability Zone (AZ), which is specified by the subnet.
The security group of the mount target enables a network connection to TCP port 2049, which is required for an NFSv4 client to mount a file system. For more information on security groups for EC2 instances and mount targets, see [Security](https://docs.aws.amazon.com/efs/latest/ug/security-considerations.html) in the [https://docs.aws.amazon.com/efs/latest/ug/](https://docs.aws.amazon.com/efs/latest/ug/).
**Note**
If you make an update to the mount target that causes it to be replaced, instances or applications that use the associated file system might be disrupted. This can cause uncommitted writes to be lost. To avoid disruption, stop your instances when you update the mount target by setting the desired capacity to zero. This allows the instances to unmount the file system before the mount target is deleted. After the mount update has completed, start your instances in a subsequent update by setting the desired capacity.
## JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "This template creates an Amazon EFS file system and mount target and associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This template creates Amazon EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template.",
"Parameters": {
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.small",
"AllowedValues" : [
"t1.micro",
"t2.nano",
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge",
"m3.medium",
"m3.large",
"m3.xlarge",
"m3.2xlarge",
"m4.large",
"m4.xlarge",
"m4.2xlarge",
"m4.4xlarge",
"m4.10xlarge",
"c1.medium",
"c1.xlarge",
"c3.large",
"c3.xlarge",
"c3.2xlarge",
"c3.4xlarge",
"c3.8xlarge",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"g2.2xlarge",
"g2.8xlarge",
"r3.large",
"r3.xlarge",
"r3.2xlarge",
"r3.4xlarge",
"r3.8xlarge",
"i2.xlarge",
"i2.2xlarge",
"i2.4xlarge",
"i2.8xlarge",
"d2.xlarge",
"d2.2xlarge",
"d2.4xlarge",
"d2.8xlarge",
"hi1.4xlarge",
"hs1.8xlarge",
"cr1.8xlarge",
"cc2.8xlarge",
"cg1.4xlarge"
],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"KeyName": {
"Type": "AWS::EC2::KeyPair::KeyName",
"Description": "Name of an existing EC2 key pair to enable SSH access to the EC2 instances"
},
"AsgMaxSize": {
"Type": "Number",
"Description": "Maximum size and initial desired capacity of Auto Scaling Group",
"Default": "2"
},
"SSHLocation" : {
"Description" : "The IP address range that can be used to connect to the EC2 instances by using SSH",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"VolumeName" : {
"Description" : "The name to be used for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
},
"MountPoint" : {
"Description" : "The Linux mount point for the EFS volume",
"Type": "String",
"MinLength": "1",
"Default": "myEFSvolume"
}
},
"Mappings" : {
"AWSInstanceType2Arch" : {
"t1.micro" : { "Arch" : "HVM64" },
"t2.nano" : { "Arch" : "HVM64" },
"t2.micro" : { "Arch" : "HVM64" },
"t2.small" : { "Arch" : "HVM64" },
"t2.medium" : { "Arch" : "HVM64" },
"t2.large" : { "Arch" : "HVM64" },
"m1.small" : { "Arch" : "HVM64" },
"m1.medium" : { "Arch" : "HVM64" },
"m1.large" : { "Arch" : "HVM64" },
"m1.xlarge" : { "Arch" : "HVM64" },
"m2.xlarge" : { "Arch" : "HVM64" },
"m2.2xlarge" : { "Arch" : "HVM64" },
"m2.4xlarge" : { "Arch" : "HVM64" },
"m3.medium" : { "Arch" : "HVM64" },
"m3.large" : { "Arch" : "HVM64" },
"m3.xlarge" : { "Arch" : "HVM64" },
"m3.2xlarge" : { "Arch" : "HVM64" },
"m4.large" : { "Arch" : "HVM64" },
"m4.xlarge" : { "Arch" : "HVM64" },
"m4.2xlarge" : { "Arch" : "HVM64" },
"m4.4xlarge" : { "Arch" : "HVM64" },
"m4.10xlarge" : { "Arch" : "HVM64" },
"c1.medium" : { "Arch" : "HVM64" },
"c1.xlarge" : { "Arch" : "HVM64" },
"c3.large" : { "Arch" : "HVM64" },
"c3.xlarge" : { "Arch" : "HVM64" },
"c3.2xlarge" : { "Arch" : "HVM64" },
"c3.4xlarge" : { "Arch" : "HVM64" },
"c3.8xlarge" : { "Arch" : "HVM64" },
"c4.large" : { "Arch" : "HVM64" },
"c4.xlarge" : { "Arch" : "HVM64" },
"c4.2xlarge" : { "Arch" : "HVM64" },
"c4.4xlarge" : { "Arch" : "HVM64" },
"c4.8xlarge" : { "Arch" : "HVM64" },
"g2.2xlarge" : { "Arch" : "HVMG2" },
"g2.8xlarge" : { "Arch" : "HVMG2" },
"r3.large" : { "Arch" : "HVM64" },
"r3.xlarge" : { "Arch" : "HVM64" },
"r3.2xlarge" : { "Arch" : "HVM64" },
"r3.4xlarge" : { "Arch" : "HVM64" },
"r3.8xlarge" : { "Arch" : "HVM64" },
"i2.xlarge" : { "Arch" : "HVM64" },
"i2.2xlarge" : { "Arch" : "HVM64" },
"i2.4xlarge" : { "Arch" : "HVM64" },
"i2.8xlarge" : { "Arch" : "HVM64" },
"d2.xlarge" : { "Arch" : "HVM64" },
"d2.2xlarge" : { "Arch" : "HVM64" },
"d2.4xlarge" : { "Arch" : "HVM64" },
"d2.8xlarge" : { "Arch" : "HVM64" },
"hi1.4xlarge" : { "Arch" : "HVM64" },
"hs1.8xlarge" : { "Arch" : "HVM64" },
"cr1.8xlarge" : { "Arch" : "HVM64" },
"cc2.8xlarge" : { "Arch" : "HVM64" }
},
"AWSRegionArch2AMI" : {
"us-east-1" : {"HVM64" : "ami-0ff8a91507f77f867", "HVMG2" : "ami-0a584ac55a7631c0c"},
"us-west-2" : {"HVM64" : "ami-a0cfeed8", "HVMG2" : "ami-0e09505bc235aa82d"},
"us-west-1" : {"HVM64" : "ami-0bdb828fd58c52235", "HVMG2" : "ami-066ee5fd4a9ef77f1"},
"eu-west-1" : {"HVM64" : "ami-047bb4163c506cd98", "HVMG2" : "ami-0a7c483d527806435"},
"eu-west-2" : {"HVM64" : "ami-f976839e", "HVMG2" : "NOT_SUPPORTED"},
"eu-west-3" : {"HVM64" : "ami-0ebc281c20e89ba4b", "HVMG2" : "NOT_SUPPORTED"},
"eu-central-1" : {"HVM64" : "ami-0233214e13e500f77", "HVMG2" : "ami-06223d46a6d0661c7"},
"ap-northeast-1" : {"HVM64" : "ami-06cd52961ce9f0d85", "HVMG2" : "ami-053cdd503598e4a9d"},
"ap-northeast-2" : {"HVM64" : "ami-0a10b2721688ce9d2", "HVMG2" : "NOT_SUPPORTED"},
"ap-northeast-3" : {"HVM64" : "ami-0d98120a9fb693f07", "HVMG2" : "NOT_SUPPORTED"},
"ap-southeast-1" : {"HVM64" : "ami-08569b978cc4dfa10", "HVMG2" : "ami-0be9df32ae9f92309"},
"ap-southeast-2" : {"HVM64" : "ami-09b42976632b27e9b", "HVMG2" : "ami-0a9ce9fecc3d1daf8"},
"ap-south-1" : {"HVM64" : "ami-0912f71e06545ad88", "HVMG2" : "ami-097b15e89dbdcfcf4"},
"us-east-2" : {"HVM64" : "ami-0b59bfac6be064b78", "HVMG2" : "NOT_SUPPORTED"},
"ca-central-1" : {"HVM64" : "ami-0b18956f", "HVMG2" : "NOT_SUPPORTED"},
"sa-east-1" : {"HVM64" : "ami-07b14488da8ea02a0", "HVMG2" : "NOT_SUPPORTED"},
"cn-north-1" : {"HVM64" : "ami-0a4eaf6c4454eda75", "HVMG2" : "NOT_SUPPORTED"},
"cn-northwest-1" : {"HVM64" : "ami-6b6a7d09", "HVMG2" : "NOT_SUPPORTED"}
}
},
"Resources": {
"CloudWatchPutMetricsRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"Service" : [ "ec2.amazonaws.com" ]
},
"Action" : [ "sts:AssumeRole" ]
} ]
},
"Path" : "/"
}
},
"CloudWatchPutMetricsRolePolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "CloudWatch_PutMetricData",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchPutMetricData",
"Effect": "Allow",
"Action": ["cloudwatch:PutMetricData"],
"Resource": ["*"]
}
]
},
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"CloudWatchPutMetricsInstanceProfile" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : [ { "Ref" : "CloudWatchPutMetricsRole" } ]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"CidrBlock": "10.0.0.0/16",
"Tags": [ {"Key": "Application", "Value": { "Ref": "AWS::StackId"} } ]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"RouteTable":{
"Type":"AWS::EC2::RouteTable",
"Properties":{
"VpcId": {"Ref":"VPC"}
}
},
"SubnetRouteTableAssoc": {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"RouteTableId" : {"Ref":"RouteTable"},
"SubnetId" : {"Ref":"Subnet"}
}
},
"InternetGatewayRoute": {
"Type":"AWS::EC2::Route",
"Properties":{
"DestinationCidrBlock":"0.0.0.0/0",
"RouteTableId":{"Ref":"RouteTable"},
"GatewayId":{"Ref":"InternetGateway"}
}
},
"Subnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/24",
"Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } } ]
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{ "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": { "Ref": "SSHLocation" } },
{ "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
]
}
},
"MountTargetSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": { "Ref": "VPC" },
"GroupDescription": "Security group for mount target",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 2049,
"ToPort": 2049,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"PerformanceMode": "generalPurpose",
"FileSystemTags": [
{
"Key": "Name",
"Value": { "Ref" : "VolumeName" }
}
]
}
},
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
},
"LaunchConfiguration": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"configSets" : {
"MountConfig" : [ "setup", "mount" ]
},
"setup" : {
"packages" : {
"yum" : {
"nfs-utils" : []
}
},
"files" : {
"/home/ec2-user/post_nfsstat" : {
"content" : { "Fn::Join" : [ "", [
"#!/bin/bash\n",
"\n",
"INPUT=\"$(cat)\"\n",
"CW_JSON_OPEN='{ \"Namespace\": \"EFS\", \"MetricData\": [ '\n",
"CW_JSON_CLOSE=' ] }'\n",
"CW_JSON_METRIC=''\n",
"METRIC_COUNTER=0\n",
"\n",
"for COL in 1 2 3 4 5 6; do\n",
"\n",
" COUNTER=0\n",
" METRIC_FIELD=$COL\n",
" DATA_FIELD=$(($COL+($COL-1)))\n",
"\n",
" while read line; do\n",
" if [[ COUNTER -gt 0 ]]; then\n",
"\n",
" LINE=`echo $line | tr -s ' ' `\n",
" AWS_COMMAND=\"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, "\"\n",
" MOD=$(( $COUNTER % 2))\n",
"\n",
" if [ $MOD -eq 1 ]; then\n",
" METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`\n",
" else\n",
" METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`\n",
" fi\n",
"\n",
" if [[ -n \"$METRIC_NAME\" && -n \"$METRIC_VALUE\" ]]; then\n",
" INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n",
" CW_JSON_METRIC=\"$CW_JSON_METRIC { \\\"MetricName\\\": \\\"$METRIC_NAME\\\", \\\"Dimensions\\\": [{\\\"Name\\\": \\\"InstanceId\\\", \\\"Value\\\": \\\"$INSTANCE_ID\\\"} ], \\\"Value\\\": $METRIC_VALUE },\"\n",
" unset METRIC_NAME\n",
" unset METRIC_VALUE\n",
"\n",
" METRIC_COUNTER=$((METRIC_COUNTER+1))\n",
" if [ $METRIC_COUNTER -eq 20 ]; then\n",
" # 20 is max metric collection size, so we have to submit here\n",
" aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\"\n",
"\n",
" # reset\n",
" METRIC_COUNTER=0\n",
" CW_JSON_METRIC=''\n",
" fi\n",
" fi \n",
"\n",
"\n",
"\n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
"\n",
" if [[ \"$line\" == \"Client nfs v4:\" ]]; then\n",
" # the next line is the good stuff \n",
" COUNTER=$((COUNTER+1))\n",
" fi\n",
" done <<< \"$INPUT\"\n",
"done\n",
"\n",
"# submit whatever is left\n",
"aws cloudwatch put-metric-data --region ", { "Ref": "AWS::Region" }, " --cli-input-json \"`echo $CW_JSON_OPEN ${CW_JSON_METRIC%?} $CW_JSON_CLOSE`\""
] ] },
"mode": "000755",
"owner": "ec2-user",
"group": "ec2-user"
},
"/home/ec2-user/crontab" : {
"content" : { "Fn::Join" : [ "", [
"* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
] ] },
"owner": "ec2-user",
"group": "ec2-user"
}
},
"commands" : {
"01_createdir" : {
"command" : {"Fn::Join" : [ "", [ "mkdir /", { "Ref" : "MountPoint" }]]}
}
}
},
"mount" : {
"commands" : {
"01_mount" : {
"command" : { "Fn::Sub": "sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}"}
},
"02_permissions" : {
"command" : {"Fn::Join" : [ "", [ "chown ec2-user:ec2-user /", { "Ref" : "MountPoint" }]]}
}
}
}
}
},
"Properties": {
"AssociatePublicIpAddress" : true,
"ImageId": {
"Fn::FindInMap": [ "AWSRegionArch2AMI", { "Ref": "AWS::Region" }, {
"Fn::FindInMap": [ "AWSInstanceType2Arch", { "Ref": "InstanceType" }, "Arch" ]
} ]
},
"InstanceType": { "Ref": "InstanceType" },
"KeyName": { "Ref": "KeyName" },
"SecurityGroups": [ { "Ref": "InstanceSecurityGroup" } ],
"IamInstanceProfile" : { "Ref" : "CloudWatchPutMetricsInstanceProfile" },
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash -xe\n",
"yum install -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource LaunchConfiguration ",
" --configsets MountConfig ",
" --region ", { "Ref" : "AWS::Region" }, "\n",
"crontab /home/ec2-user/crontab\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ", { "Ref" : "AWS::StackName" },
" --resource AutoScalingGroup ",
" --region ", { "Ref" : "AWS::Region" }, "\n"
]]}}
}
},
"AutoScalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": ["MountTarget", "GatewayToInternet"],
"CreationPolicy" : {
"ResourceSignal" : {
"Timeout" : "PT15M",
"Count" : { "Ref": "AsgMaxSize" }
}
},
"Properties": {
"VPCZoneIdentifier": [ { "Ref": "Subnet" } ],
"LaunchConfigurationName": { "Ref": "LaunchConfiguration" },
"MinSize": "1",
"MaxSize": { "Ref": "AsgMaxSize" },
"DesiredCapacity": { "Ref": "AsgMaxSize" },
"Tags": [ {
"Key": "Name",
"Value": "EFS FileSystem Mounted Instance",
"PropagateAtLaunch": "true"
} ]
}
}
},
"Outputs" : {
"MountTargetID" : {
"Description" : "Mount target ID",
"Value" : { "Ref" : "MountTarget" }
},
"FileSystemID" : {
"Description" : "File system ID",
"Value" : { "Ref" : "FileSystem" }
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Description: This template creates an Amazon EFS file system and mount target and
associates it with Amazon EC2 instances in an Auto Scaling group. **WARNING** This
template creates Amazon EC2 instances and related resources. You will be billed
for the AWS resources used if you create a stack from this template.
Parameters:
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t2.small
AllowedValues:
- t1.micro
- t2.nano
- t2.micro
- t2.small
- t2.medium
- t2.large
- m1.small
- m1.medium
- m1.large
- m1.xlarge
- m2.xlarge
- m2.2xlarge
- m2.4xlarge
- m3.medium
- m3.large
- m3.xlarge
- m3.2xlarge
- m4.large
- m4.xlarge
- m4.2xlarge
- m4.4xlarge
- m4.10xlarge
- c1.medium
- c1.xlarge
- c3.large
- c3.xlarge
- c3.2xlarge
- c3.4xlarge
- c3.8xlarge
- c4.large
- c4.xlarge
- c4.2xlarge
- c4.4xlarge
- c4.8xlarge
- g2.2xlarge
- g2.8xlarge
- r3.large
- r3.xlarge
- r3.2xlarge
- r3.4xlarge
- r3.8xlarge
- i2.xlarge
- i2.2xlarge
- i2.4xlarge
- i2.8xlarge
- d2.xlarge
- d2.2xlarge
- d2.4xlarge
- d2.8xlarge
- hi1.4xlarge
- hs1.8xlarge
- cr1.8xlarge
- cc2.8xlarge
- cg1.4xlarge
ConstraintDescription: must be a valid EC2 instance type.
KeyName:
Type: AWS::EC2::KeyPair::KeyName
Description: Name of an existing EC2 key pair to enable SSH access to the ECS
instances
AsgMaxSize:
Type: Number
Description: Maximum size and initial desired capacity of Auto Scaling Group
Default: '2'
SSHLocation:
Description: The IP address range that can be used to connect to the EC2 instances
by using SSH
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
VolumeName:
Description: The name to be used for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
MountPoint:
Description: The Linux mount point for the EFS volume
Type: String
MinLength: '1'
Default: myEFSvolume
Mappings:
AWSInstanceType2Arch:
t1.micro:
Arch: HVM64
t2.nano:
Arch: HVM64
t2.micro:
Arch: HVM64
t2.small:
Arch: HVM64
t2.medium:
Arch: HVM64
t2.large:
Arch: HVM64
m1.small:
Arch: HVM64
m1.medium:
Arch: HVM64
m1.large:
Arch: HVM64
m1.xlarge:
Arch: HVM64
m2.xlarge:
Arch: HVM64
m2.2xlarge:
Arch: HVM64
m2.4xlarge:
Arch: HVM64
m3.medium:
Arch: HVM64
m3.large:
Arch: HVM64
m3.xlarge:
Arch: HVM64
m3.2xlarge:
Arch: HVM64
m4.large:
Arch: HVM64
m4.xlarge:
Arch: HVM64
m4.2xlarge:
Arch: HVM64
m4.4xlarge:
Arch: HVM64
m4.10xlarge:
Arch: HVM64
c1.medium:
Arch: HVM64
c1.xlarge:
Arch: HVM64
c3.large:
Arch: HVM64
c3.xlarge:
Arch: HVM64
c3.2xlarge:
Arch: HVM64
c3.4xlarge:
Arch: HVM64
c3.8xlarge:
Arch: HVM64
c4.large:
Arch: HVM64
c4.xlarge:
Arch: HVM64
c4.2xlarge:
Arch: HVM64
c4.4xlarge:
Arch: HVM64
c4.8xlarge:
Arch: HVM64
g2.2xlarge:
Arch: HVMG2
g2.8xlarge:
Arch: HVMG2
r3.large:
Arch: HVM64
r3.xlarge:
Arch: HVM64
r3.2xlarge:
Arch: HVM64
r3.4xlarge:
Arch: HVM64
r3.8xlarge:
Arch: HVM64
i2.xlarge:
Arch: HVM64
i2.2xlarge:
Arch: HVM64
i2.4xlarge:
Arch: HVM64
i2.8xlarge:
Arch: HVM64
d2.xlarge:
Arch: HVM64
d2.2xlarge:
Arch: HVM64
d2.4xlarge:
Arch: HVM64
d2.8xlarge:
Arch: HVM64
hi1.4xlarge:
Arch: HVM64
hs1.8xlarge:
Arch: HVM64
cr1.8xlarge:
Arch: HVM64
cc2.8xlarge:
Arch: HVM64
AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0ff8a91507f77f867
HVMG2: ami-0a584ac55a7631c0c
us-west-2:
HVM64: ami-a0cfeed8
HVMG2: ami-0e09505bc235aa82d
us-west-1:
HVM64: ami-0bdb828fd58c52235
HVMG2: ami-066ee5fd4a9ef77f1
eu-west-1:
HVM64: ami-047bb4163c506cd98
HVMG2: ami-0a7c483d527806435
eu-west-2:
HVM64: ami-f976839e
HVMG2: NOT_SUPPORTED
eu-west-3:
HVM64: ami-0ebc281c20e89ba4b
HVMG2: NOT_SUPPORTED
eu-central-1:
HVM64: ami-0233214e13e500f77
HVMG2: ami-06223d46a6d0661c7
ap-northeast-1:
HVM64: ami-06cd52961ce9f0d85
HVMG2: ami-053cdd503598e4a9d
ap-northeast-2:
HVM64: ami-0a10b2721688ce9d2
HVMG2: NOT_SUPPORTED
ap-northeast-3:
HVM64: ami-0d98120a9fb693f07
HVMG2: NOT_SUPPORTED
ap-southeast-1:
HVM64: ami-08569b978cc4dfa10
HVMG2: ami-0be9df32ae9f92309
ap-southeast-2:
HVM64: ami-09b42976632b27e9b
HVMG2: ami-0a9ce9fecc3d1daf8
ap-south-1:
HVM64: ami-0912f71e06545ad88
HVMG2: ami-097b15e89dbdcfcf4
us-east-2:
HVM64: ami-0b59bfac6be064b78
HVMG2: NOT_SUPPORTED
ca-central-1:
HVM64: ami-0b18956f
HVMG2: NOT_SUPPORTED
sa-east-1:
HVM64: ami-07b14488da8ea02a0
HVMG2: NOT_SUPPORTED
cn-north-1:
HVM64: ami-0a4eaf6c4454eda75
HVMG2: NOT_SUPPORTED
cn-northwest-1:
HVM64: ami-6b6a7d09
HVMG2: NOT_SUPPORTED
Resources:
CloudWatchPutMetricsRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
CloudWatchPutMetricsRolePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: CloudWatch_PutMetricData
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: CloudWatchPutMetricData
Effect: Allow
Action:
- cloudwatch:PutMetricData
Resource:
- "*"
Roles:
- Ref: CloudWatchPutMetricsRole
CloudWatchPutMetricsInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: CloudWatchPutMetricsRole
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock: 10.0.0.0/16
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Application
Value:
Ref: AWS::StackName
- Key: Network
Value: Public
GatewayToInternet:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
SubnetRouteTableAssoc:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: RouteTable
SubnetId:
Ref: Subnet
InternetGatewayRoute:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
RouteTableId:
Ref: RouteTable
GatewayId:
Ref: InternetGateway
Subnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: VPC
CidrBlock: 10.0.0.0/24
Tags:
- Key: Application
Value:
Ref: AWS::StackId
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp:
Ref: SSHLocation
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
MountTargetSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VPC
GroupDescription: Security group for mount target
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 2049
ToPort: 2049
CidrIp: 0.0.0.0/0
FileSystem:
Type: AWS::EFS::FileSystem
Properties:
PerformanceMode: generalPurpose
FileSystemTags:
- Key: Name
Value:
Ref: VolumeName
MountTarget:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: FileSystem
SubnetId:
Ref: Subnet
SecurityGroups:
- Ref: MountTargetSecurityGroup
LaunchConfiguration:
Type: AWS::AutoScaling::LaunchConfiguration
Metadata:
AWS::CloudFormation::Init:
configSets:
MountConfig:
- setup
- mount
setup:
packages:
yum:
nfs-utils: []
files:
"/home/ec2-user/post_nfsstat":
content: !Sub |
#!/bin/bash
INPUT="$(cat)"
CW_JSON_OPEN='{ "Namespace": "EFS", "MetricData": [ '
CW_JSON_CLOSE=' ] }'
CW_JSON_METRIC=''
METRIC_COUNTER=0
for COL in 1 2 3 4 5 6; do
COUNTER=0
METRIC_FIELD=$COL
DATA_FIELD=$(($COL+($COL-1)))
while read line; do
if [[ COUNTER -gt 0 ]]; then
LINE=`echo $line | tr -s ' ' `
AWS_COMMAND="aws cloudwatch put-metric-data --region ${AWS::Region}"
MOD=$(( $COUNTER % 2))
if [ $MOD -eq 1 ]; then
METRIC_NAME=`echo $LINE | cut -d ' ' -f $METRIC_FIELD`
else
METRIC_VALUE=`echo $LINE | cut -d ' ' -f $DATA_FIELD`
fi
if [[ -n "$METRIC_NAME" && -n "$METRIC_VALUE" ]]; then
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
CW_JSON_METRIC="$CW_JSON_METRIC { \"MetricName\": \"$METRIC_NAME\", \"Dimensions\": [{\"Name\": \"InstanceId\", \"Value\": \"$INSTANCE_ID\"} ], \"Value\": $METRIC_VALUE },"
unset METRIC_NAME
unset METRIC_VALUE
METRIC_COUNTER=$((METRIC_COUNTER+1))
if [ $METRIC_COUNTER -eq 20 ]; then
# 20 is max metric collection size, so we have to submit here
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
# reset
METRIC_COUNTER=0
CW_JSON_METRIC=''
fi
fi
COUNTER=$((COUNTER+1))
fi
if [[ "$line" == "Client nfs v4:" ]]; then
# the next line is the good stuff
COUNTER=$((COUNTER+1))
fi
done <<< "$INPUT"
done
# submit whatever is left
aws cloudwatch put-metric-data --region ${AWS::Region} --cli-input-json "`echo $CW_JSON_OPEN ${!CW_JSON_METRIC%?} $CW_JSON_CLOSE`"
mode: '000755'
owner: ec2-user
group: ec2-user
"/home/ec2-user/crontab":
content: "* * * * * /usr/sbin/nfsstat | /home/ec2-user/post_nfsstat\n"
owner: ec2-user
group: ec2-user
commands:
01_createdir:
command: !Sub "mkdir /${MountPoint}"
mount:
commands:
01_mount:
command: !Sub >
mount -t nfs4 -o nfsvers=4.1 ${FileSystem}.efs.${AWS::Region}.amazonaws.com:/ /${MountPoint}
02_permissions:
command: !Sub "chown ec2-user:ec2-user /${MountPoint}"
Properties:
AssociatePublicIpAddress: true
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: InstanceSecurityGroup
IamInstanceProfile:
Ref: CloudWatchPutMetricsInstanceProfile
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource LaunchConfiguration --configsets MountConfig --region ${AWS::Region}
crontab /home/ec2-user/crontab
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region}
AutoScalingGroup:
Type: AWS::AutoScaling::AutoScalingGroup
DependsOn:
- MountTarget
- GatewayToInternet
CreationPolicy:
ResourceSignal:
Timeout: PT15M
Count:
Ref: AsgMaxSize
Properties:
VPCZoneIdentifier:
- Ref: Subnet
LaunchConfigurationName:
Ref: LaunchConfiguration
MinSize: '1'
MaxSize:
Ref: AsgMaxSize
DesiredCapacity:
Ref: AsgMaxSize
Tags:
- Key: Name
Value: EFS FileSystem Mounted Instance
PropagateAtLaunch: 'true'
Outputs:
MountTargetID:
Description: Mount target ID
Value:
Ref: MountTarget
FileSystemID:
Description: File system ID
Value:
Ref: FileSystem
```
# Elastic Beanstalk template snippets
With Elastic Beanstalk, you can quickly deploy and manage applications in AWS without worrying about the infrastructure that runs those applications. The following sample template can help you describe Elastic Beanstalk resources in your CloudFormation template.
## Elastic Beanstalk sample PHP
The following sample template deploys a sample PHP web application that's stored in an Amazon S3 bucket. The environment is also an auto-scaling, load-balancing environment, with a minimum of two Amazon EC2 instances and a maximum of six. It shows an Elastic Beanstalk environment that uses a legacy launch configuration. For information about using a launch template instead, see [Launch Templates](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-autoscaling-launch-templates.html) in the *AWS Elastic Beanstalk Developer Guide*.
Replace `solution-stack` with a solution stack name (platform version). For a list of available solution stacks, use the AWS CLI command **aws elasticbeanstalk list-available-solution-stacks**.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"sampleApplication": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"Description": "AWS Elastic Beanstalk Sample Application"
}
},
"sampleApplicationVersion": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Application Version",
"SourceBundle": {
"S3Bucket": {
"Fn::Sub": "elasticbeanstalk-samples-${AWS::Region}"
},
"S3Key": "php-newsample-app.zip"
}
}
},
"sampleConfigurationTemplate": {
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Configuration Template",
"OptionSettings": [
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MinSize",
"Value": "2"
},
{
"Namespace": "aws:autoscaling:asg",
"OptionName": "MaxSize",
"Value": "6"
},
{
"Namespace": "aws:elasticbeanstalk:environment",
"OptionName": "EnvironmentType",
"Value": "LoadBalanced"
},
{
"Namespace": "aws:autoscaling:launchconfiguration",
"OptionName": "IamInstanceProfile",
"Value": {
"Ref": "MyInstanceProfile"
}
}
],
"SolutionStackName": "solution-stack"
}
},
"sampleEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Properties": {
"ApplicationName": {
"Ref": "sampleApplication"
},
"Description": "AWS ElasticBeanstalk Sample Environment",
"TemplateName": {
"Ref": "sampleConfigurationTemplate"
},
"VersionLabel": {
"Ref": "sampleApplicationVersion"
}
}
},
"MyInstanceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Description": "Beanstalk EC2 role",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier",
"arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker",
"arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
]
}
},
"MyInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Roles": [
{
"Ref": "MyInstanceRole"
}
]
}
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-samples-${AWS::Region}"
S3Key: php-newsample-app.zip
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value: !Ref MyInstanceProfile
SolutionStackName: solution-stack
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
MyInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref MyInstanceRole
```
# Elastic Load Balancing template snippets
To create an Application Load Balancer, a Network Load Balancer, or a Gateway Load Balancer, use the V2 resource types, which start with `AWS::ElasticLoadBalancingV2`. To create a Classic Load Balancer, use the resource types that start with `AWS::ElasticLoadBalancing`.
**Topics**
+ [
## ELBv2 resources
](#scenario-elbv2-load-balancer)
+ [
## Classic Load Balancer resources
](#scenario-elb-load-balancer)
## ELBv2 resources
This example defines an Application Load Balancer with an HTTP listener and a default action that forwards traffic to the target group. The load balancer uses the default health check settings. The target group has two registered EC2 instances.
------
#### [ YAML ]
```
Resources:
myLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: my-alb
Type: application
Scheme: internal
Subnets:
- !Ref subnet-AZ1
- !Ref subnet-AZ2
SecurityGroups:
- !Ref mySecurityGroup
myHTTPlistener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref myLoadBalancer
Protocol: HTTP
Port: 80
DefaultActions:
- Type: "forward"
TargetGroupArn: !Ref myTargetGroup
myTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: "my-target-group"
Protocol: HTTP
Port: 80
TargetType: instance
VpcId: !Ref myVPC
Targets:
- Id: !GetAtt Instance1.InstanceId
Port: 80
- Id: !GetAtt Instance2.InstanceId
Port: 80
```
------
#### [ JSON ]
```
{
"Resources": {
"myLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "my-alb",
"Type": "application",
"Scheme": "internal",
"Subnets": [
{
"Ref": "subnet-AZ1"
},
{
"Ref": "subnet-AZ2"
}
],
"SecurityGroups": [
{
"Ref": "mySecurityGroup"
}
]
}
},
"myHTTPlistener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"LoadBalancerArn": {
"Ref": "myLoadBalancer"
},
"Protocol": "HTTP",
"Port": 80,
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": {
"Ref": "myTargetGroup"
}
}
]
}
},
"myTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Name": "my-target-group",
"Protocol": "HTTP",
"Port": 80,
"TargetType": "instance",
"VpcId": {
"Ref": "myVPC"
},
"Targets": [
{
"Id": {
"Fn::GetAtt": [
"Instance1",
"InstanceId"
]
},
"Port": 80
},
{
"Id": {
"Fn::GetAtt": [
"Instance2",
"InstanceId"
]
},
"Port": 80
}
]
}
}
}
}
```
------
## Classic Load Balancer resources
This example defines a Classic Load Balancer with an HTTP listener and no registered EC2 instances. The load balancer uses the default health check settings.
------
#### [ YAML ]
```
myLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
```
------
#### [ JSON ]
```
"myLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ]
}
}
```
------
This example defines a Classic Load Balancer with an HTTP listener, two registered EC2 instances, and custom health check settings.
------
#### [ YAML ]
```
myClassicLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
AvailabilityZones:
- "us-east-1a"
Instances:
- Ref: Instance1
- Ref: Instance2
Listeners:
- LoadBalancerPort: '80'
InstancePort: '80'
Protocol: HTTP
HealthCheck:
Target: HTTP:80/
HealthyThreshold: '3'
UnhealthyThreshold: '5'
Interval: '30'
Timeout: '5'
```
------
#### [ JSON ]
```
"myClassicLoadBalancer" : {
"Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties" : {
"AvailabilityZones" : [ "us-east-1a" ],
"Instances" : [
{ "Ref" : "Instance1" },
{ "Ref" : "Instance2" }
],
"Listeners" : [ {
"LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP"
} ],
"HealthCheck" : {
"Target" : "HTTP:80/",
"HealthyThreshold" : "3",
"UnhealthyThreshold" : "5",
"Interval" : "30",
"Timeout" : "5"
}
}
}
```
------
# AWS Identity and Access Management template snippets
This section contains AWS Identity and Access Management template snippets.
**Topics**
+ [
## Declaring an IAM user resource
](#scenario-iam-user)
+ [
## Declaring an IAM access key resource
](#scenario-iam-accesskey)
+ [
## Declaring an IAM group resource
](#scenario-iam-group)
+ [
## Adding users to a group
](#scenario-iam-addusertogroup)
+ [
## Declaring an IAM policy
](#scenario-iam-policy)
+ [
## Declaring an Amazon S3 bucket policy
](#scenario-bucket-policy)
+ [
## Declaring an Amazon SNS topic policy
](#scenario-sns-policy)
+ [
## Declaring an Amazon SQS policy
](#scenario-sqs-policy)
+ [
## IAM role template examples
](#scenarios-iamroles)
**Important**
When creating or updating a stack using a template containing IAM resources, you must acknowledge the use of IAM capabilities. For more information, see [Acknowledging IAM resources in CloudFormation templates](control-access-with-iam.md#using-iam-capabilities).
## Declaring an IAM user resource
This snippet shows how to declare an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource to create an IAM user. The user is declared with the path (`"/"`) and a login profile with the password (`myP@ssW0rd`).
The policy document named `giveaccesstoqueueonly` gives the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource `myqueue`, and denies access to all other Amazon SQS queue resources. The `Fn::GetAtt` function gets the Arn attribute of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) resource `myqueue`.
The policy document named `giveaccesstotopiconly` is added to the user to give the user permission to perform all Amazon SNS actions on the Amazon SNS topic resource `mytopic` and to deny access to all other Amazon SNS resources. The `Ref` function gets the ARN of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource `mytopic`.
### JSON
```
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {
"Effect" : "Deny",
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]
} ]
}
} ]
}
}
```
### YAML
```
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
- PolicyName: giveaccesstotopiconly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
Resource:
- !Ref mytopic
- Effect: Deny
Action:
- sns:*
NotResource:
- !Ref mytopic
```
## Declaring an IAM access key resource
###
This snippet shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-accesskey.html) resource. The `myaccesskey` resource creates an access key and assigns it to an IAM user that is declared as an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource in the template.
#### JSON
```
"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }
}
}
```
#### YAML
```
myaccesskey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref myuser
```
###
You can get the secret key for an `AWS::IAM::AccessKey` resource using the `Fn::GetAtt` function. One way to retrieve the secret key is to put it into an `Output` value. You can get the access key using the `Ref` function. The following `Output` value declarations get the access key and secret key for `myaccesskey`.
#### JSON
```
"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
}
```
#### YAML
```
AccessKeyformyaccesskey:
Value:
!Ref myaccesskey
SecretKeyformyaccesskey:
Value: !GetAtt myaccesskey.SecretAccessKey
```
###
You can also pass the AWS access key and secret key to an Amazon EC2 instance or Auto Scaling group defined in the template. The following [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) declaration uses the `UserData` property to pass the access key and secret key for the `myaccesskey` resource.
#### JSON
```
"myinstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-0ff8a91507f77f867",
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",
"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"
]
}
]
]
}
}
}
}
```
#### YAML
```
myinstance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: "us-east-1a"
ImageId: ami-0ff8a91507f77f867
UserData:
Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"
```
## Declaring an IAM group resource
This snippet shows an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html) resource. The group has a path (`"/myapplication/"`). The policy document named `myapppolicy` is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue and deny access to all other Amazon SQS resources except `myqueue`.
To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) for the resource. In the snippet, the `Fn::GetAtt` function gets the ARN of the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) resource queue.
### JSON
```
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}
}
```
### YAML
```
mygroup:
Type: AWS::IAM::Group
Properties:
Path: "/myapplication/"
Policies:
- PolicyName: myapppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource: !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource: !GetAtt myqueue.Arn
```
## Adding users to a group
The [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-usertogroupaddition.html) resource adds users to a group. In the following snippet, the `addUserToGroup` resource adds the following users to an existing group named `myexistinggroup2`: the existing user `existinguser1` and the user `myuser` which is declared as an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource in the template.
### JSON
```
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}
```
### YAML
```
addUserToGroup:
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: myexistinggroup2
Users:
- existinguser1
- !Ref myuser
```
## Declaring an IAM policy
This snippet shows how to create a policy and apply it to multiple groups using an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-policy.html) resource named `mypolicy`. The `mypolicy` resource contains a `PolicyDocument` property that allows `GetObject`, `PutObject`, and `PutObjectAcl` actions on the objects in the S3 bucket represented by the ARN `arn:aws:s3:::myAWSBucket`. The `mypolicy` resource applies the policy to an existing group named `myexistinggroup1` and a group `mygroup` that's declared in the template as an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-group.html) resource. This example shows how to apply a policy to a group using the `Groups` property; however, you can alternatively use the `Users` property to add a policy document to a list of users.
### JSON
```
"mypolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "mygrouppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}
```
### YAML
```
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroup
```
## Declaring an Amazon S3 bucket policy
This snippet shows how to create a policy and apply it to an Amazon S3 bucket using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) resource. The `mybucketpolicy` resource declares a policy document that allows the `user1` IAM user to perform the `GetObject` action on all objects in the S3 bucket to which this policy is applied. In the snippet, the `Fn::GetAtt` function gets the ARN of the `user1` resource. The `mybucketpolicy` resource applies the policy to the `AWS::S3::BucketPolicy` resource mybucket. The `Ref` function gets the bucket name of the `mybucket` resource.
### JSON
```
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}
```
### YAML
```
mybucketpolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
- Sid: ReadAccess
Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${mybucket}/*"
Principal:
AWS: !GetAtt user1.Arn
Bucket: !Ref mybucket
```
## Declaring an Amazon SNS topic policy
This snippet shows how to create a policy and apply it to an Amazon SNS topic using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topicpolicy.html) resource. The `mysnspolicy` resource contains a `PolicyDocument` property that allows the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-user.html) resource `myuser` to perform the `Publish` action on an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sns-topic.html) resource `mytopic`. In the snippet, the `Fn::GetAtt` function gets the ARN for the `myuser` resource and the `Ref` function gets the ARN for the `mytopic` resource.
### JSON
```
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}
```
### YAML
```
mysnspolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: My-statement-id
Effect: Allow
Principal:
AWS: !GetAtt myuser.Arn
Action: sns:Publish
Resource: "*"
Topics:
- !Ref mytopic
```
## Declaring an Amazon SQS policy
This snippet shows how to create a policy and apply it to an Amazon SQS queue using the [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queuepolicy.html) resource. The `PolicyDocument` property allows the existing user `myapp` (specified by its ARN) to perform the `SendMessage` action on an existing queue, which is specified by its URL, and an [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-sqs-queue.html) resource myqueue. The [Ref](resources-section-structure.md#resource-properties-ref) function gets the URL for the `myqueue` resource.
### JSON
```
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyQueuePolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.us-east-2aws-region.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]
}
}
```
### YAML
```
mysqspolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: MyQueuePolicy
Version: '2012-10-17'
Statement:
- Sid: Allow-User-SendMessage
Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:user/myapp
Action:
- sqs:SendMessage
Resource: "*"
Queues:
- https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
- !Ref myqueue
```
## IAM role template examples
This section provides CloudFormation template examples for IAM roles for EC2 instances.
For more information, see [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide*.
### IAM role with EC2
In this example, the instance profile is referenced by the `IamInstanceProfile` property of the EC2 instance. Both the instance policy and role policy reference [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html).
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEC2Instance": {
"Type": "AWS::EC2::Instance",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myEC2Instance:
Type: AWS::EC2::Instance
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
Monitoring: 'true'
DisableApiTermination: 'false'
IamInstanceProfile:
!Ref RootInstanceProfile
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole
```
### IAM role with Auto Scaling group
In this example, the instance profile is referenced by the `IamInstanceProfile` property of an Amazon EC2 Auto Scaling launch configuration.
#### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "us-east-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}
```
#### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myLCOne:
Type: AWS::AutoScaling::LaunchConfiguration
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
InstanceMonitoring: 'true'
IamInstanceProfile:
!Ref RootInstanceProfile
myASGrpOne:
Type: AWS::AutoScaling::AutoScalingGroup
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "us-east-1a"
LaunchConfigurationName:
!Ref myLCOne
MinSize: '0'
MaxSize: '0'
HealthCheckType: EC2
HealthCheckGracePeriod: '120'
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole
```
# AWS Lambda template
The following template uses an AWS Lambda (Lambda) function and custom resource to append a new security group to a list of existing security groups. This function is useful when you want to build a list of security groups dynamically, so that your list includes both new and existing security groups. For example, you can pass a list of existing security groups as a parameter value, append the new value to the list, and then associate all your values with an EC2 instance. For more information about the Lambda function resource type, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html).
In the example, when CloudFormation creates the `AllSecurityGroups` custom resource, CloudFormation invokes the `AppendItemToListFunction` Lambda function. CloudFormation passes the list of existing security groups and a new security group (`NewSecurityGroup`) to the function, which appends the new security group to the list and then returns the modified list. CloudFormation uses the modified list to associate all security groups with the `MyEC2Instance` resource.
## JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"ExistingSecurityGroups": {
"Type": "List"
},
"ExistingVPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter."
},
"InstanceType": {
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"t2.micro",
"t3.micro"
]
}
},
"Resources": {
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow HTTP traffic to the host",
"VpcId": {
"Ref": "ExistingVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"AllSecurityGroups": {
"Type": "Custom::Split",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"AppendItemToListFunction",
"Arn"
]
},
"List": {
"Ref": "ExistingSecurityGroups"
},
"AppendedItem": {
"Ref": "SecurityGroup"
}
}
},
"AppendItemToListFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.handler",
"Role": {
"Fn::GetAtt": [
"LambdaExecutionRole",
"Arn"
]
},
"Code": {
"ZipFile": {
"Fn::Join": [
"",
[
"var response = require('cfn-response');",
"exports.handler = function(event, context) {",
" var responseData = {Value: event.ResourceProperties.List};",
" responseData.Value.push(event.ResourceProperties.AppendedItem);",
" response.send(event, context, response.SUCCESS, responseData);",
"};"
]
]
}
},
"Runtime": "nodejs20.x"
}
},
"MyEC2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}",
"SecurityGroupIds": {
"Fn::GetAtt": [
"AllSecurityGroups",
"Value"
]
},
"InstanceType": {
"Ref": "InstanceType"
}
}
},
"LambdaExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
}
]
}
}
},
"Outputs": {
"AllSecurityGroups": {
"Description": "Security Groups that are associated with the EC2 instance",
"Value": {
"Fn::Join": [
", ",
{
"Fn::GetAtt": [
"AllSecurityGroups",
"Value"
]
}
]
}
}
}
}
```
## YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
ExistingSecurityGroups:
Type: List
ExistingVPC:
Type: AWS::EC2::VPC::Id
Description: The VPC ID that includes the security groups in the ExistingSecurityGroups parameter.
InstanceType:
Type: String
Default: t2.micro
AllowedValues:
- t2.micro
- t3.micro
Resources:
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow HTTP traffic to the host
VpcId: !Ref ExistingVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
AllSecurityGroups:
Type: Custom::Split
Properties:
ServiceToken: !GetAtt AppendItemToListFunction.Arn
List: !Ref ExistingSecurityGroups
AppendedItem: !Ref SecurityGroup
AppendItemToListFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Role: !GetAtt LambdaExecutionRole.Arn
Code:
ZipFile: !Join
- ''
- - var response = require('cfn-response');
- exports.handler = function(event, context) {
- ' var responseData = {Value: event.ResourceProperties.List};'
- ' responseData.Value.push(event.ResourceProperties.AppendedItem);'
- ' response.send(event, context, response.SUCCESS, responseData);'
- '};'
Runtime: nodejs20.x
MyEC2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId: '{{resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}}'
SecurityGroupIds: !GetAtt AllSecurityGroups.Value
InstanceType: !Ref InstanceType
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
Outputs:
AllSecurityGroups:
Description: Security Groups that are associated with the EC2 instance
Value: !Join
- ', '
- !GetAtt AllSecurityGroups.Value
```
# Amazon Redshift template snippets
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can use CloudFormation to provision and manage Amazon Redshift clusters.
## Amazon Redshift cluster
The following sample template creates an Amazon Redshift cluster according to the parameter values that are specified when the stack is created. The cluster parameter group that is associated with the Amazon Redshift cluster enables user activity logging. The template also launches the Amazon Redshift clusters in an Amazon VPC that is defined in the template. The VPC includes an internet gateway so that you can access the Amazon Redshift clusters from the Internet. However, the communication between the cluster and the Internet gateway must also be enabled, which is done by the route table entry.
**Note**
The template includes the `IsMultiNodeCluster` condition so that the `NumberOfNodes` parameter is declared only when the `ClusterType` parameter value is set to `multi-node`.
The example defines the `MysqlRootPassword` parameter with its `NoEcho` property set to `true`. If you set the `NoEcho` attribute to `true`, CloudFormation returns the parameter value masked as asterisks (\$1\$1\$1\$1\$1) for any calls that describe the stack or stack events, except for information stored in the locations specified below.
**Important**
Using the `NoEcho` attribute does not mask any information stored in the following:
The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [Metadata](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html).
The `Outputs` template section. For more information, see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html).
The `Metadata` attribute of a resource definition. For more information, see [`Metadata` attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-metadata.html).
We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets.
**Important**
Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager.
For more information, see the [Do not embed credentials in your templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#creds) best practice.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters" : {
"DatabaseName" : {
"Description" : "The name of the first database to be created when the cluster is created",
"Type" : "String",
"Default" : "dev",
"AllowedPattern" : "([a-z]|[0-9])+"
},
"ClusterType" : {
"Description" : "The type of cluster",
"Type" : "String",
"Default" : "single-node",
"AllowedValues" : [ "single-node", "multi-node" ]
},
"NumberOfNodes" : {
"Description" : "The number of compute nodes in the cluster. For multi-node clusters, the NumberOfNodes parameter must be greater than 1",
"Type" : "Number",
"Default" : "1"
},
"NodeType" : {
"Description" : "The type of node to be provisioned",
"Type" : "String",
"Default" : "ds2.xlarge",
"AllowedValues" : [ "ds2.xlarge", "ds2.8xlarge", "dc1.large", "dc1.8xlarge" ]
},
"MasterUsername" : {
"Description" : "The user name that is associated with the master user account for the cluster that is being created",
"Type" : "String",
"Default" : "defaultuser",
"AllowedPattern" : "([a-z])([a-z]|[0-9])*"
},
"MasterUserPassword" : {
"Description" : "The password that is associated with the master user account for the cluster that is being created.",
"Type" : "String",
"NoEcho" : "true"
},
"InboundTraffic" : {
"Description" : "Allow inbound traffic to the cluster from this CIDR range.",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PortNumber" : {
"Description" : "The port number on which the cluster accepts incoming connections.",
"Type" : "Number",
"Default" : "5439"
}
},
"Conditions" : {
"IsMultiNodeCluster" : {
"Fn::Equals" : [{ "Ref" : "ClusterType" }, "multi-node" ]
}
},
"Resources" : {
"RedshiftCluster" : {
"Type" : "AWS::Redshift::Cluster",
"DependsOn" : "AttachGateway",
"Properties" : {
"ClusterType" : { "Ref" : "ClusterType" },
"NumberOfNodes" : { "Fn::If" : [ "IsMultiNodeCluster", { "Ref" : "NumberOfNodes" }, { "Ref" : "AWS::NoValue" }]},
"NodeType" : { "Ref" : "NodeType" },
"DBName" : { "Ref" : "DatabaseName" },
"MasterUsername" : { "Ref" : "MasterUsername" },
"MasterUserPassword" : { "Ref" : "MasterUserPassword" },
"ClusterParameterGroupName" : { "Ref" : "RedshiftClusterParameterGroup" },
"VpcSecurityGroupIds" : [ { "Ref" : "SecurityGroup" } ],
"ClusterSubnetGroupName" : { "Ref" : "RedshiftClusterSubnetGroup" },
"PubliclyAccessible" : "true",
"Port" : { "Ref" : "PortNumber" }
}
},
"RedshiftClusterParameterGroup" : {
"Type" : "AWS::Redshift::ClusterParameterGroup",
"Properties" : {
"Description" : "Cluster parameter group",
"ParameterGroupFamily" : "redshift-1.0",
"Parameters" : [{
"ParameterName" : "enable_user_activity_logging",
"ParameterValue" : "true"
}]
}
},
"RedshiftClusterSubnetGroup" : {
"Type" : "AWS::Redshift::ClusterSubnetGroup",
"Properties" : {
"Description" : "Cluster subnet group",
"SubnetIds" : [ { "Ref" : "PublicSubnet" } ]
}
},
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.0.0.0/16"
}
},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"CidrBlock" : "10.0.0.0/24",
"VpcId" : { "Ref" : "VPC" }
}
},
"SecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security group",
"SecurityGroupIngress" : [ {
"CidrIp" : { "Ref": "InboundTraffic" },
"FromPort" : { "Ref" : "PortNumber" },
"ToPort" : { "Ref" : "PortNumber" },
"IpProtocol" : "tcp"
} ],
"VpcId" : { "Ref" : "VPC" }
}
},
"myInternetGateway" : {
"Type" : "AWS::EC2::InternetGateway"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "myInternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
}
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "AttachGateway",
"Properties" : {
"RouteTableId" : {
"Ref" : "PublicRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : {
"Ref" : "myInternetGateway"
}
}
},
"PublicSubnetRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {
"Ref" : "PublicSubnet"
},
"RouteTableId" : {
"Ref" : "PublicRouteTable"
}
}
}
},
"Outputs" : {
"ClusterEndpoint" : {
"Description" : "Cluster endpoint",
"Value" : { "Fn::Join" : [ ":", [ { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Address" ] }, { "Fn::GetAtt" : [ "RedshiftCluster", "Endpoint.Port" ] } ] ] }
},
"ClusterName" : {
"Description" : "Name of cluster",
"Value" : { "Ref" : "RedshiftCluster" }
},
"ParameterGroupName" : {
"Description" : "Name of parameter group",
"Value" : { "Ref" : "RedshiftClusterParameterGroup" }
},
"RedshiftClusterSubnetGroupName" : {
"Description" : "Name of cluster subnet group",
"Value" : { "Ref" : "RedshiftClusterSubnetGroup" }
},
"RedshiftClusterSecurityGroupName" : {
"Description" : "Name of cluster security group",
"Value" : { "Ref" : "SecurityGroup" }
}
}
}
```
### YAML
```
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
DatabaseName:
Description: The name of the first database to be created when the cluster is
created
Type: String
Default: dev
AllowedPattern: "([a-z]|[0-9])+"
ClusterType:
Description: The type of cluster
Type: String
Default: single-node
AllowedValues:
- single-node
- multi-node
NumberOfNodes:
Description: The number of compute nodes in the cluster. For multi-node clusters,
the NumberOfNodes parameter must be greater than 1
Type: Number
Default: '1'
NodeType:
Description: The type of node to be provisioned
Type: String
Default: ds2.xlarge
AllowedValues:
- ds2.xlarge
- ds2.8xlarge
- dc1.large
- dc1.8xlarge
MasterUsername:
Description: The user name that is associated with the master user account for
the cluster that is being created
Type: String
Default: defaultuser
AllowedPattern: "([a-z])([a-z]|[0-9])*"
MasterUserPassword:
Description: The password that is associated with the master user account for
the cluster that is being created.
Type: String
NoEcho: 'true'
InboundTraffic:
Description: Allow inbound traffic to the cluster from this CIDR range.
Type: String
MinLength: '9'
MaxLength: '18'
Default: 0.0.0.0/0
AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
ConstraintDescription: must be a valid CIDR range of the form x.x.x.x/x.
PortNumber:
Description: The port number on which the cluster accepts incoming connections.
Type: Number
Default: '5439'
Conditions:
IsMultiNodeCluster:
Fn::Equals:
- Ref: ClusterType
- multi-node
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
DependsOn: AttachGateway
Properties:
ClusterType:
Ref: ClusterType
NumberOfNodes:
Fn::If:
- IsMultiNodeCluster
- Ref: NumberOfNodes
- Ref: AWS::NoValue
NodeType:
Ref: NodeType
DBName:
Ref: DatabaseName
MasterUsername:
Ref: MasterUsername
MasterUserPassword:
Ref: MasterUserPassword
ClusterParameterGroupName:
Ref: RedshiftClusterParameterGroup
VpcSecurityGroupIds:
- Ref: SecurityGroup
ClusterSubnetGroupName:
Ref: RedshiftClusterSubnetGroup
PubliclyAccessible: 'true'
Port:
Ref: PortNumber
RedshiftClusterParameterGroup:
Type: AWS::Redshift::ClusterParameterGroup
Properties:
Description: Cluster parameter group
ParameterGroupFamily: redshift-1.0
Parameters:
- ParameterName: enable_user_activity_logging
ParameterValue: 'true'
RedshiftClusterSubnetGroup:
Type: AWS::Redshift::ClusterSubnetGroup
Properties:
Description: Cluster subnet group
SubnetIds:
- Ref: PublicSubnet
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId:
Ref: VPC
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group
SecurityGroupIngress:
- CidrIp:
Ref: InboundTraffic
FromPort:
Ref: PortNumber
ToPort:
Ref: PortNumber
IpProtocol: tcp
VpcId:
Ref: VPC
myInternetGateway:
Type: AWS::EC2::InternetGateway
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: myInternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: myInternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
Outputs:
ClusterEndpoint:
Description: Cluster endpoint
Value: !Sub "${RedshiftCluster.Endpoint.Address}:${RedshiftCluster.Endpoint.Port}"
ClusterName:
Description: Name of cluster
Value:
Ref: RedshiftCluster
ParameterGroupName:
Description: Name of parameter group
Value:
Ref: RedshiftClusterParameterGroup
RedshiftClusterSubnetGroupName:
Description: Name of cluster subnet group
Value:
Ref: RedshiftClusterSubnetGroup
RedshiftClusterSecurityGroupName:
Description: Name of cluster security group
Value:
Ref: SecurityGroup
```
## See also
[AWS::Redshift::Cluster](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-redshift-cluster.html)
# Amazon RDS template snippets
**Topics**
+ [
## Amazon RDS DB instance resource
](#scenario-rds-instance)
+ [
## Amazon RDS oracle database DB instance resource
](#scenario-rds-oracleinstance)
+ [
## Amazon RDS DBSecurityGroup resource for CIDR range
](#scenario-rds-security-group-cidr)
+ [
## Amazon RDS DBSecurityGroup with an Amazon EC2 security group
](#scenario-rds-security-group-ec2)
+ [
## Multiple VPC security groups
](#scenario-multiple-vpc-security-groups)
+ [
## Amazon RDS database instance in a VPC security group
](#w2aac11c41c76c15)
## Amazon RDS DB instance resource
This example shows an Amazon RDS DB Instance resource with managed master user password. For more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide* and [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html) in the *Aurora User Guide*. Because the optional `EngineVersion` property isn't specified, the default engine version is used for this DB Instance. For details about the default engine version and other default settings, see [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). The `DBSecurityGroups` property authorizes network ingress to the `AWS::RDS::DBSecurityGroup` resources named `MyDbSecurityByEC2SecurityGroup` and MyDbSecurityByCIDRIPGroup. For details, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). The DB Instance resource also has a `DeletionPolicy` attribute set to `Snapshot`. With the `Snapshot` `DeletionPolicy` set, CloudFormation will take a snapshot of this DB Instance before deleting it during stack deletion.
### JSON
```
1. "MyDB" : {
2. "Type" : "AWS::RDS::DBInstance",
3. "Properties" : {
4. "DBSecurityGroups" : [
5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
6. "AllocatedStorage" : "5",
7. "DBInstanceClass" : "db.t2.small",
8. "Engine" : "MySQL",
9. "MasterUsername" : "MyName",
10. "ManageMasterUserPassword" : true,
11. "MasterUserSecret" : {
12. "KmsKeyId" : {"Ref" : "KMSKey"}
13. }
14. },
15. "DeletionPolicy" : "Snapshot"
16. }
```
### YAML
```
1. MyDB:
2. Type: AWS::RDS::DBInstance
3. Properties:
4. DBSecurityGroups:
5. - Ref: MyDbSecurityByEC2SecurityGroup
6. - Ref: MyDbSecurityByCIDRIPGroup
7. AllocatedStorage: '5'
8. DBInstanceClass: db.t2.small
9. Engine: MySQL
10. MasterUsername: MyName
11. ManageMasterUserPassword: true
12. MasterUserSecret:
13. KmsKeyId: !Ref KMSKey
14. DeletionPolicy: Snapshot
```
## Amazon RDS oracle database DB instance resource
This example creates an Oracle Database DB Instance resource with managed master user password. For more information, see [Password management with AWS Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html) in the *Amazon RDS User Guide*. The example specifies the `Engine` as `oracle-ee` with a license model of bring-your-own-license. For details about the settings for Oracle Database DB instances, see [CreateDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html). The DBSecurityGroups property authorizes network ingress to the `AWS::RDS::DBSecurityGroup` resources named MyDbSecurityByEC2SecurityGroup and MyDbSecurityByCIDRIPGroup. For details, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html). The DB Instance resource also has a `DeletionPolicy` attribute set to `Snapshot`. With the `Snapshot` `DeletionPolicy` set, CloudFormation will take a snapshot of this DB Instance before deleting it during stack deletion.
### JSON
```
1. "MyDB" : {
2. "Type" : "AWS::RDS::DBInstance",
3. "Properties" : {
4. "DBSecurityGroups" : [
5. {"Ref" : "MyDbSecurityByEC2SecurityGroup"}, {"Ref" : "MyDbSecurityByCIDRIPGroup"} ],
6. "AllocatedStorage" : "5",
7. "DBInstanceClass" : "db.t2.small",
8. "Engine" : "oracle-ee",
9. "LicenseModel" : "bring-your-own-license",
10. "MasterUsername" : "master",
11. "ManageMasterUserPassword" : true,
12. "MasterUserSecret" : {
13. "KmsKeyId" : {"Ref" : "KMSKey"}
14. }
15. },
16. "DeletionPolicy" : "Snapshot"
17. }
```
### YAML
```
1. MyDB:
2. Type: AWS::RDS::DBInstance
3. Properties:
4. DBSecurityGroups:
5. - Ref: MyDbSecurityByEC2SecurityGroup
6. - Ref: MyDbSecurityByCIDRIPGroup
7. AllocatedStorage: '5'
8. DBInstanceClass: db.t2.small
9. Engine: oracle-ee
10. LicenseModel: bring-your-own-license
11. MasterUsername: master
12. ManageMasterUserPassword: true
13. MasterUserSecret:
14. KmsKeyId: !Ref KMSKey
15. DeletionPolicy: Snapshot
```
## Amazon RDS DBSecurityGroup resource for CIDR range
This example shows an Amazon RDS `DBSecurityGroup` resource with ingress authorization for the specified CIDR range in the format `ddd.ddd.ddd.ddd/dd`. For details, see [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) and [Ingress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-rds-dbsecuritygroup-ingress.html).
### JSON
```
1. "MyDbSecurityByCIDRIPGroup" : {
2. "Type" : "AWS::RDS::DBSecurityGroup",
3. "Properties" : {
4. "GroupDescription" : "Ingress for CIDRIP",
5. "DBSecurityGroupIngress" : {
6. "CIDRIP" : "192.168.0.0/32"
7. }
8. }
9. }
```
### YAML
```
1. MyDbSecurityByCIDRIPGroup:
2. Type: AWS::RDS::DBSecurityGroup
3. Properties:
4. GroupDescription: Ingress for CIDRIP
5. DBSecurityGroupIngress:
6. CIDRIP: "192.168.0.0/32"
```
## Amazon RDS DBSecurityGroup with an Amazon EC2 security group
This example shows an [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) resource with ingress authorization from an Amazon EC2 security group referenced by `MyEc2SecurityGroup`.
To do this, you define an EC2 security group and then use the intrinsic `Ref` function to refer to the EC2 security group within your `DBSecurityGroup`.
### JSON
```
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MasterUsername" : { "Ref" : "DBUsername" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"DBSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ],
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" }
}
},
"DBSecurityGroup": {
"Type": "AWS::RDS::DBSecurityGroup",
"Properties": {
"DBSecurityGroupIngress": {
"EC2SecurityGroupName": {
"Fn::GetAtt": ["WebServerSecurityGroup", "GroupName"]
}
},
"GroupDescription" : "Frontend Access"
}
},
"WebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable HTTP access via port 80 and SSH access",
"SecurityGroupIngress" : [
{"IpProtocol" : "tcp", "FromPort" : 80, "ToPort" : 80, "CidrIp" : "0.0.0.0/0"},
{"IpProtocol" : "tcp", "FromPort" : 22, "ToPort" : 22, "CidrIp" : "0.0.0.0/0"}
]
}
}
```
### YAML
This example is extracted from the following full example: [Drupal\$1Single\$1Instance\$1With\$1RDS.template](https://s3.amazonaws.com/cloudformation-templates-us-east-1/Drupal_Single_Instance_With_RDS.template)
```
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MasterUsername:
Ref: DBUsername
DBInstanceClass:
Ref: DBClass
DBSecurityGroups:
- Ref: DBSecurityGroup
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
DBSecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
DBSecurityGroupIngress:
EC2SecurityGroupName:
Ref: WebServerSecurityGroup
GroupDescription: Frontend Access
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP access via port 80 and SSH access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
```
## Multiple VPC security groups
This example shows an [AWS::RDS::DBSecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroup.html) resource with ingress authorization for multiple Amazon EC2 VPC security groups in [AWS::RDS::DBSecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbsecuritygroupingress.html).
### JSON
```
{
"Resources" : {
"DBinstance" : {
"Type" : "AWS::RDS::DBInstance",
"Properties" : {
"AllocatedStorage" : "5",
"DBInstanceClass" : "db.t2.small",
"DBName" : {"Ref": "MyDBName" },
"DBSecurityGroups" : [ { "Ref" : "DbSecurityByEC2SecurityGroup" } ],
"DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
"Engine" : "MySQL",
"MasterUserPassword": { "Ref" : "MyDBPassword" },
"MasterUsername" : { "Ref" : "MyDBUsername" }
},
"DeletionPolicy" : "Snapshot"
},
"DbSecurityByEC2SecurityGroup" : {
"Type" : "AWS::RDS::DBSecurityGroup",
"Properties" : {
"GroupDescription" : "Ingress for Amazon EC2 security group",
"EC2VpcId" : { "Ref" : "MyVPC" },
"DBSecurityGroupIngress" : [ {
"EC2SecurityGroupId" : "sg-b0ff1111",
"EC2SecurityGroupOwnerId" : "111122223333"
}, {
"EC2SecurityGroupId" : "sg-ffd722222",
"EC2SecurityGroupOwnerId" : "111122223333"
} ]
}
}
}
}
```
### YAML
```
Resources:
DBinstance:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage: '5'
DBInstanceClass: db.t2.small
DBName:
Ref: MyDBName
DBSecurityGroups:
- Ref: DbSecurityByEC2SecurityGroup
DBSubnetGroupName:
Ref: MyDBSubnetGroup
Engine: MySQL
MasterUserPassword:
Ref: MyDBPassword
MasterUsername:
Ref: MyDBUsername
DeletionPolicy: Snapshot
DbSecurityByEC2SecurityGroup:
Type: AWS::RDS::DBSecurityGroup
Properties:
GroupDescription: Ingress for Amazon EC2 security group
EC2VpcId:
Ref: MyVPC
DBSecurityGroupIngress:
- EC2SecurityGroupId: sg-b0ff1111
EC2SecurityGroupOwnerId: '111122223333'
- EC2SecurityGroupId: sg-ffd722222
EC2SecurityGroupOwnerId: '111122223333'
```
## Amazon RDS database instance in a VPC security group
This example shows an Amazon RDS database instance associated with an Amazon EC2 VPC security group.
### JSON
```
{
"DBEC2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription": "Open database for access",
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : 3306,
"ToPort" : 3306,
"SourceSecurityGroupName" : { "Ref" : "WebServerSecurityGroup" }
}]
}
},
"DBInstance" : {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName" : { "Ref" : "DBName" },
"Engine" : "MySQL",
"MultiAZ" : { "Ref": "MultiAZDatabase" },
"MasterUsername" : { "Ref" : "DBUser" },
"DBInstanceClass" : { "Ref" : "DBClass" },
"AllocatedStorage" : { "Ref" : "DBAllocatedStorage" },
"MasterUserPassword": { "Ref" : "DBPassword" },
"VPCSecurityGroups" : [ { "Fn::GetAtt": [ "DBEC2SecurityGroup", "GroupId" ] } ]
}
}
}
```
### YAML
```
DBEC2SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Open database for access
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 3306
ToPort: 3306
SourceSecurityGroupName:
Ref: WebServerSecurityGroup
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName:
Ref: DBName
Engine: MySQL
MultiAZ:
Ref: MultiAZDatabase
MasterUsername:
Ref: DBUser
DBInstanceClass:
Ref: DBClass
AllocatedStorage:
Ref: DBAllocatedStorage
MasterUserPassword:
Ref: DBPassword
VPCSecurityGroups:
- !GetAtt DBEC2SecurityGroup.GroupId
```
# Route 53 template snippets
**Topics**
+ [
## Amazon Route 53 resource record set using hosted zone name or ID
](#scenario-route53-recordset-by-host)
+ [
## Using RecordSetGroup to set up weighted resource record sets
](#scenario-recordsetgroup-weighted)
+ [
## Using RecordSetGroup to set up an alias resource record set
](#scenario-recordsetgroup-zoneapex)
+ [
## Alias resource record set for a CloudFront distribution
](#scenario-user-friendly-url-for-cloudfront-distribution)
## Amazon Route 53 resource record set using hosted zone name or ID
When you create an Amazon Route 53 resource record set, you must specify the hosted zone where you want to add it. CloudFormation provides two ways to specify a hosted zone:
+ You can explicitly specify the hosted zone using the `HostedZoneId` property.
+ You can have CloudFormation find the hosted zone using the `HostedZoneName` property. If you use the `HostedZoneName` property and there are multiple hosted zones with the same name, CloudFormation doesn't create the stack.
### Adding RecordSet using HostedZoneId
This example adds an Amazon Route 53 resource record set containing an `SPF` record for the domain name `mysite.example.com` that uses the `HostedZoneId` property to specify the hosted zone.
#### JSON
```
1. "myDNSRecord" : {
2. "Type" : "AWS::Route53::RecordSet",
3. "Properties" :
4. {
5. "HostedZoneId" : "Z3DG6IL3SJCGPX",
6. "Name" : "mysite.example.com.",
7. "Type" : "SPF",
8. "TTL" : "900",
9. "ResourceRecords" : [ "\"v=spf1 ip4:192.168.0.1/16 -all\"" ]
10. }
11. }
```
#### YAML
```
1. myDNSRecord:
2. Type: AWS::Route53::RecordSet
3. Properties:
4. HostedZoneId: Z3DG6IL3SJCGPX
5. Name: mysite.example.com.
6. Type: SPF
7. TTL: '900'
8. ResourceRecords:
9. - '"v=spf1 ip4:192.168.0.1/16 -all"'
```
### Adding RecordSet using HostedZoneName
This example adds an Amazon Route 53 resource record set for the domain name "mysite.example.com" using the `HostedZoneName` property to specify the hosted zone.
#### JSON
```
1. "myDNSRecord2" : {
2. "Type" : "AWS::Route53::RecordSet",
3. "Properties" : {
4. "HostedZoneName" : "example.com.",
5. "Name" : "mysite.example.com.",
6. "Type" : "A",
7. "TTL" : "900",
8. "ResourceRecords" : [
9. "192.168.0.1",
10. "192.168.0.2"
11. ]
12. }
13. }
```
#### YAML
```
1. myDNSRecord2:
2. Type: AWS::Route53::RecordSet
3. Properties:
4. HostedZoneName: example.com.
5. Name: mysite.example.com.
6. Type: A
7. TTL: '900'
8. ResourceRecords:
9. - 192.168.0.1
10. - 192.168.0.2
```
## Using RecordSetGroup to set up weighted resource record sets
This example uses an [AWS::Route53::RecordSetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) to set up two CNAME records for the "example.com." hosted zone. The `RecordSets` property contains the CNAME record sets for the "mysite.example.com" DNS name. Each record set contains an identifier (`SetIdentifier`) and weight (`Weight`). The proportion of internet traffic that's routed to the resources is based on the following calculations:
+ `Frontend One`: `140/(140+60)` = `140/200` = 70%
+ `Frontend Two`: `60/(140+60)` = `60/200` = 30%
For more information about weighted resource record sets, see [Weighted routing](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html) in the *Amazon Route 53 Developer Guide*.
### JSON
```
1. "myDNSOne" : {
2. "Type" : "AWS::Route53::RecordSetGroup",
3. "Properties" : {
4. "HostedZoneName" : "example.com.",
5. "Comment" : "Weighted RR for my frontends.",
6. "RecordSets" : [
7. {
8. "Name" : "mysite.example.com.",
9. "Type" : "CNAME",
10. "TTL" : "900",
11. "SetIdentifier" : "Frontend One",
12. "Weight" : "140",
13. "ResourceRecords" : ["example-ec2.amazonaws.com"]
14. },
15. {
16. "Name" : "mysite.example.com.",
17. "Type" : "CNAME",
18. "TTL" : "900",
19. "SetIdentifier" : "Frontend Two",
20. "Weight" : "60",
21. "ResourceRecords" : ["example-ec2-larger.amazonaws.com"]
22. }
23. ]
24. }
25. }
```
### YAML
```
1. myDNSOne:
2. Type: AWS::Route53::RecordSetGroup
3. Properties:
4. HostedZoneName: example.com.
5. Comment: Weighted RR for my frontends.
6. RecordSets:
7. - Name: mysite.example.com.
8. Type: CNAME
9. TTL: '900'
10. SetIdentifier: Frontend One
11. Weight: '140'
12. ResourceRecords:
13. - example-ec2.amazonaws.com
14. - Name: mysite.example.com.
15. Type: CNAME
16. TTL: '900'
17. SetIdentifier: Frontend Two
18. Weight: '60'
19. ResourceRecords:
20. - example-ec2-larger.amazonaws.com
```
## Using RecordSetGroup to set up an alias resource record set
The following examples use an [AWS::Route53::RecordSetGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-route53-recordsetgroup.html) to set up an alias resource record set named `example.com` that routes traffic to an ELB Version 1 (Classic) load balancer and a Version 2 (Application or Network) load balancer. The [AliasTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-route53-recordset-aliastarget.html) property specifies the hosted zone ID and DNS name for the `myELB` `LoadBalancer` by using the `GetAtt` intrinsic function. `GetAtt` retrieves different properties of `myELB` resource, depending on whether you're routing traffic to a Version 1 or Version 2 load balancer:
+ Version 1 load balancer: `CanonicalHostedZoneNameID` and `DNSName`
+ Version 2 load balancer: `CanonicalHostedZoneID` and `DNSName`
For more information about alias resource record sets, see [Choosing between alias and non-alias records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html) in the *Route 53 Developer Guide*.
### JSON for version 1 load balancer
```
1. "myELB" : {
2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
3. "Properties" : {
4. "AvailabilityZones" : [ "us-east-1a" ],
5. "Listeners" : [ {
6. "LoadBalancerPort" : "80",
7. "InstancePort" : "80",
8. "Protocol" : "HTTP"
9. } ]
10. }
11. },
12. "myDNS" : {
13. "Type" : "AWS::Route53::RecordSetGroup",
14. "Properties" : {
15. "HostedZoneName" : "example.com.",
16. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
17. "RecordSets" : [
18. {
19. "Name" : "example.com.",
20. "Type" : "A",
21. "AliasTarget" : {
22. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneNameID"] },
23. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
24. }
25. }
26. ]
27. }
28. }
```
### YAML for version 1 load balancer
```
1. myELB:
2. Type: AWS::ElasticLoadBalancing::LoadBalancer
3. Properties:
4. AvailabilityZones:
5. - "us-east-1a"
6. Listeners:
7. - LoadBalancerPort: '80'
8. InstancePort: '80'
9. Protocol: HTTP
10. myDNS:
11. Type: AWS::Route53::RecordSetGroup
12. Properties:
13. HostedZoneName: example.com.
14. Comment: Zone apex alias targeted to myELB LoadBalancer.
15. RecordSets:
16. - Name: example.com.
17. Type: A
18. AliasTarget:
19. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneNameID'
20. DNSName: !GetAtt 'myELB.DNSName'
```
### JSON for version 2 load balancer
```
1. "myELB" : {
2. "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
3. "Properties" : {
4. "Subnets" : [
5. {"Ref": "SubnetAZ1"},
6. {"Ref" : "SubnetAZ2"}
7. ]
8. }
9. },
10. "myDNS" : {
11. "Type" : "AWS::Route53::RecordSetGroup",
12. "Properties" : {
13. "HostedZoneName" : "example.com.",
14. "Comment" : "Zone apex alias targeted to myELB LoadBalancer.",
15. "RecordSets" : [
16. {
17. "Name" : "example.com.",
18. "Type" : "A",
19. "AliasTarget" : {
20. "HostedZoneId" : { "Fn::GetAtt" : ["myELB", "CanonicalHostedZoneID"] },
21. "DNSName" : { "Fn::GetAtt" : ["myELB","DNSName"] }
22. }
23. }
24. ]
25. }
26. }
```
### YAML for version 2 load balancer
```
1. myELB:
2. Type: AWS::ElasticLoadBalancingV2::LoadBalancer
3. Properties:
4. Subnets:
5. - Ref: SubnetAZ1
6. - Ref: SubnetAZ2
7. myDNS:
8. Type: AWS::Route53::RecordSetGroup
9. Properties:
10. HostedZoneName: example.com.
11. Comment: Zone apex alias targeted to myELB LoadBalancer.
12. RecordSets:
13. - Name: example.com.
14. Type: A
15. AliasTarget:
16. HostedZoneId: !GetAtt 'myELB.CanonicalHostedZoneID'
17. DNSName: !GetAtt 'myELB.DNSName'
```
## Alias resource record set for a CloudFront distribution
The following example creates an alias A record that points a custom domain name to an existing CloudFront distribution. `myHostedZoneID` is assumed to be either a reference to an actual `AWS::Route53::HostedZone` resource in the same template or a parameter. `myCloudFrontDistribution` refers to an `AWS::CloudFront::Distribution` resource within the same template. The alias record uses the standard CloudFront hosted zone ID (`Z2FDTNDATAQYW2`) and automatically resolves the distribution’s domain name using `Fn::GetAtt`. This setup allows web traffic to be routed from the custom domain to the CloudFront distribution without requiring an IP address.
**Note**
When you create alias resource record sets, you must specify `Z2FDTNDATAQYW2` for the `HostedZoneId` property. Alias resource record sets for CloudFront can't be created in a private zone.
### JSON
```
1. {
2. "myDNS": {
3. "Type": "AWS::Route53::RecordSetGroup",
4. "Properties": {
5. "HostedZoneId": {
6. "Ref": "myHostedZoneID"
7. },
8. "RecordSets": [
9. {
10. "Name": {
11. "Ref": "myRecordSetDomainName"
12. },
13. "Type": "A",
14. "AliasTarget": {
15. "HostedZoneId": "Z2FDTNDATAQYW2",
16. "DNSName": {
17. "Fn::GetAtt": [
18. "myCloudFrontDistribution",
19. "DomainName"
20. ]
21. },
22. "EvaluateTargetHealth": false
23. }
24. }
25. ]
26. }
27. }
28. }
```
### YAML
```
1. myDNS:
2. Type: AWS::Route53::RecordSetGroup
3. Properties:
4. HostedZoneId: !Ref myHostedZoneID
5. RecordSets:
6. - Name: !Ref myRecordSetDomainName
7. Type: A
8. AliasTarget:
9. HostedZoneId: Z2FDTNDATAQYW2
10. DNSName: !GetAtt
11. - myCloudFrontDistribution
12. - DomainName
13. EvaluateTargetHealth: false
```
# Amazon S3 template snippets
Use these Amazon S3 sample templates to help describe your Amazon S3 buckets with CloudFormation. For more examples, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html#aws-resource-s3-bucket--examples) section in the `AWS::S3::Bucket` resource.
**Topics**
+ [
## Creating an Amazon S3 bucket with defaults
](#scenario-s3-bucket)
+ [
## Creating an Amazon S3 bucket for website hosting and with a `DeletionPolicy`
](#scenario-s3-bucket-website)
+ [
## Creating a static website using a custom domain
](#scenario-s3-bucket-website-customdomain)
## Creating an Amazon S3 bucket with defaults
This example uses a [AWS::S3::Bucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucket.html) to create a bucket with default settings.
### JSON
```
1. "myS3Bucket" : {
2. "Type" : "AWS::S3::Bucket"
3. }
```
### YAML
```
1. MyS3Bucket:
2. Type: AWS::S3::Bucket
```
## Creating an Amazon S3 bucket for website hosting and with a `DeletionPolicy`
This example creates a bucket as a website and disables Block Public Access (public read permissions are required for buckets set up for website hosting). A public bucket policy is then added to the bucket. Because this bucket resource has a `DeletionPolicy` attribute set to `Retain`, CloudFormation will not delete this bucket when it deletes the stack. The `Output` section uses `Fn::GetAtt` to retrieve the `WebsiteURL` attribute and `DomainName` attribute of the `S3Bucket` resource.
**Note**
The following examples assume the `BlockPublicPolicy` and `RestrictPublicBuckets` Block Public Access settings have been disabled at the account level.
### JSON
```
1. {
2. "AWSTemplateFormatVersion": "2010-09-09",
3. "Resources": {
4. "S3Bucket": {
5. "Type": "AWS::S3::Bucket",
6. "Properties": {
7. "PublicAccessBlockConfiguration": {
8. "BlockPublicAcls": false,
9. "BlockPublicPolicy": false,
10. "IgnorePublicAcls": false,
11. "RestrictPublicBuckets": false
12. },
13. "WebsiteConfiguration": {
14. "IndexDocument": "index.html",
15. "ErrorDocument": "error.html"
16. }
17. },
18. "DeletionPolicy": "Retain",
19. "UpdateReplacePolicy": "Retain"
20. },
21. "BucketPolicy": {
22. "Type": "AWS::S3::BucketPolicy",
23. "Properties": {
24. "PolicyDocument": {
25. "Id": "MyPolicy",
26. "Version": "2012-10-17",
27. "Statement": [
28. {
29. "Sid": "PublicReadForGetBucketObjects",
30. "Effect": "Allow",
31. "Principal": "*",
32. "Action": "s3:GetObject",
33. "Resource": {
34. "Fn::Join": [
35. "",
36. [
37. "arn:aws:s3:::",
38. {
39. "Ref": "S3Bucket"
40. },
41. "/*"
42. ]
43. ]
44. }
45. }
46. ]
47. },
48. "Bucket": {
49. "Ref": "S3Bucket"
50. }
51. }
52. }
53. },
54. "Outputs": {
55. "WebsiteURL": {
56. "Value": {
57. "Fn::GetAtt": [
58. "S3Bucket",
59. "WebsiteURL"
60. ]
61. },
62. "Description": "URL for website hosted on S3"
63. },
64. "S3BucketSecureURL": {
65. "Value": {
66. "Fn::Join": [
67. "",
68. [
69. "https://",
70. {
71. "Fn::GetAtt": [
72. "S3Bucket",
73. "DomainName"
74. ]
75. }
76. ]
77. ]
78. },
79. "Description": "Name of S3 bucket to hold website content"
80. }
81. }
82. }
```
### YAML
```
1. AWSTemplateFormatVersion: 2010-09-09
2. Resources:
3. S3Bucket:
4. Type: AWS::S3::Bucket
5. Properties:
6. PublicAccessBlockConfiguration:
7. BlockPublicAcls: false
8. BlockPublicPolicy: false
9. IgnorePublicAcls: false
10. RestrictPublicBuckets: false
11. WebsiteConfiguration:
12. IndexDocument: index.html
13. ErrorDocument: error.html
14. DeletionPolicy: Retain
15. UpdateReplacePolicy: Retain
16. BucketPolicy:
17. Type: AWS::S3::BucketPolicy
18. Properties:
19. PolicyDocument:
20. Id: MyPolicy
21. Version: 2012-10-17
22. Statement:
23. - Sid: PublicReadForGetBucketObjects
24. Effect: Allow
25. Principal: '*'
26. Action: 's3:GetObject'
27. Resource: !Join
28. - ''
29. - - 'arn:aws:s3:::'
30. - !Ref S3Bucket
31. - /*
32. Bucket: !Ref S3Bucket
33. Outputs:
34. WebsiteURL:
35. Value: !GetAtt
36. - S3Bucket
37. - WebsiteURL
38. Description: URL for website hosted on S3
39. S3BucketSecureURL:
40. Value: !Join
41. - ''
42. - - 'https://'
43. - !GetAtt
44. - S3Bucket
45. - DomainName
46. Description: Name of S3 bucket to hold website content
```
## Creating a static website using a custom domain
You can use Route 53 with a registered domain. The following sample assumes that you have already created a hosted zone in Route 53 for your domain. The example creates two buckets for website hosting. The root bucket hosts the content, and the other bucket redirects `www.domainname.com` requests to the root bucket. The record sets map your domain name to Amazon S3 endpoints.
You will also need to add a bucket policy, as shown in the examples above.
For more information about using a custom domain, see [Tutorial: Configuring a static website using a custom domain registered with Route 53](https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html) in the *Amazon Simple Storage Service User Guide*.
**Note**
The following examples assume the `BlockPublicPolicy` and `RestrictPublicBuckets` Block Public Access settings have been disabled at the account level.
### JSON
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Mappings" : {
"RegionMap" : {
"us-east-1" : { "S3hostedzoneID" : "Z3AQBSTGFYJSTF", "websiteendpoint" : "s3-website-us-east-1.amazonaws.com" },
"us-west-1" : { "S3hostedzoneID" : "Z2F56UZL2M1ACD", "websiteendpoint" : "s3-website-us-west-1.amazonaws.com" },
"us-west-2" : { "S3hostedzoneID" : "Z3BJ6K6RIION7M", "websiteendpoint" : "s3-website-us-west-2.amazonaws.com" },
"eu-west-1" : { "S3hostedzoneID" : "Z1BKCTXD74EZPE", "websiteendpoint" : "s3-website-eu-west-1.amazonaws.com" },
"ap-southeast-1" : { "S3hostedzoneID" : "Z3O0J2DXBE1FTB", "websiteendpoint" : "s3-website-ap-southeast-1.amazonaws.com" },
"ap-southeast-2" : { "S3hostedzoneID" : "Z1WCIGYICN2BYD", "websiteendpoint" : "s3-website-ap-southeast-2.amazonaws.com" },
"ap-northeast-1" : { "S3hostedzoneID" : "Z2M4EHUR26P7ZW", "websiteendpoint" : "s3-website-ap-northeast-1.amazonaws.com" },
"sa-east-1" : { "S3hostedzoneID" : "Z31GFT0UA1I2HV", "websiteendpoint" : "s3-website-sa-east-1.amazonaws.com" }
}
},
"Parameters": {
"RootDomainName": {
"Description": "Domain name for your website (example.com)",
"Type": "String"
}
},
"Resources": {
"RootBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName" : {"Ref":"RootDomainName"},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false
},
"WebsiteConfiguration": {
"IndexDocument":"index.html",
"ErrorDocument":"404.html"
}
}
},
"WWWBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"AccessControl": "BucketOwnerFullControl",
"WebsiteConfiguration": {
"RedirectAllRequestsTo": {
"HostName": {"Ref": "RootBucket"}
}
}
}
},
"myDNS": {
"Type": "AWS::Route53::RecordSetGroup",
"Properties": {
"HostedZoneName": {
"Fn::Join": ["", [{"Ref": "RootDomainName"}, "."]]
},
"Comment": "Zone apex alias.",
"RecordSets": [
{
"Name": {"Ref": "RootDomainName"},
"Type": "A",
"AliasTarget": {
"HostedZoneId": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "S3hostedzoneID"]},
"DNSName": {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "websiteendpoint"]}
}
},
{
"Name": {
"Fn::Join": ["", ["www.", {"Ref":"RootDomainName"}]]
},
"Type": "CNAME",
"TTL" : "900",
"ResourceRecords" : [
{"Fn::GetAtt":["WWWBucket", "DomainName"]}
]
}
]
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": {"Fn::GetAtt": ["RootBucket", "WebsiteURL"]},
"Description": "URL for website hosted on S3"
}
}
}
```
### YAML
```
Parameters:
RootDomainName:
Description: Domain name for your website (example.com)
Type: String
Mappings:
RegionMap:
us-east-1:
S3hostedzoneID: Z3AQBSTGFYJSTF
websiteendpoint: s3-website-us-east-1.amazonaws.com
us-west-1:
S3hostedzoneID: Z2F56UZL2M1ACD
websiteendpoint: s3-website-us-west-1.amazonaws.com
us-west-2:
S3hostedzoneID: Z3BJ6K6RIION7M
websiteendpoint: s3-website-us-west-2.amazonaws.com
eu-west-1:
S3hostedzoneID: Z1BKCTXD74EZPE
websiteendpoint: s3-website-eu-west-1.amazonaws.com
ap-southeast-1:
S3hostedzoneID: Z3O0J2DXBE1FTB
websiteendpoint: s3-website-ap-southeast-1.amazonaws.com
ap-southeast-2:
S3hostedzoneID: Z1WCIGYICN2BYD
websiteendpoint: s3-website-ap-southeast-2.amazonaws.com
ap-northeast-1:
S3hostedzoneID: Z2M4EHUR26P7ZW
websiteendpoint: s3-website-ap-northeast-1.amazonaws.com
sa-east-1:
S3hostedzoneID: Z31GFT0UA1I2HV
websiteendpoint: s3-website-sa-east-1.amazonaws.com
Resources:
RootBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref RootDomainName
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: false
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: 404.html
WWWBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
AccessControl: BucketOwnerFullControl
WebsiteConfiguration:
RedirectAllRequestsTo:
HostName: !Ref RootBucket
myDNS:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: !Sub
- ${Domain}.
- Domain: !Ref RootDomainName
Comment: Zone apex alias.
RecordSets:
- Name: !Ref RootDomainName
Type: A
AliasTarget:
HostedZoneId: !FindInMap [ RegionMap, !Ref 'AWS::Region', S3hostedzoneID]
DNSName: !FindInMap [ RegionMap, !Ref 'AWS::Region', websiteendpoint]
- Name: !Sub
- www.${Domain}
- Domain: !Ref RootDomainName
Type: CNAME
TTL: 900
ResourceRecords:
- !GetAtt WWWBucket.DomainName
Outputs:
WebsiteURL:
Value: !GetAtt RootBucket.WebsiteURL
Description: URL for website hosted on S3
```
# Amazon SNS template snippets
This example shows an Amazon SNS topic resource. It requires a valid email address.
## JSON
```
1. "MySNSTopic" : {
2. "Type" : "AWS::SNS::Topic",
3. "Properties" : {
4. "Subscription" : [ {
5. "Endpoint" : "add valid email address",
6. "Protocol" : "email"
7. } ]
8. }
9. }
```
## YAML
```
1. MySNSTopic:
2. Type: AWS::SNS::Topic
3. Properties:
4. Subscription:
5. - Endpoint: "add valid email address"
6. Protocol: email
```
# Amazon SQS template snippets
This example shows an Amazon SQS queue.
## JSON
```
1. "MyQueue" : {
2. "Type" : "AWS::SQS::Queue",
3. "Properties" : {
4. "VisibilityTimeout" : "value"
5. }
6. }
```
## YAML
```
1. MyQueue:
2. Type: AWS::SQS::Queue
3. Properties:
4. VisibilityTimeout: value
```
# Amazon Timestream template snippets
Amazon Timestream for InfluxDB makes it easy for application developers and DevOps teams to run fully managed InfluxDB databases on AWS for real-time time-series applications using open-source APIs. You can quickly create an InfluxDB database that handles demanding time- series workloads. With a few simple API calls, you can set up, migrate, operate, and scale an InfluxDB database on AWS with automated software patching, backups, and recovery. You can also find these samples at [awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb](https://github.com/awslabs/amazon-timestream-tools/tree/mainline/integrations/cloudformation/timestream-influxdb) on GitHub.
**Topics**
+ [
## Minimal sample using default values
](#scenario-timestream-influxdb-example-1)
+ [
## More complete example with parameters
](#scenario-timestream-influxdb-example-2)
These CloudFormation templates create the following resources that are needed to successfully create, connect to, and monitor a Amazon Timestream for InfluxDB instance:
**Amazon VPC**
+ `VPC`
+ One or more `Subnet`
+ `InternetGateway`
+ `RouteTable`
+ `SecurityGroup`
**Amazon S3**
+ `Bucket`
**Amazon Timestream**
+ `InfluxDBInstance`
## Minimal sample using default values
This example deploys a multi- AZ and publicly accessible instance using default values when possible.
### JSON
```
{
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "Amazon Timestream for InfluxDB Configuration"},
"Parameters": [
"DbInstanceName",
"InfluxDBPassword"
]
}
],
"ParameterLabels": {
"VPCCIDR": {"default": "VPC CIDR"}
}
}
},
"Parameters": {
"DbInstanceName": {
"Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.",
"Type": "String",
"Default": "mydbinstance",
"MinLength": 3,
"MaxLength": 40,
"AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$"
},
"InfluxDBPassword": {
"Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.",
"Type": "String",
"NoEcho": true,
"MinLength": 8,
"MaxLength": 64,
"AllowedPattern": "^[a-zA-Z0-9]+$"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {"CidrBlock": "10.0.0.0/16"}
},
"InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
0,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
0,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": true
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
1,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
1,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": true
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"DefaultRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": "InternetGatewayAttachment",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
}
},
"Subnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet1"}
}
},
"Subnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet2"}
}
},
"InfluxDBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "influxdb-sg",
"GroupDescription": "Security group allowing port 8086 ingress for InfluxDB",
"VpcId": {"Ref": "VPC"}
}
},
"InfluxDBSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {"Ref": "InfluxDBSecurityGroup"},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 8086,
"ToPort": 8086
}
},
"InfluxDBLogsS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"InfluxDBLogsS3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "InfluxDBLogsS3Bucket"},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"},
"Principal": {"Service": "timestream-influxdb.amazonaws.com"}
},
{
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"},
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"}
],
"Principal": "*",
"Condition": {
"Bool": {"aws:SecureTransport": false}
}
}
]
}
}
},
"DbInstance": {
"Type": "AWS::Timestream::InfluxDBInstance",
"DependsOn": "InfluxDBLogsS3BucketPolicy",
"Properties": {
"AllocatedStorage": 20,
"DbInstanceType": "db.influx.medium",
"Name": {"Ref": "DbInstanceName"},
"Password": {"Ref": "InfluxDBPassword"},
"PubliclyAccessible": true,
"DeploymentType": "WITH_MULTIAZ_STANDBY",
"VpcSecurityGroupIds": [
{"Ref": "InfluxDBSecurityGroup"}
],
"VpcSubnetIds": [
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
],
"LogDeliveryConfiguration": {
"S3Configuration": {
"BucketName": {"Ref": "InfluxDBLogsS3Bucket"},
"Enabled": true
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the VPC used to create network resources",
"Value": {"Ref": "VPC"}
},
"Subnets": {
"Description": "A list of the subnets created",
"Value": {
"Fn::Join": [
",",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
]
]
}
},
"Subnet1": {
"Description": "A reference to the subnet in the 1st Availability Zone",
"Value": {"Ref": "Subnet1"}
},
"Subnet2": {
"Description": "A reference to the subnet in the 2nd Availability Zone",
"Value": {"Ref": "Subnet2"}
},
"InfluxDBSecurityGroup": {
"Description": "Security group with port 8086 ingress rule",
"Value": {"Ref": "InfluxDBSecurityGroup"}
},
"InfluxDBLogsS3Bucket": {
"Description": "S3 Bucket containing InfluxDB logs from the DB instance",
"Value": {"Ref": "InfluxDBLogsS3Bucket"}
},
"DbInstance": {
"Description": "A reference to the Timestream for InfluxDB DB instance",
"Value": {"Ref": "DbInstance"}
},
"InfluxAuthParametersSecretArn": {
"Description": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.",
"Value": {
"Fn::GetAtt": [
"DbInstance",
"InfluxAuthParametersSecretArn"
]
}
},
"Endpoint": {
"Description": "The endpoint URL to connect to InfluxDB",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"DbInstance",
"Endpoint"
]
},
":8086"
]
]
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Amazon Timestream for InfluxDB Configuration"
Parameters:
- DbInstanceName
- InfluxDBPassword
ParameterLabels:
VPCCIDR:
default: VPC CIDR
Parameters:
DbInstanceName:
Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.
Type: String
Default: mydbinstance
MinLength: 3
MaxLength: 40
AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$
InfluxDBPassword:
Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.
Type: String
NoEcho: true
MinLength: 8
MaxLength: 64
AllowedPattern: ^[a-zA-Z0-9]+$
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
InternetGateway:
Type: AWS::EC2::InternetGateway
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: true
Subnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: true
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
DefaultRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref RouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
Subnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet1
Subnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet2
InfluxDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "influxdb-sg"
GroupDescription: "Security group allowing port 8086 ingress for InfluxDB"
VpcId: !Ref VPC
InfluxDBSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref InfluxDBSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 8086
ToPort: 8086
InfluxDBLogsS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
InfluxDBLogsS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref InfluxDBLogsS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: "s3:PutObject"
Effect: Allow
Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*
Principal:
Service: timestream-influxdb.amazonaws.com
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/*
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
DbInstance:
Type: AWS::Timestream::InfluxDBInstance
DependsOn: InfluxDBLogsS3BucketPolicy
Properties:
AllocatedStorage: 20
DbInstanceType: db.influx.medium
Name: !Ref DbInstanceName
Password: !Ref InfluxDBPassword
PubliclyAccessible: true
DeploymentType: WITH_MULTIAZ_STANDBY
VpcSecurityGroupIds:
- !Ref InfluxDBSecurityGroup
VpcSubnetIds:
- !Ref Subnet1
- !Ref Subnet2
LogDeliveryConfiguration:
S3Configuration:
BucketName: !Ref InfluxDBLogsS3Bucket
Enabled: true
Outputs:
# Network Resources
VPC:
Description: A reference to the VPC used to create network resources
Value: !Ref VPC
Subnets:
Description: A list of the subnets created
Value: !Join [",", [!Ref Subnet1, !Ref Subnet2]]
Subnet1:
Description: A reference to the subnet in the 1st Availability Zone
Value: !Ref Subnet1
Subnet2:
Description: A reference to the subnet in the 2nd Availability Zone
Value: !Ref Subnet2
InfluxDBSecurityGroup:
Description: Security group with port 8086 ingress rule
Value: !Ref InfluxDBSecurityGroup
# Timestream for InfluxDB Resources
InfluxDBLogsS3Bucket:
Description: S3 Bucket containing InfluxDB logs from the DB instance
Value: !Ref InfluxDBLogsS3Bucket
DbInstance:
Description: A reference to the Timestream for InfluxDB DB instance
Value: !Ref DbInstance
InfluxAuthParametersSecretArn:
Description: "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password."
Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn
Endpoint:
Description: The endpoint URL to connect to InfluxDB
Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]]
```
## More complete example with parameters
This example template dynamically alters the network resources based on the parameters provided. Parameters include `PubliclyAccessible` and `DeploymentType`.
### JSON
```
{
"Metadata": {
"AWS::CloudFormation::Interface": {
"ParameterGroups": [
{
"Label": {"default": "Network Configuration"},
"Parameters": ["VPCCIDR"]
},
{
"Label": {"default": "Amazon Timestream for InfluxDB Configuration"},
"Parameters": [
"DbInstanceName",
"InfluxDBUsername",
"InfluxDBPassword",
"InfluxDBOrganization",
"InfluxDBBucket",
"DbInstanceType",
"DbStorageType",
"AllocatedStorage",
"PubliclyAccessible",
"DeploymentType"
]
}
],
"ParameterLabels": {
"VPCCIDR": {"default": "VPC CIDR"}
}
}
},
"Parameters": {
"VPCCIDR": {
"Description": "Please enter the IP range (CIDR notation) for the new VPC",
"Type": "String",
"Default": "10.0.0.0/16"
},
"DbInstanceName": {
"Description": "The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.",
"Type": "String",
"Default": "mydbinstance",
"MinLength": 3,
"MaxLength": 40,
"AllowedPattern": "^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$"
},
"InfluxDBUsername": {
"Description": "The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.",
"Type": "String",
"Default": "admin",
"MinLength": 1,
"MaxLength": 64
},
"InfluxDBPassword": {
"Description": "The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.",
"Type": "String",
"NoEcho": true,
"MinLength": 8,
"MaxLength": 64,
"AllowedPattern": "^[a-zA-Z0-9]+$"
},
"InfluxDBOrganization": {
"Description": "The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.",
"Type": "String",
"Default": "org",
"MinLength": 1,
"MaxLength": 64
},
"InfluxDBBucket": {
"Description": "The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.",
"Type": "String",
"Default": "bucket",
"MinLength": 2,
"MaxLength": 64,
"AllowedPattern": "^[^_\\\"][^\\\"]*$"
},
"DeploymentType": {
"Description": "Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability",
"Type": "String",
"Default": "WITH_MULTIAZ_STANDBY",
"AllowedValues": [
"SINGLE_AZ",
"WITH_MULTIAZ_STANDBY"
]
},
"AllocatedStorage": {
"Description": "The amount of storage to allocate for your DB storage type in GiB (gibibytes).",
"Type": "Number",
"Default": 400,
"MinValue": 20,
"MaxValue": 16384
},
"DbInstanceType": {
"Description": "The Timestream for InfluxDB DB instance type to run InfluxDB on.",
"Type": "String",
"Default": "db.influx.medium",
"AllowedValues": [
"db.influx.medium",
"db.influx.large",
"db.influx.xlarge",
"db.influx.2xlarge",
"db.influx.4xlarge",
"db.influx.8xlarge",
"db.influx.12xlarge",
"db.influx.16xlarge"
]
},
"DbStorageType": {
"Description": "The Timestream for InfluxDB DB storage type to read and write InfluxDB data.",
"Type": "String",
"Default": "InfluxIOIncludedT1",
"AllowedValues": [
"InfluxIOIncludedT1",
"InfluxIOIncludedT2",
"InfluxIOIncludedT3"
]
},
"PubliclyAccessible": {
"Description": "Configures the DB instance with a public IP to facilitate access.",
"Type": "String",
"Default": true,
"AllowedValues": [
true,
false
]
}
},
"Conditions": {
"IsMultiAZ": {
"Fn::Equals": [
{"Ref": "DeploymentType"},
"WITH_MULTIAZ_STANDBY"
]
},
"IsPublic": {
"Fn::Equals": [
{"Ref": "PubliclyAccessible"},
true
]
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Ref": "VPCCIDR"}
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Condition": "IsPublic"
},
"InternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Condition": "IsPublic",
"Properties": {
"InternetGatewayId": {"Ref": "InternetGateway"},
"VpcId": {"Ref": "VPC"}
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
0,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
0,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": {
"Fn::If": [
"IsPublic",
true,
false
]
}
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Condition": "IsMultiAZ",
"Properties": {
"VpcId": {"Ref": "VPC"},
"AvailabilityZone": {
"Fn::Select": [
1,
{"Fn::GetAZs": ""}
]
},
"CidrBlock": {
"Fn::Select": [
1,
{
"Fn::Cidr": [
{
"Fn::GetAtt": [
"VPC",
"CidrBlock"
]
},
2,
12
]
}
]
},
"MapPublicIpOnLaunch": {
"Fn::If": [
"IsPublic",
true,
false
]
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"DefaultRoute": {
"Type": "AWS::EC2::Route",
"Condition": "IsPublic",
"DependsOn": "InternetGatewayAttachment",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
}
},
"Subnet1RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet1"}
}
},
"Subnet2RouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Condition": "IsMultiAZ",
"Properties": {
"RouteTableId": {"Ref": "RouteTable"},
"SubnetId": {"Ref": "Subnet2"}
}
},
"InfluxDBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupName": "influxdb-sg",
"GroupDescription": "Security group allowing port 8086 ingress for InfluxDB",
"VpcId": {"Ref": "VPC"}
}
},
"InfluxDBSecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {"Ref": "InfluxDBSecurityGroup"},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": 8086,
"ToPort": 8086
}
},
"InfluxDBLogsS3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"InfluxDBLogsS3BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "InfluxDBLogsS3Bucket"},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*"},
"Principal": {"Service": "timestream-influxdb.amazonaws.com"}
},
{
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}/*"},
{"Fn::Sub": "arn:aws:s3:::${InfluxDBLogsS3Bucket}"}
],
"Principal": "*",
"Condition": {
"Bool": {"aws:SecureTransport": false}
}
}
]
}
}
},
"DbInstance": {
"Type": "AWS::Timestream::InfluxDBInstance",
"DependsOn": "InfluxDBLogsS3BucketPolicy",
"Properties": {
"DbStorageType": {"Ref": "DbStorageType"},
"AllocatedStorage": {"Ref": "AllocatedStorage"},
"DbInstanceType": {"Ref": "DbInstanceType"},
"Name": {"Ref": "DbInstanceName"},
"Username": {"Ref": "InfluxDBUsername"},
"Password": {"Ref": "InfluxDBPassword"},
"Organization": {"Ref": "InfluxDBOrganization"},
"Bucket": {"Ref": "InfluxDBBucket"},
"PubliclyAccessible": {
"Fn::If": [
"IsPublic",
true,
false
]
},
"DeploymentType": {"Ref": "DeploymentType"},
"VpcSecurityGroupIds": [
{"Ref": "InfluxDBSecurityGroup"}
],
"VpcSubnetIds": {
"Fn::If": [
"IsMultiAZ",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
],
[
{"Ref": "Subnet1"}
]
]
},
"LogDeliveryConfiguration": {
"S3Configuration": {
"BucketName": {"Ref": "InfluxDBLogsS3Bucket"},
"Enabled": true
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the VPC used to create network resources",
"Value": {"Ref": "VPC"}
},
"Subnets": {
"Description": "A list of the subnets created",
"Value": {
"Fn::If": [
"IsMultiAZ",
{
"Fn::Join": [
",",
[
{"Ref": "Subnet1"},
{"Ref": "Subnet2"}
]
]
},
{"Ref": "Subnet1"}
]
}
},
"Subnet1": {
"Description": "A reference to the subnet in the 1st Availability Zone",
"Value": {"Ref": "Subnet1"}
},
"Subnet2": {
"Condition": "IsMultiAZ",
"Description": "A reference to the subnet in the 2nd Availability Zone",
"Value": {"Ref": "Subnet2"}
},
"InfluxDBSecurityGroup": {
"Description": "Security group with port 8086 ingress rule",
"Value": {"Ref": "InfluxDBSecurityGroup"}
},
"InfluxDBLogsS3Bucket": {
"Description": "S3 Bucket containing InfluxDB logs from the DB instance",
"Value": {"Ref": "InfluxDBLogsS3Bucket"}
},
"DbInstance": {
"Description": "A reference to the Timestream for InfluxDB DB instance",
"Value": {"Ref": "DbInstance"}
},
"InfluxAuthParametersSecretArn": {
"Description": "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password.",
"Value": {
"Fn::GetAtt": [
"DbInstance",
"InfluxAuthParametersSecretArn"
]
}
},
"Endpoint": {
"Description": "The endpoint URL to connect to InfluxDB",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"DbInstance",
"Endpoint"
]
},
":8086"
]
]
}
}
}
}
```
### YAML
```
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "Network Configuration"
Parameters:
- VPCCIDR
-
Label:
default: "Amazon Timestream for InfluxDB Configuration"
Parameters:
- DbInstanceName
- InfluxDBUsername
- InfluxDBPassword
- InfluxDBOrganization
- InfluxDBBucket
- DbInstanceType
- DbStorageType
- AllocatedStorage
- PubliclyAccessible
- DeploymentType
ParameterLabels:
VPCCIDR:
default: VPC CIDR
Parameters:
# Network Configuration
VPCCIDR:
Description: Please enter the IP range (CIDR notation) for the new VPC
Type: String
Default: 10.0.0.0/16
# Timestream for InfluxDB Configuration
DbInstanceName:
Description: The name that uniquely identifies the DB instance when interacting with the Amazon Timestream for InfluxDB API and CLI commands. This name will also be a prefix included in the endpoint. DB instance names must be unique per customer and per Region.
Type: String
Default: mydbinstance
MinLength: 3
MaxLength: 40
AllowedPattern: ^[a-zA-z][a-zA-Z0-9]*(-[a-zA-Z0-9]+)*$
# InfluxDB initial user configurations
InfluxDBUsername:
Description: The username of the initial admin user created in InfluxDB. Must start with a letter and can't end with a hyphen or contain two consecutive hyphens. For example, my-user1. This username will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS Secrets Manager in your account.
Type: String
Default: admin
MinLength: 1
MaxLength: 64
InfluxDBPassword:
Description: The password of the initial admin user created in InfluxDB. This password will allow you to access the InfluxDB UI to perform various administrative tasks and also use the InfluxDB CLI to create an operator token. These attributes will be stored in a Secret created in AWS in your account.
Type: String
NoEcho: true
MinLength: 8
MaxLength: 64
AllowedPattern: ^[a-zA-Z0-9]+$
InfluxDBOrganization:
Description: The name of the initial organization for the initial admin user in InfluxDB. An InfluxDB organization is a workspace for a group of users.
Type: String
Default: org
MinLength: 1
MaxLength: 64
InfluxDBBucket:
Description: The name of the initial InfluxDB bucket. All InfluxDB data is stored in a bucket. A bucket combines the concept of a database and a retention period (the duration of time that each data point persists). A bucket belongs to an organization.
Type: String
Default: bucket
MinLength: 2
MaxLength: 64
AllowedPattern: ^[^_\"][^\"]*$
DeploymentType:
Description: Specifies whether the Timestream for InfluxDB is deployed as Single-AZ or with a MultiAZ Standby for High availability
Type: String
Default: WITH_MULTIAZ_STANDBY
AllowedValues:
- SINGLE_AZ
- WITH_MULTIAZ_STANDBY
AllocatedStorage:
Description: The amount of storage to allocate for your DB storage type in GiB (gibibytes).
Type: Number
Default: 400
MinValue: 20
MaxValue: 16384
DbInstanceType:
Description: The Timestream for InfluxDB DB instance type to run InfluxDB on.
Type: String
Default: db.influx.medium
AllowedValues:
- db.influx.medium
- db.influx.large
- db.influx.xlarge
- db.influx.2xlarge
- db.influx.4xlarge
- db.influx.8xlarge
- db.influx.12xlarge
- db.influx.16xlarge
DbStorageType:
Description: The Timestream for InfluxDB DB storage type to read and write InfluxDB data.
Type: String
Default: InfluxIOIncludedT1
AllowedValues:
- InfluxIOIncludedT1
- InfluxIOIncludedT2
- InfluxIOIncludedT3
PubliclyAccessible:
Description: Configures the DB instance with a public IP to facilitate access.
Type: String
Default: true
AllowedValues:
- true
- false
Conditions:
IsMultiAZ: !Equals [!Ref DeploymentType, WITH_MULTIAZ_STANDBY]
IsPublic: !Equals [!Ref PubliclyAccessible, true]
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VPCCIDR
InternetGateway:
Type: AWS::EC2::InternetGateway
Condition: IsPublic
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Condition: IsPublic
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
Subnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Select [0, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: !If [IsPublic, true, false]
Subnet2:
Type: AWS::EC2::Subnet
Condition: IsMultiAZ
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Select [1, !Cidr [!GetAtt VPC.CidrBlock, 2, 12 ]]
MapPublicIpOnLaunch: !If [IsPublic, true, false]
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
DefaultRoute:
Type: AWS::EC2::Route
Condition: IsPublic
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref RouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
Subnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet1
Subnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Condition: IsMultiAZ
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref Subnet2
InfluxDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "influxdb-sg"
GroupDescription: "Security group allowing port 8086 ingress for InfluxDB"
VpcId: !Ref VPC
InfluxDBSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref InfluxDBSecurityGroup
IpProtocol: tcp
CidrIp: 0.0.0.0/0
FromPort: 8086
ToPort: 8086
InfluxDBLogsS3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
InfluxDBLogsS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref InfluxDBLogsS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action: "s3:PutObject"
Effect: Allow
Resource: !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/InfluxLogs/*
Principal:
Service: timestream-influxdb.amazonaws.com
- Action: "s3:*"
Effect: Deny
Resource:
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}/*
- !Sub arn:aws:s3:::${InfluxDBLogsS3Bucket}
Principal: "*"
Condition:
Bool:
aws:SecureTransport: false
DbInstance:
Type: AWS::Timestream::InfluxDBInstance
DependsOn: InfluxDBLogsS3BucketPolicy
Properties:
DbStorageType: !Ref DbStorageType
AllocatedStorage: !Ref AllocatedStorage
DbInstanceType: !Ref DbInstanceType
Name: !Ref DbInstanceName
Username: !Ref InfluxDBUsername
Password: !Ref InfluxDBPassword
Organization: !Ref InfluxDBOrganization
Bucket: !Ref InfluxDBBucket
PubliclyAccessible: !If [IsPublic, true, false]
DeploymentType: !Ref DeploymentType
VpcSecurityGroupIds:
- !Ref InfluxDBSecurityGroup
VpcSubnetIds: !If
- IsMultiAZ
-
- !Ref Subnet1
- !Ref Subnet2
-
- !Ref Subnet1
LogDeliveryConfiguration:
S3Configuration:
BucketName: !Ref InfluxDBLogsS3Bucket
Enabled: true
Outputs:
# Network Resources
VPC:
Description: A reference to the VPC used to create network resources
Value: !Ref VPC
Subnets:
Description: A list of the subnets created
Value: !If
- IsMultiAZ
- !Join [",", [!Ref Subnet1, !Ref Subnet2]]
- !Ref Subnet1
Subnet1:
Description: A reference to the subnet in the 1st Availability Zone
Value: !Ref Subnet1
Subnet2:
Condition: IsMultiAZ
Description: A reference to the subnet in the 2nd Availability Zone
Value: !Ref Subnet2
InfluxDBSecurityGroup:
Description: Security group with port 8086 ingress rule
Value: !Ref InfluxDBSecurityGroup
# Timestream for InfluxDB Resources
InfluxDBLogsS3Bucket:
Description: S3 Bucket containing InfluxDB logs from the DB instance
Value: !Ref InfluxDBLogsS3Bucket
DbInstance:
Description: A reference to the Timestream for InfluxDB DB instance
Value: !Ref DbInstance
InfluxAuthParametersSecretArn:
Description: "The Amazon Resource Name (ARN) of the AWS Secrets Manager secret containing the initial InfluxDB authorization parameters. The secret value is a JSON formatted key-value pair holding InfluxDB authorization values: organization, bucket, username, and password."
Value: !GetAtt DbInstance.InfluxAuthParametersSecretArn
Endpoint:
Description: The endpoint URL to connect to InfluxDB
Value: !Join ["", ["https://", !GetAtt DbInstance.Endpoint, ":8086"]]
```
# Deploy Windows-based stacks using CloudFormation
This page provides links to technical reference documentation for CloudFormation resources commonly used in Windows-based deployments.
CloudFormation provides support for deploying and managing Microsoft Windows stacks through Infrastructure as Code (IaC). You can use CloudFormation for automated provisioning of Windows-based EC2 instances, SQL Server on Amazon RDS, and Microsoft Active Directory through Directory Service.
AWS provides pre-configured Amazon Machine Images (AMIs) specifically designed for Windows platforms to help you quickly deploy applications on Amazon EC2. These AMIs include default Microsoft settings and AWS-specific customizations. With CloudFormation, you can choose an appropriate AMI, launch an instance, and access it using Remote Desktop Connection, just as you would with any other Windows Server. The AMIs contain essential software components, including EC2Launch (versions vary by Windows Server edition), AWS Systems Manager, CloudFormation, AWS Tools for PowerShell, and various network, storage, and graphics drivers to ensure optimal performance and compatibility with AWS services. For more information, see the [AWS Windows AMI Reference](https://docs.aws.amazon.com/ec2/latest/windows-ami-reference/windows-amis.html).
CloudFormation also supports software configuration tools, such as `UserData` scripts, which can run PowerShell or batch commands when an EC2 instance first boots up. It also offers helper scripts (`cfn-init`, `cfn-signal`, `cfn-get-metadata`, and `cfn-hup`) and supports the `AWS::CloudFormation::Init` metadata for managing packages, files, and services on Windows instances.
For enterprise environments, CloudFormation enables domain joining, Windows license management through EC2 licensing models, and secure credential handling with AWS Secrets Manager. Combined with version-controlled templates and repeatable deployments, CloudFormation helps organizations maintain consistent, secure, and scalable Windows environments across multiple AWS Regions and accounts.
For details on CloudFormation resources commonly used in Windows-based deployments, see the following technical reference topics.
| Resource type | Description |
| --- | --- |
| [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) | For launching Windows EC2 instances. |
| [AWS::EC2::SecurityGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-securitygroup.html) | To define firewall rules for Windows workloads. |
| [AWS::AutoScaling::AutoScalingGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-autoscaling-autoscalinggroup.html) [AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-launchtemplate.html) | For scaling Windows EC2 instances. |
| [AWS::DirectoryService::MicrosoftAD](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-directoryservice-microsoftad.html) | For deploying Microsoft Active Directory. |
| [AWS::FSx::FileSystem](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-fsx-filesystem.html) | For deploying FSx for Windows File Server. |
| [AWS::RDS::DBInstance](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-rds-dbinstance.html) | For provisioning SQL Server on Amazon RDS. |
| [AWS::CloudFormation::Init](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-init.html) | Used within EC2 metadata for configuring instances. For more information, see [Bootstrapping Windows-based CloudFormation stacks](cfn-windows-stacks-bootstrapping.md). |
| [AWS::SecretsManager::Secret](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-secretsmanager-secret.html) | For securely managing credentials and Windows passwords. |
| [AWS::SSM::Parameter](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ssm-parameter.html) | For storing configuration values securely. |
| [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-instanceprofile.html) [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-iam-role.html) | For granting permissions to applications running on EC2 instances. |
# Bootstrapping Windows-based CloudFormation stacks
This topic describes how to bootstrap a Windows stack and troubleshoot stack creation issues.
**Topics**
+ [
## User data in EC2 instances
](#cfn-windows-bootstrapping-user-data)
+ [
## CloudFormation helper scripts
](#cfn-windows-bootstrapping-helper-scripts)
+ [
## Example of bootstrapping a Windows stack
](#cfn-windows-bootstrapping-example)
+ [
## Escape backslashes in Windows file paths
](#cfn-windows-stacks-escape-backslashes)
+ [
## Manage Windows services
](#cfn-windows-stacks-manage-windows-services)
+ [
## Troubleshoot stack creation issues
](#cfn-windows-stacks-troubleshooting)
## User data in EC2 instances
User data is an Amazon EC2 feature that allows you to pass scripts or configuration information to an EC2 instance when it launches.
For Windows EC2 instances:
+ You can use either batch scripts (using `