End of support notice: On October 7, 2026, AWS will end support for AWS Proton. After October 7, 2026, you will no longer be able to access the AWS Proton console or AWS Proton resources. Your deployed infrastructure will remain intact. For more information, see [AWS Proton Service Deprecation and Migration Guide](https://docs.aws.amazon.com/proton/latest/userguide/proton-end-of-support.html).
# AWS Proton parameters
You can define and use parameters in your infrastructure as code (IaC) files to make them flexible and re-usable. You read a parameter value in your IaC files by referring to the parameter's name in the AWS Proton *parameter namespace*. AWS Proton injects parameter values into the rendered IaC files that it generates during resource provisioning. To process AWS CloudFormation IaC parameters, AWS Proton uses [Jinja](https://jinja.palletsprojects.com/en/2.11.x/). To process Terraform IaC parameters, AWS Proton generates a Terraform parameter value file and relies on the parametrization ability built into HCL.
With [CodeBuild provisioning](ag-works-prov-methods.md#ag-works-prov-methods-codebuild), AWS Proton generates an input file that your code can import. The file is a JSON or HCL file, depending on a property in your template's manifest. For more information, see [CodeBuild provisioning parameter details and examples](parameters-codebuild.md).
You can refer to parameters in your environment, service, and component IaC files or provisioning code with the following requirements:
+ The length of each parameter name doesn't exceed 100 characters.
+ The length of the parameter namespace and resource name combined doesn't exceed the character limit for the resource name.
AWS Proton provisioning fails if these quotas are exceeded.
## Parameter types
The following parameter types are available to you for reference in AWS Proton IaC files:
**Input parameter**
Environments and service instances can take input parameters that you define in a [schema file](ag-schema.md) that you associate with the environment or service template. You can refer to a resource's input parameters in the resource's IaC file. Component IaC files can refer to input parameters of the service instance that the component is attached to.
AWS Proton checks input parameter names against your schema file, and matches them with the parameters that are referenced in your IaC files to inject the input values that you provide in a spec file during resource provisioning.
**Output parameter**
You can define outputs in any of your IaC files. An output can be, for example, a name, ID, or ARN of one of the resources that the template provisions, or it can be a way to pass through one of the template's inputs. You can refer to these outputs in IaC files of other resources.
In CloudFormation IaC files,define output parameters in the `Outputs:` block. In a Terraform IaC file, define each output parameter using an `output` statement.
**Resource parameter**
AWS Proton automatically creates AWS Proton resource parameters. These parameters expose properties of the AWS Proton resource object. An example of a resource parameter is `environment.name`.
## Using AWS Proton parameters in your IaC files
To read a parameter value in an IaC file, you refer to the parameter's name in the AWS Proton parameter namespace. For AWS CloudFormation IaC files, you use *Jinja* syntax and surround the parameter with pairs of curly braces and quotation marks.
The following table shows the reference syntax for each supported template language, with an example.
| Template language | Syntax | Example: environment input named "VPC" |
| --- | --- | --- |
| CloudFormation | `"{{ parameter-name }}"` | `"{{ environment.inputs.VPC }}"` |
| Terraform | `var.parameter-name` | `var.environment.inputs.VPC` [Generated Terraform variable definitions](ag-infrastructure-tmp-files-terraform.md#compiled-tform) |
**Note**
If you use [CloudFormation dynamic parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html) in your IaC file, you must [escape them](https://jinja.palletsprojects.com/en/2.11.x/templates/#escaping) to prevent Jinja misinterpretation errors. For more information, see [Troubleshooting AWS Proton](ag-troubleshooting.md)
The following table lists namespace names for all AWS Proton resource parameters. Each template file type can use a different subset of the parameter namespace.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/proton/latest/userguide/parameters.html)
For more information and examples, see the subtopics about parameters in IaC template files for different resource types and template languages.
**Topics**
+ [Parameter types](#param-name-types)
+ [Using AWS Proton parameters in your IaC files](#param-name-spaces)
+ [Environment CloudFormation IaC file parameter details and examples](env-parameters.md)
+ [Service CloudFormation IaC file parameter details and examples](svc-parameters.md)
+ [Component CloudFormation IaC file parameter details and examples](comp-parameters.md)
+ [Parameter filters for CloudFormation IaC files](parameter-filters.md)
+ [CodeBuild provisioning parameter details and examples](parameters-codebuild.md)
+ [Terraform infrastructure as code (IaC) file parameter details and examples](env-parameters-tform.md)
# Environment CloudFormation IaC file parameter details and examples
You can define and reference parameters in your environment infrastructure as code (IaC) files. For a detailed description of AWS Proton parameters, parameter types, the parameter namespace, and how to use parameters in your IaC files, see [AWS Proton parameters](parameters.md).
## Define environment parameters
You can define both input and output parameters for environment IaC files.
+ **Input parameters** – Define environment input parameters in your [schema file](ag-schema.md).
The following list includes examples of environment input parameters for typical use cases.
+ VPC CIDR values
+ Load balancer settings
+ Database settings
+ A health check timeout
As an administrator, you can provide values for input parameters when you [create an environment](ag-create-env.md):
+ Use the console to fill out a schema-based form that AWS Proton provides.
+ Use the CLI to provide a spec that includes the values.
+ **Output parameters** – Define environment outputs in your environment IaC files. You can then refer to these outputs in IaC files of other resources.
## Read parameter values in environment IaC files
You can read parameters related to the environment in environment IaC files. You read a parameter value by referencing the parameter's name in the AWS Proton parameter namespace.
+ **Input parameters** – Read an environment input value by referencing `environment.inputs.input-name`.
+ **Resource parameters** – Read AWS Proton resource parameters by referencing names such as `environment.name`.
**Note**
No output parameters of other resources are available to environment IaC files.
## Example environment and service IaC files with parameters
The following example demonstrates parameter definition and reference in an environment IaC file. The example then shows how environment output parameters defined in the environment IaC file can be referenced in a service IaC file.
**Example Environment CloudFormation IaC file**
Note the following in this example:
+ The `environment.inputs.` namespace refers to environment input parameters.
+ The Amazon EC2 Systems Manager (SSM) parameter `StoreInputValue` concatenates the environment inputs.
+ The `MyEnvParameterValue` output exposes the same input parameter concatenation as an output parameter. Three additional output parameters also expose the input parameters individually.
+ Six additional output parameters expose resources that the environment provisions.
```
Resources:
StoreInputValue:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value: "{{ environment.inputs.my_sample_input }} {{ environment.inputs.my_other_sample_input}} {{ environment.inputs.another_optional_input }}"
# input parameter references
# These output values are available to service infrastructure as code files as outputs, when given the
# the 'environment.outputs' namespace, for example, service_instance.environment.outputs.ClusterName.
Outputs:
MyEnvParameterValue: # output definition
Value: !GetAtt StoreInputValue.Value
MySampleInputValue: # output definition
Value: "{{ environment.inputs.my_sample_input }}" # input parameter reference
MyOtherSampleInputValue: # output definition
Value: "{{ environment.inputs.my_other_sample_input }}" # input parameter reference
AnotherOptionalInputValue: # output definition
Value: "{{ environment.inputs.another_optional_input }}" # input parameter reference
ClusterName: # output definition
Description: The name of the ECS cluster
Value: !Ref 'ECSCluster' # provisioned resource
ECSTaskExecutionRole: # output definition
Description: The ARN of the ECS role
Value: !GetAtt 'ECSTaskExecutionRole.Arn' # provisioned resource
VpcId: # output definition
Description: The ID of the VPC that this stack is deployed in
Value: !Ref 'VPC' # provisioned resource
PublicSubnetOne: # output definition
Description: Public subnet one
Value: !Ref 'PublicSubnetOne' # provisioned resource
PublicSubnetTwo: # output definition
Description: Public subnet two
Value: !Ref 'PublicSubnetTwo' # provisioned resource
ContainerSecurityGroup: # output definition
Description: A security group used to allow Fargate containers to receive traffic
Value: !Ref 'ContainerSecurityGroup' # provisioned resource
```
**Example Service CloudFormation IaC file**
The `environment.outputs.` namespace refers to environment outputs from an environment IaC file. For example, the name `environment.outputs.ClusterName` reads the value of the `ClusterName` environment output parameter.
```
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy a service on AWS Fargate, hosted in a public subnet, and accessible via a public load balancer.
Mappings:
TaskSize:
x-small:
cpu: 256
memory: 512
small:
cpu: 512
memory: 1024
medium:
cpu: 1024
memory: 2048
large:
cpu: 2048
memory: 4096
x-large:
cpu: 4096
memory: 8192
Resources:
# A log group for storing the stdout logs from this service's containers
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: '{{service_instance.name}}' # resource parameter
# The task definition. This is a simple metadata description of what
# container to run, and what resource requirements it has.
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: '{{service_instance.name}}' # resource parameter
Cpu: !FindInMap [TaskSize, {{service_instance.inputs.task_size}}, cpu] # input parameter
Memory: !FindInMap [TaskSize, {{service_instance.inputs.task_size}}, memory]
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
ExecutionRoleArn: '{{environment.outputs.ECSTaskExecutionRole}}' # output reference to an environment infrastructure code file
TaskRoleArn: !Ref "AWS::NoValue"
ContainerDefinitions:
- Name: '{{service_instance.name}}' # resource parameter
Cpu: !FindInMap [TaskSize, {{service_instance.inputs.task_size}}, cpu]
Memory: !FindInMap [TaskSize, {{service_instance.inputs.task_size}}, memory]
Image: '{{service_instance.inputs.image}}'
PortMappings:
- ContainerPort: '{{service_instance.inputs.port}}' # input parameter
LogConfiguration:
LogDriver: 'awslogs'
Options:
awslogs-group: '{{service_instance.name}}' # resource parameter
awslogs-region: !Ref 'AWS::Region'
awslogs-stream-prefix: '{{service_instance.name}}' # resource parameter
# The service_instance. The service is a resource which allows you to run multiple
# copies of a type of task, and gather up their logs and metrics, as well
# as monitor the number of running tasks and replace any that have crashed
Service:
Type: AWS::ECS::Service
DependsOn: LoadBalancerRule
Properties:
ServiceName: '{{service_instance.name}}' # resource parameter
Cluster: '{{environment.outputs.ClusterName}}' # output reference to an environment infrastructure as code file
LaunchType: FARGATE
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 75
DesiredCount: '{{service_instance.inputs.desired_count}}'# input parameter
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
SecurityGroups:
- '{{environment.outputs.ContainerSecurityGroup}}' # output reference to an environment infrastructure as code file
Subnets:
- '{{environment.outputs.PublicSubnetOne}}' # output reference to an environment infrastructure as code file
- '{{environment.outputs.PublicSubnetTwo}}' # output reference to an environment infrastructure as code file
TaskDefinition: !Ref 'TaskDefinition'
LoadBalancers:
- ContainerName: '{{service_instance.name}}' # resource parameter
ContainerPort: '{{service_instance.inputs.port}}' # input parameter
TargetGroupArn: !Ref 'TargetGroup'
[...]
```
# Service CloudFormation IaC file parameter details and examples
You can define and reference parameters in your service and pipeline infrastructure as code (IaC) files. For a detailed description of AWS Proton parameters, parameter types, the parameter namespace, and how to use parameters in your IaC files, see [AWS Proton parameters](parameters.md).
## Define service parameters
You can define both input and output parameters for service IaC files.
+ **Input parameters** – Define service instance input parameters in your [schema file](ag-schema.md).
The following list includes examples of service input parameters for typical use cases.
+ Port
+ Task size
+ Image
+ Desired count
+ Docker file
+ Unit test command
You provide values for input parameters when you [create a service](ag-create-svc.md):
+ Use the console to fill out a schema-based form that AWS Proton provides.
+ Use the CLI to provide a spec that includes the values.
+ **Output parameters** – Define service instance outputs in your service IaC files. You can then refer to these outputs in IaC files of other resources.
## Read parameter values in service IaC files
You can read parameters related to the service and to other resources in service IaC files. You read a parameter value by referencing the parameter's name in the AWS Proton parameter namespace.
+ **Input parameters** – Read a service instance input value by referencing `service_instance.inputs.input-name`.
+ **Resource parameters** – Read AWS Proton resource parameters by referencing names such as `service.name`, `service_instance.name`, and `environment.name`.
+ **Output parameters** – Read outputs of other resources by referencing `environment.outputs.output-name` or `service_instance.components.default.outputs.output-name`.
## Example service IaC file with parameters
The following example is a snippet from a service CloudFormation IaC file. The `environment.outputs.` namespace refers to outputs from the environment IaC file. The `service_instance.inputs.` namespace refers to service instance input parameters. The `service_instance.name` property refers to an AWS Proton resource parameter.
```
Resources:
StoreServiceInstanceInputValue:
Type: AWS::SSM::Parameter
Properties:
Type: String
Value: "{{ service.name }} {{ service_instance.name }} {{ service_instance.inputs.my_sample_service_instance_required_input }} {{ service_instance.inputs.my_sample_service_instance_optional_input }} {{ environment.outputs.MySampleInputValue }} {{ environment.outputs.MyOtherSampleInputValue }}"
# resource parameter references # input parameter references # output references to an environment infrastructure as code file
Outputs:
MyServiceInstanceParameter: # output definition
Value: !Ref StoreServiceInstanceInputValue
MyServiceInstanceRequiredInputValue: # output definition
Value: "{{ service_instance.inputs.my_sample_service_instance_required_input }}" # input parameter reference
MyServiceInstanceOptionalInputValue: # output definition
Value: "{{ service_instance.inputs.my_sample_service_instance_optional_input }}" # input parameter reference
MyServiceInstancesEnvironmentSampleOutputValue: # output definition
Value: "{{ environment.outputs.MySampleInputValue }}" # output reference to an environment IaC file
MyServiceInstancesEnvironmentOtherSampleOutputValue: # output definition
Value: "{{ environment.outputs.MyOtherSampleInputValue }}" # output reference to an environment IaC file
```
# Component CloudFormation IaC file parameter details and examples
You can define and reference parameters in your component infrastructure as code (IaC) files. For a detailed description of AWS Proton parameters, parameter types, the parameter namespace, and how to use parameters in your IaC files, see [AWS Proton parameters](parameters.md). For more information about components, see [AWS Proton components](ag-components.md).
## Define component output parameters
You can define output parameters in your component IaC files. You can then refer to these outputs in service IaC files.
**Note**
You can't define inputs for component IaC files. Attached components can get inputs from the service instance that they are attached to. Detached components don't have inputs.
## Read parameter values in component IaC files
You can read parameters related to the component and to other resources in component IaC files. You read a parameter value by referencing the parameter's name in the AWS Proton parameter namespace.
+ **Input parameters** – Read an attached service instance input value by referencing `service_instance.inputs.input-name`.
+ **Resource parameters** – Read AWS Proton resource parameters by referencing names such as `component.name`, `service.name`, `service_instance.name`, and `environment.name`.
+ **Output parameters** – Read environment outputs by referencing `environment.outputs.output-name`.
## Example component and service IaC files with parameters
The following example shows a component that provisions an Amazon Simple Storage Service (Amazon S3) bucket and related access policy and exposes the Amazon Resource Names (ARNs) of both resources as component outputs. A service IaC template adds the component outputs as container environment variables of an Amazon Elastic Container Service (Amazon ECS) task to make the outputs available to code running in the container, and adds the bucket access policy to the task's role. The bucket name is based on the names of the environment, service, service instance, and component, meaning that the bucket is coupled with a specific instance of the component template extending a specific service instance. Developers can create multiple custom components based on this component template, to provision Amazon S3 buckets for different service instances and functional needs.
The example shows how you use Jinja `{{ ... }}` syntax to refer to component and other resource parameters in your service IaC file. You can use `{% if ... %}` statements to add blocks of statements only when a component is attached to the service instance. The `proton_cfn_*` keywords are *filters* that you can use to sanitize and format output parameter values. For more information about filters, see [Parameter filters for CloudFormation IaC files](parameter-filters.md).
As an administrator, you author the service IaC template file.
**Example service CloudFormation IaC file using a component**
```
# service/instance_infrastructure/cloudformation.yaml
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
TaskRoleArn: !Ref TaskRole
ContainerDefinitions:
- Name: '{{service_instance.name}}'
# ...
{% if service_instance.components.default.outputs | length > 0 %}
Environment:
{{ service_instance.components.default.outputs |
proton_cfn_ecs_task_definition_formatted_env_vars }}
{% endif %}
# ...
TaskRole:
Type: AWS::IAM::Role
Properties:
# ...
ManagedPolicyArns:
- !Ref BaseTaskRoleManagedPolicy
{{ service_instance.components.default.outputs
| proton_cfn_iam_policy_arns }}
# Basic permissions for the task
BaseTaskRoleManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
# ...
```
As a developer, you author the component IaC template file.
**Example component CloudFormation IaC file**
```
# cloudformation.yaml
# A component that defines an S3 bucket and a policy for accessing the bucket.
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: '{{environment.name}}-{{service.name}}-{{service_instance.name}}-{{component.name}}'
S3BucketAccessPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- 's3:Get*'
- 's3:List*'
- 's3:PutObject'
Resource: !GetAtt S3Bucket.Arn
Outputs:
BucketName:
Description: "Bucket to access"
Value: !GetAtt S3Bucket.Arn
BucketAccessPolicyArn:
Value: !Ref S3BucketAccessPolicy
```
When AWS Proton renders an CloudFormation template for your service instance and replaces all parameters with actual values, the template might look like the following file.
**Example service instance CloudFormation rendered IaC file**
```
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
TaskRoleArn: !Ref TaskRole
ContainerDefinitions:
- Name: '{{service_instance.name}}'
# ...
Environment:
- Name: BucketName
Value: arn:aws:s3:us-east-1:123456789012:environment_name-service_name-service_instance_name-component_name
- Name: BucketAccessPolicyArn
Value: arn:aws:iam::123456789012:policy/cfn-generated-policy-name
# ...
TaskRole:
Type: AWS::IAM::Role
Properties:
# ...
ManagedPolicyArns:
- !Ref BaseTaskRoleManagedPolicy
- arn:aws:iam::123456789012:policy/cfn-generated-policy-name
# Basic permissions for the task
BaseTaskRoleManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
# ...
```
# Parameter filters for CloudFormation IaC files
When you make references to [AWS Proton parameters](parameters.md) in your AWS CloudFormation IaC files, you can use Jinja modifiers known as *filters* to validate, filter, and format parameter values before they get inserted into the rendered template. Filter validations are particularly useful when referring to [component](ag-components.md) output parameters, because component creation and attachment are done by developers, and an administrator using component outputs in a service instance template might want to verify their existence and validity. However, you can use filters in any Jinja IaC file.
The following sections describe and define the available parameter filters, and provide examples. AWS Proton defines most of these filters. The `default` filter is a Jinja built-in filter.
## Format environment properties for Amazon ECS tasks
**Declaration**
```
dict → proton_cfn_ecs_task_definition_formatted_env_vars (raw: boolean = True) → YAML list of dicts
```
**Description**
This filter formats a list of outputs to be used in an [Environment property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment) in the `ContainerDefinition` section of an Amazon Elastic Container Service (Amazon ECS) task definition.
Set `raw` to `False` to also validate the parameter value. In this case, the value is required to match the regular expression `^[a-zA-Z0-9_-]*$`. If the value fails this validation, template rendering fails.
### Example
With the following custom component template:
```
Resources:
# ...
Outputs:
Output1:
Description: "Example component output 1"
Value: hello
Output2:
Description: "Example component output 2"
Value: world
```
And the following service template:
```
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
# ...
ContainerDefinitions:
- Name: MyServiceName
# ...
Environment:
{{ service_instance.components.default.outputs
| proton_cfn_ecs_task_definition_formatted_env_vars }}
```
The rendered service template is as follows:
```
Resources:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
# ...
ContainerDefinitions:
- Name: MyServiceName
# ...
Environment:
- Name: Output1
Value: hello
- Name: Output2
Value: world
```
## Format environment properties for Lambda functions
**Declaration**
```
dict → proton_cfn_lambda_function_formatted_env_vars (raw: boolean = True) → YAML dict
```
**Description**
This filter formats a list of outputs to be used in an [Environment property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment) in the `Properties` section of an AWS Lambda function definition.
Set `raw` to `False` to also validate the parameter value. In this case, the value is required to match the regular expression `^[a-zA-Z0-9_-]*$`. If the value fails this validation, template rendering fails.
### Example
With the following custom component template:
```
Resources:
# ...
Outputs:
Output1:
Description: "Example component output 1"
Value: hello
Output2:
Description: "Example component output 2"
Value: world
```
And the following service template:
```
Resources:
Lambda:
Type: AWS::Lambda::Function
Properties:
Environment:
Variables:
{{ service_instance.components.default.outputs
| proton_cfn_lambda_function_formatted_env_vars }}
```
The rendered service template is as follows:
```
Resources:
Lambda:
Type: AWS::Lambda::Function
Properties:
Environment:
Variables:
Output1: hello
Output2: world
```
## Extract IAM policy ARNs to include in IAM roles
**Declaration**
```
dict → proton_cfn_iam_policy_arns → YAML list
```
**Description**
This filter formats a list of outputs to be used in a [ManagedPolicyArns property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns) in the `Properties` section of an AWS Identity and Access Management (IAM) role definition. The filter uses the regular expression `^arn:[a-zA-Z-]+:iam::\d{12}:policy/` to extract valid IAM policy ARNs from the list of output parameters. You can use this filter to append policies in output parameter values to an IAM role definition in a service template.
### Example
With the following custom component template:
```
Resources:
# ...
ExamplePolicy1:
Type: AWS::IAM::ManagedPolicy
Properties:
# ...
ExamplePolicy2:
Type: AWS::IAM::ManagedPolicy
Properties:
# ...
# ...
Outputs:
Output1:
Description: "Example component output 1"
Value: hello
Output2:
Description: "Example component output 2"
Value: world
PolicyArn1:
Description: "ARN of policy 1"
Value: !Ref ExamplePolicy1
PolicyArn2:
Description: "ARN of policy 2"
Value: !Ref ExamplePolicy2
```
And the following service template:
```
Resources:
# ...
TaskRole:
Type: AWS::IAM::Role
Properties:
# ...
ManagedPolicyArns:
- !Ref BaseTaskRoleManagedPolicy
{{ service_instance.components.default.outputs
| proton_cfn_iam_policy_arns }}
# Basic permissions for the task
BaseTaskRoleManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
# ...
```
The rendered service template is as follows:
```
Resources:
# ...
TaskRole:
Type: AWS::IAM::Role
Properties:
# ...
ManagedPolicyArns:
- !Ref BaseTaskRoleManagedPolicy
- arn:aws:iam::123456789012:policy/cfn-generated-policy-name-1
- arn:aws:iam::123456789012:policy/cfn-generated-policy-name-2
# Basic permissions for the task
BaseTaskRoleManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
# ...
```
## Sanitize property values
**Declaration**
```
string → proton_cfn_sanitize → string
```
**Description**
This is a general purpose filter. Use it to validate the safety of a parameter value. The filter validates that the value either matches the regular expression `^[a-zA-Z0-9_-]*$` or is a valid Amazon Resource Name (ARN). If the value fails this validation, template rendering fails.
### Example
With the following custom component template:
```
Resources:
# ...
Outputs:
Output1:
Description: "Example of valid output"
Value: "This-is_valid_37"
Output2:
Description: "Example incorrect output"
Value: "this::is::incorrect"
SomeArn:
Description: "Example ARN"
Value: arn:aws:some-service::123456789012:some-resource/resource-name
```
+ The following reference in a service template:
```
# ...
{{ service_instance.components.default.outputs.Output1
| proton_cfn_sanitize }}
```
Renders as follows:
```
# ...
This-is_valid_37
```
+ The following reference in a service template:
```
# ...
{{ service_instance.components.default.outputs.Output2
| proton_cfn_sanitize }}
```
Results with the following rendering error:
```
Illegal character(s) detected in "this::is::incorrect". Must match regex ^[a-zA-Z0-9_-]*$ or be a valid ARN
```
+ The following reference in a service template:
```
# ...
{{ service_instance.components.default.outputs.SomeArn
| proton_cfn_sanitize }}
```
Renders as follows:
```
# ...
arn:aws:some-service::123456789012:some-resource/resource-name
```
## Provide default values for nonexistent references
**Description**
The `default` filter provides a default value when a namespace reference doesn't exist. Use it to write robust templates that can render without failure even when the parameter you refer to is missing.
### Example
The following reference in a service template causes template rendering to fail if the service instance doesn't have an attached directly defined (default) component, or if the attached component doesn't have an output named `test`.
```
# ...
{{ service_instance.components.default.outputs.test }}
```
To avoid this issue, add the `default` filter.
```
# ...
{{ service_instance.components.default.outputs.test | default("[optional-value]") }}
```
# CodeBuild provisioning parameter details and examples
You can define parameters in your templates for CodeBuild-based AWS Proton resources and reference these parameters in your provisioning code. For a detailed description of AWS Proton parameters, parameter types, the parameter namespace, and how to use parameters in your IaC files, see [AWS Proton parameters](parameters.md).
**Note**
You can use CodeBuild provisioning with environments and services. At this time you can't provision components this way.
## Input parameters
When you create an AWS Proton resource, like an environment or a service, you provide values for input parameters that are defined in your template's [schema file](ag-schema.md). When the resource that you create uses [CodeBuild provisioning](ag-works-prov-methods.md#ag-works-prov-methods-codebuild), AWS Proton renders these input values into an input file. Your provisioning code can import and get parameter values from this file.
For an example of a CodeBuild templates, see [CodeBuild provisioning template bundle](ag-infrastructure-tmp-files-codebuild.md). For more information about manifest files, see [Wrap up template files for AWS Proton](ag-wrap-up.md).
The following example is a JSON input file generated during CodeBuild-based provisioning of a service instance.
### Example: using the AWS CDK with CodeBuild provisioning
```
{
"service_instance": {
"name": "my-service-staging",
"inputs": {
"port": "8080",
"task_size": "medium"
}
},
"service": {
"name": "my-service"
},
"environment": {
"account_id": "123456789012",
"name": "my-env-staging",
"outputs": {
"vpc-id": "hdh2323423"
}
}
}
```
## Output parameters
To communicate resource provisioning outputs back to AWS Proton, your provisioning code can generate a JSON file named `proton-outputs.json` with values for output parameters defined in your template's [schema file](ag-schema.md). For example, the `cdk deploy` command has the `--outputs-file` argument that instructs the AWS CDK to generate a JSON file with provisioning outputs. If your resource uses the AWS CDK, specify the following command in your CodeBuild template manifest:
```
aws proton notify-resource-deployment-status-change
```
AWS Proton looks for this JSON file. If the file exists after your provisioning code successfully completes, AWS Proton reads output parameter values from it.
# Terraform infrastructure as code (IaC) file parameter details and examples
You can include Terraform input variables in `variable.tf` files in your template bundle. You can also create a schema to create AWS Proton managed variables. AWS Proton creates variable `.tf files` from your schema file. For more information, see [Terraform IaC files](ag-infrastructure-tmp-files-terraform.md).
To reference your schema defined AWS Proton variables in your infrastructure `.tf files`, you use the AWS Proton namespaces shown in the *Parameters and namespaces for Terraform IaC* table. For example, you can use `var.environment.inputs.vpc_cidr`. Inside quotation marks, surround these variables with single brackets and add a dollar sign in front of the first brace (for example, `“${var.environment.inputs.vpc_cidr}”`).
The following example shows how to use namespaces to include AWS Proton parameters in an environment `.tf file`.
```
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
// This tells terraform to store the state file in s3 at the location
// s3://terraform-state-bucket/tf-os-sample/terraform.tfstate
backend "s3" {
bucket = "terraform-state-bucket"
key = "tf-os-sample/terraform.tfstate"
region = "us-east-1"
}
}
// Configure the AWS Provider
provider "aws" {
region = "us-east-1"
default_tags {
tags = var.proton_tags
}
}
resource "aws_ssm_parameter" "my_ssm_parameter" {
name = "my_ssm_parameter"
type = "String"
// Use the Proton environment.inputs. namespace
value = var.environment.inputs.ssm_parameter_value
}
```