Application Resources

An Application is a collection of Resources. These are the Resources which can exist as part of an Application.

ApiGatewayRestApi

An ApiGateway Rest API resource.

API Gateway REST API example
type: ApiGatewayRestApi
order: 10
enabled: true
fail_on_warnings: true
description: "My REST API"
endpoint_configuration:
  - 'REGIONAL'
models:
  emptyjson:
    content_type: 'application/json'
cognito_authorizers:
  cognito:
    identity_source: 'Authorization'
    user_pools:
      - paco.ref netenv.mynet.applications.app.groups.cognito.resources.userpool
dns:
  - domain_name: api.example.com
    hosted_zone: paco.ref resource.route53.example_com
    ssl_certificate:  arn:aws:acm:us-east-1:*******:certificate/********
    base_path_mappings:
        - base_path: ''
          stage: 'prod'
methods:
  get:
    http_method: GET
    authorizer: cognito_authorizers.cognito
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
      request_parameters:
        "integration.request.querystring.my_id": "method.request.querystring.my_id"
    authorization_type: NONE
    request_parameters:
      "method.request.querystring.my_id": false
      "method.request.querystring.token": false
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
  post:
    http_method: POST
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
    authorization_type: NONE
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
stages:
  prod:
    deployment_id: 'prod'
    description: 'Prod Stage'
    stage_name: 'prod'

ApiGatewayRestApi

  • api_key_source_type (String): API Key Source Type. Constraints: Must be one of 'HEADER' to read the API key from the X-API-Key header of a request or 'AUTHORIZER' to read the API key from the UsageIdentifierKey from a Lambda authorizer.
  • binary_media_types (List<String>): Binary Media Types. The list of binary media types that are supported by the RestApi resource, such as image/png or application/octet-stream. By default, RestApi supports only UTF-8-encoded text payloads. Constraints: Duplicates are not allowed. Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list.
  • body (String): Body. An OpenAPI specification that defines a set of RESTful APIs in JSON or YAML format. For YAML templates, you can also provide the specification in YAML format. Constraints: Must be valid JSON.
  • body_file_location (StringFileReference): Path to a file containing the Body. Constraints: Must be a valid path to a valid JSON document.
  • body_s3_location (String): The Amazon Simple Storage Service (Amazon S3) location that points to an OpenAPI file, which defines a set of RESTful APIs in JSON or YAML format. Constraints: Valid S3Location string to a valid JSON or YAML document.
  • clone_from (String): CloneFrom. The ID of the RestApi resource that you want to clone.
  • cognito_authorizers (Container<ApiGatewayCognitoAuthorizers>): Authorizers.
  • description (String): Description of the RestApi resource.
  • dns (List<ApiGatewayDNS>): DNS domains to create to resolve to the ApiGateway Endpoint.
  • endpoint_configuration (List<String>): Endpoint configuration. A list of the endpoint types of the API. Use this field when creating an API. When importing an existing API, specify the endpoint configuration types using the parameters field. Constraints: List of strings, each must be one of 'EDGE', 'REGIONAL', 'PRIVATE'.
  • fail_on_warnings (Boolean): Indicates whether to roll back the resource if a warning occurs while API Gateway is creating the RestApi resource. Default: False.
  • methods (Container<ApiGatewayMethods>)
  • minimum_compression_size (Int): An integer that is used to enable compression on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size. Constraints: A non-negative integer between 0 and 10485760 (10M) bytes, inclusive.
  • models (Container<ApiGatewayModels>)
  • parameters (Dict): Parameters. Custom header parameters for the request. Constraints: Dictionary of key/value pairs that are strings. Default: {}.
  • policy (String): A policy document that contains the permissions for the RestApi resource, in JSON format. To set the ARN for the policy, use the !Join intrinsic function with "" as delimiter and values of "execute-api:/" and "*". Constraints: Valid JSON document.
  • resources (Container<ApiGatewayResources>)
  • stages (Container<ApiGatewayStages>)

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayMethods

Container for ApiGatewayMethod objects.

ApiGatewayMethods Container<ApiGatewayMethod>

Base Schemas Named, Title

ApiGatewayMethod

API Gateway Method

ApiGatewayMethod

  • authorization_type (String): Authorization Type. Constraints: Must be one of NONE, AWS_IAM, CUSTOM or COGNITO_USER_POOLS. Default: NONE.
  • authorizer (String): Authorizer. Constraints: Must be an authorizer type and authorizer name in this API Gateway, separated by a . character. For example, 'cognito_authorizers.cognito'.
  • http_method (String): HTTP Method. Constraints: Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT.
  • integration (Object<ApiGatewayMethodIntegration>): Integration.
  • method_responses (List<ApiGatewayMethodMethodResponse>): Method Responses. Constraints: List of ApiGatewayMethod MethodResponses.
  • request_parameters (Dict): Request Parameters. Specify request parameters as key-value pairs (string-to-Boolean mapping), with a source as the key and a Boolean as the value. The Boolean specifies whether a parameter is required. A source must match the format method.request.location.name, where the location is query string, path, or header, and name is a valid, unique parameter name. Default: {}.
  • resource_name (String): Resource Name.

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayModels

Container for ApiGatewayModel objects.

ApiGatewayModels Container<ApiGatewayModel>

Base Schemas Named, Title

ApiGatewayModel

ApiGatewayModel

  • content_type (String): Content Type.
  • description (String): Description.
  • schema (Dict): Schema. Constraints: JSON format. An empty object ({}) is used if left empty. Default: {}.

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayResources

Container for ApiGatewayResource objects.

ApiGatewayResources Container<ApiGatewayResource>

Base Schemas Named, Title

ApiGatewayResource

ApiGatewayResource

  • child_resources (Container<ApiGatewayResources>): Child Api Gateway Resources.
  • enable_cors (Boolean): Enable CORS. Default: False.
  • path_part (String): Path Part.

Base Schemas Named, Title

ApiGatewayStages

Container for ApiGatewayStage objects

ApiGatewayStages Container<ApiGatewayStage>

Base Schemas Named, Title

ApiGatewayStage

API Gateway Stage

ApiGatewayStage

  • deployment_id (String): Deployment ID.
  • description (String): Description.
  • stage_name (String): Stage name.

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayMethodIntegration

ApiGatewayMethodIntegration

  • integration_http_method (String): Integration HTTP Method. Constraints: Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT. Default: POST.
  • integration_lambda (PacoReference): Integration Lambda. Constraints: Paco Reference to Lambda.
  • integration_responses (List<ApiGatewayMethodIntegrationResponse>): Integration Responses.
  • integration_type (String): Integration Type. Constraints: Must be one of AWS, AWS_PROXY, HTTP, HTTP_PROXY or MOCK. Default: AWS.
  • pass_through_behavior (Choice): Pass Through Behaviour.
  • request_parameters (Dict): The request parameters that API Gateway sends with the backend request. Specify request parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source as the value. Specify the destination by using the following pattern integration.request.location.name, where location is query string, path, or header, and name is a valid, unique parameter name. The source must be an existing method request parameter or a static value. You must enclose static values in single quotation marks and pre-encode these values based on their destination in the request. Default: {}.
  • request_templates (Dict): Request Templates. Default: {}.
  • uri (String): Integration URI.

ApiGatewayMethodIntegrationResponse

ApiGatewayMethodIntegrationResponse

  • content_handling (String): Specifies how to handle request payload content type conversions. Valid values are CONVERT_TO_BINARY (converts a request payload from a base64-encoded string to a binary blob) and CONVERT_TO_TEXT (converts a request payload from a binary blob to a base64-encoded string). If this property isn't defined, the request payload is passed through from the method request to the integration request without modification.
  • response_parameters (Dict): Response Parameters. Default: {}.
  • response_templates (Dict): Response Templates. Default: {}.
  • selection_pattern (String): A regular expression that specifies which error strings or status codes from the backend map to the integration response.
  • status_code (String): The status code that API Gateway uses to map the integration response to a MethodResponse status code. Constraints: Must match a status code in the method_responses for this API Gateway REST API.
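As an added example (not part of the Paco project), the Python below lints a REST API definition against the constraints the tables above state: allowed http_method and authorization_type values, an authorizer of the form type.name that is declared in the same API, the method and integration request parameter formats, integration response status codes that match a method response, and response models declared under models. The REST_API dict is constructed to mirror the YAML example at the top of this section.

```python
"""Lint a Paco ApiGatewayRestApi definition against the constraints this section states.
Added example, not Paco's own code. REST_API is a constructed dict mirroring the
YAML example at the top of the section; a real run would load the netenv YAML first."""
import copy
import re

HTTP_METHODS = {"ANY", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"}
AUTH_TYPES = {"NONE", "AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}
# method.request.<location>.<name> and integration.request.<location>.<name>
METHOD_PARAM = re.compile(r"^method\.request\.(querystring|path|header)\.[\w-]+$")
INTEGRATION_PARAM = re.compile(r"^integration\.request\.(querystring|path|header)\.[\w-]+$")


def lint_rest_api(api):
    """Return a list of findings; an empty list means every documented constraint holds."""
    findings = []
    models = set(api.get("models", {}))
    for name, method in api.get("methods", {}).items():
        where = f"methods.{name}"
        if method.get("http_method") not in HTTP_METHODS:
            findings.append(f"{where}: http_method must be one of {sorted(HTTP_METHODS)}")
        if method.get("authorization_type", "NONE") not in AUTH_TYPES:
            findings.append(f"{where}: authorization_type must be one of {sorted(AUTH_TYPES)}")
        # authorizer is '<authorizer type>.<authorizer name>', both declared in this API
        authorizer = method.get("authorizer")
        if authorizer:
            kind, _, auth_name = authorizer.partition(".")
            if auth_name not in api.get(kind, {}):
                findings.append(f"{where}: authorizer {authorizer!r} is not declared in this API")
        # method request parameters map a source to a Boolean 'required' flag
        method_params = method.get("request_parameters", {})
        for key, required in method_params.items():
            if not METHOD_PARAM.match(key) or not isinstance(required, bool):
                findings.append(f"{where}: bad method request parameter {key!r}")
        integration = method.get("integration", {})
        # integration request parameters map a destination to a declared method
        # parameter or to a single-quoted static value
        for dest, src in integration.get("request_parameters", {}).items():
            if not INTEGRATION_PARAM.match(dest):
                findings.append(f"{where}: bad integration destination {dest!r}")
            is_static = len(src) >= 2 and src.startswith("'") and src.endswith("'")
            if not is_static and src not in method_params:
                findings.append(f"{where}: integration source {src!r} is neither a declared "
                                "method request parameter nor a quoted static value")
        # every integration response status code needs a matching method response
        method_codes = {str(r.get("status_code")) for r in method.get("method_responses", [])}
        for resp in integration.get("integration_responses", []):
            code = str(resp.get("status_code"))
            if code not in method_codes:
                findings.append(f"{where}: integration response {code} has no method_responses entry")
        # response models must name a model declared under models
        for resp in method.get("method_responses", []):
            for model in resp.get("response_models", []):
                if model.get("model_name") not in models:
                    findings.append(f"{where}: response model {model.get('model_name')!r} is not declared")
    return findings


# Constructed config mirroring the page's example (only the fields the lint reads)
REST_API = {
    "models": {"emptyjson": {"content_type": "application/json"}},
    "cognito_authorizers": {"cognito": {"identity_source": "Authorization"}},
    "methods": {
        "get": {
            "http_method": "GET",
            "authorizer": "cognito_authorizers.cognito",
            "authorization_type": "NONE",
            "request_parameters": {"method.request.querystring.my_id": False},
            "integration": {
                "integration_type": "AWS",
                "integration_responses": [{"status_code": "200"}],
                "request_parameters": {
                    "integration.request.querystring.my_id": "method.request.querystring.my_id",
                },
            },
            "method_responses": [{
                "status_code": "200",
                "response_models": [{"content_type": "application/json", "model_name": "emptyjson"}],
            }],
        },
    },
}


def broken_rest_api():
    """Copy of REST_API with five constraint violations injected, one per check."""
    api = copy.deepcopy(REST_API)
    get = api["methods"]["get"]
    get["http_method"] = "TRACE"                                  # not an allowed method
    get["authorizer"] = "lambda_authorizers.auth"                 # authorizer never declared
    get["integration"]["request_parameters"]["integration.request.header.X-Token"] = (
        "method.request.header.token")                            # source never declared
    get["integration"]["integration_responses"].append({"status_code": "500"})  # no 500 method response
    get["method_responses"][0]["response_models"][0]["model_name"] = "missing"  # unknown model
    return api
```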

ApiGatewayMethodMethodResponse

ApiGatewayMethodMethodResponse

  • response_models (List<ApiGatewayMethodMethodResponseModel>): The resources used for the response's content type. Specify response models as key-value pairs (string-to-string maps), with a content type as the key and a Model Paco name as the value.
  • response_parameters (Dict): Response Parameters. Default: {}.
  • status_code (String): HTTP Status code.

ApiGatewayMethodMethodResponseModel

ApiGatewayMethodMethodResponseModel

  • content_type (String): Content Type.
  • model_name (String): Model name.

ApiGatewayCognitoAuthorizers

Container for ApiGatewayAuthorizer objects.

ApiGatewayCognitoAuthorizers Container<ApiGatewayCognitoAuthorizer>

Base Schemas Named, Title

ApiGatewayDNS

ApiGatewayDNS

  • base_path_mappings (List<String>): Base Path Mappings. Default: [].
  • ssl_certificate (PacoReference|String): SSL certificate Reference. Constraints: Paco Reference to ACM. String Ok.

Base Schemas DNS

ASG

An AutoScalingGroup (ASG) contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management.

The Paco ASG resource provisions an AutoScalingGroup as well as LaunchConfiguration and TargetGroups for that ASG.

example ASG configuration
type: ASG
order: 30
enabled: true
associate_public_ip_address: false
cooldown_secs: 200
ebs_optimized: false
health_check_grace_period_secs: 240
health_check_type: EC2
availability_zone: 1
ebs_volume_mounts:
  - volume: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_volume
    enabled: true
    folder: /var/www/html
    device: /dev/xvdf
    filesystem: ext4
efs_mounts:
  - enabled: true
    folder: /mnt/wp_efs
    target: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_efs
instance_iam_role:
  enabled: true
  policies:
    - name: DNSRecordSet
      statement:
        - effect: Allow
          action:
            - route53:ChangeResourceRecordSets
          resource:
            - 'arn:aws:route53:::hostedzone/HHIHkjhdhu744'
instance_ami: paco.ref function.aws.ec2.ami.latest.amazon-linux-2
instance_ami_type: amazon
instance_key_pair: paco.ref resource.ec2.keypairs.my_keypair
instance_monitoring: true
instance_type: t2.medium
desired_capacity: 1
max_instances: 3
min_instances: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT3M
  wait_on_resource_signals: false
target_groups:
  - paco.ref netenv.mynet.applications.app.groups.web.resources.alb.target_groups.cloud
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.web.asg
segment: private
termination_policies:
  - Default
scaling_policy_cpu_average: 60
ssh_access:
  users:
    - bdobbs
  groups:
    - developers
launch_options:
    update_packages: true
    ssm_agent: true
    cfn_init_config_sets:
    - "InstallApp"
cfn_init:
  config_sets:
    InstallApp:
      - "InstallApp"
  configurations:
    InstallApp:
      packages:
        yum:
          python3: []
      users:
        www-data:
          uid: 2000
          home_dir: /home/www-data
      files:
        "/etc/systemd/system/pypiserver.service":
          content_file: ./pypi-config/pypiserver.service
          mode: '000755'
          owner: root
          group: root
      commands:
        00_pypiserver:
          command: "/bin/pip3 install pypiserver"
        01_passlib_dependency:
          command: "/bin/pip3 install passlib"
        02_prep_mount:
           command: "chown www-data:www-data /var/pypi"
      services:
        sysvinit:
          pypiserver:
            enabled: true
            ensure_running: true
monitoring:
  enabled: true
  collection_interval: 60
  metrics:
    - name: swap
      measurements:
        - used_percent
    - name: disk
      measurements:
        - free
      resources:
        - '/'
        - '/var/www/html'
      collection_interval: 300
user_data_script: |
  echo "Hello World!"

AutoScalingGroup Rolling Update Policy

When changes are applied to an AutoScalingGroup that modify the configuration of newly launched instances, AWS can automatically launch instances with the new configuration and terminate old instances that have stale configuration. This can be configured so that there is no interruption of service as the new instances gradually replace old ones. This configuration is set with the rolling_update_policy field.

The rolling update policy must be able to work within the minimum/maximum number of instances in the ASG. Consider the following ASG configuration.

example ASG configuration
type: ASG
max_instances: 2
min_instances: 1
desired_capacity: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT0S # default setting
  wait_on_resource_signals: false # default setting

This will normally run a single instance in the ASG. The ASG is never allowed to launch more than 2 instances at one time. When an update happens, a new batch of instances is launched - in this example just one instance. There will be only 1 instance in service, but the capacity will be at 2 instances while the new instance is launched. After the new instance is put into service by the ASG, it will immediately terminate the old instance.

The wait_on_resource_signals field can be set to tell AWS CloudFormation to wait on making changes to the AutoScalingGroup configuration until a new instance has finished configuring and installing applications and is ready for service. If this field is enabled, then the pause_time default is PT5M (5 minutes). If CloudFormation does not get a SUCCESS signal within the pause_time then it will mark the new instance as failed and terminate it.

If you use pause_time with the default wait_on_resource_signals: false then AWS will simply wait for the full duration of the pause time and then consider the instance ready. pause_time is in the format PT#H#M#S, where each # is the number of hours, minutes, and seconds, respectively. The maximum pause_time is one hour. For example:

pause_time: PT0S # 0 seconds
pause_time: PT5M # 5 minutes
pause_time: PT2M30S # 2 minutes and 30 seconds

ASGs will use default settings for a rolling update policy. If you do not want to use an update policy at all, then you must disable the rolling_update_policy explicitly:

type: ASG
rolling_update_policy:
  enabled: false

With no rolling update policy, when you make configuration changes, existing instances with the old configuration will continue to run and instances with the new configuration will not be launched until the AutoScalingGroup needs to launch new instances. You must be careful with this approach, as you cannot know with 100% certainty that your new configuration launches instances properly until some point in the future when new instances are requested by the ASG.

See the AWS documentation for more information on how AutoScalingRollingUpdate Policy configuration is used.
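The rules in the paragraphs above can be checked before a stack update is attempted. This added example (not Paco's own code) parses pause_time, applies the documented defaults, and reports policies that cannot fit within max_instances; the two ASG dicts at the bottom are constructed from the examples in this section.

```python
"""Check an ASG's rolling_update_policy against the rules stated in this section.
Added example, not Paco's own code. The ASG dicts at the bottom are constructed
from the page's examples; a real run would load them from the netenv YAML."""
import re

# PT#H#M#S with each part optional; the page states a one hour maximum
PAUSE_TIME = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
MAX_PAUSE_SECONDS = 3600


def pause_time_seconds(value):
    """Parse a pause_time string into seconds; raise ValueError if malformed or too long."""
    match = PAUSE_TIME.match(value)
    if not match or value == "PT":
        raise ValueError(f"pause_time {value!r} is not in PT#H#M#S format")
    hours, minutes, seconds = (int(part) if part else 0 for part in match.groups())
    total = hours * 3600 + minutes * 60 + seconds
    if total > MAX_PAUSE_SECONDS:
        raise ValueError(f"pause_time {value!r} exceeds the one hour maximum")
    return total


def is_valid_pause_time(value):
    """True when pause_time_seconds accepts the value."""
    try:
        pause_time_seconds(value)
        return True
    except ValueError:
        return False


def effective_policy(asg):
    """Apply the documented defaults; pause_time defaults to PT5M only when signals are awaited."""
    policy = dict(asg.get("rolling_update_policy", {}))
    policy.setdefault("enabled", True)
    policy.setdefault("max_batch_size", 1)
    policy.setdefault("min_instances_in_service", 0)
    policy.setdefault("wait_on_resource_signals", False)
    policy.setdefault("pause_time", "PT5M" if policy["wait_on_resource_signals"] else "PT0S")
    return policy


def check_rolling_update(asg):
    """Return a list of findings; an empty list means the policy fits the ASG as configured."""
    findings = []
    policy = effective_policy(asg)
    if not policy["enabled"]:
        findings.append("warning: rolling update disabled; instances with stale configuration "
                        "keep running until the ASG launches new ones")
        return findings
    max_instances = asg.get("max_instances", 2)
    in_service = policy["min_instances_in_service"]
    batch = policy["max_batch_size"]
    try:
        seconds = pause_time_seconds(policy["pause_time"])
    except ValueError as exc:
        findings.append(f"error: {exc}")
        seconds = None
    # a new batch must fit beside the instances kept in service without exceeding max_instances
    if in_service + batch > max_instances:
        findings.append(f"error: min_instances_in_service ({in_service}) + max_batch_size ({batch}) "
                        f"exceeds max_instances ({max_instances}); no batch can be launched")
    # with signals awaited, a zero pause_time leaves no window for the SUCCESS signal to arrive
    if policy["wait_on_resource_signals"] and seconds == 0:
        findings.append("error: wait_on_resource_signals needs a non-zero pause_time")
    return findings


# Constructed: the page's two-instance example, which replaces its single instance one at a time
PAGE_ASG = {
    "max_instances": 2, "min_instances": 1, "desired_capacity": 1,
    "rolling_update_policy": {"max_batch_size": 1, "min_instances_in_service": 1,
                              "pause_time": "PT0S", "wait_on_resource_signals": False},
}
# Constructed: the same ASG but keeping two in service, which leaves no room for a new batch
OVERSIZED_ASG = {
    "max_instances": 2,
    "rolling_update_policy": {"max_batch_size": 1, "min_instances_in_service": 2},
}
```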

ASG

  • associate_public_ip_address (Boolean): Associate Public IP Address. Default: False.
  • availability_zone (String): Availability Zones to launch instances in. Default: all.
  • block_device_mappings (List<BlockDeviceMapping>): Block Device Mappings.
  • cfn_init (Object<CloudFormationInit>): CloudFormation Init.
  • cooldown_secs (Int): Cooldown seconds. Default: 300.
  • desired_capacity (Int): Desired capacity. Default: 1.
  • desired_capacity_ignore_changes (Boolean): Ignore changes to the desired_capacity after the ASG is created. Default: False.
  • dns (List<DNS>): DNS domains to create to resolve to one of the ASG's EC2 Instances.
  • ebs_optimized (Boolean): EBS Optimized. Default: False.
  • ebs_volume_mounts (List<EBSVolumeMount>): Elastic Block Store Volume Mounts.
  • ecs (Object<ECSASGConfiguration>): ECS Configuration.
  • efs_mounts (List<EFSMount>): Elastic Filesystem Configuration.
  • eip (PacoReference|String): Elastic IP or AllocationId to attach to instance at launch. Constraints: Paco Reference to EIP. String Ok.
  • health_check_grace_period_secs (Int): Health check grace period in seconds. Default: 300.
  • health_check_type (String): Health check type. Constraints: Must be one of: 'EC2', 'ELB'. Default: EC2.
  • instance_ami (PacoReference|String): Instance AMI. Constraints: Paco Reference to Function. String Ok.
  • instance_ami_ignore_changes (Boolean): Do not update the instance_ami after creation. Default: False.
  • instance_ami_type (String): The AMI Operating System family. Constraints: Must be one of amazon, centos, suse, debian, ubuntu, microsoft or redhat. Default: amazon.
  • instance_iam_role (Object<Role>)
  • instance_key_pair (PacoReference): Key pair to connect to launched instances. Constraints: Paco Reference to EC2KeyPair.
  • instance_monitoring (Boolean): Instance monitoring. Default: False.
  • instance_type (String): Instance type.
  • launch_options (Object<EC2LaunchOptions>): EC2 Launch Options.
  • lifecycle_hooks (Container<ASGLifecycleHooks>): Lifecycle Hooks.
  • load_balancers (List<PacoReference>): Target groups. Constraints: Paco Reference to TargetGroup.
  • max_instances (Int): Maximum instances. Default: 2.
  • min_instances (Int): Minimum instances. Default: 1.
  • rolling_update_policy (Object<ASGRollingUpdatePolicy>): Rolling Update Policy.
  • scaling_policies (Container<ASGScalingPolicies>): Scaling Policies.
  • scaling_policy_cpu_average (Int): Average CPU Scaling Policy. Default: 0.
  • secrets (List<PacoReference>): List of Secrets Manager References. Constraints: Paco Reference to SecretsManagerSecret.
  • security_groups (List<PacoReference>): Security groups. Constraints: Paco Reference to SecurityGroup.
  • segment (String): Segment.
  • ssh_access (Object<SSHAccess>): SSH Access.
  • target_groups (List<PacoReference>): Target groups. Constraints: Paco Reference to TargetGroup.
  • termination_policies (List<String>): Termination policies.
  • user_data_pre_script (String): User data pre-script.
  • user_data_script (String): User data script.

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ASGLifecycleHooks

Container for ASGLifecycleHook objects.

ASGLifecycleHooks Container<ASGLifecycleHook>

Base Schemas Named, Title

ASGLifecycleHook

ASG Lifecycle Hook

ASGLifecycleHook

  • default_result (String): Default Result.
  • lifecycle_transition (String): ASG Lifecycle Transition.
  • notification_target_arn (String): Lifecycle Notification Target ARN.
  • role_arn (String): Lifecycle Publish Role ARN.

Base Schemas Deployable, Named, Title

ASGScalingPolicies

Container for ASGScalingPolicy objects.

ASGScalingPolicies Container<ASGScalingPolicy>

Base Schemas Named, Title

ASGScalingPolicy

Auto Scaling Group Scaling Policy

ASGScalingPolicy

  • adjustment_type (String): Adjustment Type. Default: ChangeInCapacity.
  • alarms (List<SimpleCloudWatchAlarm>): Alarms.
  • cooldown (Int): Scaling Cooldown in Seconds. Default: 300.
  • policy_type (String): Policy Type. Default: SimpleScaling.
  • scaling_adjustment (Int): Scaling Adjustment.

Base Schemas Deployable, Named, Title

ASGRollingUpdatePolicy

AutoScalingRollingUpdate Policy

ASGRollingUpdatePolicy

  • enabled (Boolean): Enable an UpdatePolicy for the ASG. Default: True.
  • max_batch_size (Int): Maximum batch size. Default: 1.
  • min_instances_in_service (Int): Minimum instances in service. Default: 0.
  • pause_time (String): Pause time. Constraints: Must be in the format PT#H#M#S.
  • wait_on_resource_signals (Boolean): Wait for resource signals. Default: False.

Base Schemas Named, Title

ECSASGConfiguration

ECSASGConfiguration

  • capacity_provider (Object<ECSCapacityProvider>): Capacity Provider.
  • cluster (PacoReference): Cluster. Constraints: Paco Reference to ECSCluster.
  • log_level (Choice): Log Level. Default: error.

Base Schemas Named, Title

ECSCapacityProvider

ECSCapacityProvider

  • maximum_scaling_step_size (Int): Maximum Scaling Step Size. Default: 10000.
  • minimum_scaling_step_size (Int): Minimum Scaling Step Size. Default: 1.
  • target_capacity (Int): Target Capacity. Default: 100.

Base Schemas Deployable, Named, Title

SSHAccess

SSHAccess

  • groups (List<String>): Groups. Constraints: Must match a group declared in resource/ec2.yaml. Default: [].
  • users (List<String>): Users. Constraints: Must match a user declared in resource/ec2.yaml. Default: [].

Base Schemas Named, Title

BlockDeviceMapping

BlockDeviceMapping

  • device_name (String): The device name exposed to the EC2 instance.
  • ebs (Object<BlockDevice>): Amazon EBS volume.
  • virtual_name (String): The name of the virtual device. Constraints: The name must be in the form ephemeralX where X is a number starting from zero (0), for example, ephemeral0.

BlockDevice

BlockDevice

  • delete_on_termination (Boolean): Indicates whether to delete the volume when the instance is terminated. Default: True.
  • encrypted (Boolean): Specifies whether the EBS volume is encrypted.
  • iops (Int): The number of I/O operations per second (IOPS) to provision for the volume. Constraints: The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS, you need at least 100 GiB storage on the volume.
  • size_gib (Int): The volume size, in Gibibytes (GiB). Constraints: This can be a number from 1-1,024 for standard, 4-16,384 for io1, 1-16,384 for gp2, and 500-16,384 for st1 and sc1.
  • snapshot_id (String): The snapshot ID of the volume to use.
  • volume_type (String): The volume type, which can be standard for Magnetic, io1 for Provisioned IOPS SSD, gp2 for General Purpose SSD, st1 for Throughput Optimized HDD, or sc1 for Cold HDD. Constraints: Must be one of standard, io1, gp2, st1 or sc1.

EBSVolumeMount

EBS Volume Mount Configuration

EBSVolumeMount

  • device (String): Device to mount the EBS Volume with.
  • filesystem (String): Filesystem to mount the EBS Volume with.
  • folder (String): Folder to mount the EBS Volume.
  • volume (PacoReference|String): EBS Volume Resource Reference. Constraints: Paco Reference to EBS. String Ok.

Base Schemas Deployable

EFSMount

EFS Mount Folder and Target Configuration

EFSMount

  • folder (String): Folder to mount the EFS target.
  • target (PacoReference|String): EFS Target Resource Reference. Constraints: Paco Reference to EFS. String Ok.

Base Schemas Deployable

EC2LaunchOptions

EC2 Launch Options

EC2LaunchOptions

  • cfn_init_config_sets (List<String>): List of cfn-init config sets. Default: [].
  • codedeploy_agent (Boolean): Install CodeDeploy Agent. Default: False.
  • ssm_agent (Boolean): Install SSM Agent. Default: True.
  • ssm_expire_events_after_days (String): Retention period of SSM logs. Default: 30.
  • update_packages (Boolean): Update Distribution Packages. Default: False.

Base Schemas Named, Title

CloudFormationInit

CloudFormation Init is a method to configure an EC2 instance after it is launched. CloudFormation Init is a much more complete and robust method to install configuration files and packages than using a UserData script.

It stores information about packages, files, commands and more in CloudFormation metadata. It is accompanied by a cfn-init script which runs on the instance to fetch this configuration metadata and apply it. The whole system is often referred to simply as cfn-init after this script.

The cfn_init field for an ASG contains all of the cfn-init configuration. After an instance is launched, it needs to run a local cfn-init script to pull the configuration from the CloudFormation stack and apply it. After cfn-init has applied the configuration, you will run cfn-signal to tell CloudFormation the configuration was successfully applied. Use the launch_options field for an ASG to let Paco take care of all this for you.

Refer to the CloudFormation Init docs for a complete description of all the configuration options available.

cfn_init with launch_options
launch_options:
    cfn_init_config_sets:
    - "Install"
cfn_init:
  parameters:
    BasicKey: static-string
    DatabasePasswordarn: paco.ref netenv.mynet.secrets_manager.app.site.database.arn
  config_sets:
    Install:
      - "Install"
  configurations:
    Install:
      packages:
        rpm:
          epel: "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
        yum:
          jq: []
          python3: []
      files:
        "/tmp/get_rds_dsn.sh":
          content_cfn_file: ./webapp/get_rds_dsn.sh
          mode: '000700'
          owner: root
          group: root
        "/etc/httpd/conf.d/saas_wsgi.conf":
          content_file: ./webapp/saas_wsgi.conf
          mode: '000600'
          owner: root
          group: root
        "/etc/httpd/conf.d/wsgi.conf":
          content: "LoadModule wsgi_module modules/mod_wsgi.so"
          mode: '000600'
          owner: root
          group: root
        "/tmp/install_codedeploy.sh":
          source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
          mode: '000700'
          owner: root
          group: root
      commands:
        10_install_codedeploy:
          command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
      services:
        sysvinit:
          codedeploy-agent:
            enabled: true
            ensure_running: true

The parameters field is a set of Parameters that will be passed to the CloudFormation stack. These can be static strings or paco.ref values that are looked up from already provisioned cloud resources.

CloudFormation Init can be organized into Configsets. With raw cfn-init, using Configsets is optional, but it is required with Paco.

In a Configset, the files field has four fields for specifying the file contents.

  • content_file: A path to a file on the local filesystem. A convenient practice is to make a sub-directory in the netenv directory for keeping cfn-init files.
  • content_cfn_file: A path to a file on the local filesystem. This file will have FnSub and FnJoin CloudFormation applied to it.
  • content: For small files, the content can be in-lined directly in this field.
  • source: Fetches the file from a URL.

If you are using content_cfn_file to interpolate Parameters, the file might look like:

!Sub |
    #!/bin/bash

    echo "Database ARN is " ${DatabasePasswordarn}
    echo "AWS Region is " ${AWS::Region}

If you want to include a raw ${SomeValue} string in your file, use the ! character to escape it like this: ${!SomeValue}. cfn-init also supports interpolation with Mustache templates, but Paco support for this is not yet implemented.
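An added example (not Paco's or CloudFormation's code) of the substitution a content_cfn_file goes through: it resolves ${Name} from cfn_init.parameters, ${AWS::Region} from a pseudo-parameter dict, turns the ${!Name} escape into a literal ${Name}, and lists anything left unresolved, which would fail when the stack is created. The script body, the ARN value and the region are constructed placeholders.

```python
"""Emulate the Fn::Sub pass that Paco applies to a content_cfn_file.
Added example, not Paco's or CloudFormation's code. The script body, the ARN and
the region below are constructed placeholders mirroring the example above."""
import re

# ${Name}, ${AWS::Name}, or the escape form ${!Name}
SUB_TOKEN = re.compile(r"\$\{(!?)([A-Za-z0-9:_]+)\}")


def render_cfn_sub(template, parameters, pseudo_parameters=None):
    """Return (rendered_text, unresolved_names) for a !Sub template body."""
    pseudo_parameters = pseudo_parameters or {}
    unresolved = []

    def replace(match):
        escaped, name = match.group(1), match.group(2)
        if escaped:                       # ${!Name} -> literal ${Name}, left alone by Fn::Sub
            return "${" + name + "}"
        if name.startswith("AWS::"):      # pseudo parameter such as ${AWS::Region}
            source = pseudo_parameters
        else:                             # stack Parameter fed from cfn_init.parameters
            source = parameters
        if name in source:
            return str(source[name])
        unresolved.append(name)           # CloudFormation would reject this at stack creation
        return match.group(0)

    return SUB_TOKEN.sub(replace, template), unresolved


# Constructed: the parameters block from the cfn_init example above, with the
# paco.ref already resolved to a placeholder ARN
CFN_INIT_PARAMETERS = {
    "BasicKey": "static-string",
    "DatabasePasswordarn": "arn:aws:secretsmanager:us-west-2:000000000000:secret:PLACEHOLDER",
}

# Constructed: a content_cfn_file body like the one above, plus an escaped shell variable
GET_RDS_DSN_SH = """#!/bin/bash

echo "Database ARN is " ${DatabasePasswordarn}
echo "AWS Region is " ${AWS::Region}
echo "Home is " ${!HOME}
"""


def render_get_rds_dsn(region="us-west-2"):
    """Render the sample script for one region (a constructed value)."""
    return render_cfn_sub(GET_RDS_DSN_SH, CFN_INIT_PARAMETERS, {"AWS::Region": region})
```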

CloudFormationInit

  • config_sets (Container<CloudFormationConfigSets>): CloudFormation Init configSets.
  • configurations (Container<CloudFormationConfigurations>): CloudFormation Init configurations.
  • parameters (Dict): Parameters. Default: {}.

Base Schemas Named, Title

CloudFormationConfigSets

CloudFormationConfigSets

Base Schemas Named, Title

CloudFormationConfigurations

CloudFormationConfigurations Container<CloudFormationConfiguration>

Base Schemas Named, Title

CloudFormationConfiguration

CloudFormationConfiguration

  • commands (Container<CloudFormationInitCommands>): Commands.
  • files (Container<CloudFormationInitFiles>): Files.
  • groups (Object<CloudFormationInitGroups>): Groups.
  • packages (Object<CloudFormationInitPackages>): Packages.
  • services (Object<CloudFormationInitServices>): Services.
  • sources (Container<CloudFormationInitSources>): Sources.
  • users (Object<CloudFormationInitUsers>): Users.

Base Schemas Named, Title

CloudFormationInitCommands

CloudFormationInitCommands

Base Schemas Named, Title

CloudFormationInitCommand

CloudFormationInitCommand

  • command (String): Command.
  • cwd (String): Cwd. The working directory.
  • env (Dict): Environment Variables. This property overwrites, rather than appends, the existing environment. Default: {}.
  • ignore_errors (Boolean): Ignore errors. Determines whether cfn-init continues to run if the command contained in the command key fails (returns a non-zero value). Set to true if you want cfn-init to continue running even if the command fails. Default: False.
  • test (String): A test command that determines whether cfn-init runs commands that are specified in the command key. If the test passes, cfn-init runs the commands.

CloudFormationInitFiles

CloudFormationInitFiles

Base Schemas Named, Title

CloudFormationInitFile

CloudFormationInitFile

  • authentication (String): The name of an authentication method to use.
  • content (Object<Interface>): Either a string or a properly formatted YAML object.
  • content_cfn_file (YAMLFileReference): File path to a properly formatted CloudFormation Functions YAML object.
  • content_file (StringFileReference): File path to a string.
  • context (String): Specifies a context for files that are to be processed as Mustache templates.
  • encoding (String): The encoding format.
  • group (String): The name of the owning group for this file. Not supported for Windows systems.
  • mode (String): A six-digit octal value representing the mode for this file.
  • owner (String): The name of the owning user for this file. Not supported for Windows systems.
  • source (String): A URL to load the file from.

Base Schemas Named, Title

CloudFormationInitGroups

Container for CloudFormationInit Groups

CloudFormationInitPackages

CloudFormationInitPackages

  • apt (Container<CloudFormationInitVersionedPackageSet>): Apt packages.
  • msi (Container<CloudFormationInitPathOrUrlPackageSet>): MSI packages.
  • python (Container<CloudFormationInitVersionedPackageSet>): Python packages.
  • rpm (Container<CloudFormationInitPathOrUrlPackageSet>): RPM packages.
  • rubygems (Container<CloudFormationInitVersionedPackageSet>): Rubygems packages.
  • yum (Container<CloudFormationInitVersionedPackageSet>): Yum packages.

Base Schemas Named, Title

CloudFormationInitVersionedPackageSet

CloudFormationInitPathOrUrlPackageSet

CloudFormationInitServiceCollection

CloudFormationInitServiceCollection
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

CloudFormationInitServices

CloudFormationInitServices
Field name Type Purpose Constraints Default
sysvinit Container<CloudFormationInitServiceCollection> SysVInit Services for Linux OS    
windows Container<CloudFormationInitServiceCollection> Windows Services for Windows OS    

Base Schemas Named, Title

CloudFormationInitService

CloudFormationInitService
Field name Type Purpose Constraints Default
commands List<String> A list of command names. If cfn-init runs the specified command, this service will be restarted.    
enabled Boolean Ensure that the service will be started or not started upon boot.    
ensure_running Boolean Ensure that the service is running or stopped after cfn-init finishes.    
files List<String> A list of files. If cfn-init changes one directly via the files block, this service will be restarted.    
packages Dict A map of package manager to list of package names. If cfn-init installs or updates one of these packages, this service will be restarted.   {}
sources List<String> A list of directories. If cfn-init expands an archive into one of these directories, this service will be restarted.    

CloudFormationInitSources

CloudFormationInitSources
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

CloudFormationInitUsers

Container for CloudFormationInit Users

ACM

ACM
Field name Type Purpose Constraints Default
domain_name String Domain Name    
external_resource Boolean Marks this resource as external to avoid creating and validating it.   False
private_ca String Private Certificate Authority ARN    
region String AWS Region Must be a valid AWS Region name  
subject_alternative_names List<String> Subject alternative names    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CloudFront

CloudFront CDN Configuration
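The CloudFront tables below document several defaults worth overriding: viewer_certificate.minimum_protocol_version defaults to TLSv1.1_2016, and the default forwarded_values forward all headers (['*']) and all cookies, which sends everything to the origin and defeats caching for the default behavior. The following distribution is an added example written for this page, not configuration from the Paco project. It assumes hypothetical resources named `static` (an S3Bucket), `cert` (an ACM certificate) and an API host at api.example.com, and assumes that origins are referenced by appending `.origins.<name>` to the distribution's own paco.ref path; the WebACL value is a placeholder.

```yaml
# Added example: a CloudFront distribution with hardened viewer and origin TLS
# settings (not from the Paco docs).
type: CloudFront
order: 20
enabled: true
default_root_object: index.html
domain_aliases:
  - domain_name: www.example.com
    hosted_zone: paco.ref resource.route53.example_com
    ssl_certificate: paco.ref netenv.mynet.applications.myapp.groups.cdn.resources.cert
viewer_certificate:
  certificate: paco.ref netenv.mynet.applications.myapp.groups.cdn.resources.cert
  # Raise from the TLSv1.1_2016 default; value must be one CloudFront accepts.
  minimum_protocol_version: TLSv1.2_2021
  ssl_supported_method: sni-only
# Placeholder: the id/ARN of a WAF WebACL created outside this resource.
webacl_id: "REPLACE_WITH_WEBACL_ID"
origins:
  static:
    s3_bucket: paco.ref netenv.mynet.applications.myapp.groups.cdn.resources.static
  api:
    domain_name: api.example.com
    custom_origin_config:
      http_port: 80
      https_port: 443
      # Never fall back to plaintext between CloudFront and the origin.
      protocol_policy: https-only
      ssl_protocols:
        - TLSv1.2
      read_timeout: 30
      keepalive_timeout: 5
default_cache_behavior:
  # Assumed reference path to the 'static' origin defined above.
  target_origin: paco.ref netenv.mynet.applications.myapp.groups.cdn.resources.cdn.origins.static
  viewer_protocol_policy: redirect-to-https
  allowed_methods:
    - GET
    - HEAD
    - OPTIONS
  cached_methods:
    - GET
    - HEAD
  compress: true
  forwarded_values:
    # Static content: forward nothing, so responses are actually cached.
    query_string: false
    headers: []
    cookies:
      forward: none
cache_behaviors:
  - path_pattern: '/api/*'
    target_origin: paco.ref netenv.mynet.applications.myapp.groups.cdn.resources.cdn.origins.api
    viewer_protocol_policy: https-only
    allowed_methods:
      - DELETE
      - GET
      - HEAD
      - OPTIONS
      - PATCH
      - POST
      - PUT
    cached_methods:
      - GET
      - HEAD
    # API responses are per-user; disable caching rather than risk serving
    # one caller's response to another.
    min_ttl: 0
    default_ttl: 0
    max_ttl: 0
    forwarded_values:
      query_string: true
      headers:
        - Authorization
        - Host
      cookies:
        forward: all
```

The split between a cacheable static behavior and a zero-TTL API behavior is the part most often done wrong: leaving the default forwarded_values in place on the static behavior costs cache hits, while caching the API behavior with a non-zero TTL can leak one user's authenticated response to another.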

CloudFront
Field name Type Purpose Constraints Default
cache_behaviors List<CloudFrontCacheBehavior> List of Cache Behaviors    
custom_error_responses List<CloudFrontCustomErrorResponse> List of Custom Error Responses    
default_cache_behavior Object<CloudFrontDefaultCacheBehavior> Default Cache Behavior    
default_root_object String The default path to load from the origin.    
domain_aliases List<DNS> List of DNS for the Distribution    
factory Container<CloudFrontFactories_> CloudFront Factory    
origins Container<CloudFrontOrigins_> Map of Origins    
price_class String Price Class   All
viewer_certificate Object<CloudFrontViewerCertificate> Viewer Certificate    
webacl_id String WAF WebACLId    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

CloudFrontDefaultCacheBehavior

CloudFrontDefaultCacheBehavior
Field name Type Purpose Constraints Default
allowed_methods List<String> List of Allowed HTTP Methods   [‘DELETE’, ‘GET’, ‘HEAD’, ‘OPTIONS’, ‘PATCH’, ‘POST’, ‘PUT’]
cached_methods List<String> List of HTTP Methods to cache   [‘GET’, ‘HEAD’, ‘OPTIONS’]
compress Boolean Compress certain files automatically   False
default_ttl Int Default TTL   86400
forwarded_values Object<CloudFrontForwardedValues> Forwarded Values    
lambda_function_associations List<CloudFrontLambdaFunctionAssocation> Lambda Function Associations    
max_ttl Int Maximum TTL   31536000
min_ttl Int Minimum TTL   0
target_origin PacoReference Target Origin Paco Reference to CloudFrontOrigin.  
viewer_protocol_policy String Viewer Protocol Policy   redirect-to-https

Base Schemas Named, Title

CloudFrontCacheBehavior

CloudFrontCacheBehavior
Field name Type Purpose Constraints Default
path_pattern String Path Pattern    

Base Schemas CloudFrontDefaultCacheBehavior, Named, Title

CloudFrontFactory

CloudFront Factory

CloudFrontFactory
Field name Type Purpose Constraints Default
domain_aliases List<DNS> List of DNS for the Distribution    
viewer_certificate Object<CloudFrontViewerCertificate> Viewer Certificate    

Base Schemas Named, Title

CloudFrontOrigin

CloudFront Origin Configuration

CloudFrontOrigin
Field name Type Purpose Constraints Default
custom_origin_config Object<CloudFrontCustomOriginConfig> Custom Origin Configuration    
domain_name PacoReference|String Origin Resource Reference Paco Reference to Route53HostedZone. String Ok.  
s3_bucket PacoReference Origin S3 Bucket Reference Paco Reference to S3Bucket.  

Base Schemas Named, Title

CloudFrontCustomOriginConfig

CloudFrontCustomOriginConfig
Field name Type Purpose Constraints Default
http_port Int HTTP Port    
https_port Int HTTPS Port    
keepalive_timeout Int HTTP Keepalive Timeout   5
protocol_policy String Protocol Policy    
read_timeout Int Read timeout   30
ssl_protocols List<String> List of SSL Protocols    

Base Schemas Named, Title

CloudFrontCustomErrorResponse

CloudFrontCustomErrorResponse
Field name Type Purpose Constraints Default
error_caching_min_ttl Int Error Caching Min TTL   300
error_code Int HTTP Error Code    
response_code Int HTTP Response Code    
response_page_path String Response Page Path    

CloudFrontViewerCertificate

CloudFrontViewerCertificate
Field name Type Purpose Constraints Default
certificate PacoReference Certificate Reference Paco Reference to ACM.  
minimum_protocol_version String Minimum SSL Protocol Version   TLSv1.1_2016
ssl_supported_method String SSL Supported Method   sni-only

Base Schemas Named, Title

CloudFrontForwardedValues

CloudFrontForwardedValues
Field name Type Purpose Constraints Default
cookies Object<CloudFrontCookies> Forward Cookies    
headers List<String> Forward Headers   [‘*’]
query_string Boolean Forward Query Strings   True

Base Schemas Named, Title

CloudFrontCookies

CloudFrontCookies
Field name Type Purpose Constraints Default
forward String Cookies Forward Action   all
whitelisted_names List<String> White Listed Names    

Base Schemas Named, Title

CloudFrontLambdaFunctionAssocation

CloudFrontLambdaFunctionAssocation
Field name Type Purpose Constraints Default
event_type Choice Event Type Must be one of ‘origin-request’, ‘origin-response’, ‘viewer-request’ or ‘viewer-response’  
include_body Boolean Include Body   False
lambda_function PacoReference Lambda Function Paco Reference to Lambda.  

Base Schemas Named, Title

CognitoLambdaTriggers

CognitoLambdaTriggers
Field name Type Purpose Constraints Default
create_auth_challenge PacoReference CreateAuthChallenge Lambda trigger Paco Reference to Lambda.  
custom_message PacoReference CustomMessage Lambda trigger Paco Reference to Lambda.  
define_auth_challenge PacoReference DefineAuthChallenge Lambda trigger Paco Reference to Lambda.  
post_authentication PacoReference PostAuthentication Lambda trigger Paco Reference to Lambda.  
post_confirmation PacoReference PostConfirmation Lambda trigger Paco Reference to Lambda.  
pre_authentication PacoReference PreAuthentication Lambda trigger Paco Reference to Lambda.  
pre_sign_up PacoReference PreSignUp Lambda trigger Paco Reference to Lambda.  
pre_token_generation PacoReference PreTokenGeneration Lambda trigger Paco Reference to Lambda.  
user_migration PacoReference UserMigration Lambda trigger Paco Reference to Lambda.  
verify_auth_challenge_response PacoReference VerifyAuthChallengeResponse Lambda trigger Paco Reference to Lambda.  

CodeDeployApplication

CodeDeploy Application creates CodeDeploy Application and Deployment Groups for that application.

This resource can be used when you already have another process in-place to put deploy artifacts into an S3 Bucket. If you also need to build artifacts, use DeploymentPipeline instead.

Example CodeDeployApplication resource YAML
type: CodeDeployApplication
order: 40
compute_platform: "Server"
deployment_groups:
  deployment:
    title: "My Deployment Group description"
    ignore_application_stop_failures: true
    revision_location_s3: paco.ref netenv.mynet.applications.app.groups.deploybucket
    autoscalinggroups:
      - paco.ref netenv.mynet.applications.app.groups.web

It can be convenient to install the CodeDeploy agent on your instances using CloudFormationInit.

Example ASG configuration for cfn_init to install CodeDeploy agent
launch_options:
  cfn_init_config_sets:
    - "InstallCodeDeploy"
cfn_init:
  config_sets:
    InstallCodeDeploy:
      - "InstallCodeDeploy"
  files:
    "/tmp/install_codedeploy.sh":
      source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
      mode: '000700'
      owner: root
      group: root
  commands:
    01_install_codedeploy:
      command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
  services:
    sysvinit:
      codedeploy-agent:
        enabled: true
        ensure_running: true
CodeDeployApplication
Field name Type Purpose Constraints Default
compute_platform String Compute Platform Must be one of Lambda, Server or ECS  
deployment_groups Container<CodeDeployDeploymentGroups> CodeDeploy Deployment Groups    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CodeDeployDeploymentGroups

CodeDeployDeploymentGroups
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

CodeDeployDeploymentGroup

CodeDeployDeploymentGroup
Field name Type Purpose Constraints Default
autoscalinggroups List<PacoReference> AutoScalingGroups that CodeDeploy automatically deploys revisions to when new instances are created Paco Reference to ASG.  
ignore_application_stop_failures Boolean Ignore Application Stop Failures    
revision_location_s3 Object<DeploymentGroupS3Location> S3 Bucket revision location    
role_policies List<Policy> Policies to grant the deployment group role    

Base Schemas Deployable, Named, Title

CognitoUserPool

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps.

The CognitoUserPool resource type is a user directory in Amazon Cognito. With a user pool, users can sign in to your web or mobile app through Amazon Cognito.

Example CognitoUserPool YAML
type: CognitoUserPool
order: 10
enabled: true
auto_verified_attributes: email
mfa: 'optional'
mfa_methods:
 - software_token
 - sms
account_recovery: verified_email
password:
  minimum_length: 12
  require_lowercase: true
  require_uppercase: true
  require_numbers: false
  require_symbols: false
email:
  reply_to_address: reply-to@example.com
user_creation:
  admin_only: true
  unused_account_validity_in_days: 7
  invite_message_templates:
    email_subject: 'Invite to the App!'
    email_message: >
      <p>You've had an account created for you on the app.</p>
      <p><b>Username:</b> {username}</p>
      <p><b>Temporary password:</b> {####}</p>
      <p>Please login and set a secure password. This request will expire in 7 days.</p>
lambda_triggers:
  pre_sign_up: paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
schema:
  - attribute_name: email
    attribute_data_type: string
    mutable: false
    required: true
  - attribute_name: name
    attribute_data_type: string
    mutable: true
    required: true
  - attribute_name: phone_number
    attribute_data_type: string
    mutable: true
    required: false
ui_customizations:
  logo_file: './images/logo.png'
  css_file: './images/cognito.css'
app_clients:
  web:
    generate_secret: false
    callback_urls:
      - https://example.com
      - https://example.com/parseauth
      - https://example.com/refreshauth
    logout_urls:
      - https://example.com/signout
    allowed_oauth_flows:
        - code
    allowed_oauth_scopes:
        - email
        - openid
    domain_name: exampledomain
    identity_providers:
      - cognito
CognitoUserPool
Field name Type Purpose Constraints Default
account_recovery String Account Recovery Options (in order of priority) Can be either ‘admin_only’, ‘verified_email’, ‘verified_phone_number’, ‘verified_phone_number,verified_email’ or ‘verified_email,verified_phone_number’  
app_clients Container<CognitoUserPoolClients> App Clients    
auto_verified_attributes String Auto Verified Attributes Can be either ‘email’, ‘phone_number’ or ‘email,phone_number’  
email Object<CognitoEmailConfiguration> Email Configuration    
lambda_triggers Object<CognitoLambdaTriggers> Lambda Triggers    
mfa Choice MFA Configuration Must be one of ‘off’, ‘on’ or ‘optional’ off
mfa_methods Choice Enabled MFA methods List of ‘sms’ or ‘software_token’ []
password Object<CognitoUserPoolPasswordPolicy> Password Configuration    
schema List<CognitoUserPoolSchemaAttribute> Schema Attributes   []
ui_customizations Object<CognitoUICustomizations> UI Customizations    
user_creation Object<CognitoUserCreation> User Creation    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CognitoInviteMessageTemplates

CognitoInviteMessageTemplates
Field name Type Purpose Constraints Default
email_message String Email Message    
email_subject String Email Subject    
sms_message String SMS Message    

Base Schemas Named, Title

CognitoUserPoolClients

A container of CognitoUserPoolClient objects.

CognitoUserPoolClients Container<CognitoUserPoolClient>
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

CognitoUserPoolClient

CognitoUserPoolClient
Field name Type Purpose Constraints Default
allowed_oauth_flows Choice Allowed OAuth Flows   []
allowed_oauth_scopes List<String> Allow OAuth Scopes   []
callback_urls List<String> Callback URLs   []
domain_name String Domain Name or domain prefix    
generate_secret Boolean Generate Secret   False
identity_providers Choice Identity Providers   []
logout_urls List<String> Logout URLs   []

Base Schemas Named, Title

CognitoEmailConfiguration

CognitoEmailConfiguration
Field name Type Purpose Constraints Default
from_address String From Email Address    
reply_to_address String Reply To Email Address    
verification_message String Verification Message    
verification_subject String Verification Subject    

Base Schemas Named, Title

CognitoUserPoolPasswordPolicy

CognitoUserPoolPasswordPolicy
Field name Type Purpose Constraints Default
minimum_length Int Minimum Length    
require_lowercase Boolean Require Lowercase   True
require_numbers Boolean Require Numbers   True
require_symbols Boolean Require Symbols   True
require_uppercase Boolean Require Uppercase   True

Base Schemas Named, Title

CognitoUserPoolSchemaAttribute

CognitoUserPoolSchemaAttribute
Field name Type Purpose Constraints Default
attribute_data_type Choice Attribute Data Type    
attribute_name String Name From 1 to 20 characters  
mutable Boolean Mutable    
required Boolean Required    

CognitoUICustomizations

CognitoUICustomizations
Field name Type Purpose Constraints Default
css_file StringFileReference File path to a CSS file. Contents must be valid CSS that applies to the Cognito Hosted UI.  
logo_file BinaryFileReference File path to an image. Must be a PNG or JPEG and max 100 Kb.  

Base Schemas Named, Title

CognitoUserCreation

CognitoUserCreation
Field name Type Purpose Constraints Default
admin_only Boolean Allow only Admin to create users   False
invite_message_templates Object<CognitoInviteMessageTemplates> Invite Message Templates    
unused_account_validity_in_days Int Unused Account Validity in Days   7

Base Schemas Named, Title

CognitoIdentityPool

The CognitoIdentityPool resource type grants Cognito User Pool users (and, optionally, unauthenticated identities) IAM credentials for AWS resources. Anything granted to the unauthenticated_role is available to anyone who can reach the identity pool, so keep that role's policies minimal and scope resource ARNs as tightly as the application allows.

Example CognitoIdentityPool YAML
type: CognitoIdentityPool
order: 20
enabled: true
allow_unauthenticated_identities: true
identity_providers:
 - userpool_client: paco.ref netenv.mynet.applications.myapp.groups.cognito.resources.cup.app_clients.web
   serverside_token_check: false
unauthenticated_role:
  enabled: true
  policies:
    - name: CognitoSyncAll
      statement:
        - effect: Allow
          action:
            - "cognito-sync:*"
          resource:
            - '*'
authenticated_role:
  enabled: true
  policies:
    - name: ViewDescribe
      statement:
        - effect: Allow
          action:
            - "cognito-sync:*"
            - "cognito-identity:*"
          resource:
            - '*'
        - effect: Allow
          action:
            - "lambda:InvokeFunction"
          resource:
            - '*'
CognitoIdentityPool
Field name Type Purpose Constraints Default
allow_unauthenticated_identities Boolean Allow Unauthenticated Identities   False
authenticated_role Object<RoleDefaultEnabled> IAM Role assumed by authenticated identities    
identity_providers List<CognitoIdentityProvider> Identity Providers   []
unauthenticated_role Object<RoleDefaultEnabled> IAM Role assumed by unauthenticated identities (only used when allow_unauthenticated_identities is true)    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CognitoIdentityProvider

CognitoIdentityProvider
Field name Type Purpose Constraints Default
serverside_token_check Boolean ServerSide Token Check   False
userpool_client PacoReference Identity Provider Paco Reference to CognitoUserPoolClient.  

DeploymentPipeline

DeploymentPipeline creates AWS CodePipeline resources configured to act as CI/CDs to deploy code and assets to application resources. DeploymentPipelines allow you to express complex CI/CDs with minimal configuration.

A DeploymentPipeline has a number of Actions for three pre-defined Stages: source, build and deploy. The currently supported list of actions for each stage is:

Current Actions available by Stage
source:
  type: CodeCommit.Source
  type: ECR.Source
  type: GitHub.Source
build:
  type: CodeBuild.Build
deploy:
  type: CodeDeploy.Deploy
  type: ECS.Deploy
  type: ManualApproval

DeploymentPipelines can be configured to work cross-account and will automatically encrypt the artifacts S3 Bucket with a KMS CMK that can only be accessed by the pipeline. The configuration field lets you set the account that the DeploymentPipeline's CodePipeline resource will be created in and also specify the S3 Bucket to use for artifacts.

Configure a DeploymentPipeline to run in the tools account
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools

DeploymentPipeline caveats - there are a few things to consider when creating pipelines:

  • You need to create an S3 Bucket that will be configured for artifacts. Even pipelines which don't create artifacts will need this resource to hold ephemeral files created by CodePipeline.
  • A pipeline that deploys artifacts to an AutoScalingGroup will need the artifacts_bucket to allow the IAM Instance Role to read from the bucket.
  • A pipeline with an ECR.Source source must be in the same account as the ECR Repository.
  • A pipeline with an ECR.Source source must have at least one image already pushed to the repository before the pipeline can be created.
  • A pipeline that is building Docker images needs to set privileged_mode: true.
  • If you are using a manual approval step before deploying, pay attention to the run_order field. Normally you will want the approval action to happen before the deploy action.
Example S3 Bucket for a DeploymentPipeline that deploys to an AutoScalingGroup
type: S3Bucket
enabled: true
order: 10
bucket_name: "artifacts"
deletion_policy: "delete"
account: paco.ref accounts.tools
versioning: true
policy:
  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.myapp.groups.container.resources.asg.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''
Example DeploymentPipeline to deploy to ECS when an ECR Repository is updated
type: DeploymentPipeline
order: 10
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  ecr:
    type: ECR.Source
    repository: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecr_example
    image_tag: latest
deploy:
  ecs:
    type: ECS.Deploy
    cluster: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecs_cluster
    service: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecs_config.services.simple_app
Example DeploymentPipeline to pull from GitHub, build a Docker image and then deploy from an ECR Repo
type: DeploymentPipeline
order: 20
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  github:
    type: GitHub.Source
    deployment_branch_name: "prod"
    github_access_token: paco.ref netenv.mynet.secrets_manager.myapp.github.token
    github_owner: MyExample
    github_repository: MyExample-FrontEnd
    poll_for_source_changes: false
build:
  codebuild:
    type: CodeBuild.Build
    deployment_environment: "prod"
    codebuild_image: 'aws/codebuild/standard:4.0'
    codebuild_compute_type: BUILD_GENERAL1_MEDIUM
    privileged_mode: true # To allow docker images to be built
    codecommit_repo_users:
      - paco.ref resource.codecommit.mygroup.myrepo.users.MyCodeCommitUser
    secrets:
      - paco.ref netenv.mynet.secrets_manager.myapp.github.ssh_private_key
    role_policies:
      - name: AmazonEC2ContainerRegistryPowerUser
        statement:
          - effect: Allow
            action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:DescribeImages
              - ecr:BatchGetImage
              - ecr:GetLifecyclePolicy
              - ecr:GetLifecyclePolicyPreview
              - ecr:ListTagsForResource
              - ecr:DescribeImageScanFindings
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            resource:
              - '*'
deploy:
  ecs:
    type: ECS.Deploy
    cluster: paco.ref netenv.mynet.applications.myapp.groups.container.resources.cluster
    service: paco.ref netenv.mynet.applications.myapp.groups.container.resources.services.services.frontend
Example DeploymentPipeline to pull from CodeCommit, build an app artifact and then deploy to an ASG using CodeDeploy
type: DeploymentPipeline
order: 30
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  codecommit:
    type: CodeCommit.Source
    codecommit_repository: paco.ref resource.codecommit.mygroup.myrepo
    deployment_branch_name: "prod"
build:
  codebuild:
    type: CodeBuild.Build
    deployment_environment: "prod"
    codebuild_image: 'aws/codebuild/amazonlinux2-x86_64-standard:1.0'
    codebuild_compute_type: BUILD_GENERAL1_SMALL
deploy:
  approval:
    type: ManualApproval
    run_order: 1
    manual_approval_notification_email:
      - bob@example.com
      - sally@example.com
  codedeploy:
    type: CodeDeploy.Deploy
    run_order: 2
    alb_target_group: paco.ref netenv.mynet.applications.myapp.groups.backend.resources.alb.target_groups.api
    auto_scaling_group: paco.ref netenv.mynet.applications.myapp.groups.backend.resources.api
    auto_rollback_enabled: true
    minimum_healthy_hosts:
      type: HOST_COUNT
      value: 0
    deploy_style_option: WITHOUT_TRAFFIC_CONTROL
DeploymentPipeline
Field name Type Purpose Constraints Default
build Container<DeploymentPipelineBuildStage> Deployment Pipeline Build Stage    
configuration Object<DeploymentPipelineConfiguration> Deployment Pipeline General Configuration    
deploy Container<DeploymentPipelineDeployStage> Deployment Pipeline Deploy Stage    
source Container<DeploymentPipelineSourceStage> Deployment Pipeline Source Stage    
stages Container<CodePipelineStages> Stages    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CodePipelineStages

Container for CodePipelineStage objects.

CodePipelineStages Container<CodePipelineStage>
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

CodePipelineStage

Container for different types of DeploymentPipelineStageAction objects.

CodePipelineStage
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

DeploymentPipelineSourceStage

A map of DeploymentPipeline source stage actions

DeploymentPipelineSourceStage
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

DeploymentPipelineDeployStage

A map of DeploymentPipeline deploy stage actions

DeploymentPipelineDeployStage
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

DeploymentPipelineBuildStage

A map of DeploymentPipeline build stage actions

DeploymentPipelineBuildStage
Field name Type Purpose Constraints Default
(no fields of its own; see Base Schemas)

Base Schemas Named, Title

DeploymentPipelineDeployCodeDeploy

CodeDeploy DeploymentPipeline Deploy Stage

DeploymentPipelineDeployCodeDeploy
Field name Type Purpose Constraints Default
alb_target_group PacoReference ALB Target Group Reference Paco Reference to TargetGroup.  
auto_rollback_enabled Boolean Automatic rollback enabled   True
auto_scaling_group PacoReference ASG Reference Paco Reference to ASG.  
deploy_instance_role PacoReference Deploy Instance Role Reference Paco Reference to Role.  
deploy_style_option String Deploy Style Option   WITH_TRAFFIC_CONTROL
elb_name String ELB Name    
minimum_healthy_hosts Object<CodeDeployMinimumHealthyHosts> The minimum number of healthy instances that should be available at any time during the deployment.    

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineSourceECR

Amazon ECR DeploymentPipeline Source Stage

This Action is triggered whenever a new image is pushed to an Amazon ECR repository.

pipeline:
  type: DeploymentPipeline
  stages:
    source:
      ecr:
        type: ECR.Source
        enabled: true
        repository:  paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.myecr
        image_tag: "latest"
DeploymentPipelineSourceECR
Field name Type Purpose Constraints Default
image_tag String The name of the tag used for the image.   latest
repository PacoReference|String An ECRRepository ref or the name of an ECR repository. Paco Reference to ECRRepository. String Ok.  

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

CodeDeployMinimumHealthyHosts

CodeDeploy Minimum Healthy Hosts

CodeDeployMinimumHealthyHosts
Field name Type Purpose Constraints Default
type String Deploy Config Type   HOST_COUNT
value Int Deploy Config Value   0

Base Schemas Named, Title

DeploymentPipelineManualApproval

ManualApproval DeploymentPipeline

DeploymentPipelineManualApproval
Field name Type Purpose Constraints Default
manual_approval_notification_email List<String> Manual Approval Notification Email List    

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineDeployS3

Amazon S3 Deployment Provider

DeploymentPipelineDeployS3
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket Reference Paco Reference to S3Bucket.  
extract Boolean Boolean indicating whether the deployment artifact will be unarchived.   True
input_artifacts List<String> Input Artifacts    
object_key String S3 object key to store the deployment artifact as.    

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineBuildCodeBuild

CodeBuild DeploymentPipeline Build Stage

DeploymentPipelineBuildCodeBuild
Field name Type Purpose Constraints Default
buildspec String buildspec.yml filename    
codebuild_compute_type String CodeBuild Compute Type    
codebuild_image String CodeBuild Docker Image    
codecommit_repo_users List<PacoReference> CodeCommit Users Paco Reference to CodeCommitUser.  
deployment_environment String Deployment Environment    
ecr_repositories List<ECRRepositoryPermission> ECR Repository Permissions   []
privileged_mode Boolean Privileged Mode   False
role_policies List<Policy> Project IAM Role Policies    
secrets List<PacoReference> List of PacoReferences to Secrets Manager secrets Paco Reference to SecretsManagerSecret.  
timeout_mins Int Timeout in Minutes   60

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineSourceCodeCommit

CodeCommit DeploymentPipeline Source Stage

DeploymentPipelineSourceCodeCommit
Field name Type Purpose Constraints Default
codecommit_repository PacoReference CodeCommit Repository Paco Reference to CodeCommitRepository.  
deployment_branch_name String Deployment Branch Name    

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineStageAction

Base schema shared by all DeploymentPipeline stage actions (source, build and deploy).

DeploymentPipelineStageAction
Field name Type Purpose Constraints Default
run_order Int The order in which to run this action within its stage   1
type String The type of DeploymentPipeline stage action (for example CodeCommit.Source, CodeBuild.Build or ManualApproval)    

Base Schemas Enablable, Named, Title

DeploymentPipelineConfiguration

Deployment Pipeline General Configuration

DeploymentPipelineConfiguration
Field name Type Purpose Constraints Default
account PacoReference The account where Pipeline tools will be provisioned. Paco Reference to Account.  
artifacts_bucket PacoReference Artifacts S3 Bucket Reference Paco Reference to S3Bucket.  

Base Schemas Named, Title

DeploymentGroupS3Location

DeploymentGroupS3Location
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket revision location Paco Reference to S3Bucket.  
bundle_type String Bundle Type Must be one of JSON, tar, tgz, YAML or zip.  
key String The name of the Amazon S3 object that represents the bundled artifacts for the application revision.    

EBS

Elastic Block Store (EBS) Volume.

It is required to specify the availability_zone the EBS Volume will be created in. An EBS Volume can only be attached to instances in the same Availability Zone, so if the volume is going to be used by an ASG, that ASG must launch its instances in the same availability_zone (and region).

Example EBS resource YAML
type: EBS
order: 5
enabled: true
size_gib: 4
volume_type: gp2
availability_zone: 1
EBS
Field name Type Purpose Constraints Default
availability_zone Int Availability Zone to create Volume in.    
size_gib Int Volume Size in GiB   10
snapshot_id String Snapshot ID    
volume_type String Volume Type Must be one of: gp2 | io1 | sc1 | st1 | standard gp2

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EC2

EC2 Instance

EC2
Field name Type Purpose Constraints Default
associate_public_ip_address Boolean Associate Public IP Address   False
disable_api_termination Boolean Disable API Termination   False
instance_ami String Instance AMI    
instance_key_pair PacoReference key pair for connections to instance Paco Reference to EC2KeyPair.  
instance_type String Instance type    
private_ip_address String Private IP Address    
root_volume_size_gb Int Root volume size GB   8
security_groups List<PacoReference> Security groups Paco Reference to SecurityGroup.  
segment String Segment    
user_data_script String User data script    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ECRRepository

Elastic Container Registry (ECR) Repository is a fully-managed Docker container registry.

Example ECRRepository
type: ECRRepository
enabled: true
order: 10
repository_name: 'ecr-example'
cross_account_access:
  - paco.ref accounts.dev
  - paco.ref accounts.tools
ECRRepository
Field name Type Purpose Constraints Default
account PacoReference Account the ECR Repository belongs to Paco Reference to Account.  
cross_account_access List<PacoReference> Accounts to grant access to this ECR. Paco Reference to Account.  
lifecycle_policy_registry_id String Lifecycle Policy Registry Id    
lifecycle_policy_text String Lifecycle Policy    
repository_name String Repository Name    
repository_policy Object<Policy> Repository Policy    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ECRRepositoryPermission

ECRRepositoryPermission
Field name Type Purpose Constraints Default
permission Choice Permission Must be one of ‘Push’, ‘Pull’ or ‘PushAndPull’  
repository PacoReference ECR Repository Paco Reference to ECRRepository.  

ECSCluster

The ECSCluster resource type creates an Amazon Elastic Container Service (Amazon ECS) cluster.

example ECSCluster configuration YAML
type: ECSCluster
title: My ECS Cluster
enabled: true
order: 10
ECSCluster
Field name Type Purpose Constraints Default

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ECSServices

The ECSServices resource type creates one or more ECS Services and their TaskDefinitions that can run in an ECSCluster.

example ECSServices configuration YAML
type: ECSServices
title: "My ECS Services"
enabled: true
order: 40
cluster: paco.ref netenv.mynet.applications.myapp.groups.ecs.resources.cluster
service_discovery_namespace_name: 'private-name'
secrets_manager_access:
  - paco.ref netenv.mynet.secrets_manager.store.database.mydb
task_definitions:
  frontend:
    container_definitions:
      frontend:
        cpu: 256
        essential: true
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.frontend
        image_tag: latest
        memory: 150 # in MiB
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 80
            host_port: 0
            protocol: tcp
        secrets:
          - name: DATABASE_PASSWORD
            value_from: paco.ref netenv.mynet.secrets_manager.store.database.mydb
        environment:
          - name: POSTGRES_HOSTNAME
            value: paco.ref netenv.mynet.applications.myapp.groups.database.resources.postgresql.endpoint.address
  demoservice:
    container_definitions:
      demoservice:
        cpu: 256
        essential: true
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.demoservice
        image_tag: latest
        memory: 100 # in MiB
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 80
            host_port: 0
            protocol: tcp

services:
  frontend:
    desired_count: 0
    task_definition: frontend
    deployment_controller: ecs
    hostname: frontend.myapp
    load_balancers:
      - container_name: frontend
        container_port: 80
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.external.target_groups.frontend
  demoservice:
    desired_count: 0
    task_definition: demoservice
    deployment_controller: ecs
    load_balancers:
      - container_name: demoservice
        container_port: 80
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.internal.target_groups.demoservice
ECSServices
Field name Type Purpose Constraints Default
cluster PacoReference Cluster Paco Reference to ECSCluster.  
secrets_manager_access List<PacoReference> List of Secrets Manager secret Paco references that the tasks are granted access to Paco Reference to SecretsManagerSecret.  
service_discovery_namespace_name String Service Discovery Namespace    
services Container<ECSServicesContainer> Service    
setting_groups Container<ECSSettingsGroups_> Setting Groups    
task_definitions Container<ECSTaskDefinitions> Task Definitions    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ECSServicesContainer

Container for ECSService objects.

ECSServicesContainer Container<ECSService>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ECSService

ECS Service

ECSService
Field name Type Purpose Constraints Default
deployment_controller Choice Deployment Controller One of ecs, code_deploy or external ecs
deployment_maximum_percent Int Deployment Maximum Percent   200
deployment_minimum_healthy_percent Int Deployment Minimum Healthy Percent   100
desired_count Int Desired Count    
health_check_grace_period_seconds Int Health Check Grace Period (seconds)   0
hostname String Container hostname    
launch_type Choice Launch Type Must be one of EC2 or Fargate EC2
load_balancers List<ECSLoadBalancer> Load Balancers   []
maximum_tasks Int Maximum Tasks in service   0
minimum_tasks Int Minimum Tasks in service   0
suspend_scaling Boolean Suspend any Service Scaling activities   False
target_tracking_scaling_policies Container<ECSTargetTrackingScalingPolicies> Target Tracking Scaling Policies    
task_definition String Task Definition    
vpc_config Object<ServiceVPCConfiguration> VPC Configuration    

Base Schemas Monitorable, Named, Title

ECSTaskDefinitions

Container for ECSTaskDefinition objects.

ECSTaskDefinitions Container<ECSTaskDefinition>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ECSTaskDefinition

ECS Task Definition

ECSTaskDefinition
Field name Type Purpose Constraints Default
container_definitions Container<ECSContainerDefinitions> Container Definitions    
cpu_units Int CPU in Units Must be one of 256, 512, 1024, 2048 or 4096 256
fargate_compatibile Boolean Require Fargate Compatibility   False
memory_in_mb Int Memory in MB Must be one of 512, 1024, 2048, 2048 or 4096 thru 30720 512
network_mode Choice Network Mode Must be one of awsvpc, bridge, host or none bridge
volumes List<ECSVolume> Volume definitions for the task   []

Base Schemas Named, Title

ECSContainerDefinitions

Container for ECSContainerDefinition objects.

ECSContainerDefinitions Container<ECSContainerDefinition>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ECSContainerDefinition

ECS Container Definition

ECSContainerDefinition
Field name Type Purpose Constraints Default
command List<String> Command (Docker CMD) List of strings  
cpu Int Cpu units    
depends_on List<ECSContainerDependency> Depends On List of ECS Container Dependencies []
disable_networking Boolean Disable Networking   False
dns_search_domains List<String> List of DNS search domains. Maps to ‘DnsSearch’ in Docker.   []
dns_servers List<String> List of DNS servers. Maps to ‘Dns’ in Docker.   []
docker_labels Container<DockerLabels> A key/value map of labels. Maps to ‘Labels’ in Docker.    
docker_security_options Choice List of custom labels for SELinux and AppArmor multi-level security systems. Must be a list of no-new-privileges, apparmor:PROFILE, label:value, or credentialspec:CredentialSpecFilePath []
entry_point List<String> Entry Point (Docker ENTRYPOINT) List of strings  
environment List<NameValuePair> List of environment name value pairs.    
essential Boolean Essential   False
extra_hosts List<ECSHostEntry> List of hostnames and IP address mappings to append to the /etc/hosts file on the container.   []
health_check Object<ECSHealthCheck> The container health check command and associated configuration parameters for the container. This parameter maps to ‘HealthCheck’ in Docker.    
hostname String Hostname to use for your container. This parameter maps to ‘Hostname’ in Docker.    
image PacoReference|String The image used to start a container. This string is passed directly to the Docker daemon. If a paco.ref to an ECRRepository is used, the image_tag field supplies the tag. Paco Reference to ECRRepository. String Ok.  
image_tag String Tag used for the ECR Repository Image   latest
interactive Boolean When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated. This parameter maps to ‘OpenStdin’ in Docker.    
logging Object<ECSLogging> Logging Configuration    
memory Int The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed.    
memory_reservation Int The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit.    
mount_points List<ECSMountPoint> The mount points for data volumes in your container.    
port_mappings List<PortMapping> Port Mappings   []
privileged Boolean Give the container elevated privileges on the host container instance (similar to the root user).   False
pseudo_terminal Boolean Allocate a TTY. This parameter maps to ‘Tty’ in Docker.    
readonly_root_filesystem Boolean Read-only access to its root file system. This parameter maps to ‘ReadonlyRootfs’ in Docker.    
secrets List<ECSTaskDefinitionSecret> List of name, value_from pairs to secret manager Paco references.    
setting_groups List<String> List of names of setting_groups.   []
start_timeout Int Time duration (in seconds) to wait before giving up on resolving dependencies for a container.   300
stop_timeout Int Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own.   30
ulimits List<ECSUlimit> List of ulimits to set in the container. This parameter maps to ‘Ulimits’ in Docker   []
user String The user name to use inside the container. This parameter maps to ‘User’ in Docker.    
volumes_from List<ECSVolumesFrom> Volumes to mount from another container (Docker VolumesFrom).   []
working_directory String The working directory in which to run commands inside the container. This parameter maps to ‘WorkingDir’ in Docker.    

Base Schemas Named, Title
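The ECSServices example above and the ECSContainerDefinition fields (privileged, readonly_root_filesystem, user, docker_security_options, image_tag, secrets versus environment) are what a reviewer checks before a task definition ships. The following is an added example, not Paco's own code: a small lint that walks the task_definitions / container_definitions structure as a YAML loader would produce it and reports the hardening gaps a defender cares about. The sample input is constructed here; the "worker" task is a deliberately weak configuration added for the demonstration.

```python
"""Lint Paco ECSServices task definitions for container hardening gaps.

Added example (not Paco's own code). Walks the documented
task_definitions -> container_definitions structure and reports:
privileged containers, writable root filesystems, containers running as
root, missing no-new-privileges, mutable 'latest' image tags, and
credentials passed as plain environment values instead of Secrets
Manager 'secrets'.
"""
from typing import Dict, List

# Constructed sample mirroring the ECSServices example above, as a dict
# (the shape a YAML loader produces). "worker" is intentionally weak.
SAMPLE_ECS_SERVICES: Dict = {
    "type": "ECSServices",
    "task_definitions": {
        "frontend": {
            "container_definitions": {
                "frontend": {
                    "image": "paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.frontend",
                    "image_tag": "latest",
                    "readonly_root_filesystem": True,
                    "user": "1000",
                    "docker_security_options": ["no-new-privileges"],
                    "secrets": [
                        {"name": "DATABASE_PASSWORD",
                         "value_from": "paco.ref netenv.mynet.secrets_manager.store.database.mydb"},
                    ],
                    "environment": [
                        {"name": "POSTGRES_HOSTNAME", "value": "db.internal"},
                    ],
                }
            }
        },
        "worker": {
            "container_definitions": {
                "worker": {
                    "image": "paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.worker",
                    "privileged": True,
                    "environment": [
                        {"name": "API_SECRET_KEY", "value": "hunter2"},  # constructed
                    ],
                }
            }
        },
    },
}

# Environment variable name fragments that usually indicate a credential.
SENSITIVE_NAME_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def lint_container(task_name: str, name: str, cdef: Dict) -> List[str]:
    """Return findings for one ECSContainerDefinition (field names as documented above)."""
    where = f"{task_name}/{name}"
    findings: List[str] = []
    if cdef.get("privileged", False):
        findings.append(f"{where}: privileged=true grants root-equivalent access to the host")
    if not cdef.get("readonly_root_filesystem", False):
        findings.append(f"{where}: readonly_root_filesystem is not true")
    user = str(cdef.get("user", "") or "")
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append(f"{where}: container runs as root (user unset or root)")
    if "no-new-privileges" not in (cdef.get("docker_security_options") or []):
        findings.append(f"{where}: docker_security_options lacks no-new-privileges")
    # image_tag defaults to 'latest' (see the table above); a mutable tag
    # means the deployed image can change without a config change.
    if cdef.get("image_tag", "latest") == "latest" and str(cdef.get("image", "")).startswith("paco.ref"):
        findings.append(f"{where}: image_tag 'latest' is mutable; pin an immutable tag")
    for var in cdef.get("environment") or []:
        var_name = str(var.get("name", "")).upper()
        if any(marker in var_name for marker in SENSITIVE_NAME_MARKERS):
            findings.append(f"{where}: environment variable {var.get('name')} looks like a "
                            "credential; use secrets/value_from instead")
    return findings


def lint_ecs_services(resource: Dict) -> List[str]:
    """Lint every container in every task definition of an ECSServices resource."""
    findings: List[str] = []
    for task_name, task in (resource.get("task_definitions") or {}).items():
        for name, cdef in (task.get("container_definitions") or {}).items():
            findings.extend(lint_container(task_name, name, cdef))
    return findings


if __name__ == "__main__":
    for finding in lint_ecs_services(SAMPLE_ECS_SERVICES):
        print(finding)
```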

ECSLoadBalancer

ECS Load Balancer

ECSLoadBalancer
Field name Type Purpose Constraints Default
container_name String Container Name    
container_port Int Container Port    
target_group PacoReference Target Group Paco Reference to TargetGroup.  

Base Schemas Named, Title

ECSVolume

ECS Volume

ECSVolume
Field name Type Purpose Constraints Default
name String Name    

ECSUlimit

ECS Ulimit

ECSUlimit
Field name Type Purpose Constraints Default
hard_limit Int The hard limit for the ulimit type.    
name Choice The type of the ulimit    
soft_limit Int The soft limit for the ulimit type.    

ECSHealthCheck

ECS Health Check

ECSHealthCheck
Field name Type Purpose Constraints Default
command List<String> A string array representing the command that the container runs to determine if it is healthy. The string array must start with CMD to execute the command arguments directly, or CMD-SHELL to run the command with the container’s default shell.    
interval Int The time period in seconds between each health check execution.   30
retries Int Retries   3
start_period Int The optional grace period within which to provide containers time to bootstrap before failed health checks count towards the maximum number of retries.    
timeout Int The time period in seconds to wait for a health check to succeed before it is considered a failure.   5

Base Schemas Named, Title

ECSHostEntry

ECS Host Entry

ECSHostEntry
Field name Type Purpose Constraints Default
hostname String Hostname    
ip_address String IP Address    

DockerLabels

DockerLabels
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ECSContainerDependency

ECS Container Dependency

ECSContainerDependency
Field name Type Purpose Constraints Default
condition Choice Condition Must be one of COMPLETE, HEALTHY, START or SUCCESS  
container_name String Container Name Must be an existing container name.  

ECSTaskDefinitionSecret

A Name/ValueFrom pair of Paco references to Secrets Manager secrets

ECSTaskDefinitionSecret
Field name Type Purpose Constraints Default
name String Name    
value_from PacoReference Paco reference to Secrets manager Paco Reference to SecretsManagerSecret.  

ECSLogging

ECS Logging Configuration

ECSLogging
Field name Type Purpose Constraints Default
driver Choice Log Driver One of awsfirelens, awslogs, fluentd, gelf, journald, json-file, splunk, syslog  

Base Schemas CloudWatchLogRetention, Named, Title

ECSVolumesFrom

ECS VolumesFrom

ECSVolumesFrom
Field name Type Purpose Constraints Default
read_only Boolean Read Only   False
source_container String The name of another container within the same task definition from which to mount volumes.    

ECSTargetTrackingScalingPolicies

Container for ECSTargetTrackingScalingPolicy objects.

ECSTargetTrackingScalingPolicies Container<ECSTargetTrackingScalingPolicy>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ECSTargetTrackingScalingPolicy

ECSTargetTrackingScalingPolicy
Field name Type Purpose Constraints Default
disable_scale_in Boolean Disable ScaleIn   False
predefined_metric Choice Predefined Metric to scale on Must be one of ALBRequestCountPerTarget, ECSServiceAverageMemoryUtilization or ECSServiceAverageCPUUtilization  
scale_in_cooldown Int ScaleIn Cooldown   300
scale_out_cooldown Int ScaleOut Cooldown   300
target Int Target    
target_group PacoReference ALB TargetGroup Paco Reference to TargetGroup.  

Base Schemas Enablable, Named, Title

ServiceVPCConfiguration

ServiceVPCConfiguration
Field name Type Purpose Constraints Default
assign_public_ip Boolean Assign Public IP   False

Base Schemas Named, VPCConfiguration, Title

ECSMountPoint

ECS TaskDefinition Mount Point

ECSMountPoint
Field name Type Purpose Constraints Default
container_path String The path on the container to mount the host volume at.    
read_only Boolean Read Only   False
source_volume String The name of the volume to mount. Must be a volume name referenced in the name parameter of task definition volume.  

PortMapping

Port Mapping

PortMapping
Field name Type Purpose Constraints Default
container_port Int Container Port    
host_port Int Host Port    
protocol Choice Protocol Must be either ‘tcp’ or ‘udp’ tcp

EIP

Elastic IP (EIP) resource.

Example EIP resource YAML
type: EIP
order: 5
enabled: true
dns:
  - domain_name: example.com
    hosted_zone: paco.ref resource.route53.examplecom
    ttl: 60
EIP
Field name Type Purpose Constraints Default
dns List<DNS> List of DNS for the EIP    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EFS

AWS Elastic File System (EFS) resource.

Example EFS resource
type: EFS
order: 20
enabled: true
encrypted: false
segment: private
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.cloud.content
EFS
Field name Type Purpose Constraints Default
encrypted Boolean Encryption at Rest   False
security_groups List<PacoReference> Security groups SecurityGroup the EFS belongs to Paco Reference to SecurityGroup.  
segment String Segment    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ElastiCache

Base ElastiCache Interface

ElastiCache
Field name Type Purpose Constraints Default
at_rest_encryption Boolean Enable encryption at rest    
auto_minor_version_upgrade Boolean Enable automatic minor version upgrades    
automatic_failover_enabled Boolean Specifies whether a read-only replica is automatically promoted to read/write primary if the existing primary fails    
az_mode String AZ mode    
cache_clusters Int Number of Cache Clusters    
cache_node_type String Cache Node Instance type    
description String Replication Description    
engine String ElastiCache Engine    
engine_version String ElastiCache Engine Version    
maintenance_preferred_window String Preferred maintenance window    
number_of_read_replicas Int Number of read replicas    
parameter_group PacoReference|String Parameter Group name Paco Reference to Interface. String Ok.  
port Int Port    
security_groups List<PacoReference> List of Security Groups Paco Reference to SecurityGroup.  
segment PacoReference Segment Paco Reference to Segment.  

ElastiCacheRedis

Redis ElastiCache Interface

ElastiCacheRedis
Field name Type Purpose Constraints Default
cache_parameter_group_family String Cache Parameter Group Family    
snapshot_retention_limit_days Int Snapshot Retention Limit in Days    
snapshot_window String The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node group (shard).    

Base Schemas ElastiCache, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ElasticsearchDomain

Amazon Elasticsearch Service (Amazon ES) is a managed service for Elasticsearch clusters. An Amazon ES domain is synonymous with an Elasticsearch cluster. Domains are clusters with the settings, instance types, instance counts, and storage resources that you specify.

example Elasticsearch configuration
type: ElasticsearchDomain
order: 10
title: "Elasticsearch Domain"
enabled: true
access_policies_json: ./es-config/es-access.json
advanced_options:
  indices.fielddata.cache.size: ""
  rest.action.multi.allow_explicit_index: "true"
cluster:
  instance_count: 2
  zone_awareness_enabled: false
  instance_type: "t2.micro.elasticsearch"
  dedicated_master_enabled: true
  dedicated_master_type: "t2.micro.elasticsearch"
  dedicated_master_count: 2
ebs_volumes:
  enabled: true
  iops: 0
  volume_size_gb: 10
  volume_type: 'gp2'
segment: web
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.search
ElasticsearchDomain
Field name Type Purpose Constraints Default
access_policies_json StringFileReference Policy document that specifies who can access the Amazon ES domain and their permissions.    
advanced_options Container<ESAdvancedOptions> Advanced Options    
cluster Object<ElasticsearchCluster> Elasticsearch Cluster configuration    
ebs_volumes Object<EBSOptions> EBS volumes that are attached to data nodes in the Amazon ES domain.    
elasticsearch_version String The version of Elasticsearch to use, such as 2.3.   1.5
node_to_node_encryption Boolean Enable node-to-node encryption    
security_groups List<PacoReference> List of Security Groups Paco Reference to SecurityGroup.  
segment String Segment    
snapshot_start_hour Int The hour in UTC during which the service takes an automated daily snapshot of the indices in the Amazon ES domain.    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ElasticsearchCluster

ElasticsearchCluster
Field name Type Purpose Constraints Default
dedicated_master_count Int The number of instances to use for the master node. If you specify this field, you must specify true for the dedicated_master_enabled field.  
dedicated_master_enabled Boolean Indicates whether to use a dedicated master node for the Amazon ES domain.    
dedicated_master_type String The hardware configuration of the computer that hosts the dedicated master node Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html  
instance_count Int The number of data nodes (instances) to use in the Amazon ES domain.    
instance_type String The instance type for your data nodes. Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html  
zone_awareness_availability_zone_count Int If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use.   2
zone_awareness_enabled Boolean Enable zone awareness for the Amazon ES domain.    

EBSOptions

EBSOptions
Field name Type Purpose Constraints Default
enabled Boolean Specifies whether Amazon EBS volumes are attached to data nodes in the Amazon ES domain.    
iops Int The number of I/O operations per second (IOPS) that the volume supports.    
volume_size_gb Int The size (in GiB) of the EBS volume for each data node. The minimum and maximum size of an EBS volume depends on the EBS volume type and the instance type to which it is attached.  
volume_type String The EBS volume type to use with the Amazon ES domain. Must be one of: standard, gp2, io1, st1, or sc1  

ESAdvancedOptions

An unconstrained set of key-value pairs used to set advanced options for Elasticsearch.

EventsRule

Events Rule resources match incoming or scheduled events and route them to targets using Amazon EventBridge.

Example EventsRule resource YAML
type: EventsRule
enabled: true
order: 10
description: Invoke a Lambda every other minute
schedule_expression: "cron(*/2 * * * ? *)"
targets:
    - target: paco.ref netenv.mynet.applications.myapp.groups.mygroup.resources.mylambda
EventsRule
Field name Type Purpose Constraints Default
description String Description    
enabled_state Boolean Enabled State   True
schedule_expression String Schedule Expression    
targets List<EventTarget> The AWS Resources that are invoked when the Rule is triggered.    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EventTarget

EventTarget
Field name Type Purpose Constraints Default
input_json String Valid JSON passed as input to the target.    
target PacoReference Paco Reference to an AWS Resource to invoke Paco Reference to Interface.  

Base Schemas Named, Title

Lambda

Lambda Functions allow you to run code without provisioning servers and only pay for the compute time when the code is running.

The code for the Lambda function can be specified in one of three ways in the code: field:

  • S3 Bucket artifact: Supply an s3_bucket and s3_key where you have an existing code artifact file.
  • Local file: Supply the zipfile as a path to a local file on disk. This will be inlined into CloudFormation and has a size limitation of only 4 Kb.
  • Local directory: Supply the zipfile as a path to a directory on disk. This directory will be packaged into a zip file and Paco will create an S3 Bucket where it will upload and manage Lambda deployment artifacts.
Lambda code from S3 Bucket or local disk
code:
    s3_bucket: my-bucket-name
    s3_key: 'myapp-1.0.zip'

code:
    zipfile: ./lambda-dir/my-lambda.py

code:
    zipfile: ~/code/my-app/lambda_target/
Lambda function resource YAML
type: Lambda
enabled: true
order: 1
title: 'My Lambda Application'
description: 'Checks the Widgets Service and applies updates to a Route 53 Record Set.'
code:
    s3_bucket: my-bucket-name
    s3_key: 'myapp-1.0.zip'
environment:
    variables:
    - key: 'VAR_ONE'
      value: 'hey now!'
    - key: 'VAR_TWO'
      value: 'Hank Kingsley'
iam_role:
    enabled: true
    policies:
      - name: DNSRecordSet
        statement:
          - effect: Allow
            action:
              - route53:ChangeResourceRecordSets
            resource:
              - 'arn:aws:route53:::hostedzone/AJKDU9834DUY934'
handler: 'myapp.lambda_handler'
memory_size: 128
runtime: 'python3.7'
timeout: 900
expire_events_after_days: 90
log_group_names:
  - AppGroupOne
sns_topics:
  - paco.ref netenv.app.applications.app.groups.web.resources.snstopic
vpc_config:
    segments:
      - paco.ref netenv.app.network.vpc.segments.public
    security_groups:
      - paco.ref netenv.app.network.vpc.security_groups.app.function
Lambda
Field name Type Purpose Constraints Default
code Object<LambdaFunctionCode> The function deployment package.    
description String A description of the function.    
edge Object<LambdaAtEdgeConfiguration> Lambda@Edge configuration    
environment Object<LambdaEnvironment> Lambda Function Environment    
handler String Function Handler    
iam_role Object<Role> The IAM Role this Lambda will execute as.    
layers List<String> Layers Up to 5 Layer ARNs  
log_group_names List<String> Log Group names List of Log Group names []
memory_size Int Function memory size (MB)   128
reserved_concurrent_executions Int Reserved Concurrent Executions   0
runtime String Runtime environment   python3.7
sdb_cache Boolean SDB Cache Domain   False
sns_topics List<PacoReference> List of SNS Topic Paco references or SNS Topic ARNs to subscribe the Lambda to. Paco Reference to SNSTopic. String Ok.  
timeout Int The amount of time that Lambda allows a function to run before stopping it.   3
vpc_config Object<LambdaVpcConfig> Vpc Configuration    

Base Schemas Resource, DNSEnablable, Deployable, CloudWatchLogRetention, Monitorable, Named, Title, Type

LambdaFunctionCode

The deployment package for a Lambda function.

LambdaFunctionCode
Field name Type Purpose Constraints Default
s3_bucket PacoReference|String An Amazon S3 bucket in the same AWS Region as your function Paco Reference to S3Bucket. String Ok.  
s3_key String The Amazon S3 key of the deployment package.    
zipfile LocalPath The function code as a local file or directory. Maximum of 4096 characters.  

LambdaEnvironment

Lambda Environment

LambdaEnvironment
Field name Type Purpose Constraints Default
variables List<LambdaVariable> Lambda Function Variables    

LambdaVpcConfig

Lambda VPC Configuration

LambdaVpcConfig
Field name Type Purpose Constraints Default

Base Schemas Named, VPCConfiguration, Title

LambdaVariable

Lambda Environment Variable

LambdaVariable
Field name Type Purpose Constraints Default
key String Variable Name    
value PacoReference|String String Value or a Paco Reference to a resource output Paco Reference to Interface. String Ok.  

LambdaAtEdgeConfiguration

LambdaAtEdgeConfiguration
Field name Type Purpose Constraints Default
auto_publish_version String Automatically publish a Version. Update this name to publish a new Version.    

Base Schemas Enablable, Named, Title

LoadBalancer

Base class for Load Balancers

LoadBalancer
Field name Type Purpose Constraints Default
access_logs_bucket PacoReference Bucket to store access logs in Paco Reference to S3Bucket.  
access_logs_prefix String Access Logs S3 Bucket prefix    
dns List<DNS> List of DNS for the ALB    
enable_access_logs Boolean Write access logs to an S3 Bucket    
idle_timeout_secs Int Idle timeout in seconds The idle timeout value, in seconds. 60
listeners Container<Listeners> Listeners    
scheme Choice Scheme    
security_groups List<PacoReference> Security Groups Paco Reference to SecurityGroup.  
segment String Id of the segment stack    
target_groups Container<TargetGroups> Target Groups    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ApplicationLoadBalancer

The LBApplication resource type creates an Application Load Balancer. Use load balancers to route traffic from the internet to your web servers.

Load balancers have listeners which accept requests on specified ports and protocols. If a listener uses the HTTPS protocol, it can have a Paco reference to an SSL Certificate. A listener can then either redirect the traffic to another port/protocol or send it to one of its named target_groups.

Each target group specifies its own health check configuration. To specify which resources will belong to a target group, use the target_groups field on an ASG resource.

Example LBApplication load balancer resource YAML
type: LBApplication
enabled: true
enable_access_logs: true
target_groups:
    api:
        health_check_interval: 30
        health_check_timeout: 10
        healthy_threshold: 2
        unhealthy_threshold: 2
        port: 3000
        protocol: HTTP
        health_check_http_code: 200
        health_check_path: /
        connection_drain_timeout: 30
listeners:
    http:
        port: 80
        protocol: HTTP
        redirect:
            port: 443
            protocol: HTTPS
    https:
        port: 443
        protocol: HTTPS
        ssl_certificates:
            - paco.ref netenv.app.applications.app.groups.certs.resources.root
        target_group: api
dns:
    - hosted_zone: paco.ref resource.route53.mynetenv
      domain_name: api.example.com
scheme: internet-facing
security_groups:
    - paco.ref netenv.app.network.vpc.security_groups.app.alb
segment: public
ApplicationLoadBalancer
Field name Type Purpose Constraints Default

Base Schemas LoadBalancer, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
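The listener, redirect and target_group structure shown in the LBApplication example above is where plaintext exposure usually creeps in. The following is an added example, not Paco's own code: a check over that structure which flags HTTP listeners that forward traffic instead of redirecting to HTTPS, HTTPS listeners without ssl_certificates or an explicit ssl_policy, internet-facing load balancers without access logs or security_groups, and listeners pointing at a target_group that does not exist. The sample input is constructed here; the "admin" listener and target group are added to the page's example to show a finding.

```python
"""Check a Paco LBApplication resource for common exposure mistakes.

Added example (not Paco's own code). Uses only the LoadBalancer, Listener,
PortProtocol and TargetGroup field names documented above.
"""
from typing import Dict, List

# Constructed sample mirroring the LBApplication example above, plus an
# extra plaintext "admin" listener/target group added for the demonstration.
SAMPLE_LB: Dict = {
    "type": "LBApplication",
    "enabled": True,
    "enable_access_logs": True,
    "scheme": "internet-facing",
    "segment": "public",
    "security_groups": ["paco.ref netenv.app.network.vpc.security_groups.app.alb"],
    "target_groups": {
        "api": {"port": 3000, "protocol": "HTTP", "health_check_path": "/",
                "health_check_http_code": "200", "healthy_threshold": 2,
                "unhealthy_threshold": 2, "health_check_interval": 30,
                "health_check_timeout": 10, "connection_drain_timeout": 30},
        "admin": {"port": 8080, "protocol": "HTTP"},
    },
    "listeners": {
        "http": {"port": 80, "protocol": "HTTP",
                 "redirect": {"port": 443, "protocol": "HTTPS"}},
        "https": {"port": 443, "protocol": "HTTPS",
                  "ssl_certificates": ["paco.ref netenv.app.applications.app.groups.certs.resources.root"],
                  "target_group": "api"},
        "admin": {"port": 8080, "protocol": "HTTP", "target_group": "admin"},
    },
}


def lint_load_balancer(lb: Dict) -> List[str]:
    """Return a list of findings for one LBApplication resource."""
    findings: List[str] = []
    listeners = lb.get("listeners") or {}
    target_groups = lb.get("target_groups") or {}
    internet_facing = lb.get("scheme") == "internet-facing"

    if internet_facing and not lb.get("enable_access_logs", False):
        findings.append("internet-facing load balancer without enable_access_logs")
    if internet_facing and not lb.get("security_groups"):
        findings.append("internet-facing load balancer without security_groups")

    for name, listener in listeners.items():
        protocol = str(listener.get("protocol", "")).upper()
        redirect = listener.get("redirect") or {}
        # A plaintext listener is acceptable only as a redirect to HTTPS.
        if protocol == "HTTP" and str(redirect.get("protocol", "")).upper() != "HTTPS":
            findings.append(f"listener {name}: plaintext HTTP on port {listener.get('port')} "
                            "forwards traffic instead of redirecting to HTTPS")
        if protocol == "HTTPS":
            if not listener.get("ssl_certificates"):
                findings.append(f"listener {name}: HTTPS without ssl_certificates")
            if not listener.get("ssl_policy"):
                findings.append(f"listener {name}: ssl_policy not set; the default policy "
                                "applies, set an explicit TLS policy")
        tg = listener.get("target_group")
        if tg and tg not in target_groups:
            findings.append(f"listener {name}: unknown target_group {tg}")
    return findings


if __name__ == "__main__":
    for finding in lint_load_balancer(SAMPLE_LB):
        print(finding)
```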

NetworkLoadBalancer

The LBNetwork resource type creates a Network Load Balancer. Use load balancers to route traffic from the internet to your web servers.

Example LBNetwork load balancer resource YAML
type: LBNetwork
enabled: true
enable_access_logs: true
target_groups:
    api:
        health_check_interval: 30
        health_check_timeout: 10
        healthy_threshold: 2
        unhealthy_threshold: 2
        port: 3000
        protocol: HTTP
        health_check_http_code: 200
        health_check_path: /
        connection_drain_timeout: 30
listeners:
    http:
        port: 80
        protocol: HTTP
        redirect:
            port: 443
            protocol: HTTPS
    https:
        port: 443
        protocol: HTTPS
        ssl_certificates:
            - paco.ref netenv.app.applications.app.groups.certs.resources.root
        target_group: api
dns:
    - hosted_zone: paco.ref resource.route53.mynetenv
      domain_name: api.example.com
scheme: internet-facing
segment: public
NetworkLoadBalancer
Field name Type Purpose Constraints Default

Base Schemas LoadBalancer, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

DNS

DNS
Field name Type Purpose Constraints Default
domain_name PacoReference|String Domain name Paco Reference to Route53HostedZone. String Ok.  
hosted_zone PacoReference|String Hosted Zone Id Paco Reference to HostedZone. String Ok.  
ssl_certificate PacoReference SSL certificate Reference Paco Reference to ACM.  
ttl Int TTL   300

Listeners

Container for Listener objects.

Listeners Container<Listener>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

Listener

Listener
Field name Type Purpose Constraints Default
redirect Object<PortProtocol> Redirect    
rules Container<ListenerRules_> Container of listener rules    
ssl_certificates List<PacoReference> List of SSL certificate References Paco Reference to ACM.  
ssl_policy Choice SSL Policy    
target_group String Target group    

Base Schemas PortProtocol

ListenerRule

ListenerRule
Field name Type Purpose Constraints Default
host String Host header value    
path_pattern List<String> List of paths to match    
priority Int Forward condition priority   1
redirect_host String The host to redirect to    
rule_type String Type of Rule    
target_group String Target group name    

Base Schemas Deployable, Named, Title

PortProtocol

Port and Protocol

PortProtocol
Field name Type Purpose Constraints Default
port Int Port    
protocol Choice Protocol    

TargetGroups

Container for TargetGroup objects.

TargetGroups Container<TargetGroup>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

TargetGroup

Target Group

TargetGroup
Field name Type Purpose Constraints Default
connection_drain_timeout Int Connection drain timeout    
health_check_http_code String Health check HTTP codes    
health_check_interval Int Health check interval    
health_check_path String Health check path   /
health_check_protocol Choice Protocol   HTTP
health_check_timeout Int Health check timeout    
healthy_threshold Int Healthy threshold    
target_type Choice Target Type Must be one of ‘instance’, ‘ip’ or ‘lambda’. instance
unhealthy_threshold Int Unhealthy threshold    

Base Schemas Resource, DNSEnablable, Deployable, Named, PortProtocol, Title, Type

PinpointApplication

Amazon Pinpoint is a flexible and scalable outbound and inbound marketing communications service. You can connect with customers over channels like email, SMS, push, or voice.

A Pinpoint Application is a collection of related settings, customer information, segments, campaigns, and other types of Amazon Pinpoint resources.

Currently AWS Pinpoint only supports general configuration suitable for sending transactional messages.

example Pinpoint Application configuration
type: PinpointApplication
enabled: true
order: 20
title: "My SaaS Transactional Message Service"
email_channel:
    enable_email: true
    from_address: "bob@example.com"
sms_channel:
    enable_sms: true
    sender_id: MyUniqueName
PinpointApplication
Field name Type Purpose Constraints Default
email_channel Object<PinpointEmailChannel> Email Channel    
sms_channel Object<PinpointSMSChannel> SMS Channel    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

PinpointSMSChannel

Pinpoint SMS Channel

PinpointSMSChannel
Field name Type Purpose Constraints Default
enable_sms Boolean Enable SMS   True
sender_id String The identity that you want to display on recipients’ devices when they receive messages from the SMS channel.    
short_code String The registered short code that you want to use when you send messages through the SMS channel.    

PinpointEmailChannel

Pinpoint Email Channel

PinpointEmailChannel
Field name Type Purpose Constraints Default
enable_email Boolean Enable Email   True
from_address String The verified email address that you want to send email from when you send email through the channel.    

IoTTopicRule

IoTTopicRule lets you define a list of actions that are triggered when an MQTT message arrives at IoT Core and matches the rule's SQL statement.

example IoTTopicRule configuration
type: IoTTopicRule
title: Rule to take action for MQTT messages sent to 'sensor/example'
order: 20
enabled: true
actions:
  - awslambda:
      function: paco.ref netenv.mynet.applications.app.groups.app.resources.iotlambda
  - iotanalytics:
      pipeline: paco.ref netenv.mynet.applications.app.groups.app.resources.analyticspipeline
aws_iot_sql_version: '2016-03-23'
rule_enabled: true
sql: "SELECT * FROM 'sensor/example'"
IoTTopicRule
Field name Type Purpose Constraints Default
actions List<IoTTopicRuleAction> Actions An IoTTopicRule must define at least one action. []
aws_iot_sql_version String AWS IoT SQL Version   2016-03-23
rule_enabled Boolean Rule is Enabled   True
sql String SQL statement used to query the topic Must be a valid Sql statement  

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

IoTTopicRuleAction

IoTTopicRuleAction
Field name Type Purpose Constraints Default
awslambda Object<IoTTopicRuleLambdaAction> Lambda Action    
iotanalytics Object<IoTTopicRuleIoTAnalyticsAction> IoT Analytics Action    

IoTTopicRuleIoTAnalyticsAction

IoTTopicRuleIoTAnalyticsAction
Field name Type Purpose Constraints Default
pipeline PacoReference IoT Analytics pipeline Paco Reference to IoTAnalyticsPipeline.  

IoTTopicRuleLambdaAction

IoTTopicRuleLambdaAction
Field name Type Purpose Constraints Default
function PacoReference Lambda function Paco Reference to Lambda.  

IoTAnalyticsPipeline

An IoTAnalyticsPipeline composes four closely related resources: IoT Analytics Channel, IoT Analytics Pipeline, IoT Analytics Datastore and IoT Analytics Dataset.

An IoT Analytics Pipeline begins with a Channel. A Channel is an S3 Bucket of raw incoming messages. A Channel provides an ARN that an IoTTopicRule can send MQTT messages to. These messages can later be re-processed if the analysis pipeline changes. Use the channel_storage field to configure the Channel storage.

Next the Pipeline applies a series of pipeline_activities to the incoming Channel messages. After any message modifications have been made, they are stored in a Datastore.

A Datastore is S3 Bucket storage of messages that are ready to be analyzed. Use the datastore_storage field to configure the Datastore storage. The optional datastore_name field gives your Datastore a fixed name, which is useful when a Dataset SQL Query needs to name the Datastore in a SELECT statement. Note that a fixed datastore_name does not vary by Environment: if you set it, deploy each IoTAnalytics environment to a different Region or Account so that the names cannot collide.

Lastly the Datastore can be analyzed and have the resulting output saved as a Dataset. There may be multiple Datasets to create different analysis of the data. Datasets can be analyzed on a managed host running a Docker container or with an SQL Query to create subsets of a Datastore suitable for analysis with tools such as AWS QuickSight.

example IoTAnalyticsPipeline configuration
type: IoTAnalyticsPipeline
title: My IoT Analytics Pipeline
order: 100
enabled: true
channel_storage:
  bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
  key_prefix: raw_input/
pipeline_activities:
  adddatetime:
    activity_type: lambda
    function: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotfunc
    batch_size: 10
  filter:
    activity_type: filter
    filter: "temperature > 0"
datastore_name: example
datastore_storage:
  expire_events_after_days: 30
datasets:
  hightemp:
    query_action:
      sql_query: "SELECT * FROM example WHERE temperature > 20"
    content_delivery_rules:
      s3temperature:
        s3_destination:
          bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
          key: "/HighTemp/!{iotanalytics:scheduleTime}/!{iotanalytics:versionId}.csv"
    expire_events_after_days: 3
    version_history: 5
IoTAnalyticsPipeline
Field name Type Purpose Constraints Default
channel_storage Object<IotAnalyticsStorage> IoT Analytics Channel raw storage    
datasets Container<IoTDatasets> IoT Analytics Datasets    
datastore_name String Datastore name    
datastore_storage Object<IotAnalyticsStorage> IoT Analytics Datastore storage    
pipeline_activities Container<IoTPipelineActivities> IoT Analytics Pipeline Activities    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

IoTDatasets

Container for IoTDataset objects.

IoTDatasets Container<IoTDataset>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

IoTDataset

IoTDataset
Field name Type Purpose Constraints Default
container_action Object<DatasetContainerAction> Dataset Container action    
content_delivery_rules Container<DatasetContentDeliveryRules> Content Delivery Rules    
query_action Object<DatasetQueryAction> SQL Query action    
triggers List<DatasetTrigger> Triggers   []
version_history Int How many versions of dataset contents are kept. 0 indicates Unlimited. If not specified or set to null, only the latest version plus the latest succeeded version (if they are different) are kept for the time period specified by expire_events_after_days field.    

Base Schemas StorageRetention, Named, Title

DatasetTrigger

DatasetTrigger
Field name Type Purpose Constraints Default
schedule_expression String Schedule Expression    
triggering_dataset String Triggering Dataset    

DatasetContentDeliveryRules

Container for DatasetContentDeliveryRule objects.

DatasetContentDeliveryRules Container<DatasetContentDeliveryRule>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

DatasetContentDeliveryRule

DatasetContentDeliveryRule
Field name Type Purpose Constraints Default
s3_destination Object<DatasetS3Destination> S3 Destination    

Base Schemas Named, Title

DatasetS3Destination

DatasetS3Destination
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket Paco Reference to S3Bucket.  
key String Key    

DatasetQueryAction

DatasetQueryAction
Field name Type Purpose Constraints Default
filters List<String> Filters   []
sql_query String Sql Query Dataset Action object    

Base Schemas Named, Title

DatasetContainerAction

DatasetContainerAction
Field name Type Purpose Constraints Default
image_arn String Image ARN    
resource_compute_type Choice Resource Compute Type Either ACU_1 (vCPU=4, memory=16 GiB) or ACU_2 (vCPU=8, memory=32 GiB)  
resource_volume_size_gb Int Resource Volume Size in GB    
variables Container<DatasetVariables> Variables    

Base Schemas Named, Title

DatasetVariables

Container for DatasetVariable objects.

DatasetVariables Container<DatasetVariable>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

DatasetVariable

DatasetVariable
Field name Type Purpose Constraints Default
double_value Float Double Value    
output_file_uri_value String Output file URI value The URI of the location where dataset contents are stored, usually the URI of a file in an S3 bucket.  
string_value String String Value    

Base Schemas Named, Title
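The page's IoTAnalyticsPipeline example only shows a query_action Dataset. The following added example (not taken from the Paco project's own documentation) shows the other pieces described in the DatasetTrigger, DatasetContainerAction and DatasetVariable tables above: a scheduled SQL Dataset, and a second Dataset that runs a container each time the first one is refreshed. The ECR image location, the bucket reference, the dataset names and the variable names are hypothetical placeholders; it is also assumed that triggering_dataset takes the Paco name of the other Dataset and that schedule_expression uses the CloudWatch Events cron syntax.

```yaml
# Added example: datasets block for an IoTAnalyticsPipeline resource.
# Not from the Paco project docs; names and the image location are placeholders.
datasets:
  hightemp:
    query_action:
      # 'example' is the fixed datastore_name from the pipeline example above.
      sql_query: "SELECT * FROM example WHERE temperature > 20"
    triggers:
      # Refresh the dataset at the top of every hour (assumed cron syntax).
      - schedule_expression: "cron(0 * * * ? *)"
    expire_events_after_days: 3
    version_history: 5
  report:
    triggers:
      # Assumed to reference the Paco name of the dataset above, so this
      # dataset is rebuilt whenever hightemp produces new contents.
      - triggering_dataset: hightemp
    container_action:
      # Hypothetical image in the account's own ECR registry; pin a digest
      # rather than a mutable tag in real use.
      image_arn: "123456789012.dkr.ecr.us-west-2.amazonaws.com/iot-report:latest"
      resource_compute_type: ACU_1
      resource_volume_size_gb: 10
      variables:
        input_dataset:
          string_value: hightemp
        threshold:
          double_value: 20.0
        output_uri:
          output_file_uri_value: "report.csv"
    content_delivery_rules:
      s3report:
        s3_destination:
          bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
          key: "/Reports/!{iotanalytics:scheduleTime}/!{iotanalytics:versionId}.csv"
    expire_events_after_days: 7
    version_history: 3
```

Both Datasets inherit expire_events_after_days from StorageRetention, so old report versions are purged on their own schedule; the container Dataset is the one to watch from a supply-chain point of view, since whatever image the image_arn resolves to runs with access to the Datastore contents.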

IoTPipelineActivities

Container for IoTPipelineActivity objects.

IoTPipelineActivities Container<IoTPipelineActivity>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

IoTPipelineActivity

Each activity must have an activity_type and supply the fields specific to that type. There is an implicit Channel activity before all other activities and an implicit Datastore activity after all other activities.

All example types for IoTAnalyticsPipeline pipeline_activities
activity_type: lambda
batch_size: 1
function: paco.ref netenv.mynet[...]mylambda

activity_type: add_attributes
attributes:
  key1: hello
  key2: world

activity_type: remove_attributes
attribute_list:
  - key1
  - key2

activity_type: select_attributes
attribute_list:
  - key1
  - key2

activity_type: filter
filter: "attribute1 > 40 AND attribute2 < 20"

activity_type: math
attribute: "attribute1"
math: "attribute1 - 10"

activity_type: device_registry_enrich
attribute: "attribute1"
thing_name: "mything"

activity_type: device_shadow_enrich
attribute: "attribute1"
thing_name: "mything"
IoTPipelineActivity
Field name Type Purpose Constraints Default
activity_type String Activity Type    
attribute String Attribute    
attribute_list List<String> Attribute List    
attributes Container<Attributes> Attributes    
batch_size Int Batch Size    
filter String Filter    
function PacoReference Lambda function Paco Reference to Lambda.  
math String Math    
thing_name String Thing Name    

Base Schemas Named, Title

Attributes

Dictionary of Attributes

Attributes
Field name Type Purpose Constraints Default

Base Schemas Named, Title

IotAnalyticsStorage

IotAnalyticsStorage
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket Paco Reference to S3Bucket.  
key_prefix String Key Prefix for S3 Bucket    

Base Schemas StorageRetention, Named, Title

StorageRetention

StorageRetention
Field name Type Purpose Constraints Default
expire_events_after_days Int Expire Events After Days Must be 1 or greater, or an explicit 0 for unlimited retention. 0

ManagedPolicy

IAM Managed Policy

ManagedPolicy
Field name Type Purpose Constraints Default
path String Path   /
policy_name String Policy Name used in AWS. This will be prefixed with an 8 character hash.    
roles List<String> List of Role Names    
statement List<Statement> Statements    
users List<String> List of IAM Users    

Base Schemas Deployable, Named, Title

RDS

Relational Database Service (RDS) allows you to set up, operate, and scale a relational database in AWS.

You can create a single DB Instance or an Aurora DB Cluster.

DB Instance

Currently Paco supports RDSMysql and RDSPostgresql for single database instances. The example below sets master_user_password inline, which leaves the password in plain text in your configuration files; prefer the secrets_password field shown in the Aurora example further down, which references a Secrets Manager secret instead.

RDSMysql resource example
type: RDSMysql
order: 1
title: "Joe's MySQL Database server"
enabled: true
engine_version: 5.7.26
db_instance_type: db.t3.micro
port: 3306
storage_type: gp2
storage_size_gb: 20
storage_encrypted: true
multi_az: true
allow_major_version_upgrade: false
auto_minor_version_upgrade: true
publically_accessible: false
master_username: root
master_user_password: "change-me"
backup_preferred_window: 08:00-08:30
backup_retention_period: 7
maintenance_preferred_window: 'sat:10:00-sat:10:30'
license_model: "general-public-license"
cloudwatch_logs_exports:
  - error
  - slowquery
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.mynet.network.vpc.segments.private
primary_domain_name: database.example.internal
primary_hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance

Aurora DB Cluster

Amazon Aurora is a relational database built for the cloud. Aurora features a distributed, fault-tolerant, self-healing storage system and can easily scale from a single database instance to a cluster of multiple database instances.

When creating an Aurora RDS resource, you must specify your db_instances. If you specify more than one database instance, then Aurora will automatically designate one instance as a Writer and all other instances will be Readers.

Each db_instance can specify its own complete set of configuration, or you can use the default_instance field to share default configuration between instances. If a db_instance doesn't specify a value but default_instance does, the instance falls back to the default_instance value.

A simple Aurora with only a single database instance could be:

Simple Aurora single instance
type: RDSMysqlAurora
default_instance:
  db_instance_type: db.t3.medium
db_instances:
  single:

A more complex Aurora with a cluster of three database instances could be:

Three instance Aurora cluster
type: RDSMysqlAurora
default_instance:
  db_instance_type: db.t3.medium
  enhanced_monitoring_interval_in_seconds: 30
db_instances:
  first:
    availability_zone: 1
    db_instance_type: db.t3.large
    enhanced_monitoring_interval_in_seconds: 5
  second:
    availability_zone: 2
  third:
    availability_zone: 3
RDSPostgresqlAurora db cluster example
type: RDSPostgresqlAurora
order: 10
enabled: true
availability_zones: all
engine_version: '11.7'
port: 5432
master_username: master
secrets_password: paco.ref netenv.anet.secrets_manager.anet.app.database
backup_preferred_window: 04:00-05:00
backup_retention_period: 7
maintenance_preferred_window: 'Sat:07:00-Sat:08:00'
cluster_parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.clusterparams
cloudwatch_logs_exports:
  - error
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.anet.network.vpc.segments.private
dns:
  - domain_name: database.test.internal
    hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
enable_kms_encryption: true
cluster_event_notifications:
  groups:
    - wb_low
  event_categories:
    - failover
    - failure
    - notification
default_instance:
  parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance
  enable_performance_insights: true
  publicly_accessible: false
  db_instance_type: db.t3.medium
  allow_major_version_upgrade: true
  auto_minor_version_upgrade: true
  event_notifications:
    groups:
      - admin
    event_categories:
      - availability
      - configuration change
      - deletion
      - failover
      - failure
      - maintenance
      - notification
      - recovery
  monitoring:
    enabled: true
    alarm_sets:
      basic_dbinstance:
db_instances:
  first:
    db_instance_type: db.t3.medium
    enhanced_monitoring_interval_in_seconds: 30
    availability_zone: 1
    monitoring:
      enabled: true
      alarm_sets:
        complex_dbinstance:
  second:
    enable_performance_insights: false
    event_notifications:
      groups:
        - admin
      event_categories:
        - maintenance

RDSMysql

RDS for MySQL

RDSMysql
Field name Type Purpose Constraints Default

Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type

RDSPostgresql

RDS for Postgresql

RDSPostgresql
Field name Type Purpose Constraints Default

Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type

RDSPostgresqlAurora

RDS PostgreSQL Aurora Cluster

RDSPostgresqlAurora
Field name Type Purpose Constraints Default
database_name String Database Name to create in the cluster Must be a valid database name for the DB Engine. Must contain 1 to 63 letters, numbers or underscores. Must begin with a letter or an underscore. Can’t be PostgreSQL reserved word.  

Base Schemas RDSAurora, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSMysqlAurora

RDS MySQL Aurora Cluster

RDSMysqlAurora
Field name Type Purpose Constraints Default
database_name String Database Name to create in the cluster Must be a valid database name for the DB Engine. Must contain 1 to 64 letters or numbers. Can’t be MySQL reserved word.  

Base Schemas RDSAurora, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSOptionConfiguration

Option groups enable and configure features that are specific to a particular DB engine.

RDSOptionConfiguration
Field name Type Purpose Constraints Default
option_name String Option Name    
option_settings List<NameValuePair> List of option name value pairs.    
option_version String Option Version    
port String Port    

NameValuePair

A Name/Value pair to use for RDS Option Group configuration

NameValuePair
Field name Type Purpose Constraints Default
name String Name    
value PacoReference|String Value Paco Reference to Interface. String Ok.  

RDSMultiAZ

RDS with MultiAZ capabilities. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).

RDSMultiAZ
Field name Type Purpose Constraints Default
multi_az Boolean Multiple Availability Zone deployment   False

Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSInstance

RDS DB Instance

RDSInstance
Field name Type Purpose Constraints Default
allow_major_version_upgrade Boolean Allow major version upgrades    
auto_minor_version_upgrade Boolean Automatic minor version upgrades    
db_instance_type String RDS Instance Type    
license_model String License Model    
option_configurations List<RDSOptionConfiguration> Option Configurations    
parameter_group PacoReference RDS Parameter Group Paco Reference to DBParameterGroup.  
publically_accessible Boolean Assign a Public IP address    
storage_encrypted Boolean Enable Storage Encryption    
storage_size_gb Int DB Storage Size in Gigabytes    
storage_type String DB Storage Type    

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSAurora

RDS Aurora DB Cluster

RDSAurora
Field name Type Purpose Constraints Default
availability_zones String Availability Zones to launch instances in. Must be one of all, 1, 2, 3 … all
backtrack_window_in_seconds Int Backtrack Window in seconds. Disabled when set to 0. Maximum is 72 hours (259,200 seconds). 0
cluster_event_notifications Object<RDSDBClusterEventNotifications> Cluster Event Notifications    
cluster_parameter_group PacoReference DB Cluster Parameter Group Paco Reference to DBClusterParameterGroup.  
db_instances Container<RDSClusterInstances> DB Instances    
default_instance Object<RDSClusterDefaultInstance> Default DB Instance configuration    
enable_http_endpoint Boolean Enable an HTTP endpoint to provide a connectionless web service API for running SQL queries   False
enable_kms_encryption Boolean Enable KMS Key encryption. Will create one KMS-CMK key dedicated to each DBCluster.   False
engine_mode Choice Engine Mode Must be one of provisioned, serverless, parallelquery, global, or multimaster.  
read_dns List<DNS> DNS domains to create to resolve to the connection Read Endpoint    
restore_type Choice Restore Type Must be one of full-copy or copy-on-write full-copy
use_latest_restorable_time Boolean Restore the DB cluster to the latest restorable backup time   False

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSDBInstanceEventNotifications

DB Instance Event Notifications

RDSDBInstanceEventNotifications
Field name Type Purpose Constraints Default
event_categories Choice Event Categories    
groups List<String> Groups    

Base Schemas Named, Title

RDSClusterDefaultInstance

Default configuration for a DB Instance that belongs to a DB Cluster.

RDSClusterDefaultInstance
Field name Type Purpose Constraints Default
allow_major_version_upgrade Boolean Allow major version upgrades    
auto_minor_version_upgrade Boolean Automatic minor version upgrades    
availability_zone Int Availability Zone where the instance will be provisioned. Must be one of 1, 2, 3 …  
db_instance_type String DB Instance Type    
enable_performance_insights Boolean Enable Performance Insights   False
enhanced_monitoring_interval_in_seconds Int Enhanced Monitoring interval in seconds. This will enable enhanced monitoring unless set to 0. Must be one of 0, 1, 5, 10, 15, 30, 60. 0
event_notifications Object<RDSDBInstanceEventNotifications> DB Instance Event Notifications    
parameter_group PacoReference DB Parameter Group Paco Reference to DBParameterGroup.  
publicly_accessible Boolean Assign a Public IP address   False

Base Schemas Monitorable, Named, Title

RDSClusterInstance

DB Instance that belongs to a DB Cluster.

RDSClusterInstance
Field name Type Purpose Constraints Default
allow_major_version_upgrade Boolean Allow major version upgrades    
auto_minor_version_upgrade Boolean Automatic minor version upgrades    
availability_zone Int Availability Zone where the instance will be provisioned. Must be one of 1, 2, 3 …  
db_instance_type String DB Instance Type    
enable_performance_insights Boolean Enable Performance Insights    
enhanced_monitoring_interval_in_seconds Int Enhanced Monitoring interval in seconds. This will enable enhanced monitoring unless set to 0. Must be one of 0, 1, 5, 10, 15, 30, 60.  
event_notifications Object<RDSDBInstanceEventNotifications> DB Instance Event Notifications    
parameter_group PacoReference DB Parameter Group Paco Reference to DBParameterGroup.  
publicly_accessible Boolean Assign a Public IP address    

Base Schemas Monitorable, Named, Title

RDSClusterInstances

Container for RDSClusterInstance objects.

RDSClusterInstances Container<RDSClusterInstance>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

RDSDBClusterEventNotifications

Event Notifications for a DB Cluster

RDSDBClusterEventNotifications
Field name Type Purpose Constraints Default
event_categories Choice Event Categories    
groups List<String> Groups    

Base Schemas Named, Title

DBParameters

If you want to use DB Parameter Groups with your RDS, use the parameter_group field to reference a DBParameterGroup resource. Keeping DB Parameter Groups as separate resources allows multiple Parameter Groups to be provisioned at the same time. For example, you might have resources for both dbparams_performance and dbparams_debug, allowing you to use the AWS Console to switch quickly between performance and debug configuration in an emergency.

DBParameterGroup

DBParameterGroup

DBParameterGroup
Field name Type Purpose Constraints Default
description String Description    
family String Database Family    
parameters Container<DBParameters> Database Parameter set    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

DBClusterParameterGroup

DBCluster Parameter Group

DBClusterParameterGroup
Field name Type Purpose Constraints Default

Base Schemas Resource, DBParameterGroup, DNSEnablable, Deployable, Named, Title, Type

Route53HealthCheck

Route53 Health Check

Route53HealthCheck
Field name Type Purpose Constraints Default
domain_name String Fully Qualified Domain Name Either this or the load_balancer field can be set but not both.  
enable_sni Boolean Enable SNI   False
failure_threshold Int Number of consecutive health checks that an endpoint must pass or fail for Amazon Route 53 to change the current status of the endpoint from unhealthy to healthy or vice versa.   3
health_check_type String Health Check Type Must be one of HTTP, HTTPS or TCP  
health_checker_regions List<String> Health checker regions List of AWS Region names (e.g. us-west-2) from which to make health checks.  
ip_address PacoReference|String IP Address Paco Reference to EIP. String Ok.  
latency_graphs Boolean Measure latency and display CloudWatch graph in the AWS Console   False
load_balancer PacoReference|String Load Balancer Endpoint Paco Reference to LoadBalancer. String Ok.  
match_string String String to match in the first 5120 bytes of the response    
port Int Port   80
request_interval_fast Boolean Fast request interval will only wait 10 seconds between each health check response instead of the standard 30   False
resource_path String Resource Path String such as ‘/health.html’. Path should return a 2xx or 3xx. Query string parameters are allowed: ‘/search?query=health’ /

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

S3Bucket

S3Bucket is an object storage resource in the Amazon S3 service.

S3Buckets may be declared either in the global resource/s3.yaml file or in a network environment as an application resource.

S3Buckets in an application context use the same account and region as the application, although it is still possible to override this to use other accounts and regions if desired.

example S3Bucket resource
type: S3Bucket
title: My S3 Bucket
enabled: true
order: 10
account: paco.ref accounts.data
region: us-west-2
deletion_policy: "delete"
notifications:
    lambdas:
      - event: 's3:ObjectCreated:*'
        function: paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
cloudfront_origin: false
external_resource: false
versioning: false
add_paco_suffix: true
policy:
  - principal:
      Service: iotanalytics.amazonaws.com
    effect: 'Allow'
    action:
      - s3:Get*
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:ListMultipartUploadParts
    resource_suffix:
      - '/*'
      - ''
    condition:
      StringEquals:
        s3:x-amz-acl:
          "public-read"
      IpAddress:
        "aws:SourceIp": "192.0.2.0/24"
      NotIpAddress:
        "aws:SourceIp": "192.0.2.188/32"

  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.app.groups.site.resources.demo.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''
S3Bucket
Field name Type Purpose Constraints Default
account PacoReference Account that S3 Bucket belongs to. Paco Reference to Account.  
add_paco_suffix Boolean Add the Paco s3bucket_hash suffix to the bucket name   False
bucket_name String Bucket Name A short unique name to assign the bucket. bucket
cloudfront_origin Boolean Creates and listens for a CloudFront Access Origin Identity   False
deletion_policy String Bucket Deletion Policy   delete
external_resource Boolean Boolean indicating whether the S3 Bucket already exists or not   False
notifications Object<S3NotificationConfiguration> Notification configuration    
policy List<S3BucketPolicy> List of S3 Bucket Policies    
region String Bucket region    
static_website_hosting Object<S3StaticWebsiteHosting> Static website hosting configuration.    
versioning Boolean Enable Versioning on the bucket.   False

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

S3BucketPolicy

S3 Bucket Policy

S3BucketPolicy
Field name Type Purpose Constraints Default
action List<String> List of Actions    
aws List<String> List of AWS Principals. Either this field or the principal field must be set.  
condition Dict Condition Each Key is the Condition name and the Value must be a dictionary of request filters. e.g. { "StringEquals" : { "aws:username" : "johndoe" }} {}
effect Choice Effect Must be one of 'Allow' or 'Deny'  
principal Dict Principals Either this field or the aws field must be set. Key should be one of: AWS, Federated, Service or CanonicalUser. Value can be either a String or a List. {}
resource_suffix List<String> List of AWS Resources Suffixes    
sid String Statement Id    
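The S3Bucket example above only grants access. The S3BucketPolicy schema also supports effect 'Deny' with a condition, which is how a practitioner closes the two most common bucket exposures: plaintext (non-TLS) requests and uploads that attach a public ACL. The following added example (not taken from the Paco project's own documentation) shows both Deny statements beside a narrow Allow. The sid values and the instance role reference are placeholders; it is assumed that the condition dictionary is passed through unchanged to the generated bucket policy, so list values such as the ACL names below are acceptable.

```yaml
# Added example: S3Bucket with Deny statements for insecure access.
# Not from the Paco project docs; sids and references are placeholders.
type: S3Bucket
title: Hardened application bucket
enabled: true
order: 10
versioning: true
policy:
  # Reject every request that does not arrive over TLS, from any principal,
  # on both the bucket itself ('') and its objects ('/*').
  - sid: DenyInsecureTransport
    principal:
      AWS: '*'
    effect: 'Deny'
    action:
      - 's3:*'
    resource_suffix:
      - '/*'
      - ''
    condition:
      Bool:
        "aws:SecureTransport": "false"
  # Reject uploads or ACL changes that would make an object public.
  # Unlike S3 Block Public Access, a bucket-policy Deny also binds
  # principals in the bucket's own account.
  - sid: DenyPublicObjectAcl
    principal:
      AWS: '*'
    effect: 'Deny'
    action:
      - 's3:PutObject'
      - 's3:PutObjectAcl'
    resource_suffix:
      - '/*'
    condition:
      StringEquals:
        "s3:x-amz-acl":
          - "public-read"
          - "public-read-write"
          - "authenticated-read"
  # The only Allow: read access for the application's instance role.
  - sid: AllowAppRead
    aws:
      - paco.sub '${paco.ref netenv.mynet.applications.app.groups.site.resources.demo.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:GetObject'
      - 's3:ListBucket'
    resource_suffix:
      - '/*'
      - ''
```

Because an explicit Deny wins over any Allow, the two Deny statements stay effective even if a later Allow statement is added carelessly; check the rendered bucket policy after deployment to confirm the resource ARNs expanded to both the bucket and its object path.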

S3LambdaConfiguration

S3LambdaConfiguration
Field name Type Purpose Constraints Default
event String S3 bucket event for which to invoke the AWS Lambda function Must be a supported event type: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html  
function PacoReference Lambda function to notify Paco Reference to Lambda.  

S3NotificationConfiguration

S3NotificationConfiguration
Field name Type Purpose Constraints Default
lambdas List<S3LambdaConfiguration> Lambda configurations    

S3StaticWebsiteHosting

S3StaticWebsiteHosting
Field name Type Purpose Constraints Default
redirect_requests Object<S3StaticWebsiteHostingRedirectRequests> Redirect requests configuration.    

Base Schemas Deployable

S3StaticWebsiteHostingRedirectRequests

S3StaticWebsiteHostingRedirectRequests
Field name Type Purpose Constraints Default
protocol String Protocol    
target PacoReference|String Target S3 Bucket or domain. Paco Reference to S3Bucket. String Ok.  

SNSTopic

Simple Notification Service (SNS) Topic resource.

Example SNSTopic resource YAML
type: SNSTopic
order: 1
enabled: true
display_name: "Waterbear Cloud AWS"
cross_account_access: true
subscriptions:
  - endpoint: http://example.com/yes
    protocol: http
  - endpoint: https://example.com/orno
    protocol: https
  - endpoint: bob@example.com
    protocol: email
  - endpoint: bob@example.com
    protocol: email-json
    filter_policy: '{"State": [ { "anything-but": "COMPLETED" } ] }'
  - endpoint: '555-555-5555'
    protocol: sms
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: sqs
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: application
  - endpoint: arn:aws:lambda:us-east-1:123456789012:function:my-function
    protocol: lambda
SNSTopic
Field name Type Purpose Constraints Default
cross_account_access Boolean Cross-account access from all other accounts in this project.   False
display_name String Display name for SMS Messages    
locations List<AccountRegions> Locations Only applies to a global SNS Topic []
subscriptions List<SNSTopicSubscription> List of SNS Topic Subscriptions    

Base Schemas Resource, DNSEnablable, Enablable, Named, Title, Type

SNSTopicSubscription

SNSTopicSubscription
Field name Type Purpose Constraints Default
endpoint PacoReference|String SNS Topic ARN or Paco Reference Paco Reference to SNSTopic. String Ok.  
filter_policy String Filter Policy Must be valid JSON  
protocol String Notification protocol Must be a valid SNS Topic subscription protocol: ‘http’, ‘https’, ‘email’, ‘email-json’, ‘sms’, ‘sqs’, ‘application’, ‘lambda’. email