Application Resources

An Application is a collection of Resources. These are the Resources which can exist as part of an Application.

ApiGatewayRestApi

An Api Gateway Rest API resource.

Intended to allow provisioning of all API Gateway REST API resources (currently only partial field support).

API Gateway REST API example
type: ApiGatewayRestApi
order: 10
enabled: true
fail_on_warnings: true
description: "My REST API"
endpoint_configuration:
  - 'REGIONAL'
models:
  emptyjson:
    content_type: 'application/json'
methods:
  get:
    http_method: GET
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
      request_parameters:
        "integration.request.querystring.my_id": "method.request.querystring.my_id"
    authorization_type: NONE
    request_parameters:
      "method.request.querystring.my_id": false
      "method.request.querystring.token": false
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
  post:
    http_method: POST
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
    authorization_type: NONE
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
stages:
  prod:
    deployment_id: 'prod'
    description: 'Prod Stage'
    stage_name: 'prod'

ApiGatewayRestApi
Field name Type Purpose Constraints Default
api_key_source_type String API Key Source Type Must be one of ‘HEADER’ to read the API key from the X-API-Key header of a request or ‘AUTHORIZER’ to read the API key from the UsageIdentifierKey from a Lambda authorizer.  
binary_media_types List<String> Binary Media Types. The list of binary media types that are supported by the RestApi resource, such as image/png or application/octet-stream. By default, RestApi supports only UTF-8-encoded text payloads. Duplicates are not allowed. Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list.  
body String Body. An OpenAPI specification that defines a set of RESTful APIs in JSON or YAML format. For YAML templates, you can also provide the specification in YAML format. Must be valid JSON.  
body_file_location StringFileReference Path to a file containing the Body. Must be valid path to a valid JSON document.  
body_s3_location String The Amazon Simple Storage Service (Amazon S3) location that points to an OpenAPI file, which defines a set of RESTful APIs in JSON or YAML format. Valid S3Location string to a valid JSON or YAML document.  
clone_from String CloneFrom. The ID of the RestApi resource that you want to clone.    
description String Description of the RestApi resource.    
endpoint_configuration List<String> Endpoint configuration. A list of the endpoint types of the API. Use this field when creating an API. When importing an existing API, specify the endpoint configuration types using the parameters field. List of strings, each must be one of ‘EDGE’, ‘REGIONAL’, ‘PRIVATE’  
fail_on_warnings Boolean Indicates whether to roll back the resource if a warning occurs while API Gateway is creating the RestApi resource.   False
methods Container<ApiGatewayMethods>      
minimum_compression_size Int An integer that is used to enable compression on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size. A non-negative integer between 0 and 10485760 (10M) bytes, inclusive.  
models Container<ApiGatewayModels>      
parameters Dict Parameters. Custom header parameters for the request. Dictionary of key/value pairs that are strings. {}
policy String A policy document that contains the permissions for the RestApi resource, in JSON format. To set the ARN for the policy, use the !Join intrinsic function with “” as delimiter and values of “execute-api:/” and “*”. Valid JSON document  
resources Container<ApiGatewayResources>      
stages Container<ApiGatewayStages>      

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayMethods

Container for ApiGatewayMethod objects.

ApiGatewayMethods Container<ApiGatewayMethod>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ApiGatewayMethod

API Gateway Method

ApiGatewayMethod
Field name Type Purpose Constraints Default
authorization_type String Authorization Type Must be one of NONE, AWS_IAM, CUSTOM or COGNITO_USER_POOLS  
http_method String HTTP Method Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT.  
integration Object<ApiGatewayMethodIntegration> Integration    
method_responses List<ApiGatewayMethodMethodResponse> Method Responses List of ApiGatewayMethod MethodResponses  
request_parameters Dict Request Parameters. Specify request parameters as key-value pairs (string-to-Boolean mapping), with a source as the key and a Boolean as the value. The Boolean specifies whether a parameter is required. A source must match the format method.request.location.name, where the location is query string, path, or header, and name is a valid, unique parameter name.   {}
resource_id String Resource Id    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayModels

Container for ApiGatewayModel objects.

ApiGatewayModels Container<ApiGatewayModel>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ApiGatewayModel

ApiGatewayModel
Field name Type Purpose Constraints Default
content_type String Content Type    
description String Description    
schema Dict Schema JSON format. Will use null({}) if left empty. {}

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayResources

Container for ApiGatewayResource objects.

ApiGatewayResources Container<ApiGatewayResource>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ApiGatewayResource

ApiGatewayResource
Field name Type Purpose Constraints Default
parent_id String Id of the parent resource. Default is ‘RootResourceId’ for a resource without a parent.   RootResourceId
path_part String Path Part    
rest_api_id String Name of the API Gateway REST API this resource belongs to.    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayStages

Container for ApiGatewayStage objects

ApiGatewayStages Container<ApiGatewayStage>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ApiGatewayStage

API Gateway Stage

ApiGatewayStage
Field name Type Purpose Constraints Default
deployment_id String Deployment ID    
description String Description    
stage_name String Stage name    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayMethodIntegration

ApiGatewayMethodIntegration
Field name Type Purpose Constraints Default
integration_http_method String Integration HTTP Method Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT. POST
integration_lambda PacoReference Integration Lambda Paco Reference to Lambda.  
integration_responses List<ApiGatewayMethodIntegrationResponse> Integration Responses    
integration_type String Integration Type Must be one of AWS, AWS_PROXY, HTTP, HTTP_PROXY or MOCK. AWS
request_parameters Dict The request parameters that API Gateway sends with the backend request. Specify request parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source as the value. Specify the destination by using the following pattern integration.request.location.name, where location is query string, path, or header, and name is a valid, unique parameter name. The source must be an existing method request parameter or a static value. You must enclose static values in single quotation marks and pre-encode these values based on their destination in the request.   {}
uri String Integration URI    

ApiGatewayMethodIntegrationResponse

ApiGatewayMethodIntegrationResponse
Field name Type Purpose Constraints Default
content_handling String Specifies how to handle request payload content type conversions. Valid values are: CONVERT_TO_BINARY, which converts a request payload from a base64-encoded string to a binary blob; CONVERT_TO_TEXT, which converts a request payload from a binary blob to a base64-encoded string. If this property isn’t defined, the request payload is passed through from the method request to the integration request without modification.    
response_parameters Dict Response Parameters   {}
response_templates Dict Response Templates   {}
selection_pattern String A regular expression that specifies which error strings or status codes from the backend map to the integration response.    
status_code String The status code that API Gateway uses to map the integration response to a MethodResponse status code. Must match a status code in the method_responses for this API Gateway REST API.  
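The constraints in the ApiGatewayMethod, ApiGatewayMethodIntegration and ApiGatewayMethodIntegrationResponse tables above can be checked before a stack is deployed. The following added example (not Paco's own code) validates one method loaded from the YAML on this page as a dict: it checks the integration.request.location.name destination pattern, that every mapping source is either a single-quoted static value or a declared method request parameter, and that each integration response status_code has a matching method_responses entry; it also lists methods with authorization_type NONE so unauthenticated endpoints are reviewed deliberately. The sample method is constructed from the GET method in the ApiGatewayRestApi example.

```python
import re

# Allowed values from the ApiGatewayMethod table on this page.
AUTH_TYPES = {"NONE", "AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}
HTTP_METHODS = {"ANY", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"}

# Destination and source patterns from the request_parameters constraints.
INTEGRATION_DEST_RE = re.compile(
    r"^integration\.request\.(querystring|path|header)\.[A-Za-z0-9_.-]+$"
)
METHOD_SOURCE_RE = re.compile(
    r"^method\.request\.(querystring|path|header)\.[A-Za-z0-9_.-]+$"
)

# Constructed sample: the GET method from the page's ApiGatewayRestApi example.
SAMPLE_GET = {
    "http_method": "GET",
    "authorization_type": "NONE",
    "request_parameters": {
        "method.request.querystring.my_id": False,
        "method.request.querystring.token": False,
    },
    "integration": {
        "integration_type": "AWS",
        "request_parameters": {
            "integration.request.querystring.my_id": "method.request.querystring.my_id",
        },
        "integration_responses": [
            {"status_code": "200", "response_templates": {"application/json": ""}},
        ],
    },
    "method_responses": [{"status_code": "200"}],
}


def is_static_value(src) -> bool:
    """A static source must be enclosed in single quotation marks, e.g. 'fixed'."""
    return isinstance(src, str) and len(src) >= 2 and src[0] == "'" and src[-1] == "'"


def validate_method(method: dict) -> list:
    """Return a list of constraint violations for one ApiGatewayMethod (empty if clean)."""
    problems = []
    if method.get("http_method") not in HTTP_METHODS:
        problems.append(f"http_method {method.get('http_method')!r} is not allowed")
    if method.get("authorization_type") not in AUTH_TYPES:
        problems.append(f"authorization_type {method.get('authorization_type')!r} is not allowed")

    declared = set(method.get("request_parameters") or {})
    integration = method.get("integration") or {}

    # Each integration mapping: destination pattern, then source is static or declared.
    for dest, src in (integration.get("request_parameters") or {}).items():
        if not INTEGRATION_DEST_RE.match(dest):
            problems.append(f"destination {dest!r} must match integration.request.<location>.<name>")
        if is_static_value(src):
            continue
        if not isinstance(src, str) or not METHOD_SOURCE_RE.match(src):
            problems.append(
                f"source {src!r} for {dest!r} is neither a single-quoted static value "
                "nor method.request.<location>.<name>"
            )
        elif src not in declared:
            problems.append(f"source {src!r} for {dest!r} is not declared in request_parameters")

    # Every integration response status code needs a matching method response.
    method_codes = {r.get("status_code") for r in method.get("method_responses") or []}
    for resp in integration.get("integration_responses") or []:
        code = resp.get("status_code")
        if code not in method_codes:
            problems.append(f"integration response status_code {code!r} has no method_responses entry")
    return problems


def unauthenticated_methods(methods: dict) -> list:
    """Names of methods in an ApiGatewayMethods container that use authorization_type NONE."""
    return sorted(name for name, m in methods.items() if m.get("authorization_type") == "NONE")
```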

ApiGatewayMethodMethodResponse

ApiGatewayMethodMethodResponse
Field name Type Purpose Constraints Default
response_models List<ApiGatewayMethodMethodResponseModel> The resources used for the response’s content type. Specify response models as key-value pairs (string-to-string maps), with a content type as the key and a Model Paco name as the value.  
status_code String HTTP Status code    

ApiGatewayMethodMethodResponseModel

ApiGatewayMethodMethodResponseModel
Field name Type Purpose Constraints Default
content_type String Content Type    
model_name String Model name    

ASG

An AutoScalingGroup (ASG) contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management.

The Paco ASG resource provisions an AutoScalingGroup as well as LaunchConfiguration and TargetGroups for that ASG.

example ASG configuration
type: ASG
order: 30
enabled: true
associate_public_ip_address: false
cooldown_secs: 200
ebs_optimized: false
health_check_grace_period_secs: 240
health_check_type: EC2
availability_zone: 1
ebs_volume_mounts:
  - volume: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_volume
    enabled: true
    folder: /var/www/html
    device: /dev/xvdf
    filesystem: ext4
efs_mounts:
  - enabled: true
    folder: /mnt/wp_efs
    target: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_efs
instance_iam_role:
  enabled: true
  policies:
    - name: DNSRecordSet
      statement:
        - effect: Allow
          action:
            - route53:ChangeResourceRecordSets
          resource:
            - 'arn:aws:route53:::hostedzone/HHIHkjhdhu744'
instance_ami: paco.ref function.aws.ec2.ami.latest.amazon-linux-2
instance_ami_type: amazon
instance_key_pair: paco.ref resource.ec2.keypairs.my_keypair
instance_monitoring: true
instance_type: t2.medium
desired_capacity: 1
max_instances: 3
min_instances: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT3M
  wait_on_resource_signals: false
target_groups:
  - paco.ref netenv.mynet.applications.app.groups.web.resources.alb.target_groups.cloud
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.web.asg
segment: private
termination_policies:
  - Default
scaling_policy_cpu_average: 60
launch_options:
  update_packages: true
  ssm_agent: true
  cfn_init_config_sets:
    - "InstallApp"
cfn_init:
  config_sets:
    InstallApp:
      - "InstallApp"
  configurations:
    InstallApp:
      packages:
        yum:
          python3: []
      users:
        www-data:
          uid: 2000
          home_dir: /home/www-data
      files:
        "/etc/systemd/system/pypiserver.service":
          content_file: ./pypi-config/pypiserver.service
          mode: '000755'
          owner: root
          group: root
      commands:
        00_pypiserver:
          command: "/bin/pip3 install pypiserver"
        01_passlib_dependency:
          command: "/bin/pip3 install passlib"
        02_prep_mount:
          command: "chown www-data:www-data /var/pypi"
      services:
        sysvinit:
          pypiserver:
            enabled: true
            ensure_running: true
monitoring:
  enabled: true
  collection_interval: 60
  metrics:
    - name: swap
      measurements:
        - used_percent
    - name: disk
      measurements:
        - free
      resources:
        - '/'
        - '/var/www/html'
      collection_interval: 300
user_data_script: |
  echo "Hello World!"

AutoScalingGroup Rolling Update Policy

When changes are applied to an AutoScalingGroup that modify the configuration of newly launched instances, AWS can automatically launch instances with the new configuration and terminate old instances that have stale configuration. This can be configured so that there is no interruption of service as the new instances gradually replace old ones. This configuration is set with the rolling_update_policy field.

The rolling update policy must be able to work within the minimum/maximum number of instances in the ASG. Consider the following ASG configuration.

example ASG configuration
type: ASG
max_instances: 2
min_instances: 1
desired_capacity: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT0S # default setting
  wait_on_resource_signals: false # default setting

This will normally run a single instance in the ASG. The ASG is never allowed to launch more than 2 instances at one time. When an update happens, a new batch of instances is launched, in this example just one instance. There will be only 1 instance in service, but the capacity will be at 2 instances while the new instance is launched. After the new instance is put into service by the ASG, the old instance is immediately terminated.

The wait_on_resource_signals field can be set to tell AWS CloudFormation to wait before making further changes to the AutoScalingGroup until a new instance has finished configuring and installing applications and is ready for service. If this field is enabled, the pause_time default is PT5M (5 minutes). If CloudFormation does not get a SUCCESS signal within the pause_time, it marks the new instance as failed and terminates it.

If you use pause_time with the default wait_on_resource_signals: false then AWS will simply wait for the full duration of the pause time and then consider the instance ready. pause_time is in format PT#H#M#S, where each # is the number of hours, minutes, and seconds, respectively. The maximum pause_time is one hour. For example:

pause_time: PT0S # 0 seconds
pause_time: PT5M # 5 minutes
pause_time: PT2M30S # 2 minutes and 30 seconds

ASGs use default settings for a rolling update policy. If you do not want an update policy at all, you must disable the rolling_update_policy explicitly:

type: ASG
rolling_update_policy:
  enabled: false

With no rolling update policy, when you make configuration changes, existing instances with the old configuration will continue to run, and instances with the new configuration will not be launched until the AutoScalingGroup needs to launch new instances. Be careful with this approach: you cannot know with certainty that your new configuration launches instances properly until some point in the future when new instances are requested by the ASG.

See the AWS documentation for more information on how AutoScalingRollingUpdate Policy configuration is used.
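The rules in this section (the policy must fit within the ASG's instance bounds, pause_time is PT#H#M#S with a one-hour maximum, and the default pause is PT0S or PT5M when wait_on_resource_signals is set) can be checked before a deployment. The following is an added example, not Paco's own code: it takes an ASG loaded from the YAML on this page as a dict and reports problems. The capacity check is this example's reading of the worked example above (the ASG temporarily runs min_instances_in_service plus max_batch_size instances), and the PT0S-with-signals check follows from the SUCCESS-signal timeout described above.

```python
import re

# Limits and defaults as stated on this page.
MAX_PAUSE_SECONDS = 3600  # "The maximum pause_time is one hour."
PAUSE_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_pause_time(value: str) -> int:
    """Return the seconds encoded by a PT#H#M#S duration such as PT2M30S.

    Raises ValueError for anything else, including the easy typo PT05.
    """
    m = PAUSE_RE.match(value)
    if m is None or value == "PT":
        raise ValueError(f"pause_time {value!r} is not in PT#H#M#S format")
    hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def validate_rolling_update(asg: dict) -> list:
    """Check an ASG's rolling_update_policy against its instance bounds.

    Returns a list of problems; an empty list means the policy can run.
    Defaults follow the ASG and ASGRollingUpdatePolicy tables on this page.
    """
    problems = []
    max_instances = asg.get("max_instances", 2)
    policy = asg.get("rolling_update_policy") or {}
    if not policy.get("enabled", True):
        return problems  # rolling_update_policy disabled: nothing to check

    batch = policy.get("max_batch_size", 1)
    in_service = policy.get("min_instances_in_service", 0)
    wait = policy.get("wait_on_resource_signals", False)
    pause = policy.get("pause_time", "PT5M" if wait else "PT0S")

    if batch < 1:
        problems.append(f"max_batch_size must be at least 1, got {batch}")

    # Reading of the page's worked example (max 2, batch 1, 1 in service):
    # during an update the ASG runs min_instances_in_service + max_batch_size
    # instances at once, so that sum has to fit inside max_instances.
    if in_service + batch > max_instances:
        problems.append(
            f"min_instances_in_service ({in_service}) + max_batch_size ({batch}) "
            f"exceeds max_instances ({max_instances}); the new batch cannot launch"
        )

    try:
        seconds = parse_pause_time(pause)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if seconds > MAX_PAUSE_SECONDS:
            problems.append(f"pause_time {pause} is longer than the one hour maximum")
        if wait and seconds == 0:
            # With signals enabled, CloudFormation waits at most pause_time for
            # SUCCESS; a zero pause leaves no time for cfn-signal to report.
            problems.append(
                "wait_on_resource_signals is true but pause_time is PT0S: "
                "the new instance would be marked failed before it can signal"
            )
    return problems
```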

ASG
Field name Type Purpose Constraints Default
associate_public_ip_address Boolean Associate Public IP Address   False
availability_zone String Availability Zones to launch instances in.   all
block_device_mappings List<BlockDeviceMapping> Block Device Mappings    
cfn_init Object<CloudFormationInit> CloudFormation Init    
cooldown_secs Int Cooldown seconds   300
desired_capacity Int Desired capacity   1
desired_capacity_ignore_changes Boolean Ignore changes to the desired_capacity after the ASG is created.   False
ebs_optimized Boolean EBS Optimized   False
ebs_volume_mounts List<EBSVolumeMount> Elastic Block Store Volume Mounts    
efs_mounts List<EFSMount> Elastic Filesystem Configuration    
eip PacoReference|String Elastic IP or AllocationId to attach to instance at launch Paco Reference to EIP. String Ok.  
health_check_grace_period_secs Int Health check grace period in seconds   300
health_check_type String Health check type Must be one of: ‘EC2’, ‘ELB’ EC2
instance_ami PacoReference|String Instance AMI Paco Reference to Function. String Ok.  
instance_ami_ignore_changes Boolean Do not update the instance_ami after creation.   False
instance_ami_type String The AMI Operating System family Must be one of amazon, centos, suse, debian, ubuntu, microsoft or redhat. amazon
instance_iam_role Object<Role>      
instance_key_pair PacoReference Key pair to connect to launched instances Paco Reference to EC2KeyPair.  
instance_monitoring Boolean Instance monitoring   False
instance_type String Instance type    
launch_options Object<EC2LaunchOptions> EC2 Launch Options    
lifecycle_hooks Container<ASGLifecycleHooks> Lifecycle Hooks    
load_balancers List<PacoReference> Target groups Paco Reference to TargetGroup.  
max_instances Int Maximum instances   2
min_instances Int Minimum instances   1
rolling_update_policy Object<ASGRollingUpdatePolicy> Rolling Update Policy    
scaling_policies Container<ASGScalingPolicies> Scaling Policies    
scaling_policy_cpu_average Int Average CPU Scaling Policy   0
secrets List<PacoReference> List of Secrets Manager References Paco Reference to SecretsManagerSecret.  
security_groups List<PacoReference> Security groups Paco Reference to SecurityGroup.  
segment String Segment    
target_groups List<PacoReference> Target groups Paco Reference to TargetGroup.  
termination_policies List<String> Termination policies    
user_data_pre_script String User data pre-script    
user_data_script String User data script    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ASGLifecycleHooks

Container for ASGLifecycleHook objects.

ASGLifecycleHooks Container<ASGLifecycleHook>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ASGLifecycleHook

ASG Lifecycle Hook

ASGLifecycleHook
Field name Type Purpose Constraints Default
default_result String Default Result    
lifecycle_transition String ASG Lifecycle Transition    
notification_target_arn String Lifecycle Notification Target Arn    
role_arn String Lifecycle Publish Role ARN    

Base Schemas Deployable, Named, Title

ASGScalingPolicies

Container for ASGScalingPolicy objects.

ASGScalingPolicies Container<ASGScalingPolicy>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

ASGScalingPolicy

Auto Scaling Group Scaling Policy

ASGScalingPolicy
Field name Type Purpose Constraints Default
adjustment_type String Adjustment Type   ChangeInCapacity
alarms List<SimpleCloudWatchAlarm> Alarms    
cooldown Int Scaling Cooldown in Seconds   300
policy_type String Policy Type   SimpleScaling
scaling_adjustment Int Scaling Adjustment    

Base Schemas Deployable, Named, Title

ASGRollingUpdatePolicy

AutoScalingRollingUpdate Policy

ASGRollingUpdatePolicy
Field name Type Purpose Constraints Default
enabled Boolean Enable an UpdatePolicy for the ASG   True
max_batch_size Int Maximum batch size   1
min_instances_in_service Int Minimum instances in service   0
pause_time String Pause time between batches Must be in the format PT#H#M#S  
wait_on_resource_signals Boolean Wait for resource signals   False

Base Schemas Named, Title

BlockDeviceMapping

BlockDeviceMapping
Field name Type Purpose Constraints Default
device_name String The device name exposed to the EC2 instance    
ebs Object<BlockDevice> Amazon Ebs volume    
virtual_name String The name of the virtual device. The name must be in the form ephemeralX where X is a number starting from zero (0), for example, ephemeral0.  

BlockDevice

BlockDevice
Field name Type Purpose Constraints Default
delete_on_termination Boolean Indicates whether to delete the volume when the instance is terminated.   True
encrypted Boolean Specifies whether the EBS volume is encrypted.    
iops Int The number of I/O operations per second (IOPS) to provision for the volume. The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS, you need at least 100 GiB storage on the volume.  
size_gib Int The volume size, in Gibibytes (GiB). This can be a number from 1-1,024 for standard, 4-16,384 for io1, 1-16,384 for gp2, and 500-16,384 for st1 and sc1.  
snapshot_id String The snapshot ID of the volume to use.    
volume_type String The volume type, which can be standard for Magnetic, io1 for Provisioned IOPS SSD, gp2 for General Purpose SSD, st1 for Throughput Optimized HDD, or sc1 for Cold HDD. Must be one of standard, io1, gp2, st1 or sc1.  

EBSVolumeMount

EBS Volume Mount Configuration

EBSVolumeMount
Field name Type Purpose Constraints Default
device String Device to mount the EBS Volume with.    
filesystem String Filesystem to mount the EBS Volume with.    
folder String Folder to mount the EBS Volume    
volume PacoReference|String EBS Volume Resource Reference Paco Reference to EBS. String Ok.  

Base Schemas Deployable

EFSMount

EFS Mount Folder and Target Configuration

EFSMount
Field name Type Purpose Constraints Default
folder String Folder to mount the EFS target    
target PacoReference|String EFS Target Resource Reference Paco Reference to EFS. String Ok.  

Base Schemas Deployable

EC2LaunchOptions

EC2 Launch Options

EC2LaunchOptions
Field name Type Purpose Constraints Default
cfn_init_config_sets List<String> List of cfn-init config sets   []
ssm_agent Boolean Install SSM Agent   True
ssm_expire_events_after_days String Retention period of SSM logs   30
update_packages Boolean Update Distribution Packages   False

Base Schemas Named, Title

CloudFormationInit

CloudFormation Init is a method to configure an EC2 instance after it is launched. CloudFormation Init is a much more complete and robust method to install configuration files and packages than using a UserData script.

It stores information about packages, files, commands and more in CloudFormation metadata. It is accompanied by a cfn-init script which will run on the instance to fetch this configuration metadata and apply it. The whole system is often referred to simply as cfn-init after this script.

The cfn_init field of an ASG contains all of the cfn-init configuration. After an instance is launched, it needs to run a local cfn-init script to pull the configuration from the CloudFormation stack and apply it. After cfn-init has applied the configuration, cfn-signal is run to tell CloudFormation the configuration was successfully applied. Use the launch_options field of an ASG to let Paco take care of all this for you.

Refer to the CloudFormation Init docs for a complete description of all the configuration options available.

cfn_init with launch_options
launch_options:
  cfn_init_config_sets:
    - "Install"
cfn_init:
  parameters:
    BasicKey: static-string
    DatabasePasswordarn: paco.ref netenv.mynet.secrets_manager.app.site.database.arn
  config_sets:
    Install:
      - "Install"
  configurations:
    Install:
      packages:
        rpm:
          epel: "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
        yum:
          jq: []
          python3: []
      files:
        "/tmp/get_rds_dsn.sh":
          content_cfn_file: ./webapp/get_rds_dsn.sh
          mode: '000700'
          owner: root
          group: root
        "/etc/httpd/conf.d/saas_wsgi.conf":
          content_file: ./webapp/saas_wsgi.conf
          mode: '000600'
          owner: root
          group: root
        "/etc/httpd/conf.d/wsgi.conf":
          content: "LoadModule wsgi_module modules/mod_wsgi.so"
          mode: '000600'
          owner: root
          group: root
        "/tmp/install_codedeploy.sh":
          source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
          mode: '000700'
          owner: root
          group: root
      commands:
        10_install_codedeploy:
          command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
      services:
        sysvinit:
          codedeploy-agent:
            enabled: true
            ensure_running: true

The parameters field is a set of Parameters that will be passed to the CloudFormation stack. This can be static strings or paco.ref that are looked up from already provisioned cloud resources.

CloudFormation Init can be organized into Configsets. With raw cfn-init, using Configsets is optional, but Paco requires them.

In a Configset, the files field has four fields for specifying the file contents.

  • content_file: A path to a file on the local filesystem. A convenient practice is to make a sub-directory in the netenv directory for keeping cfn-init files.
  • content_cfn_file: A path to a file on the local filesystem. This file will have FnSub and FnJoin CloudFormation applied to it.
  • content: For small files, the content can be in-lined directly in this field.
  • source: Fetches the file from a URL.

If you are using content_cfn_file to interpolate Parameters, the file might look like:

!Sub |
    #!/bin/bash

    echo "Database ARN is " ${DatabasePasswordarn}
    echo "AWS Region is " ${AWS::Region}

If you want to include a raw ${SomeValue} string in your file, use the ! character to escape it like this: ${!SomeValue}. cfn-init also supports interpolation with Mustache templates, but Paco support for this is not yet implemented.
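To see exactly what a content_cfn_file becomes on the instance, the following added example (not Paco's or CloudFormation's own code) applies Fn::Sub-style interpolation to a constructed copy of the script above: ${Name} is filled from the stack Parameters declared in cfn_init parameters or from pseudo parameters such as AWS::Region, ${!Name} is reduced to the literal ${Name}, and a helper lists names the stack would fail to resolve. The parameter values and region are constructed placeholders.

```python
import re

# Constructed sample: the script from the page, plus one escaped placeholder.
SAMPLE_TEMPLATE = """#!/bin/bash

echo "Database ARN is " ${DatabasePasswordarn}
echo "AWS Region is " ${AWS::Region}
echo 'Shell expands this later: ${!HOME}'
"""

# Constructed stand-ins for the stack Parameters (cfn_init parameters field)
# and for the pseudo parameters CloudFormation supplies at deploy time.
SAMPLE_PARAMETERS = {
    "BasicKey": "static-string",
    # placeholder ARN, not a real resource
    "DatabasePasswordarn": "arn:aws:secretsmanager:us-west-2:000000000000:secret:placeholder",
}
SAMPLE_PSEUDO = {"AWS::Region": "us-west-2"}

# ${Name} or ${!Name}; names may contain "::" (pseudo parameters) and "." (attributes).
SUB_RE = re.compile(r"\$\{(!?)([A-Za-z0-9:_.]+)\}")


def render_sub(template: str, parameters: dict, pseudo: dict) -> str:
    """Interpolate a content_cfn_file the way Fn::Sub does.

    ${Name} is replaced from parameters or pseudo parameters, ${!Name} becomes
    the literal text ${Name}, and an unknown name raises KeyError so the error
    is caught locally rather than at stack creation.
    """
    def replace(m: re.Match) -> str:
        escaped, name = m.group(1), m.group(2)
        if escaped:
            return "${" + name + "}"
        if name in parameters:
            return parameters[name]
        if name in pseudo:
            return pseudo[name]
        raise KeyError(f"${{{name}}} is not a stack Parameter or pseudo parameter")

    return SUB_RE.sub(replace, template)


def unresolved_names(template: str, parameters: dict, pseudo: dict) -> list:
    """Names the template references that neither Parameters nor pseudo parameters supply."""
    missing = []
    for escaped, name in SUB_RE.findall(template):
        if not escaped and name not in parameters and name not in pseudo and name not in missing:
            missing.append(name)
    return missing
```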

CloudFormationInit
Field name Type Purpose Constraints Default
config_sets Container<CloudFormationConfigSets> CloudFormation Init configSets    
configurations Container<CloudFormationConfigurations> CloudFormation Init configurations    
parameters Dict Parameters   {}

Base Schemas Named, Title

CloudFormationConfigSets

CloudFormationConfigSets
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CloudFormationConfigurations

CloudFormationConfigurations Container<CloudFormationConfiguration>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CloudFormationConfiguration

CloudFormationConfiguration
Field name Type Purpose Constraints Default
commands Container<CloudFormationInitCommands> Commands    
files Container<CloudFormationInitFiles> Files    
groups Object<CloudFormationInitGroups> Groups    
packages Object<CloudFormationInitPackages> Packages    
services Object<CloudFormationInitServices> Services    
sources Container<CloudFormationInitSources> Sources    
users Object<CloudFormationInitUsers> Users    

Base Schemas Named, Title

CloudFormationInitCommands

CloudFormationInitCommands
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CloudFormationInitCommand

CloudFormationInitCommand
Field name Type Purpose Constraints Default
command String Command    
cwd String Cwd. The working directory    
env Dict Environment Variables. This property overwrites, rather than appends, the existing environment.   {}
ignore_errors Boolean Ignore errors. Determines whether cfn-init continues to run if the command contained in the command key fails (returns a non-zero value). Set to true if you want cfn-init to continue running even if the command fails.   False
test String A test command that determines whether cfn-init runs commands that are specified in the command key. If the test passes, cfn-init runs the commands.    

CloudFormationInitFiles

CloudFormationInitFiles
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CloudFormationInitFile

CloudFormationInitFile
Field name Type Purpose Constraints Default
authentication String The name of an authentication method to use.    
content Object<Interface> Either a string or a properly formatted YAML object.    
content_cfn_file YAMLFileReference File path to a properly formatted CloudFormation Functions YAML object.    
content_file StringFileReference File path to a string.    
context String Specifies a context for files that are to be processed as Mustache templates.    
encoding String The encoding format.    
group String The name of the owning group for this file. Not supported for Windows systems.    
mode String A six-digit octal value representing the mode for this file.    
owner String The name of the owning user for this file. Not supported for Windows systems.    
source String A URL to load the file from.    

Base Schemas Named, Title

CloudFormationInitGroups

Container for CloudFormationInit Groups

CloudFormationInitPackages

CloudFormationInitPackages
Field name Type Purpose Constraints Default
apt Container<CloudFormationInitVersionedPackageSet> Apt packages    
msi Container<CloudFormationInitPathOrUrlPackageSet> MSI packages    
python Container<CloudFormationInitVersionedPackageSet> Python packages    
rpm Container<CloudFormationInitPathOrUrlPackageSet> RPM packages    
rubygems Container<CloudFormationInitVersionedPackageSet> Rubygems packages    
yum Container<CloudFormationInitVersionedPackageSet> Yum packages    

Base Schemas Named, Title

CloudFormationInitVersionedPackageSet

CloudFormationInitPathOrUrlPackageSet

CloudFormationInitServiceCollection

CloudFormationInitServiceCollection
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CloudFormationInitServices

CloudFormationInitServices
Field name Type Purpose Constraints Default
sysvinit Container<CloudFormationInitServiceCollection> SysVInit Services for Linux OS    
windows Container<CloudFormationInitServiceCollection> Windows Services for Windows OS    

Base Schemas Named, Title

CloudFormationInitService

CloudFormationInitService
Field name Type Purpose Constraints Default
commands List<String> A list of command names. If cfn-init runs the specified command, this service will be restarted.    
enabled Boolean Ensure that the service will be started or not started upon boot.    
ensure_running Boolean Ensure that the service is running or stopped after cfn-init finishes.    
files List<String> A list of files. If cfn-init changes one directly via the files block, this service will be restarted.    
packages Dict A map of package manager to list of package names. If cfn-init installs or updates one of these packages, this service will be restarted.   {}
sources List<String> A list of directories. If cfn-init expands an archive into one of these directories, this service will be restarted.    

CloudFormationInitSources

CloudFormationInitSources
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CloudFormationInitUsers

Container for CloudFormationInit Users

AWSCertificateManager

AWSCertificateManager
Field name Type Purpose Constraints Default
domain_name String Domain Name    
external_resource Boolean Marks this resource as external to avoid creating and validating it.   False
subject_alternative_names List<String> Subject alternative names    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CloudFront

CloudFront CDN Configuration

CloudFront
Field name Type Purpose Constraints Default
cache_behaviors List<CloudFrontCacheBehavior> List of Cache Behaviors    
custom_error_responses List<CloudFrontCustomErrorResponse> List of Custom Error Responses    
default_cache_behavior Object<CloudFrontDefaultCacheBehavior> Default Cache Behavior    
default_root_object String The default path to load from the origin.    
domain_aliases List<DNS> List of DNS for the Distribution    
factory Container<CloudFrontFactory> CloudFront Factory    
origins Container<CloudFrontOrigin> Map of Origins    
price_class String Price Class   All
viewer_certificate Object<CloudFrontViewerCertificate> Viewer Certificate    
webacl_id String WAF WebACLId    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

CloudFrontDefaultCacheBehavior

CloudFrontDefaultCacheBehavior
Field name Type Purpose Constraints Default
allowed_methods List<String> List of Allowed HTTP Methods   ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT']
cached_methods List<String> List of HTTP Methods to cache   ['GET', 'HEAD', 'OPTIONS']
compress Boolean Compress certain files automatically   False
default_ttl Int Default TTL   0
forwarded_values Object<CloudFrontForwardedValues> Forwarded Values    
max_ttl Int Maximum TTL   -1
min_ttl Int Minimum TTL   -1
target_origin PacoReference Target Origin Paco Reference to CloudFrontOrigin.  
viewer_protocol_policy String Viewer Protocol Policy   redirect-to-https

Base Schemas Named, Title

CloudFrontCacheBehavior

CloudFrontCacheBehavior
Field name Type Purpose Constraints Default
path_pattern String Path Pattern    

Base Schemas CloudFrontDefaultCacheBehavior, Named, Title

CloudFrontFactory

CloudFront Factory

CloudFrontFactory
Field name Type Purpose Constraints Default
domain_aliases List<DNS> List of DNS for the Distribution    
viewer_certificate Object<CloudFrontViewerCertificate> Viewer Certificate    

Base Schemas Named, Title

CloudFrontOrigin

CloudFront Origin Configuration

CloudFrontOrigin
Field name Type Purpose Constraints Default
custom_origin_config Object<CloudFrontCustomOriginConfig> Custom Origin Configuration    
domain_name PacoReference|String Origin Resource Reference Paco Reference to Route53HostedZone. String Ok.  
s3_bucket PacoReference Origin S3 Bucket Reference Paco Reference to S3Bucket.  

Base Schemas Named, Title

CloudFrontCustomOriginConfig

CloudFrontCustomOriginConfig
Field name Type Purpose Constraints Default
http_port Int HTTP Port    
https_port Int HTTPS Port    
keepalive_timeout Int HTTP Keepalive Timeout   5
protocol_policy String Protocol Policy    
read_timeout Int Read timeout   30
ssl_protocols List<String> List of SSL Protocols    

Base Schemas Named, Title

CloudFrontCustomErrorResponse

CloudFrontCustomErrorResponse
Field name Type Purpose Constraints Default
error_caching_min_ttl Int Error Caching Min TTL    
error_code Int HTTP Error Code    
response_code Int HTTP Response Code    
response_page_path String Response Page Path    

CloudFrontViewerCertificate

CloudFrontViewerCertificate
Field name Type Purpose Constraints Default
certificate PacoReference Certificate Reference Paco Reference to AWSCertificateManager.  
minimum_protocol_version String Minimum SSL Protocol Version   TLSv1.1_2016
ssl_supported_method String SSL Supported Method   sni-only

Base Schemas Named, Title

CloudFrontForwardedValues

CloudFrontForwardedValues
Field name Type Purpose Constraints Default
cookies Object<CloudFrontCookies> Forward Cookies    
headers List<String> Forward Headers   ['*']
query_string Boolean Forward Query Strings   True

Base Schemas Named, Title

CloudFrontCookies

CloudFrontCookies
Field name Type Purpose Constraints Default
forward String Cookies Forward Action   all
whitelisted_names List<String> White Listed Names    

Base Schemas Named, Title

CodeDeployApplication

CodeDeploy Application creates CodeDeploy Application and Deployment Groups for that application.

This resource can be used when you already have another process in-place to put deploy artifacts into an S3 Bucket. If you also need to build artifacts, use DeploymentPipeline instead.

Example CodeDeployApplication resource YAML
type: CodeDeployApplication
order: 40
compute_platform: "Server"
deployment_groups:
  deployment:
    title: "My Deployment Group description"
    ignore_application_stop_failures: true
    revision_location_s3: paco.ref netenv.mynet.applications.app.groups.deploybucket
    autoscalinggroups:
      - paco.ref netenv.mynet.applications.app.groups.web

It can be convenient to install the CodeDeploy agent on your instances using CloudFormationInit.

Example ASG configuration for cfn_init to install CodeDeploy agent
launch_options:
  cfn_init_config_sets:
    - "InstallCodeDeploy"
cfn_init:
  config_sets:
    InstallCodeDeploy:
      - "InstallCodeDeploy"
  files:
    "/tmp/install_codedeploy.sh":
      source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
      mode: '000700'
      owner: root
      group: root
  commands:
    01_install_codedeploy:
      command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
  services:
    sysvinit:
      codedeploy-agent:
        enabled: true
        ensure_running: true
CodeDeployApplication
Field name Type Purpose Constraints Default
compute_platform String Compute Platform Must be one of Lambda, Server or ECS  
deployment_groups Container<CodeDeployDeploymentGroups> CodeDeploy Deployment Groups    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CodeDeployDeploymentGroups

CodeDeployDeploymentGroups
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CodeDeployDeploymentGroup

CodeDeployDeploymentGroup
Field name Type Purpose Constraints Default
autoscalinggroups List<PacoReference> AutoScalingGroups that CodeDeploy automatically deploys revisions to when new instances are created Paco Reference to ASG.  
ignore_application_stop_failures Boolean Ignore Application Stop Failures    
revision_location_s3 Object<DeploymentGroupS3Location> S3 Bucket revision location    
role_policies List<Policy> Policies to grant the deployment group role    

Base Schemas Deployable, Named, Title

DeploymentPipeline

CodePipeline: Source, Build and Deploy or Stages

DeploymentPipeline
Field name Type Purpose Constraints Default
build Container<DeploymentPipelineBuildStage> Deployment Pipeline Build Stage    
configuration Object<DeploymentPipelineConfiguration> Deployment Pipeline General Configuration    
deploy Container<DeploymentPipelineDeployStage> Deployment Pipeline Deploy Stage    
source Container<DeploymentPipelineSourceStage> Deployment Pipeline Source Stage    
stages Container<CodePipelineStages> Stages    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CodePipelineStages

Container for CodePipelineStage objects.

CodePipelineStages Container<CodePipelineStage>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

CodePipelineStage

Container for different types of DeploymentPipelineStageAction objects.

CodePipelineStage
Field name Type Purpose Constraints Default

Base Schemas Named, Title

DeploymentPipelineSourceStage

A map of DeploymentPipeline source stage actions

DeploymentPipelineSourceStage
Field name Type Purpose Constraints Default

Base Schemas Named, Title

DeploymentPipelineDeployStage

A map of DeploymentPipeline deploy stage actions

DeploymentPipelineDeployStage
Field name Type Purpose Constraints Default

Base Schemas Named, Title

DeploymentPipelineBuildStage

A map of DeploymentPipeline build stage actions

DeploymentPipelineBuildStage
Field name Type Purpose Constraints Default

Base Schemas Named, Title

DeploymentPipelineDeployCodeDeploy

CodeDeploy DeploymentPipeline Deploy Stage

DeploymentPipelineDeployCodeDeploy
Field name Type Purpose Constraints Default
alb_target_group PacoReference ALB Target Group Reference Paco Reference to TargetGroup.  
auto_rollback_enabled Boolean Automatic rollback enabled   True
auto_scaling_group PacoReference ASG Reference Paco Reference to ASG.  
deploy_instance_role PacoReference Deploy Instance Role Reference Paco Reference to Role.  
deploy_style_option String Deploy Style Option   WITH_TRAFFIC_CONTROL
elb_name String ELB Name    
minimum_healthy_hosts Object<CodeDeployMinimumHealthyHosts> The minimum number of healthy instances that should be available at any time during the deployment.    

Base Schemas Deployable, Named, DeploymentPipelineStageAction, Title

CodeDeployMinimumHealthyHosts

CodeDeploy Minimum Healthy Hosts

CodeDeployMinimumHealthyHosts
Field name Type Purpose Constraints Default
type String Deploy Config Type   HOST_COUNT
value Int Deploy Config Value   0

Base Schemas Named, Title

DeploymentPipelineManualApproval

ManualApproval DeploymentPipeline

DeploymentPipelineManualApproval
Field name Type Purpose Constraints Default
manual_approval_notification_email List<String> Manual Approval Notification Email List    

Base Schemas Deployable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineDeployS3

Amazon S3 Deployment Provider

DeploymentPipelineDeployS3
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket Reference Paco Reference to S3Bucket.  
extract Boolean Boolean indicating whether the deployment artifact will be unarchived.   True
input_artifacts List<String> Input Artifacts    
object_key String S3 object key to store the deployment artifact as.    

Base Schemas Deployable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineBuildCodeBuild

CodeBuild DeploymentPipeline Build Stage

DeploymentPipelineBuildCodeBuild
Field name Type Purpose Constraints Default
codebuild_compute_type String CodeBuild Compute Type    
codebuild_image String CodeBuild Docker Image    
deployment_environment String Deployment Environment    
role_policies List<Policy> Project IAM Role Policies    
timeout_mins Int Timeout in Minutes   60

Base Schemas Deployable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineSourceCodeCommit

CodeCommit DeploymentPipeline Source Stage

DeploymentPipelineSourceCodeCommit
Field name Type Purpose Constraints Default
codecommit_repository PacoReference CodeCommit Repository Paco Reference to CodeCommitRepository.  
deployment_branch_name String Deployment Branch Name    

Base Schemas Deployable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineStageAction

Deployment Pipeline Source Stage

DeploymentPipelineStageAction
Field name Type Purpose Constraints Default
run_order Int The order in which to run this stage   1
type String The type of DeploymentPipeline Source Stage    

Base Schemas Deployable, Named, Title

DeploymentPipelineConfiguration

Deployment Pipeline General Configuration

DeploymentPipelineConfiguration
Field name Type Purpose Constraints Default
account PacoReference The account where Pipeline tools will be provisioned. Paco Reference to Account.  
artifacts_bucket PacoReference Artifacts S3 Bucket Reference Paco Reference to S3Bucket.  

Base Schemas Named, Title

DeploymentGroupS3Location

DeploymentGroupS3Location
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket revision location Paco Reference to S3Bucket.  
bundle_type String Bundle Type Must be one of JSON, tar, tgz, YAML or zip.  
key String The name of the Amazon S3 object that represents the bundled artifacts for the application revision.    

EBS

Elastic Block Store (EBS) Volume.

It is required to specify the availability_zone the EBS Volume will be created in. If the volume is going to be used by an ASG, it should launch an instance in the same availability_zone (and region).

Example EBS resource YAML
type: EBS
order: 5
enabled: true
size_gib: 4
volume_type: gp2
availability_zone: 1
EBS
Field name Type Purpose Constraints Default
availability_zone Int Availability Zone to create Volume in.    
size_gib Int Volume Size in GiB   10
snapshot_id String Snapshot ID    
volume_type String Volume Type Must be one of: gp2 | io1 | sc1 | st1 | standard gp2

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EC2

EC2 Instance

EC2
Field name Type Purpose Constraints Default
associate_public_ip_address Boolean Associate Public IP Address   False
disable_api_termination Boolean Disable API Termination   False
instance_ami String Instance AMI    
instance_key_pair PacoReference key pair for connections to instance Paco Reference to EC2KeyPair.  
instance_type String Instance type    
private_ip_address String Private IP Address    
root_volume_size_gb Int Root volume size GB   8
security_groups List<PacoReference> Security groups Paco Reference to SecurityGroup.  
segment String Segment    
user_data_script String User data script    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EIP

Elastic IP (EIP) resource.

Example EIP resource YAML
type: EIP
order: 5
enabled: true
dns:
  - domain_name: example.com
    hosted_zone: paco.ref resource.route53.examplecom
    ttl: 60
EIP
Field name Type Purpose Constraints Default
dns List<DNS> List of DNS for the EIP    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EFS

AWS Elastic File System (EFS) resource.

Example EFS resource YAML
type: EFS
order: 20
enabled: true
encrypted: false
segment: private
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.cloud.content
EFS
Field name Type Purpose Constraints Default
encrypted Boolean Encryption at Rest   False
security_groups List<PacoReference> Security groups the EFS belongs to Paco Reference to SecurityGroup.  
segment String Segment    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ElastiCache

Base ElastiCache Interface

ElastiCache
Field name Type Purpose Constraints Default
at_rest_encryption Boolean Enable encryption at rest    
auto_minor_version_upgrade Boolean Enable automatic minor version upgrades    
automatic_failover_enabled Boolean Specifies whether a read-only replica is automatically promoted to read/write primary if the existing primary fails    
az_mode String AZ mode    
cache_clusters Int Number of Cache Clusters    
cache_node_type String Cache Node Instance type    
description String Replication Description    
engine String ElastiCache Engine    
engine_version String ElastiCache Engine Version    
maintenance_preferred_window String Preferred maintenance window    
number_of_read_replicas Int Number of read replicas    
parameter_group PacoReference|String Parameter Group name Paco Reference to Interface. String Ok.  
port Int Port    
security_groups List<PacoReference> List of Security Groups Paco Reference to SecurityGroup.  
segment PacoReference Segment Paco Reference to Segment.  

ElastiCacheRedis

Redis ElastiCache Interface

ElastiCacheRedis
Field name Type Purpose Constraints Default
cache_parameter_group_family String Cache Parameter Group Family    
snapshot_retention_limit_days Int Snapshot Retention Limit in Days    
snapshot_window String The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node group (shard).    

Base Schemas ElastiCache, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ElasticsearchDomain

Amazon Elasticsearch Service (Amazon ES) is a managed service for Elasticsearch clusters. An Amazon ES domain is synonymous with an Elasticsearch cluster. Domains are clusters with the settings, instance types, instance counts, and storage resources that you specify.

example Elasticsearch configuration
type: ElasticsearchDomain
order: 10
title: "Elasticsearch Domain"
enabled: true
access_policies_json: ./es-config/es-access.json
advanced_options:
  indices.fielddata.cache.size: ""
  rest.action.multi.allow_explicit_index: "true"
cluster:
  instance_count: 2
  zone_awareness_enabled: false
  instance_type: "t2.micro.elasticsearch"
  dedicated_master_enabled: true
  dedicated_master_type: "t2.micro.elasticsearch"
  dedicated_master_count: 2
ebs_volumes:
  enabled: true
  iops: 0
  volume_size_gb: 10
  volume_type: 'gp2'
segment: web
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.search
ElasticsearchDomain
Field name Type Purpose Constraints Default
access_policies_json StringFileReference Policy document that specifies who can access the Amazon ES domain and their permissions.    
advanced_options Container<ESAdvancedOptions> Advanced Options    
cluster Object<ElasticsearchCluster> Elasticsearch Cluster configuration    
ebs_volumes Object<EBSOptions> EBS volumes that are attached to data nodes in the Amazon ES domain.    
elasticsearch_version String The version of Elasticsearch to use, such as 2.3.   1.5
node_to_node_encryption Boolean Enable node-to-node encryption    
security_groups List<PacoReference> List of Security Groups Paco Reference to SecurityGroup.  
segment String Segment    
snapshot_start_hour Int The hour in UTC during which the service takes an automated daily snapshot of the indices in the Amazon ES domain.    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ElasticsearchCluster

ElasticsearchCluster
Field name Type Purpose Constraints Default
dedicated_master_count Int The number of instances to use for the master node. If you specify this field, you must specify true for the dedicated_master_enabled field.  
dedicated_master_enabled Boolean Indicates whether to use a dedicated master node for the Amazon ES domain.    
dedicated_master_type String The hardware configuration of the computer that hosts the dedicated master node Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html  
instance_count Int The number of data nodes (instances) to use in the Amazon ES domain.    
instance_type String The instance type for your data nodes. Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html  
zone_awareness_availability_zone_count Int If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use.   2
zone_awareness_enabled Boolean Enable zone awareness for the Amazon ES domain.    

EBSOptions

EBSOptions
Field name Type Purpose Constraints Default
enabled Boolean Specifies whether Amazon EBS volumes are attached to data nodes in the Amazon ES domain.    
iops Int The number of I/O operations per second (IOPS) that the volume supports.    
volume_size_gb Int The size (in GiB) of the EBS volume for each data node. The minimum and maximum size of an EBS volume depends on the EBS volume type and the instance type to which it is attached.  
volume_type String The EBS volume type to use with the Amazon ES domain. Must be one of: standard, gp2, io1, st1, or sc1  

ESAdvancedOptions

An unconstrained set of key-value pairs used to set advanced options for Elasticsearch.

EventsRule

Events Rule

EventsRule
Field name Type Purpose Constraints Default
description String Description    
enabled_state Boolean Enabled State   True
schedule_expression String Schedule Expression    
targets List<EventTarget> The AWS Resources that are invoked when the Rule is triggered.    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EventTarget

EventTarget
Field name Type Purpose Constraints Default
input_json String Valid JSON passed as input to the target.    
target PacoReference Paco Reference to an AWS Resource to invoke Paco Reference to Interface.  

Base Schemas Named, Title

Lambda

Lambda Functions allow you to run code without provisioning servers and only pay for the compute time when the code is running.

The code for the Lambda function can be specified in one of three ways in the code: field:

  • S3 Bucket artifact: Supply an s3_bucket and s3_key where you have an existing code artifact file.
  • Local file: Supply the zipfile as a path to a local file on disk. This will be inlined into CloudFormation and has a size limitation of only 4 KB.
  • Local directory: Supply the zipfile as a path to a directory on disk. This directory will be packaged into a zip file and Paco will create an S3 Bucket where it will upload and manage Lambda deployment artifacts.
Lambda code from S3 Bucket or local disk
code:
    s3_bucket: my-bucket-name
    s3_key: 'myapp-1.0.zip'

code:
    zipfile: ./lambda-dir/my-lambda.py

code:
    zipfile: ~/code/my-app/lambda_target/
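The three code: forms above, worked through in an added example that is not Paco's own implementation: resolve_lambda_code and package_directory are hypothetical helpers that pick the deployment mode, enforce the inline size limit from the LambdaFunctionCode table, and package a directory the way a deploy step would; the sample directory and files are constructed in a temporary folder.

```python
"""Resolve the three forms of the Paco Lambda ``code:`` field (illustrative, not Paco's code)."""
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Inline ZipFile code is capped at 4096 characters (LambdaFunctionCode table).
INLINE_LIMIT_CHARS = 4096


def resolve_lambda_code(code: dict, base_dir: str = ".") -> dict:
    """Return a dict describing how the package will be deployed.

    Raises ValueError for inconsistent, missing or oversize configuration.
    """
    has_s3 = "s3_bucket" in code or "s3_key" in code
    has_zip = "zipfile" in code
    if has_s3 and has_zip:
        raise ValueError("code: must use either s3_bucket/s3_key or zipfile, not both")
    if has_s3:
        if not (code.get("s3_bucket") and code.get("s3_key")):
            raise ValueError("code: S3 artifact needs both s3_bucket and s3_key")
        return {"mode": "s3", "bucket": code["s3_bucket"], "key": code["s3_key"]}
    if not has_zip:
        raise ValueError("code: needs s3_bucket/s3_key or zipfile")

    path = Path(os.path.expanduser(code["zipfile"]))
    if not path.is_absolute():
        path = Path(base_dir) / path
    if path.is_file():
        # Local file: the source is inlined into the template, so the limit applies.
        source = path.read_text(encoding="utf-8")
        if len(source) > INLINE_LIMIT_CHARS:
            raise ValueError(
                f"{path} is {len(source)} characters; inline code is limited to "
                f"{INLINE_LIMIT_CHARS}. Point zipfile at a directory instead."
            )
        return {"mode": "inline", "source": source}
    if path.is_dir():
        # Local directory: packaged into a zip artifact for upload.
        return {"mode": "package", "archive": package_directory(path)}
    raise ValueError(f"zipfile path {path} does not exist")


def package_directory(directory: Path) -> bytes:
    """Zip a directory tree into an in-memory deployment artifact.

    Archive paths are relative to ``directory`` and use forward slashes,
    which is what Lambda expects when it unpacks the package.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for file in sorted(p for p in directory.rglob("*") if p.is_file()):
            zf.write(file, file.relative_to(directory).as_posix())
    return buf.getvalue()


def archive_members(archive: bytes) -> list:
    """List the file names inside a package produced by package_directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sorted(zf.namelist())


def demo() -> dict:
    """Exercise all three modes against a constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "lambda_target"
        app.mkdir()
        (app / "myapp.py").write_text("def lambda_handler(event, context):\n    return 'ok'\n")
        (app / "lib").mkdir()
        (app / "lib" / "helper.py").write_text("VALUE = 1\n")
        big = Path(tmp) / "big.py"
        big.write_text("# " + "x" * INLINE_LIMIT_CHARS)  # two characters over the limit

        results = {
            "s3": resolve_lambda_code({"s3_bucket": "my-bucket-name", "s3_key": "myapp-1.0.zip"})["mode"],
            "inline": resolve_lambda_code({"zipfile": "lambda_target/myapp.py"}, base_dir=tmp)["mode"],
            "package": archive_members(
                resolve_lambda_code({"zipfile": "lambda_target/"}, base_dir=tmp)["archive"]),
        }
        try:
            resolve_lambda_code({"zipfile": str(big)})
            results["oversize"] = "accepted"
        except ValueError:
            results["oversize"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```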
Lambda function resource YAML
type: Lambda
enabled: true
order: 1
title: 'My Lambda Application'
description: 'Checks the Widgets Service and applies updates to a Route 53 Record Set.'
code:
    s3_bucket: my-bucket-name
    s3_key: 'myapp-1.0.zip'
environment:
    variables:
    - key: 'VAR_ONE'
      value: 'hey now!'
    - key: 'VAR_TWO'
      value: 'Hank Kingsley'
iam_role:
    enabled: true
    policies:
      - name: DNSRecordSet
        statement:
          - effect: Allow
            action:
              - route53:ChangeResourceRecordSets
            resource:
              - 'arn:aws:route53:::hostedzone/AJKDU9834DUY934'
handler: 'myapp.lambda_handler'
memory_size: 128
runtime: 'python3.7'
timeout: 900
expire_events_after_days: 90
log_group_names:
  - AppGroupOne
sns_topics:
  - paco.ref netenv.app.applications.app.groups.web.resources.snstopic
vpc_config:
    segments:
      - paco.ref netenv.app.network.vpc.segments.public
    security_groups:
      - paco.ref netenv.app.network.vpc.security_groups.app.function
Lambda
Field name Type Purpose Constraints Default
code Object<LambdaFunctionCode> The function deployment package.    
description String A description of the function.    
environment Object<LambdaEnvironment> Lambda Function Environment    
handler String Function Handler    
iam_role Object<Role> The IAM Role this Lambda will execute as.    
layers List<String> Layers Up to 5 Layer ARNs  
log_group_names List<String> Log Group names List of Log Group names []
memory_size Int Function memory size (MB)   128
reserved_concurrent_executions Int Reserved Concurrent Executions   0
runtime String Runtime environment   python3.7
sdb_cache Boolean SDB Cache Domain   False
sns_topics List<PacoReference> List of SNS Topic Paco references or SNS Topic ARNs to subscribe the Lambda to. Paco Reference to SNSTopic. String Ok.  
timeout Int Max function execution time in seconds. Must be between 0 and 900 seconds.  
vpc_config Object<LambdaVpcConfig> Vpc Configuration    

Base Schemas Resource, DNSEnablable, Deployable, CloudWatchLogRetention, Monitorable, Named, Title, Type

LambdaFunctionCode

The deployment package for a Lambda function.

LambdaFunctionCode
Field name Type Purpose Constraints Default
s3_bucket PacoReference|String An Amazon S3 bucket in the same AWS Region as your function Paco Reference to S3Bucket. String Ok.  
s3_key String The Amazon S3 key of the deployment package.    
zipfile LocalPath The function code as a local file or directory. Maximum of 4096 characters.  

LambdaEnvironment

Lambda Environment

LambdaEnvironment
Field name Type Purpose Constraints Default
variables List<LambdaVariable> Lambda Function Variables    

LambdaVpcConfig

Lambda VPC Configuration

LambdaVpcConfig
Field name Type Purpose Constraints Default
security_groups List<PacoReference> List of VPC Security Group Ids Paco Reference to SecurityGroup.  
segments List<PacoReference> VPC Segments to attach the function Paco Reference to Segment.  

Base Schemas Named, Title

LambdaVariable

Lambda Environment Variable

LambdaVariable
Field name Type Purpose Constraints Default
key String Variable Name    
value PacoReference|String String Value or a Paco Reference to a resource output Paco Reference to Interface. String Ok.  

LBApplication

The LBApplication resource type creates an Application Load Balancer. Use load balancers to route traffic from the internet to your web servers.

Load balancers have listeners which accept requests on specified ports and protocols. If a listener uses the HTTPS protocol, it can have a Paco reference to an SSL Certificate. A listener can then either redirect the traffic to another port/protocol or send it to one of its named target_groups.

Each target group specifies its health check configuration. To specify which resources will belong to a target group, use the target_groups field on an ASG resource.

Example LBApplication load balancer resource YAML
type: LBApplication
enabled: true
enable_access_logs: true
target_groups:
    api:
        health_check_interval: 30
        health_check_timeout: 10
        healthy_threshold: 2
        unhealthy_threshold: 2
        port: 3000
        protocol: HTTP
        health_check_http_code: 200
        health_check_path: /
        connection_drain_timeout: 30
listeners:
    http:
        port: 80
        protocol: HTTP
        redirect:
            port: 443
            protocol: HTTPS
    https:
        port: 443
        protocol: HTTPS
        ssl_certificates:
            - paco.ref netenv.app.applications.app.groups.certs.resources.root
        target_group: api
dns:
    - hosted_zone: paco.ref resource.route53.mynetenv
      domain_name: api.example.com
scheme: internet-facing
security_groups:
    - paco.ref netenv.app.network.vpc.security_groups.app.alb
segment: public
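A configuration check for the listener and target group wiring just described, as an added example that is not part of Paco: check_lbapplication is a hypothetical helper, the resource is the YAML above written out as a Python dict, and a second constructed variant shows the mistakes it catches (a plaintext listener that forwards instead of redirecting, and a reference to a target group that is not defined).

```python
"""Check the listener and target_group wiring of a Paco LBApplication (illustrative, not Paco's code)."""


def check_lbapplication(lb: dict) -> list:
    """Return human-readable findings; an empty list means the wiring is clean."""
    findings = []
    target_groups = lb.get("target_groups", {})
    listeners = lb.get("listeners", {})

    for name, listener in listeners.items():
        proto = listener.get("protocol")
        redirect = listener.get("redirect")
        tg_name = listener.get("target_group")
        rule_tgs = [r.get("target_group") for r in listener.get("rules", {}).values()]

        # A listener needs somewhere to send traffic: a redirect or a target group.
        if redirect is None and tg_name is None and not rule_tgs:
            findings.append(f"listener {name}: no redirect, target_group or rules")
        # Every referenced target group must be defined on this load balancer.
        for ref in [tg_name] + rule_tgs:
            if ref is not None and ref not in target_groups:
                findings.append(f"listener {name}: target_group '{ref}' is not defined")
        # Plaintext listeners should only bounce clients to the HTTPS listener.
        if proto == "HTTP" and redirect is None:
            findings.append(f"listener {name}: HTTP listener forwards traffic instead of redirecting to HTTPS")
        if redirect is not None and redirect.get("protocol") != "HTTPS":
            findings.append(f"listener {name}: redirect does not go to HTTPS")
        # HTTPS listeners need at least one certificate reference to terminate TLS.
        if proto == "HTTPS" and not listener.get("ssl_certificates"):
            findings.append(f"listener {name}: HTTPS listener has no ssl_certificates")

    for name, tg in target_groups.items():
        interval = tg.get("health_check_interval")
        timeout = tg.get("health_check_timeout")
        if interval is None or timeout is None:
            findings.append(f"target_group {name}: health check interval/timeout not set")
        elif timeout >= interval:
            # Each check must finish before the next one starts.
            findings.append(f"target_group {name}: health_check_timeout must be shorter than health_check_interval")
    return findings


CERT_REF = "paco.ref netenv.app.applications.app.groups.certs.resources.root"

# Constructed input: the example resource above, as Python data.
GOOD_LB = {
    "type": "LBApplication",
    "target_groups": {
        "api": {"health_check_interval": 30, "health_check_timeout": 10,
                "healthy_threshold": 2, "unhealthy_threshold": 2,
                "port": 3000, "protocol": "HTTP",
                "health_check_http_code": 200, "health_check_path": "/"},
    },
    "listeners": {
        "http": {"port": 80, "protocol": "HTTP",
                 "redirect": {"port": 443, "protocol": "HTTPS"}},
        "https": {"port": 443, "protocol": "HTTPS",
                  "ssl_certificates": [CERT_REF], "target_group": "api"},
    },
}

# Constructed variant with two wiring mistakes: the HTTP listener forwards
# straight to the target group, and the HTTPS listener names a missing group.
BAD_LB = {
    "type": "LBApplication",
    "target_groups": GOOD_LB["target_groups"],
    "listeners": {
        "http": {"port": 80, "protocol": "HTTP", "target_group": "api"},
        "https": {"port": 443, "protocol": "HTTPS",
                  "ssl_certificates": [CERT_REF], "target_group": "web"},
    },
}

if __name__ == "__main__":
    for finding in check_lbapplication(BAD_LB):
        print(finding)
```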
LBApplication
Field name Type Purpose Constraints Default
access_logs_bucket PacoReference Bucket to store access logs in Paco Reference to S3Bucket.  
access_logs_prefix String Access Logs S3 Bucket prefix    
dns List<DNS> List of DNS for the ALB    
enable_access_logs Boolean Write access logs to an S3 Bucket    
idle_timeout_secs Int Idle timeout in seconds The idle timeout value, in seconds. 60
listeners Container<Listeners> Listeners    
scheme Choice Scheme    
security_groups List<PacoReference> Security Groups Paco Reference to SecurityGroup.  
segment String Id of the segment stack    
target_groups Container<TargetGroups> Target Groups    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

DNS

DNS
Field name Type Purpose Constraints Default
domain_name PacoReference|String Domain name Paco Reference to Route53HostedZone. String Ok.  
hosted_zone PacoReference|String Hosted Zone Id Paco Reference to Route53HostedZone. String Ok.  
ssl_certificate PacoReference SSL certificate Reference Paco Reference to AWSCertificateManager.  
ttl Int TTL   300

Listeners

Container for Listener objects.

Listeners Container<Listener>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

Listener

Listener
Field name Type Purpose Constraints Default
redirect Object<PortProtocol> Redirect    
rules Container<ListenerRule> Container of listener rules    
ssl_certificates List<PacoReference> List of SSL certificate References Paco Reference to AWSCertificateManager.  
ssl_policy Choice SSL Policy    
target_group String Target group    

Base Schemas PortProtocol

ListenerRule

ListenerRule
Field name Type Purpose Constraints Default
host String Host header value    
path_pattern List<String> List of paths to match    
priority Int Forward condition priority   1
redirect_host String The host to redirect to    
rule_type String Type of Rule    
target_group String Target group name    

Base Schemas Deployable

PortProtocol

Port and Protocol

PortProtocol
Field name Type Purpose Constraints Default
port Int Port    
protocol Choice Protocol    

TargetGroups

Container for TargetGroup objects.

TargetGroups Container<TargetGroup>
Field name Type Purpose Constraints Default

Base Schemas Named, Title

TargetGroup

Target Group

TargetGroup
Field name Type Purpose Constraints Default
connection_drain_timeout Int Connection drain timeout    
health_check_http_code String Health check HTTP codes    
health_check_interval Int Health check interval    
health_check_path String Health check path   /
health_check_timeout Int Health check timeout    
healthy_threshold Int Healthy threshold    
unhealthy_threshold Int Unhealthy threshold    

Base Schemas Resource, DNSEnablable, Deployable, Named, PortProtocol, Title, Type

IoTTopicRule

IoTTopicRule allows you to create a list of actions that will be triggered by an MQTT message coming in to IoT Core.

example IoTTopicRule configuration
type: IoTTopicRule
title: Rule to take action for MQTT messages sent to 'sensor/example'
order: 20
enabled: true
actions:
  - awslambda:
      function: paco.ref netenv.mynet.applications.app.groups.app.resources.iotlambda
  - iotanalytics:
      pipeline: paco.ref netenv.mynet.applications.app.groups.app.resources.analyticspipeline
aws_iot_sql_version: '2016-03-23'
rule_enabled: true
sql: "SELECT * FROM 'sensor/example'"
IoTTopicRule
Field name Type Purpose Constraints Default
actions List<IoTTopicRuleAction> Actions An IoTTopicRule must define at least one action. []
aws_iot_sql_version String AWS IoT SQL Version   2016-03-23
rule_enabled Boolean Rule is Enabled   True
sql String SQL statement used to query the topic Must be a valid Sql statement  

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

IoTTopicRuleAction

IoTTopicRuleAction
Field name Type Purpose Constraints Default
awslambda Object<IoTTopicRuleLambdaAction> Lambda Action    
iotanalytics Object<IoTTopicRuleIoTAnalyticsAction> IoT Analytics Action    

IoTTopicRuleIoTAnalyticsAction

IoTTopicRuleIoTAnalyticsAction
Field name Type Purpose Constraints Default
pipeline PacoReference IoT Analytics pipeline Paco Reference to IoTAnalyticsPipeline.  

IoTTopicRuleLambdaAction

IoTTopicRuleLambdaAction
Field name Type Purpose Constraints Default
function PacoReference Lambda function Paco Reference to Lambda.  

IoTAnalyticsPipeline

An IoTAnalyticsPipeline composes four closely related resources: IoT Analytics Channel, IoT Analytics Pipeline, IoT Analytics Datastore and IoT Analytics Dataset.

An IoT Analytics Pipeline begins with a Channel. A Channel is an S3 Bucket of raw incoming messages. A Channel provides an ARN that an IoTTopicRule can send MQTT messages to. These messages can later be re-processed if the analysis pipeline changes. Use the channel_storage field to configure the Channel storage.

Next the Pipeline applies a series of pipeline_activities to the incoming Channel messages. After any message modifications have been made, they are stored in a Datastore.

A Datastore is S3 Bucket storage of messages that are ready to be analyzed. Use the datastore_storage field to configure the Datastore storage. The optional datastore_name field gives your Datastore a fixed name; this is useful when a Dataset uses SQL Query analysis, which must name the Datastore in its SELECT query. Note that a fixed datastore_name does not vary by Environment, so if you set it, it is recommended to use different Regions and Accounts for each IoTAnalytics environment.

Lastly the Datastore can be analyzed and have the resulting output saved as a Dataset. There may be multiple Datasets to create different analysis of the data. Datasets can be analyzed on a managed host running a Docker container or with an SQL Query to create subsets of a Datastore suitable for analysis with tools such as AWS QuickSight.

example IoTAnalyticsPipeline configuration
type: IoTAnalyticsPipeline
title: My IoT Analytics Pipeline
order: 100
enabled: true
channel_storage:
  bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
  key_prefix: raw_input/
pipeline_activities:
  adddatetime:
    activity_type: lambda
    function: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotfunc
    batch_size: 10
  filter:
    activity_type: filter
    filter: "temperature > 0"
datastore_name: example
datastore_storage:
  expire_events_after_days: 30
datasets:
  hightemp:
    query_action:
      sql_query: "SELECT * FROM example WHERE temperature > 20"
    content_delivery_rules:
      s3temperature:
        s3_destination:
          bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
          key: "/HighTemp/!{iotanalytics:scheduleTime}/!{iotanalytics:versionId}.csv"
    expire_events_after_days: 3
    version_history: 5
IoTAnalyticsPipeline
Field name Type Purpose Constraints Default
channel_storage Object<IotAnalyticsStorage> IoT Analytics Channel raw storage    
datasets Container<IoTDatasets> IoT Analytics Datasets    
datastore_name String Datastore name    
datastore_storage Object<IotAnalyticsStorage> IoT Analytics Datastore storage    
pipeline_activities Container<IoTPipelineActivities> IoT Analytics Pipeline Activities    

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

IoTDatasets

Container for IoTDataset objects.

IoTDatasets Container<IoTDataset>
Field name Type Purpose Constraints Default
         

Base Schemas Named, Title

IoTDataset

IoTDataset
Field name Type Purpose Constraints Default
container_action Object<DatasetContainerAction> Dataset Container action    
content_delivery_rules Container<DatasetContentDeliveryRules> Content Delivery Rules    
query_action Object<DatasetQueryAction> SQL Query action    
triggers List<DatasetTrigger> Triggers   []
version_history Int How many versions of dataset contents are kept. 0 indicates Unlimited. If not specified or set to null, only the latest version plus the latest succeeded version (if they are different) are kept for the time period specified by expire_events_after_days field.    

Base Schemas StorageRetention, Named, Title

DatasetTrigger

DatasetTrigger
Field name Type Purpose Constraints Default
schedule_expression String Schedule Expression    
triggering_dataset String Triggering Dataset    

DatasetContentDeliveryRules

Container for DatasetContentDeliveryRule objects.

DatasetContentDeliveryRules Container<DatasetContentDeliveryRule>
Field name Type Purpose Constraints Default
         

Base Schemas Named, Title

DatasetContentDeliveryRule

DatasetContentDeliveryRule
Field name Type Purpose Constraints Default
s3_destination Object<DatasetS3Destination> S3 Destination    

Base Schemas Named, Title

DatasetS3Destination

DatasetS3Destination
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket Paco Reference to S3Bucket.  
key String Key    

DatasetQueryAction

DatasetQueryAction
Field name Type Purpose Constraints Default
filters List<String> Filters   []
sql_query String Sql Query Dataset Action object    

Base Schemas Named, Title

DatasetContainerAction

DatasetContainerAction
Field name Type Purpose Constraints Default
image_arn String Image ARN    
resource_compute_type Choice Resource Compute Type Either ACU_1 (vCPU=4, memory=16 GiB) or ACU_2 (vCPU=8, memory=32 GiB)  
resource_volume_size_gb Int Resource Volume Size in GB    
variables Container<DatasetVariables> Variables    

Base Schemas Named, Title

DatasetVariables

Container for DatasetVariable objects.

DatasetVariables Container<DatasetVariable>
Field name Type Purpose Constraints Default
         

Base Schemas Named, Title

DatasetVariable

DatasetVariable
Field name Type Purpose Constraints Default
double_value Float Double Value    
output_file_uri_value String Output file URI value The URI of the location where dataset contents are stored, usually the URI of a file in an S3 bucket.  
string_value String String Value    

Base Schemas Named, Title

IoTPipelineActivities

Container for IoTPipelineActivity objects.

IoTPipelineActivities Container<IoTPipelineActivity>
Field name Type Purpose Constraints Default
         

Base Schemas Named, Title

IoTPipelineActivity

Each activity must have an activity_type and supply the fields specific to that type. There is an implicit Channel activity before all other activities and an implicit Datastore activity after all other activities.

IoTPipelineActivity
Field name Type Purpose Constraints Default
activity_type String Activity Type    
attribute String Attribute    
attribute_list List<String> Attribute List    
attributes Container<Attributes> Attributes    
batch_size Int Batch Size    
filter String Filter    
function PacoReference Lambda function Paco Reference to Lambda.  
math String Math    
thing_name String Thing Name    

Base Schemas Named, Title
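The flow described above (Channel, then pipeline_activities in order, then Datastore, then a Dataset SQL query against the Datastore by name) can be traced end to end on a few constructed messages. The following in-memory model is an added example and is not part of Paco or of AWS IoT Analytics; it assumes only the two activity_type values used in the page's example, lambda and filter, represents the Lambda function by a plain Python callable, and restricts filter expressions to the form `<attribute> <op> <number>`, which it parses with a regular expression rather than handing the string to eval().

```python
import operator
import re
from typing import Callable, Dict, List

Message = Dict[str, object]

# Comparison operators accepted in a filter expression (constructed subset, not the AWS grammar).
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq, "!=": operator.ne}
_FILTER_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(>=|<=|!=|>|<|=)\s*(-?\d+(?:\.\d+)?)\s*$")


def compile_filter(expr: str) -> Callable[[Message], bool]:
    """Parse '<attribute> <op> <number>' into a predicate; anything outside that grammar is
    rejected rather than evaluated, so a filter string can never execute code."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    attr, op, num = m.group(1), _OPS[m.group(2)], float(m.group(3))

    def pred(msg: Message) -> bool:
        value = msg.get(attr)
        # Missing or non-numeric attributes fail the filter instead of raising.
        return isinstance(value, (int, float)) and not isinstance(value, bool) and op(value, num)
    return pred


def run_pipeline(channel: List[Message], activities: List[dict]) -> List[Message]:
    """Apply pipeline_activities in order. The Channel is the implicit first activity and the
    returned list is what the implicit Datastore activity would persist."""
    batch = [dict(m) for m in channel]  # copy: the raw Channel must stay intact for re-processing
    for act in activities:
        kind = act["activity_type"]
        if kind == "lambda":
            fn: Callable[[List[Message]], List[Message]] = act["function"]
            size = max(1, int(act.get("batch_size", 1)))
            out: List[Message] = []
            for i in range(0, len(batch), size):
                out.extend(fn(batch[i:i + size]))
            batch = out
        elif kind == "filter":
            keep = compile_filter(act["filter"])
            batch = [m for m in batch if keep(m)]
        else:
            raise ValueError(f"unsupported activity_type: {kind!r}")
    return batch


def query_dataset(datastores: Dict[str, List[Message]], sql_query: str) -> List[Message]:
    """Minimal 'SELECT * FROM <datastore_name> WHERE <filter>' over in-memory datastores.
    The FROM name must match a datastore_name, which is why the page suggests fixing it."""
    m = re.match(r"^\s*SELECT\s+\*\s+FROM\s+([A-Za-z_][A-Za-z0-9_]*)\s+WHERE\s+(.+?)\s*$",
                 sql_query, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported sql_query: {sql_query!r}")
    name, where = m.group(1), m.group(2)
    if name not in datastores:
        raise KeyError(f"no datastore named {name!r}")
    keep = compile_filter(where)
    return [msg for msg in datastores[name] if keep(msg)]


def add_datetime(batch: List[Message]) -> List[Message]:
    """Stands in for the 'iotfunc' Lambda of the page's example (constructed, fixed timestamp)."""
    return [dict(m, received_at="2024-01-01T00:00:00Z") for m in batch]


# Constructed sample messages, as they would arrive in the Channel via an IoTTopicRule.
RAW_CHANNEL: List[Message] = [
    {"thing": "sensor-1", "temperature": 25},
    {"thing": "sensor-2", "temperature": -3},      # dropped by "temperature > 0"
    {"thing": "sensor-3", "temperature": 18},
    {"thing": "sensor-4", "temperature": "hot"},   # malformed value: dropped, not an error
]

# Mirrors the page's pipeline_activities: adddatetime (lambda) followed by filter.
ACTIVITIES = [
    {"activity_type": "lambda", "function": add_datetime, "batch_size": 10},
    {"activity_type": "filter", "filter": "temperature > 0"},
]


def demo():
    """Run the page's pipeline and its hightemp dataset query; returns (datastore, hightemp)."""
    datastore = run_pipeline(RAW_CHANNEL, ACTIVITIES)
    hightemp = query_dataset({"example": datastore},
                             "SELECT * FROM example WHERE temperature > 20")
    return datastore, hightemp


if __name__ == "__main__":
    ds, hot = demo()
    print(f"datastore holds {len(ds)} messages, hightemp dataset holds {len(hot)}")
```

Two behaviours are worth noticing: the raw Channel list is copied before any activity touches it, mirroring the point that Channel messages stay available for re-processing, and a malformed attribute value is simply filtered out rather than aborting the batch.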

Attributes

Dictionary of Attributes

Attributes
Field name Type Purpose Constraints Default
         

Base Schemas Named, Title

IotAnalyticsStorage

IotAnalyticsStorage
Field name Type Purpose Constraints Default
bucket PacoReference S3 Bucket Paco Reference to S3Bucket.  
key_prefix String Key Prefix for S3 Bucket    

Base Schemas StorageRetention, Named, Title

StorageRetention

StorageRetention
Field name Type Purpose Constraints Default
expire_events_after_days Int Expire Events After Days Must be 1 or greater. If set to an explicit 0 then it is considered unlimited. 0

ManagedPolicy

IAM Managed Policy

ManagedPolicy
Field name Type Purpose Constraints Default
path String Path   /
policy_name String Policy Name used in AWS. This will be prefixed with an 8 character hash.    
roles List<String> List of Role Names    
statement List<Statement> Statements    
users List<String> List of IAM Users    

Base Schemas Deployable, Named, Title

RDS

Relational Database Service (RDS) is a collection of relational databases.

There is no plain RDS type; instead, choose the type that specifies which relational database engine to use. For example, use RDSMysql for MySQL on RDS or RDSAurora for an Amazon Aurora database.

If you want to use DB Parameter Groups with your RDS, then use the parameter_group field to reference a DBParameterGroup resource. Keeping the DB Parameter Group as a separate resource allows you to have multiple Parameter Groups provisioned at the same time. For example, you might have both dbparams_performance and dbparams_debug resources, allowing you to use the AWS Console to switch between the performance and debug configurations quickly in an emergency.

RDSMysql resource example
type: RDSMysql
order: 1
title: "Joe's MySQL Database server"
enabled: true
engine_version: 5.7.26
db_instance_type: db.t3.micro
port: 3306
storage_type: gp2
storage_size_gb: 20
storage_encrypted: true
multi_az: true
allow_major_version_upgrade: false
auto_minor_version_upgrade: true
publically_accessible: false
master_username: root
master_user_password: "change-me"
backup_preferred_window: 08:00-08:30
backup_retention_period: 7
maintenance_preferred_window: 'sat:10:00-sat:10:30'
license_model: "general-public-license"
cloudwatch_logs_exports:
  - error
  - slowquery
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.mynet.network.vpc.segments.private
primary_domain_name: database.example.internal
primary_hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance

RDSOptionConfiguration

Option groups enable and configure features that are specific to a particular DB engine.

RDSOptionConfiguration
Field name Type Purpose Constraints Default
option_name String Option Name    
option_settings List<NameValuePair> List of option name value pairs.    
option_version String Option Version    
port String Port    

NameValuePair

A Name/Value pair to use for RDS Option Group configuration

NameValuePair
Field name Type Purpose Constraints Default
name String Name    
value String Value    

RDSMysql

RDS for MySQL

RDSMysql
Field name Type Purpose Constraints Default
         

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type

RDSPostgresql

RDS for Postgresql

RDSPostgresql
Field name Type Purpose Constraints Default
         

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type

RDSAurora

RDS Aurora

RDSAurora
Field name Type Purpose Constraints Default
secondary_domain_name PacoReference|String Secondary Domain Name Paco Reference to Route53HostedZone. String Ok.  
secondary_hosted_zone PacoReference Secondary Hosted Zone Paco Reference to Route53HostedZone.  

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

DBParameterGroup

DBParameterGroup

DBParameterGroup
Field name Type Purpose Constraints Default
description String Description    
family String Database Family    
parameters Container<DBParameters> Database Parameter set    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

DBParameters

An unconstrained set of key-value pairs.

Route53HealthCheck

Route53 Health Check

Route53HealthCheck
Field name Type Purpose Constraints Default
domain_name String Fully Qualified Domain Name Either this or the load_balancer field can be set but not both.  
enable_sni Boolean Enable SNI   False
failure_threshold Int Number of consecutive health checks that an endpoint must pass or fail for Amazon Route 53 to change the current status of the endpoint from unhealthy to healthy or vice versa.   3
health_check_type String Health Check Type Must be one of HTTP, HTTPS or TCP  
health_checker_regions List<String> Health checker regions List of AWS Region names (e.g. us-west-2) from which to make health checks.  
ip_address PacoReference|String IP Address Paco Reference to EIP. String Ok.  
latency_graphs Boolean Measure latency and display CloudWatch graph in the AWS Console   False
load_balancer PacoReference|String Load Balancer Endpoint Paco Reference to LBApplication. String Ok.  
match_string String String to match in the first 5120 bytes of the response    
port Int Port   80
request_interval_fast Boolean Fast request interval will only wait 10 seconds between each health check response instead of the standard 30   False
resource_path String Resource Path String such as ‘/health.html’. Path should return a 2xx or 3xx. Query string parameters are allowed: ‘/search?query=health’ /

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

S3Bucket

S3Bucket is an object storage resource in the Amazon S3 service.

S3Buckets may be declared either in the global resource/s3.yaml file or in a network environment as an application resource.

S3Buckets in an application context will use the same account and region as the application, although it is still possible to override this to use other accounts and regions if desired.

example S3Bucket resource
type: S3Bucket
title: My S3 Bucket
enabled: true
order: 10
account: paco.ref accounts.data
region: us-west-2
deletion_policy: "delete"
notifications:
  lambdas:
    - paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
cloudfront_origin: false
external_resource: false
versioning: false
policy:
  - principal:
      Service: iotanalytics.amazonaws.com
    effect: 'Allow'
    action:
      - s3:Get*
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:ListMultipartUploadParts
    resource_suffix:
      - '/*'
      - ''
  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.app.groups.site.resources.demo.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''
S3Bucket
Field name Type Purpose Constraints Default
account PacoReference Account that S3 Bucket belongs to. Paco Reference to Account.  
bucket_name String Bucket Name A short unique name to assign the bucket. bucket
cloudfront_origin Boolean Creates and listens for a CloudFront Origin Access Identity   False
deletion_policy String Bucket Deletion Policy   delete
external_resource Boolean Boolean indicating whether the S3 Bucket already exists or not   False
notifications Object<S3NotificationConfiguration> Notification configuration    
policy List<S3BucketPolicy> List of S3 Bucket Policies    
region String Bucket region    
static_website_hosting Object<S3StaticWebsiteHosting> Static website hosting configuration.    
versioning Boolean Enable Versioning on the bucket.   False

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

S3BucketPolicy

S3 Bucket Policy

S3BucketPolicy
Field name Type Purpose Constraints Default
action List<String> List of Actions    
aws List<String> List of AWS Principals. Either this field or the principal field must be set.  
condition Dict Condition Each Key is the Condition name and the Value must be a dictionary of request filters. e.g. { “StringEquals” : { “aws:username” : “johndoe” }} {}
effect String Effect Must be one of: ‘Allow’, ‘Deny’ Deny
principal Dict Principals Either this field or the aws field must be set. Key should be one of: AWS, Federated, Service or CanonicalUser. Value can be either a String or a List. {}
resource_suffix List<String> List of AWS Resources Suffixes    
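The S3BucketPolicy fields above, and the two policy entries in the S3Bucket example earlier in this section, map onto ordinary IAM bucket policy statements. The following added example is not Paco's own rendering code: it turns entries of this shape into statements and then applies the checks a reviewer would run over them (an anonymous principal without a Condition, a Service principal not pinned to a source account or ARN, a wildcard action). It assumes that each resource_suffix is appended to the bucket ARN ('' for the bucket itself, '/*' for every object), that effect defaults to Deny as the table states, and it uses a constructed bucket ARN and a constructed role ARN in place of the page's paco.sub reference.

```python
import json
from typing import Dict, List

# Constructed bucket ARN; Paco substitutes the real bucket when rendering (assumption).
BUCKET_ARN = "arn:aws:s3:::example-bucket-placeholder"

# Condition keys that pin a service principal to a specific caller.
SOURCE_KEYS = {"aws:SourceAccount", "aws:SourceArn", "aws:SourceOrgID"}


def render_statement(entry: dict, bucket_arn: str = BUCKET_ARN) -> dict:
    """Turn one S3BucketPolicy entry into an IAM policy statement.
    Exactly one of 'aws' or 'principal' must be present, as the table states."""
    if ("aws" in entry) == ("principal" in entry):
        raise ValueError("exactly one of 'aws' or 'principal' must be set")
    principal = {"AWS": list(entry["aws"])} if "aws" in entry else dict(entry["principal"])
    stmt = {
        "Effect": entry.get("effect", "Deny"),  # table default is Deny
        "Principal": principal,
        "Action": list(entry["action"]),
        # Assumption: each suffix is appended to the bucket ARN ('' = bucket, '/*' = objects).
        "Resource": [bucket_arn + suffix for suffix in entry.get("resource_suffix", [""])],
    }
    if entry.get("condition"):
        stmt["Condition"] = dict(entry["condition"])
    return stmt


def _principal_values(principal) -> List[str]:
    """Flatten a Principal element (string, or dict of string/list values) into its values."""
    if isinstance(principal, str):
        return [principal]
    values: List[str] = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def _has_source_condition(stmt: dict) -> bool:
    for filters in stmt.get("Condition", {}).values():
        if isinstance(filters, dict) and SOURCE_KEYS & set(filters):
            return True
    return False


def review_statement(stmt: dict) -> List[str]:
    """Findings a reviewer would raise on an Allow statement; Deny statements only narrow access."""
    findings: List[str] = []
    if stmt["Effect"] != "Allow":
        return findings
    principal = stmt["Principal"]
    if "*" in _principal_values(principal) and "Condition" not in stmt:
        findings.append("anonymous principal ('*') without any Condition")
    if isinstance(principal, dict) and "Service" in principal and not _has_source_condition(stmt):
        findings.append("service principal not pinned with aws:SourceAccount/aws:SourceArn "
                        "(confused-deputy exposure)")
    if any(a in ("*", "s3:*") for a in stmt["Action"]):
        findings.append("wildcard action grants the whole S3 API")
    return findings


# The two entries from the page's S3Bucket example; the paco.sub role reference is replaced
# by a constructed ARN standing in for its resolved value.
PAGE_POLICY = [
    {"principal": {"Service": "iotanalytics.amazonaws.com"}, "effect": "Allow",
     "action": ["s3:Get*", "s3:ListBucket", "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts"],
     "resource_suffix": ["/*", ""]},
    {"aws": ["arn:aws:iam::123456789012:role/demo-instance-role-placeholder"], "effect": "Allow",
     "action": ["s3:Get*", "s3:List*"], "resource_suffix": ["/*", ""]},
]

# Constructed: the same service entry, pinned to the owning account through the condition field.
PINNED_ENTRY = dict(PAGE_POLICY[0],
                    condition={"StringEquals": {"aws:SourceAccount": "123456789012"}})

# Constructed: the kind of entry the review should reject outright.
OPEN_ENTRY = {"aws": ["*"], "effect": "Allow", "action": ["s3:*"], "resource_suffix": ["/*"]}


def review_policy(entries: List[dict]) -> Dict[int, List[str]]:
    """Render every entry and return findings keyed by statement index (empty list = clean)."""
    return {i: review_statement(render_statement(e)) for i, e in enumerate(entries)}


if __name__ == "__main__":
    print(json.dumps([render_statement(e) for e in PAGE_POLICY], indent=2))
    for i, f in review_policy(PAGE_POLICY + [PINNED_ENTRY, OPEN_ENTRY]).items():
        print(i, f or "ok")
```

Run against the page's own two entries, the role-principal statement comes back clean while the iotanalytics.amazonaws.com statement is flagged until a condition such as the one in PINNED_ENTRY is added through the condition field of the table above.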

S3LambdaConfiguration

S3LambdaConfiguration
Field name Type Purpose Constraints Default
event String S3 bucket event for which to invoke the AWS Lambda function Must be a supported event type: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html  
function PacoReference Lambda function to notify Paco Reference to Lambda.  

S3NotificationConfiguration

S3NotificationConfiguration
Field name Type Purpose Constraints Default
lambdas List<S3LambdaConfiguration> Lambda configurations    

SNSTopic

Simple Notification Service (SNS) Topic resource.

Example SNSTopic resource YAML
type: SNSTopic
order: 1
enabled: true
display_name: "Waterbear Cloud AWS"
cross_account_access: true
subscriptions:
  - endpoint: http://example.com/yes
    protocol: http
  - endpoint: https://example.com/orno
    protocol: https
  - endpoint: [email protected]
    protocol: email
  - endpoint: [email protected]
    protocol: email-json
  - endpoint: '555-555-5555'
    protocol: sms
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: sqs
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: application
  - endpoint: arn:aws:lambda:us-east-1:123456789012:function:my-function
    protocol: lambda
SNSTopic
Field name Type Purpose Constraints Default
cross_account_access Boolean Cross-account access from all other accounts in this project.   False
display_name String Display name for SMS Messages    
subscriptions List<SNSTopicSubscription> List of SNS Topic Subscriptions    

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

SNSTopicSubscription

SNSTopicSubscription
Field name Type Purpose Constraints Default
endpoint PacoReference|String SNS Topic ARN or Paco Reference Paco Reference to SNSTopic. String Ok.  
protocol String Notification protocol Must be a valid SNS Topic subscription protocol: ‘http’, ‘https’, ‘email’, ‘email-json’, ‘sms’, ‘sqs’, ‘application’, ‘lambda’. email