Application Resources
An Application is a collection of Resources. These are the Resources which can exist as part of an Application.
ApiGatewayRestApi
An ApiGateway Rest API resource.
```yaml
type: ApiGatewayRestApi
order: 10
enabled: true
fail_on_warnings: true
description: "My REST API"
endpoint_configuration:
  - 'REGIONAL'
models:
  emptyjson:
    content_type: 'application/json'
cognito_authorizers:
  cognito:
    identity_source: 'Authorization'
    user_pools:
      - paco.ref netenv.mynet.applications.app.groups.cognito.resources.userpool
dns:
  - domain_name: api.example.com
    hosted_zone: paco.ref resource.route53.example_com
    ssl_certificate: arn:aws:acm:us-east-1:*******:certificate/********
    base_path_mappings:
      - base_path: ''
        stage: 'prod'
methods:
  get:
    http_method: GET
    authorizer: cognito_authorizers.cognito
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
      request_parameters:
        "integration.request.querystring.my_id": "method.request.querystring.my_id"
    authorization_type: NONE
    request_parameters:
      "method.request.querystring.my_id": false
      "method.request.querystring.token": false
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
  post:
    http_method: POST
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
    authorization_type: NONE
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
stages:
  prod:
    deployment_id: 'prod'
    description: 'Prod Stage'
    stage_name: 'prod'
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
api_key_source_type | String | API Key Source Type | Must be one of 'HEADER' to read the API key from the X-API-Key header of a request or 'AUTHORIZER' to read the API key from the UsageIdentifierKey from a Lambda authorizer. | |
binary_media_types | List<String> | Binary Media Types. The list of binary media types that are supported by the RestApi resource, such as image/png or application/octet-stream. By default, RestApi supports only UTF-8-encoded text payloads. | Duplicates are not allowed. Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list. | |
body | String | Body. An OpenAPI specification that defines a set of RESTful APIs in JSON or YAML format. For YAML templates, you can also provide the specification in YAML format. | Must be valid JSON. | |
body_file_location | StringFileReference | Path to a file containing the Body. | Must be a valid path to a valid JSON document. | |
body_s3_location | String | The Amazon Simple Storage Service (Amazon S3) location that points to an OpenAPI file, which defines a set of RESTful APIs in JSON or YAML format. | Valid S3Location string to a valid JSON or YAML document. | |
clone_from | String | CloneFrom. The ID of the RestApi resource that you want to clone. | | |
cognito_authorizers | Container<ApiGatewayCognitoAuthorizers> | Authorizers | | |
description | String | Description of the RestApi resource. | | |
dns | List<ApiGatewayDNS> | DNS domains to create to resolve to the ApiGateway Endpoint | | |
endpoint_configuration | List<String> | Endpoint configuration. A list of the endpoint types of the API. Use this field when creating an API. When importing an existing API, specify the endpoint configuration types using the parameters field. | List of strings, each must be one of 'EDGE', 'REGIONAL', 'PRIVATE' | |
fail_on_warnings | Boolean | Indicates whether to roll back the resource if a warning occurs while API Gateway is creating the RestApi resource. | | False |
methods | Container<ApiGatewayMethods> | | | |
minimum_compression_size | Int | An integer that is used to enable compression on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size. | A non-negative integer between 0 and 10485760 (10M) bytes, inclusive. | |
models | Container<ApiGatewayModels> | | | |
parameters | Dict | Parameters. Custom header parameters for the request. | Dictionary of key/value pairs that are strings. | {} |
policy | String | A policy document that contains the permissions for the RestApi resource, in JSON format. To set the ARN for the policy, use the !Join intrinsic function with "" as delimiter and values of "execute-api:/" and "*". | Valid JSON document | |
resources | Container<ApiGatewayResources> | | | |
stages | Container<ApiGatewayStages> | | | |
Base Schemas: Resource, DNSEnablable, Deployable, Named, Title, Type
ApiGatewayMethods
Container for ApiGatewayMethod objects.
ApiGatewayMethod
API Gateway Method
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
authorization_type | String | Authorization Type | Must be one of NONE, AWS_IAM, CUSTOM or COGNITO_USER_POOLS | NONE |
authorizer | String | Authorizer | Must be an authorizer type and authorizer name in this API Gateway, separated by a . char. For example, 'cognito_authorizers.cognito'. | |
http_method | String | HTTP Method | Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT. | |
integration | Object<ApiGatewayMethodIntegration> | Integration | | |
method_responses | List<ApiGatewayMethodMethodResponse> | Method Responses | List of ApiGatewayMethod MethodResponses | |
request_parameters | Dict | Request Parameters | | {} |
resource_name | String | Resource Name | | |
Base Schemas: Resource, DNSEnablable, Deployable, Named, Title, Type
ApiGatewayModels
Container for ApiGatewayModel objects.
ApiGatewayModel
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
content_type | String | Content Type | | |
description | String | Description | | |
schema | Dict | Schema | JSON format. Will use null({}) if left empty. | {} |
Base Schemas: Resource, DNSEnablable, Deployable, Named, Title, Type
ApiGatewayResources
Container for ApiGatewayResource objects.
ApiGatewayResource
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
child_resources | Container<ApiGatewayResources> | Child Api Gateway Resources | | |
enable_cors | Boolean | Enable CORS | | False |
path_part | String | Path Part | | |
ApiGatewayStages
Container for ApiGatewayStage objects.
ApiGatewayStage
API Gateway Stage
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
deployment_id | String | Deployment ID | | |
description | String | Description | | |
stage_name | String | Stage name | | |
Base Schemas: Resource, DNSEnablable, Deployable, Named, Title, Type
ApiGatewayMethodIntegration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
integration_http_method | String | Integration HTTP Method | Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT. | POST |
integration_lambda | PacoReference | Integration Lambda | Paco Reference to Lambda. | |
integration_responses | List<ApiGatewayMethodIntegrationResponse> | Integration Responses | | |
integration_type | String | Integration Type | Must be one of AWS, AWS_PROXY, HTTP, HTTP_PROXY or MOCK. | AWS |
pass_through_behavior | Choice | Pass Through Behaviour | | |
request_parameters | Dict | The request parameters that API Gateway sends with the backend request. | Specify request parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source as the value. Specify the destination by using the following pattern integration.request.location.name, where location is query string, path, or header, and name is a valid, unique parameter name. The source must be an existing method request parameter or a static value. You must enclose static values in single quotation marks and pre-encode these values based on their destination in the request. | {} |
request_templates | Dict | Request Templates | | {} |
uri | String | Integration URI | | |
ApiGatewayMethodIntegrationResponse
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
content_handling | String | Specifies how to handle request payload content type conversions. | Valid values are: CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob. CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string. If this property isn't defined, the request payload is passed through from the method request to the integration request without modification. | |
response_parameters | Dict | Response Parameters | | {} |
response_templates | Dict | Response Templates | | {} |
selection_pattern | String | A regular expression that specifies which error strings or status codes from the backend map to the integration response. | | |
status_code | String | The status code that API Gateway uses to map the integration response to a MethodResponse status code. | Must match a status code in the method_responses for this API Gateway REST API. | |
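As an added example (not Paco's own code), the following Python checks a REST API definition, written here as a plain dict mirroring the ApiGatewayRestApi YAML above, against the cross-reference constraints the ApiGatewayMethod and ApiGatewayMethodIntegrationResponse tables state: an authorizer must be '<type>.<name>' and name an authorizer declared in the API, each integration status_code must match a method_responses entry, each response model must exist in models, and enumerated fields must hold allowed values. It also lists methods that accept requests with authorization_type NONE and no authorizer, which a reviewer should confirm are meant to be public. The sample DELETE method is constructed with deliberate inconsistencies so the checks have findings to report.

```python
import re

# Allowed values, copied from the ApiGatewayMethod and ApiGatewayMethodIntegration tables.
AUTHORIZATION_TYPES = {"NONE", "AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}
HTTP_METHODS = {"ANY", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"}
INTEGRATION_TYPES = {"AWS", "AWS_PROXY", "HTTP", "HTTP_PROXY", "MOCK"}
# "<authorizer type>.<authorizer name>", for example cognito_authorizers.cognito
AUTHORIZER_RE = re.compile(r"^(\w+)\.(\w+)$")


def check_rest_api(api):
    """Return a list of (method name, message) findings for one ApiGatewayRestApi dict."""
    findings = []
    models = set(api.get("models", {}))
    for name, method in api.get("methods", {}).items():
        http_method = method.get("http_method")
        if http_method not in HTTP_METHODS:
            findings.append((name, f"http_method {http_method!r} is not allowed"))
        auth_type = method.get("authorization_type", "NONE")  # table default
        if auth_type not in AUTHORIZATION_TYPES:
            findings.append((name, f"authorization_type {auth_type!r} is not allowed"))
        authorizer = method.get("authorizer")
        if authorizer is None:
            if auth_type == "NONE":
                findings.append((name, "public method: authorization_type NONE and no authorizer"))
        else:
            m = AUTHORIZER_RE.match(authorizer)
            if m is None:
                findings.append((name, f"authorizer {authorizer!r} must be '<type>.<name>'"))
            elif m.group(2) not in api.get(m.group(1), {}):
                findings.append((name, f"authorizer {authorizer!r} is not declared in this API"))
        # method_responses define the status codes an integration response may map to,
        # and each response model must name an entry in the API's models container.
        method_codes = set()
        for resp in method.get("method_responses", []):
            code = str(resp.get("status_code"))
            method_codes.add(code)
            for model in resp.get("response_models", []):
                if model.get("model_name") not in models:
                    findings.append((name, f"response model {model.get('model_name')!r} for {code} is not in models"))
        integration = method.get("integration", {})
        integration_type = integration.get("integration_type", "AWS")  # table default
        if integration_type not in INTEGRATION_TYPES:
            findings.append((name, f"integration_type {integration_type!r} is not allowed"))
        for resp in integration.get("integration_responses", []):
            code = str(resp.get("status_code"))
            if code not in method_codes:
                findings.append((name, f"integration status_code {code} has no matching method_responses entry"))
    return findings


# Constructed sample: the GET and POST methods from the YAML above, plus a DELETE method
# with deliberately inconsistent references so that the checks have something to report.
LAMBDA = "paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda"
OK_200 = {"status_code": "200",
          "response_models": [{"content_type": "application/json", "model_name": "emptyjson"}]}
SAMPLE_API = {
    "models": {"emptyjson": {"content_type": "application/json"}},
    "cognito_authorizers": {"cognito": {
        "identity_source": "Authorization",
        "user_pools": ["paco.ref netenv.mynet.applications.app.groups.cognito.resources.userpool"]}},
    "methods": {
        "get": {"http_method": "GET", "authorizer": "cognito_authorizers.cognito",
                "authorization_type": "NONE",
                "integration": {"integration_type": "AWS", "integration_lambda": LAMBDA,
                                "integration_responses": [{"status_code": "200"}]},
                "method_responses": [OK_200]},
        "post": {"http_method": "POST", "authorization_type": "NONE",
                 "integration": {"integration_type": "AWS", "integration_lambda": LAMBDA,
                                 "integration_responses": [{"status_code": "200"}]},
                 "method_responses": [OK_200]},
        "delete": {"http_method": "DELETE", "authorizer": "cognito_authorizers.missing",
                   "authorization_type": "COGNITO_USER_POOLS",
                   "integration": {"integration_type": "AWS", "integration_lambda": LAMBDA,
                                   "integration_responses": [{"status_code": "200"}, {"status_code": "500"}]},
                   "method_responses": [{"status_code": "200",
                                         "response_models": [{"content_type": "application/json",
                                                              "model_name": "errorjson"}]}]},
    },
}

if __name__ == "__main__":
    for method_name, message in check_rest_api(SAMPLE_API):
        print(f"{method_name}: {message}")
```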
ApiGatewayMethodMethodResponse
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
response_models | List<ApiGatewayMethodMethodResponseModel> | The resources used for the response's content type. | Specify response models as key-value pairs (string-to-string maps), with a content type as the key and a Model Paco name as the value. | |
response_parameters | Dict | Response Parameters | | {} |
status_code | String | HTTP Status code | | |
ApiGatewayMethodMethodResponseModel
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
content_type | String | Content Type | | |
model_name | String | Model name | | |
ApiGatewayCognitoAuthorizers
Container for ApiGatewayAuthorizer objects.
ASG
An AutoScalingGroup (ASG) contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management.
The Paco ASG resource provisions an AutoScalingGroup as well as a LaunchConfiguration and TargetGroups for that ASG.
```yaml
type: ASG
order: 30
enabled: true
associate_public_ip_address: false
cooldown_secs: 200
ebs_optimized: false
health_check_grace_period_secs: 240
health_check_type: EC2
availability_zone: 1
ebs_volume_mounts:
  - volume: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_volume
    enabled: true
    folder: /var/www/html
    device: /dev/xvdf
    filesystem: ext4
efs_mounts:
  - enabled: true
    folder: /mnt/wp_efs
    target: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_efs
instance_iam_role:
  enabled: true
  policies:
    - name: DNSRecordSet
      statement:
        - effect: Allow
          action:
            - route53:ChangeResourceRecordSets
          resource:
            - 'arn:aws:route53:::hostedzone/HHIHkjhdhu744'
instance_ami: paco.ref function.aws.ec2.ami.latest.amazon-linux-2
instance_ami_type: amazon
instance_key_pair: paco.ref resource.ec2.keypairs.my_keypair
instance_monitoring: true
instance_type: t2.medium
desired_capacity: 1
max_instances: 3
min_instances: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT3M
  wait_on_resource_signals: false
target_groups:
  - paco.ref netenv.mynet.applications.app.groups.web.resources.alb.target_groups.cloud
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.web.asg
segment: private
termination_policies:
  - Default
scaling_policy_cpu_average: 60
ssh_access:
  users:
    - bdobbs
  groups:
    - developers
launch_options:
  update_packages: true
  ssm_agent: true
  cfn_init_config_sets:
    - "InstallApp"
cfn_init:
  config_sets:
    InstallApp:
      - "InstallApp"
  configurations:
    InstallApp:
      packages:
        yum:
          python3: []
      users:
        www-data:
          uid: 2000
          home_dir: /home/www-data
      files:
        "/etc/systemd/system/pypiserver.service":
          content_file: ./pypi-config/pypiserver.service
          mode: '000755'
          owner: root
          group: root
      commands:
        00_pypiserver:
          command: "/bin/pip3 install pypiserver"
        01_passlib_dependency:
          command: "/bin/pip3 install passlib"
        02_prep_mount:
          command: "chown www-data:www-data /var/pypi"
      services:
        sysvinit:
          pypiserver:
            enabled: true
            ensure_running: true
monitoring:
  enabled: true
  collection_interval: 60
  metrics:
    - name: swap
      measurements:
        - used_percent
    - name: disk
      measurements:
        - free
      resources:
        - '/'
        - '/var/www/html'
      collection_interval: 300
user_data_script: |
  echo "Hello World!"
```
AutoScalingGroup Rolling Update Policy
When changes are applied to an AutoScalingGroup that modify the configuration of newly launched instances, AWS can automatically launch instances with the new configuration and terminate old instances that have stale configuration. This can be configured so that there is no interruption of service as the new instances gradually replace old ones. This configuration is set with the rolling_update_policy field.
The rolling update policy must be able to work within the minimum/maximum number of instances in the ASG. Consider the following ASG configuration.
```yaml
type: ASG
max_instances: 2
min_instances: 1
desired_capacity: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT0S # default setting
  wait_on_resource_signals: false # default setting
```
This will normally run a single instance in the ASG. The ASG is never allowed to launch more than 2 instances at one time. When an update happens, a new batch of instances is launched, in this example just one instance. There will be only 1 instance in service, but the capacity will be at 2 instances while the new instance is launched. After the new instance is put into service by the ASG, it will immediately terminate the old instance.
The wait_on_resource_signals field can be set to tell AWS CloudFormation to wait on making changes to the AutoScalingGroup configuration until a new instance is finished configuring and installing applications and is ready for service. If this field is enabled, then the pause_time default is PT5M (5 minutes). If CloudFormation does not get a SUCCESS signal within the pause_time, then it will mark the new instance as failed and terminate it.
If you use pause_time with the default wait_on_resource_signals: false, then AWS will simply wait for the full duration of the pause time and then consider the instance ready. pause_time is in the format PT#H#M#S, where each # is the number of hours, minutes, and seconds, respectively. The maximum pause_time is one hour. For example:
```yaml
pause_time: PT0S # 0 seconds
pause_time: PT5M # 5 minutes
pause_time: PT2M30S # 2 minutes and 30 seconds
```
ASGs will use default settings for a rolling update policy. If you do not want to use an update policy at all, then you must disable the rolling_update_policy explicitly:
```yaml
type: ASG
rolling_update_policy:
  enabled: false
```
With no rolling update policy, when you make configuration changes, existing instances with the old configuration will continue to run, and instances with the new configuration will not be launched until the AutoScalingGroup needs to launch new instances. You must be careful with this approach, as you cannot know 100% that your new configuration launches instances properly until some point in the future when new instances are requested by the ASG.
See the AWS documentation for more information on how the AutoScalingRollingUpdate Policy configuration is used.
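As an added example (not part of Paco), this Python code applies the rules from this section to an ASG definition given as a plain dict: it parses pause_time as PT#H#M#S with the one hour limit, fills in the defaults described above (PT5M when wait_on_resource_signals is enabled, PT0S otherwise), and reports a policy that cannot work within min_instances/max_instances. The requirement that min_instances_in_service be less than max_instances is CloudFormation's own rule for AutoScalingRollingUpdate; the batch-fit check is the "must be able to work within" condition stated above, applied strictly.

```python
import re

# PT#H#M#S with each component optional; the maximum pause_time is one hour.
PAUSE_TIME_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
MAX_PAUSE_SECONDS = 3600


def parse_pause_time(value):
    """Convert a pause_time string to seconds; ValueError if malformed or over one hour."""
    m = PAUSE_TIME_RE.match(value)
    if m is None or not any(m.groups()):
        raise ValueError(f"pause_time {value!r} is not in PT#H#M#S format")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    total = hours * 3600 + minutes * 60 + seconds
    if total > MAX_PAUSE_SECONDS:
        raise ValueError(f"pause_time {value!r} exceeds the one hour maximum")
    return total


def effective_policy(asg):
    """Return the rolling_update_policy with defaults filled in, or None if explicitly disabled.

    Defaults follow the text and the ASGRollingUpdatePolicy table: max_batch_size 1,
    min_instances_in_service 0, wait_on_resource_signals False, and pause_time PT0S,
    or PT5M when wait_on_resource_signals is enabled and no pause_time is given.
    """
    policy = dict(asg.get("rolling_update_policy") or {})
    if policy.get("enabled", True) is False:
        return None
    policy.setdefault("max_batch_size", 1)
    policy.setdefault("min_instances_in_service", 0)
    policy.setdefault("wait_on_resource_signals", False)
    policy.setdefault("pause_time", "PT5M" if policy["wait_on_resource_signals"] else "PT0S")
    policy["pause_seconds"] = parse_pause_time(policy["pause_time"])
    return policy


def check_rolling_update(asg):
    """Return a list of warnings about how this ASG will (or will not) replace instances."""
    warnings = []
    min_i = asg.get("min_instances", 1)      # ASG table defaults
    max_i = asg.get("max_instances", 2)
    desired = asg.get("desired_capacity", 1)
    if not min_i <= desired <= max_i:
        warnings.append(f"desired_capacity {desired} is outside min_instances..max_instances ({min_i}..{max_i})")
    policy = effective_policy(asg)
    if policy is None:
        warnings.append("rolling_update_policy disabled: new configuration is only exercised "
                        "when the ASG next launches an instance")
        return warnings
    in_service = policy["min_instances_in_service"]
    batch = policy["max_batch_size"]
    # CloudFormation requires MinInstancesInService < MaxSize; otherwise no instance can ever be replaced.
    if in_service >= max_i:
        warnings.append(f"min_instances_in_service {in_service} must be less than max_instances {max_i}")
    elif in_service + batch > max_i:
        warnings.append(f"min_instances_in_service {in_service} + max_batch_size {batch} exceeds "
                        f"max_instances {max_i}; a full batch cannot launch without exceeding max_instances")
    if policy["wait_on_resource_signals"] and policy["pause_seconds"] == 0:
        warnings.append("wait_on_resource_signals with pause_time PT0S leaves no time for a SUCCESS signal")
    return warnings


# Constructed samples: the two-instance ASG from this section, and a variant that cannot roll.
SECTION_EXAMPLE = {
    "type": "ASG", "max_instances": 2, "min_instances": 1, "desired_capacity": 1,
    "rolling_update_policy": {"max_batch_size": 1, "min_instances_in_service": 1,
                              "pause_time": "PT0S", "wait_on_resource_signals": False},
}
CANNOT_ROLL = {
    "type": "ASG", "max_instances": 2, "min_instances": 2, "desired_capacity": 2,
    "rolling_update_policy": {"max_batch_size": 1, "min_instances_in_service": 2,
                              "wait_on_resource_signals": True},
}

if __name__ == "__main__":
    for label, asg in (("section example", SECTION_EXAMPLE), ("cannot roll", CANNOT_ROLL)):
        print(label, check_rolling_update(asg) or ["ok"])
```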
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
associate_public_ip_address | Boolean | Associate Public IP Address | | False |
availability_zone | String | Availability Zones to launch instances in. | | all |
block_device_mappings | List<BlockDeviceMapping> | Block Device Mappings | | |
cfn_init | Object<CloudFormationInit> | CloudFormation Init | | |
cooldown_secs | Int | Cooldown seconds | | 300 |
desired_capacity | Int | Desired capacity | | 1 |
desired_capacity_ignore_changes | Boolean | Ignore changes to the desired_capacity after the ASG is created. | | False |
dns | List<DNS> | DNS domains to create to resolve to one of the ASG's EC2 Instances | | |
ebs_optimized | Boolean | EBS Optimized | | False |
ebs_volume_mounts | List<EBSVolumeMount> | Elastic Block Store Volume Mounts | | |
ecs | Object<ECSASGConfiguration> | ECS Configuration | | |
efs_mounts | List<EFSMount> | Elastic Filesystem Configuration | | |
eip | PacoReference or String | Elastic IP or AllocationId to attach to instance at launch | Paco Reference to EIP. String Ok. | |
health_check_grace_period_secs | Int | Health check grace period in seconds | | 300 |
health_check_type | String | Health check type | Must be one of: 'EC2', 'ELB' | EC2 |
instance_ami | PacoReference or String | Instance AMI | Paco Reference to Function. String Ok. | |
instance_ami_ignore_changes | Boolean | Do not update the instance_ami after creation. | | False |
instance_ami_type | String | The AMI Operating System family | Must be one of amazon, centos, suse, debian, ubuntu, microsoft or redhat. | amazon |
instance_iam_role | Object<Role> | | | |
instance_key_pair | PacoReference | Key pair to connect to launched instances | Paco Reference to EC2KeyPair. | |
instance_monitoring | Boolean | Instance monitoring | | False |
instance_type | String | Instance type | | |
launch_options | Object<EC2LaunchOptions> | EC2 Launch Options | | |
lifecycle_hooks | Container<ASGLifecycleHooks> | Lifecycle Hooks | | |
load_balancers | List<PacoReference> | Target groups | Paco Reference to TargetGroup. | |
max_instances | Int | Maximum instances | | 2 |
min_instances | Int | Minimum instances | | 1 |
rolling_update_policy | Object<ASGRollingUpdatePolicy> | Rolling Update Policy | | |
scaling_policies | Container<ASGScalingPolicies> | Scaling Policies | | |
scaling_policy_cpu_average | Int | Average CPU Scaling Policy | | 0 |
secrets | List<PacoReference> | List of Secrets Manager References | Paco Reference to SecretsManagerSecret. | |
security_groups | List<PacoReference> | Security groups | Paco Reference to SecurityGroup. | |
segment | String | Segment | | |
ssh_access | Object<SSHAccess> | SSH Access | | |
target_groups | List<PacoReference> | Target groups | Paco Reference to TargetGroup. | |
termination_policies | List<String> | Termination policies | | |
user_data_pre_script | String | User data pre-script | | |
user_data_script | String | User data script | | |
Base Schemas: Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
ASGLifecycleHooks
Container for ASGLifecycleHook objects.
ASGLifecycleHook
ASG Lifecycle Hook
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
default_result | String | Default Result | | |
lifecycle_transition | String | ASG Lifecycle Transition | | |
notification_target_arn | String | Lifecycle Notification Target Arn | | |
role_arn | String | Lifecycle Publish Role ARN | | |
Base Schemas: Deployable, Named, Title
ASGScalingPolicies
Container for ASGScalingPolicy objects.
ASGScalingPolicy
Auto Scaling Group Scaling Policy
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
adjustment_type | String | Adjustment Type | | ChangeInCapacity |
alarms | List<SimpleCloudWatchAlarm> | Alarms | | |
cooldown | Int | Scaling Cooldown in Seconds | | 300 |
policy_type | String | Policy Type | | SimpleScaling |
scaling_adjustment | Int | Scaling Adjustment | | |
Base Schemas: Deployable, Named, Title
ASGRollingUpdatePolicy
AutoScalingRollingUpdate Policy
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
enabled | Boolean | Enable an UpdatePolicy for the ASG | | True |
max_batch_size | Int | Maximum batch size | | 1 |
min_instances_in_service | Int | Minimum instances in service | | 0 |
pause_time | String | Pause time | Must be in the format PT#H#M#S | |
wait_on_resource_signals | Boolean | Wait for resource signals | | False |
ECSASGConfiguration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
capacity_provider | Object<ECSCapacityProvider> | Capacity Provider | | |
cluster | PacoReference | Cluster | Paco Reference to ECSCluster. | |
log_level | Choice | Log Level | | error |
ECSCapacityProvider
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
maximum_scaling_step_size | Int | Maximum Scaling Step Size | | 10000 |
minimum_scaling_step_size | Int | Minimum Scaling Step Size | | 1 |
target_capacity | Int | Target Capacity | | 100 |
Base Schemas: Deployable, Named, Title
SSHAccess
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
groups | List<String> | Groups | Must match a group declared in resource/ec2.yaml | [] |
users | List<String> | Users | Must match a user declared in resource/ec2.yaml | [] |
BlockDeviceMapping
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
device_name | String | The device name exposed to the EC2 instance | | |
ebs | Object<BlockDevice> | Amazon EBS volume | | |
virtual_name | String | The name of the virtual device. | The name must be in the form ephemeralX where X is a number starting from zero (0), for example, ephemeral0. | |
BlockDevice
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
delete_on_termination | Boolean | Indicates whether to delete the volume when the instance is terminated. | | True |
encrypted | Boolean | Specifies whether the EBS volume is encrypted. | | |
iops | Int | The number of I/O operations per second (IOPS) to provision for the volume. | The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS, you need at least 100 GiB storage on the volume. | |
size_gib | Int | The volume size, in Gibibytes (GiB). | This can be a number from 1-1,024 for standard, 4-16,384 for io1, 1-16,384 for gp2, and 500-16,384 for st1 and sc1. | |
snapshot_id | String | The snapshot ID of the volume to use. | | |
volume_type | String | The volume type, which can be standard for Magnetic, io1 for Provisioned IOPS SSD, gp2 for General Purpose SSD, st1 for Throughput Optimized HDD, or sc1 for Cold HDD. | Must be one of standard, io1, gp2, st1 or sc1. | |
EBSVolumeMount
EBS Volume Mount Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
device | String | Device to mount the EBS Volume with. | | |
filesystem | String | Filesystem to mount the EBS Volume with. | | |
folder | String | Folder to mount the EBS Volume | | |
volume | PacoReference or String | EBS Volume Resource Reference | Paco Reference to EBS. String Ok. | |
Base Schemas: Deployable
EFSMount
EFS Mount Folder and Target Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
folder | String | Folder to mount the EFS target | | |
target | PacoReference or String | EFS Target Resource Reference | Paco Reference to EFS. String Ok. | |
Base Schemas: Deployable
EC2LaunchOptions
EC2 Launch Options
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
cfn_init_config_sets | List<String> | List of cfn-init config sets | | [] |
codedeploy_agent | Boolean | Install CodeDeploy Agent | | False |
ssm_agent | Boolean | Install SSM Agent | | True |
ssm_expire_events_after_days | String | Retention period of SSM logs | | 30 |
update_packages | Boolean | Update Distribution Packages | | False |
CloudFormationInit
CloudFormation Init is a method to configure an EC2 instance after it is launched. CloudFormation Init is a much more complete and robust method to install configuration files and packages than using a UserData script. It stores information about packages, files, commands and more in CloudFormation metadata. It is accompanied by a cfn-init script which runs on the instance to fetch this configuration metadata and apply it. The whole system is often referred to simply as cfn-init after this script.
The cfn_init field for an ASG contains all of the cfn-init configuration. After an instance is launched, it needs to run a local cfn-init script to pull the configuration from the CloudFormation stack and apply it. After cfn-init has applied the configuration, you will run cfn-signal to tell CloudFormation the configuration was successfully applied. Use the launch_options field for an ASG to let Paco take care of all this for you.
Refer to the CloudFormation Init docs for a complete description of all the configuration options available.
```yaml
launch_options:
  cfn_init_config_sets:
    - "Install"
cfn_init:
  parameters:
    BasicKey: static-string
    DatabasePasswordarn: paco.ref netenv.mynet.secrets_manager.app.site.database.arn
  config_sets:
    Install:
      - "Install"
  configurations:
    Install:
      packages:
        rpm:
          epel: "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
        yum:
          jq: []
          python3: []
      files:
        "/tmp/get_rds_dsn.sh":
          content_cfn_file: ./webapp/get_rds_dsn.sh
          mode: '000700'
          owner: root
          group: root
        "/etc/httpd/conf.d/saas_wsgi.conf":
          content_file: ./webapp/saas_wsgi.conf
          mode: '000600'
          owner: root
          group: root
        "/etc/httpd/conf.d/wsgi.conf":
          content: "LoadModule wsgi_module modules/mod_wsgi.so"
          mode: '000600'
          owner: root
          group: root
        "/tmp/install_codedeploy.sh":
          source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
          mode: '000700'
          owner: root
          group: root
      commands:
        10_install_codedeploy:
          command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
      services:
        sysvinit:
          codedeploy-agent:
            enabled: true
            ensure_running: true
```
The parameters field is a set of Parameters that will be passed to the CloudFormation stack. These can be static strings or paco.ref values that are looked up from already provisioned cloud resources.
CloudFormation Init can be organized into Configsets. With raw cfn-init, using Configsets is optional, but it is required with Paco.
In a Configset, the files field has four fields for specifying the file contents:
content_file: A path to a file on the local filesystem. A convenient practice is to make a sub-directory in the netenv directory for keeping cfn-init files.
content_cfn_file: A path to a file on the local filesystem. This file will have FnSub and FnJoin CloudFormation functions applied to it.
content: For small files, the content can be in-lined directly in this field.
source: Fetches the file from a URL.
If you are using content_cfn_file to interpolate Parameters, the file might look like:
```yaml
!Sub |
  #!/bin/bash
  echo "Database ARN is " ${DatabasePasswordarn}
  echo "AWS Region is " ${AWS::Region}
```
If you want to include a raw ${SomeValue} string in your file, use the ! character to escape it like this: ${!SomeValue}. cfn-init also supports interpolation with Mustache templates, but Paco support for this is not yet implemented.
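To make the substitution and escaping rules concrete, here is an added Python example (not Paco's implementation) that applies !Sub-style interpolation to a content_cfn_file template: ${Name} is resolved from the cfn_init parameters, ${AWS::Region} from a supplied pseudo-parameter map, ${!Name} becomes the literal ${Name}, and an undeclared reference raises instead of being silently left in the file. The template, the parameter values and the ARN are constructed for the example; only an ARN is interpolated here, as in the page's parameters, never the secret value itself.

```python
import re

# ${Name} and ${AWS::Pseudo} are substituted; ${!Name} is the escape for a literal ${Name}.
SUB_RE = re.compile(r"\$\{(!?)([A-Za-z0-9_:.]+)\}")


def referenced_parameters(template):
    """Names a content_cfn_file template will look up (escaped ${!...} references excluded)."""
    return {name for escaped, name in SUB_RE.findall(template) if not escaped}


def sub_interpolate(template, parameters, pseudo):
    """Apply !Sub-style substitution to a template string.

    `parameters` is the cfn_init parameters dict with values already resolved (for a
    paco.ref, the looked-up ARN); `pseudo` supplies AWS::* values such as AWS::Region.
    An unresolvable reference raises KeyError rather than leaving text behind.
    """
    def replace(match):
        escaped, name = match.groups()
        if escaped:
            return "${" + name + "}"
        source = pseudo if name.startswith("AWS::") else parameters
        if name not in source:
            raise KeyError(f"${{{name}}} is not a declared parameter")
        return str(source[name])
    return SUB_RE.sub(replace, template)


# Constructed sample modelled on the get_rds_dsn.sh fragment above; the ARN is a placeholder.
TEMPLATE = """#!/bin/bash
echo "Database ARN is " ${DatabasePasswordarn}
echo "AWS Region is " ${AWS::Region}
echo "Left for the shell to expand: " ${!HOME}
"""
PARAMETERS = {
    "BasicKey": "static-string",
    "DatabasePasswordarn": "arn:aws:secretsmanager:us-west-2:000000000000:secret:site-database-PLACEHOLDER",
}
PSEUDO = {"AWS::Region": "us-west-2"}


def render_sample():
    """Render the constructed template with the constructed parameter values."""
    return sub_interpolate(TEMPLATE, PARAMETERS, PSEUDO)


if __name__ == "__main__":
    print(sorted(referenced_parameters(TEMPLATE)))
    print(render_sample())
```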
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
config_sets | Container<CloudFormationConfigSets> | CloudFormation Init configSets | | |
configurations | Container<CloudFormationConfigurations> | CloudFormation Init configurations | | |
parameters | Dict | Parameters | | {} |
CloudFormationConfiguration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
commands | Container<CloudFormationInitCommands> | Commands | | |
files | Container<CloudFormationInitFiles> | Files | | |
groups | Object<CloudFormationInitGroups> | Groups | | |
packages | Object<CloudFormationInitPackages> | Packages | | |
services | Object<CloudFormationInitServices> | Services | | |
sources | Container<CloudFormationInitSources> | Sources | | |
users | Object<CloudFormationInitUsers> | Users | | |
CloudFormationInitCommand
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
command | String | Command | | |
cwd | String | Cwd. The working directory | | |
env | Dict | Environment Variables. This property overwrites, rather than appends, the existing environment. | | {} |
ignore_errors | Boolean | Ignore errors. Determines whether cfn-init continues to run if the command contained in the command key fails (returns a non-zero value). Set to true if you want cfn-init to continue running even if the command fails. | | False |
test | String | A test command that determines whether cfn-init runs commands that are specified in the command key. If the test passes, cfn-init runs the commands. | | |
CloudFormationInitFile
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
authentication | String | The name of an authentication method to use. | | |
content | Object<Interface> | Either a string or a properly formatted YAML object. | | |
content_cfn_file | YAMLFileReference | File path to a properly formatted CloudFormation Functions YAML object. | | |
content_file | StringFileReference | File path to a string. | | |
context | String | Specifies a context for files that are to be processed as Mustache templates. | | |
encoding | String | The encoding format. | | |
group | String | The name of the owning group for this file. Not supported for Windows systems. | | |
mode | String | A six-digit octal value representing the mode for this file. | | |
owner | String | The name of the owning user for this file. Not supported for Windows systems. | | |
source | String | A URL to load the file from. | | |
CloudFormationInitPackages
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
apt | Container<CloudFormationInitVersionedPackageSet> | Apt packages | | |
msi | Container<CloudFormationInitPathOrUrlPackageSet> | MSI packages | | |
python | Container<CloudFormationInitVersionedPackageSet> | Python packages | | |
rpm | Container<CloudFormationInitPathOrUrlPackageSet> | RPM packages | | |
rubygems | Container<CloudFormationInitVersionedPackageSet> | Rubygems packages | | |
yum | Container<CloudFormationInitVersionedPackageSet> | Yum packages | | |
CloudFormationInitVersionedPackageSet
CloudFormationInitPathOrUrlPackageSet
CloudFormationInitServices
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
sysvinit | Container<CloudFormationInitServiceCollection> | SysVInit Services for Linux OS | | |
windows | Container<CloudFormationInitServiceCollection> | Windows Services for Windows OS | | |
CloudFormationInitService
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
commands | List<String> | A list of command names. If cfn-init runs the specified command, this service will be restarted. | | |
enabled | Boolean | Ensure that the service will be started or not started upon boot. | | |
ensure_running | Boolean | Ensure that the service is running or stopped after cfn-init finishes. | | |
files | List<String> | A list of files. If cfn-init changes one directly via the files block, this service will be restarted. | | |
packages | Dict | A map of package manager to list of package names. If cfn-init installs or updates one of these packages, this service will be restarted. | | {} |
sources | List<String> | A list of directories. If cfn-init expands an archive into one of these directories, this service will be restarted. | | |
ACM
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
domain_name | String | Domain Name | | |
external_resource | Boolean | Marks this resource as external to avoid creating and validating it. | | False |
private_ca | String | Private Certificate Authority ARN | | |
region | String | AWS Region | Must be a valid AWS Region name | |
subject_alternative_names | List<String> | Subject alternative names | | |
Base Schemas: Resource, DNSEnablable, Deployable, Named, Title, Type
CloudFront
CloudFront CDN Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
cache_behaviors | List<CloudFrontCacheBehavior> | List of Cache Behaviors | | |
custom_error_responses | List<CloudFrontCustomErrorResponse> | List of Custom Error Responses | | |
default_cache_behavior | Object<CloudFrontDefaultCacheBehavior> | Default Cache Behavior | | |
default_root_object | String | The default path to load from the origin. | | |
domain_aliases | List<DNS> | List of DNS for the Distribution | | |
factory | Container<CloudFrontFactories_> | CloudFront Factory | | |
origins | Container<CloudFrontOrigins_> | Map of Origins | | |
price_class | String | Price Class | | All |
viewer_certificate | Object<CloudFrontViewerCertificate> | Viewer Certificate | | |
webacl_id | String | WAF WebACLId | | |
Base Schemas: Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
CloudFrontDefaultCacheBehavior¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
allowed_methods | List<String> | List of Allowed HTTP Methods | | [‘DELETE’, ‘GET’, ‘HEAD’, ‘OPTIONS’, ‘PATCH’, ‘POST’, ‘PUT’] |
cached_methods | List<String> | List of HTTP Methods to cache | | [‘GET’, ‘HEAD’, ‘OPTIONS’] |
compress | Boolean | Compress certain files automatically | | False |
default_ttl | Int | Default TTL | | 86400 |
forwarded_values | Object<CloudFrontForwardedValues> | Forwarded Values | | |
lambda_function_associations | List<CloudFrontLambdaFunctionAssocation> | Lambda Function Associations | | |
max_ttl | Int | Maximum TTL | | 31536000 |
min_ttl | Int | Minimum TTL | | 0 |
target_origin | PacoReference | Target Origin | Paco Reference to CloudFrontOrigin. | |
viewer_protocol_policy | String | Viewer Protocol Policy | | redirect-to-https |
CloudFrontCacheBehavior¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
path_pattern | String | Path Pattern |
Base Schemas CloudFrontDefaultCacheBehavior, Named, Title
CloudFrontFactory¶
CloudFront Factory
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
domain_aliases | List<DNS> | List of DNS for the Distribution | ||
viewer_certificate | Object<CloudFrontViewerCertificate> | Viewer Certificate |
CloudFrontOrigin¶
CloudFront Origin Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
custom_origin_config | Object<CloudFrontCustomOriginConfig> | Custom Origin Configuration | ||
domain_name | PacoReference|String | Origin Resource Reference | Paco Reference to Route53HostedZone. String Ok. | |
s3_bucket | PacoReference | Origin S3 Bucket Reference | Paco Reference to S3Bucket. |
CloudFrontCustomOriginConfig¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
http_port | Int | HTTP Port | | |
https_port | Int | HTTPS Port | | |
keepalive_timeout | Int | HTTP Keepalive Timeout | | 5 |
protocol_policy | String | Protocol Policy | | |
read_timeout | Int | Read timeout | | 30 |
ssl_protocols | List<String> | List of SSL Protocols | | |
CloudFrontCustomErrorResponse¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
error_caching_min_ttl | Int | Error Caching Min TTL | | 300 |
error_code | Int | HTTP Error Code | | |
response_code | Int | HTTP Response Code | | |
response_page_path | String | Response Page Path | | |
CloudFrontViewerCertificate¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
certificate | PacoReference | Certificate Reference | Paco Reference to ACM. | |
minimum_protocol_version | String | Minimum TLS protocol version (CloudFront security policy) that viewers must support | | TLSv1.1_2016 |
ssl_supported_method | String | SSL Supported Method | | sni-only |
The default security policy, TLSv1.1_2016, still accepts TLS 1.1 clients. Set TLSv1.2_2018 or a later policy unless you have a documented need for legacy clients.
CloudFrontForwardedValues¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
cookies | Object<CloudFrontCookies> | Forward Cookies | | |
headers | List<String> | Forward Headers | | [‘*’] |
query_string | Boolean | Forward Query Strings | | True |
CloudFrontCookies¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
forward | String | Cookies Forward Action | | all |
whitelisted_names | List<String> | Cookie names to forward when forward is ‘whitelist’ | | |
CloudFrontLambdaFunctionAssocation¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
event_type | Choice | Event Type | Must be one of ‘origin-request’, ‘origin-response’, ‘viewer-request’ or ‘viewer-response’ | |
include_body | Boolean | Include Body | | False |
lambda_function | PacoReference | Lambda Function | Paco Reference to Lambda. | |
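The CloudFront tables above spread the security-relevant settings across several schemas: `viewer_protocol_policy` and `allowed_methods` on each cache behavior, and `minimum_protocol_version` on the viewer certificate, each with its own default. The following is an added example, not Paco's own code, showing how to resolve those documented defaults against a distribution that has been loaded from YAML into a dict (for instance with `yaml.safe_load`) and flag the weak combinations: plain-HTTP behaviors, write methods forwarded to an S3 origin, and a TLS floor below 1.2. The TLS 1.2 floor, the policy-name ordering, the sample distribution and the assumption that a `target_origin` reference ends in `origins.<name>` are all mine, not the page's.

```python
"""Resolve CloudFront cache-behaviour and viewer-certificate defaults, then flag weak settings."""
import copy
from typing import Any, Dict, List, Tuple

# Defaults copied from the CloudFrontDefaultCacheBehavior and CloudFrontViewerCertificate tables.
CACHE_BEHAVIOR_DEFAULTS: Dict[str, Any] = {
    "viewer_protocol_policy": "redirect-to-https",
    "allowed_methods": ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"],
}
VIEWER_CERT_DEFAULTS: Dict[str, Any] = {
    "minimum_protocol_version": "TLSv1.1_2016",
    "ssl_supported_method": "sni-only",
}

# CloudFront security-policy names, weakest first (AWS naming; the page lists only the default).
TLS_POLICY_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                    "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
TLS_FLOOR = "TLSv1.2_2018"  # assumption: house floor; TLSv1.1_2016 still accepts TLS 1.1 clients
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_name(ref: str) -> str:
    """Assumption: a target_origin reference ends in '...origins.<name>'."""
    return ref.rsplit(".", 1)[-1]


def _behaviors(dist: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any]]]:
    """(label, behaviour dict) pairs: the default behaviour first, then each path behaviour."""
    default = dist.get("default_cache_behavior")
    pairs = [("default_cache_behavior", {} if default is None else default)]
    for i, cb in enumerate(dist.get("cache_behaviors") or []):
        pairs.append((f"cache_behaviors[{i}] {cb.get('path_pattern', '')}", cb))
    return pairs


def audit_distribution(dist: Dict[str, Any]) -> List[str]:
    """One finding per weak setting; an empty list means nothing to fix."""
    findings: List[str] = []
    origins = dist.get("origins") or {}
    for label, raw in _behaviors(dist):
        cb = {**CACHE_BEHAVIOR_DEFAULTS, **raw}
        if cb["viewer_protocol_policy"] == "allow-all":
            findings.append(f"{label}: viewer_protocol_policy allow-all serves plaintext HTTP")
        target = cb.get("target_origin") or ""
        origin = (origins.get(_origin_name(target)) or {}) if target else {}
        writes = sorted(set(cb["allowed_methods"]) - READ_ONLY_METHODS)
        if origin.get("s3_bucket") and writes:
            findings.append(f"{label}: {', '.join(writes)} forwarded to an S3 origin; allow GET/HEAD only")
    cert = {**VIEWER_CERT_DEFAULTS, **(dist.get("viewer_certificate") or {})}
    mpv = cert["minimum_protocol_version"]
    if mpv not in TLS_POLICY_ORDER or TLS_POLICY_ORDER.index(mpv) < TLS_POLICY_ORDER.index(TLS_FLOOR):
        findings.append(f"viewer_certificate: minimum_protocol_version {mpv} is below {TLS_FLOOR}")
    return findings


def hardened_copy(dist: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with HTTPS enforced, S3 origins read-only and a TLS 1.2 security policy."""
    out = copy.deepcopy(dist)
    out.setdefault("default_cache_behavior", {})
    origins = out.get("origins") or {}
    for _, cb in _behaviors(out):
        cb["viewer_protocol_policy"] = "https-only"
        target = cb.get("target_origin") or ""
        if target and (origins.get(_origin_name(target)) or {}).get("s3_bucket"):
            cb["allowed_methods"] = ["GET", "HEAD", "OPTIONS"]
    out.setdefault("viewer_certificate", {})["minimum_protocol_version"] = "TLSv1.2_2021"
    return out


# Constructed sample (not from the page): an S3-backed site whose /static/* behaviour still
# allows plain HTTP and relies on the page defaults for allowed_methods and the TLS policy.
SITE_ORIGIN = "paco.ref netenv.mynet.applications.app.groups.cdn.resources.cdn.origins.site"
WEAK_DISTRIBUTION: Dict[str, Any] = {
    "origins": {"site": {"s3_bucket": "paco.ref netenv.mynet.applications.app.groups.cdn.resources.bucket"}},
    "default_cache_behavior": {"target_origin": SITE_ORIGIN, "allowed_methods": ["GET", "HEAD"]},
    "cache_behaviors": [
        {"path_pattern": "/static/*", "target_origin": SITE_ORIGIN, "viewer_protocol_policy": "allow-all"},
    ],
    "viewer_certificate": {"certificate": "paco.ref netenv.mynet.applications.app.groups.cdn.resources.cert"},
}

if __name__ == "__main__":
    for finding in audit_distribution(WEAK_DISTRIBUTION):
        print("WEAK:", finding)
    print("after hardening:", audit_distribution(hardened_copy(WEAK_DISTRIBUTION)))
```

The audit merges the table defaults before judging each behavior, which is the point: a behavior that omits `allowed_methods` silently inherits all seven methods, and a distribution that omits `viewer_certificate.minimum_protocol_version` inherits TLSv1.1_2016.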
CognitoLambdaTriggers¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
create_auth_challenge | PacoReference | CreateAuthChallenge Lambda trigger | Paco Reference to Lambda. | |
custom_message | PacoReference | CustomMessage Lambda trigger | Paco Reference to Lambda. | |
define_auth_challenge | PacoReference | DefineAuthChallenge Lambda trigger | Paco Reference to Lambda. | |
post_authentication | PacoReference | PostAuthentication Lambda trigger | Paco Reference to Lambda. | |
post_confirmation | PacoReference | PostConfirmation Lambda trigger | Paco Reference to Lambda. | |
pre_authentication | PacoReference | PreAuthentication Lambda trigger | Paco Reference to Lambda. | |
pre_sign_up | PacoReference | PreSignUp Lambda trigger | Paco Reference to Lambda. | |
pre_token_generation | PacoReference | PreTokenGeneration Lambda trigger | Paco Reference to Lambda. | |
user_migration | PacoReference | UserMigration Lambda trigger | Paco Reference to Lambda. | |
verify_auth_challenge_response | PacoReference | VerifyAuthChallengeResponse Lambda trigger | Paco Reference to Lambda. |
CodeDeployApplication¶
CodeDeploy Application creates CodeDeploy Application and Deployment Groups for that application.
This resource can be used when you already have another process in-place to put deploy artifacts into an S3 Bucket. If you also need to build artifacts, use DeploymentPipeline instead.
```yaml
type: CodeDeployApplication
order: 40
compute_platform: "Server"
deployment_groups:
  deployment:
    title: "My Deployment Group description"
    ignore_application_stop_failures: true
    revision_location_s3: paco.ref netenv.mynet.applications.app.groups.deploybucket
    autoscalinggroups:
      - paco.ref netenv.mynet.applications.app.groups.web
```
It can be convenient to install the CodeDeploy agent on your instances using CloudFormationInit. Note that this example downloads the installer from the us-west-2 CodeDeploy bucket and runs it as root; use the bucket for the region you are deploying into.
```yaml
launch_options:
  cfn_init_config_sets:
    - "InstallCodeDeploy"
cfn_init:
  config_sets:
    InstallCodeDeploy:
      - "InstallCodeDeploy"
  files:
    "/tmp/install_codedeploy.sh":
      source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
      mode: '000700'
      owner: root
      group: root
  commands:
    01_install_codedeploy:
      command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
  services:
    sysvinit:
      codedeploy-agent:
        enabled: true
        ensure_running: true
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
compute_platform | String | Compute Platform | Must be one of Lambda, Server or ECS | |
deployment_groups | Container<CodeDeployDeploymentGroups> | CodeDeploy Deployment Groups |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
CodeDeployDeploymentGroup¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
autoscalinggroups | List<PacoReference> | AutoScalingGroups that CodeDeploy automatically deploys revisions to when new instances are created | Paco Reference to ASG. | |
ignore_application_stop_failures | Boolean | Ignore Application Stop Failures | ||
revision_location_s3 | Object<DeploymentGroupS3Location> | S3 Bucket revision location | ||
role_policies | List<Policy> | Policies to grant the deployment group role |
Base Schemas Deployable, Named, Title
CognitoUserPool¶
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps. The CognitoUserPool resource type is a user directory in Amazon Cognito. With a user pool, users can sign in to your web or mobile app through Amazon Cognito.
```yaml
type: CognitoUserPool
order: 10
enabled: true
auto_verified_attributes: email
mfa: 'optional'
mfa_methods:
  - software_token
  - sms
account_recovery: verified_email
password:
  minimum_length: 12
  require_lowercase: true
  require_uppercase: true
  require_numbers: false
  require_symbols: false
email:
  reply_to_address: reply-to@example.com
user_creation:
  admin_only: true
  unused_account_validity_in_days: 7
  invite_message_templates:
    email_subject: 'Invite to the App!'
    email_message: >
      <p>You've had an account created for you on the app.</p>
      <p><b>Username:</b> {username}</p>
      <p><b>Temporary password:</b> {####}</p>
      <p>Please login and set a secure password. This request will expire in 7 days.</p>
lambda_triggers:
  pre_sign_up: paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
schema:
  - attribute_name: email
    attribute_data_type: string
    mutable: false
    required: true
  - attribute_name: name
    attribute_data_type: string
    mutable: true
    required: true
  - attribute_name: phone_number
    attribute_data_type: string
    mutable: true
    required: false
ui_customizations:
  logo_file: './images/logo.png'
  css_file: './images/cognito.css'
app_clients:
  web:
    generate_secret: false
    callback_urls:
      - https://example.com
      - https://example.com/parseauth
      - https://example.com/refreshauth
    logout_urls:
      - https://example.com/signout
    allowed_oauth_flows:
      - code
    allowed_oauth_scopes:
      - email
      - openid
    domain_name: exampledomain
    identity_providers:
      - cognito
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
account_recovery | String | Account Recovery Options (in order of priority) | Can be either ‘admin_only’, ‘verified_email’, ‘verified_phone_number’, ‘verified_phone_number,verified_email’ or ‘verified_email,verified_phone_number’ | |
app_clients | Container<CognitoUserPoolClients> | App Clients | | |
auto_verified_attributes | String | Auto Verified Attributes | Can be either ‘email’, ‘phone_number’ or ‘email,phone_number’ | |
email | Object<CognitoEmailConfiguration> | Email Configuration | | |
lambda_triggers | Object<CognitoLambdaTriggers> | Lambda Triggers | | |
mfa | Choice | MFA Configuration | Must be one of ‘off’, ‘on’ or ‘optional’ | off |
mfa_methods | Choice | Enabled MFA methods | List of ‘sms’ or ‘software_token’ | [] |
password | Object<CognitoUserPoolPasswordPolicy> | Password Configuration | | |
schema | List<CognitoUserPoolSchemaAttribute> | Schema Attributes | | [] |
ui_customizations | Object<CognitoUICustomizations> | UI Customizations | | |
user_creation | Object<CognitoUserCreation> | User Creation | | |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
CognitoInviteMessageTemplates¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
email_message | String | Email Message | ||
email_subject | String | Email Subject | ||
sms_message | String | SMS Message |
CognitoUserPoolClients¶
A container of CognitoUserPoolClient objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
CognitoUserPoolClient¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
allowed_oauth_flows | Choice | Allowed OAuth Flows | | [] |
allowed_oauth_scopes | List<String> | Allowed OAuth Scopes | | [] |
callback_urls | List<String> | Callback URLs | | [] |
domain_name | String | Domain Name or domain prefix | | |
generate_secret | Boolean | Generate Secret | | False |
identity_providers | Choice | Identity Providers | | [] |
logout_urls | List<String> | Logout URLs | | [] |
CognitoEmailConfiguration¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
from_address | String | From Email Address | ||
reply_to_address | String | Reply To Email Address | ||
verification_message | String | Verification Message | ||
verification_subject | String | Verification Subject |
CognitoUserPoolPasswordPolicy¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
minimum_length | Int | Minimum Length | | |
require_lowercase | Boolean | Require Lowercase | | True |
require_numbers | Boolean | Require Numbers | | True |
require_symbols | Boolean | Require Symbols | | True |
require_uppercase | Boolean | Require Uppercase | | True |
CognitoUserPoolSchemaAttribute¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
attribute_data_type | Choice | Attribute Data Type | ||
attribute_name | String | Name | From 1 to 20 characters | |
mutable | Boolean | Mutable | ||
required | Boolean | Required |
CognitoUICustomizations¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
css_file | StringFileReference | File path to a CSS file. | Contents must be valid CSS that applies to the Cognito Hosted UI. | |
logo_file | BinaryFileReference | File path to an image. | Must be a PNG or JPEG and max 100 Kb. |
CognitoUserCreation¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
admin_only | Boolean | Allow only Admin to create users | | False |
invite_message_templates | Object<CognitoInviteMessageTemplates> | Invite Message Templates | | |
unused_account_validity_in_days | Int | Unused Account Validity in Days | | 7 |
CognitoIdentityPool¶
The CognitoIdentityPool resource type grants Cognito User Pool users authorization to AWS resources through the IAM roles it assigns to authenticated and unauthenticated identities.
The example below is deliberately permissive: it allows unauthenticated identities and gives every guest cognito-sync:* on every resource, and gives every signed-in user lambda:InvokeFunction on every function in the account. Scope the resource ARNs to what the application actually needs before using it.
```yaml
type: CognitoIdentityPool
order: 20
enabled: true
allow_unauthenticated_identities: true
identity_providers:
  - userpool_client: paco.ref netenv.mynet.applications.myapp.groups.cognito.resources.cup.app_clients.web
    serverside_token_check: false
unauthenticated_role:
  enabled: true
  policies:
    - name: CognitoSyncAll
      statement:
        - effect: Allow
          action:
            - "cognito-sync:*"
          resource:
            - '*'
authenticated_role:
  enabled: true
  policies:
    - name: ViewDescribe
      statement:
        - effect: Allow
          action:
            - "cognito-sync:*"
            - "cognito-identity:*"
          resource:
            - '*'
        - effect: Allow
          action:
            - "lambda:InvokeFunction"
          resource:
            - '*'
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
allow_unauthenticated_identities | Boolean | Allow Unauthenticated Identities | | False |
authenticated_role | Object<RoleDefaultEnabled> | Role assumed by authenticated identities | | |
identity_providers | List<CognitoIdentityProvider> | Identity Providers | | [] |
unauthenticated_role | Object<RoleDefaultEnabled> | Role assumed by unauthenticated (guest) identities | | |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
CognitoIdentityProvider¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
serverside_token_check | Boolean | ServerSide Token Check | | False |
userpool_client | PacoReference | Identity Provider | Paco Reference to CognitoUserPoolClient. | |
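The CognitoUserPool and CognitoIdentityPool examples above carry most of the identity-security decisions for an application: password policy and MFA defaults, the OAuth flows and redirect URLs of each app client, whether guests get an IAM role at all, and how broad the role policies are. The following is an added example, not Paco's own code, that audits both resources after they have been loaded from YAML into dicts and applies the defaults from their tables (`mfa` off, every `require_*` true). The 12-character minimum, the read-only action prefixes, the assumption that `allowed_oauth_flows` uses Cognito's flow names (`code`, `implicit`, `client_credentials`), the assumption that a role with no `enabled` key counts as enabled, and the weak sample pool are all mine.

```python
"""Audit CognitoUserPool and CognitoIdentityPool settings loaded from Paco YAML."""
from typing import Any, Dict, List

# Defaults from the CognitoUserPoolPasswordPolicy table.
PASSWORD_DEFAULTS = {"require_lowercase": True, "require_numbers": True,
                     "require_symbols": True, "require_uppercase": True}
MIN_PASSWORD_LENGTH = 12              # assumption: house floor, not a page value
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_user_pool(pool: Dict[str, Any]) -> List[str]:
    """Findings for a CognitoUserPool resource dict; empty means clean."""
    findings: List[str] = []
    pw = {**PASSWORD_DEFAULTS, **(pool.get("password") or {})}
    if pw.get("minimum_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"password.minimum_length is below {MIN_PASSWORD_LENGTH}")
    mfa = pool.get("mfa", "off")
    methods = _as_list(pool.get("mfa_methods"))
    if mfa == "off":
        findings.append("mfa is off (the page default)")
    elif not methods:
        findings.append(f"mfa is {mfa} but mfa_methods is empty")
    elif methods == ["sms"]:
        findings.append("only SMS MFA is enabled; add software_token (SMS is SIM-swap prone)")
    for name, client in (pool.get("app_clients") or {}).items():
        if "implicit" in _as_list(client.get("allowed_oauth_flows")):  # assumption: Cognito flow names
            findings.append(f"app_clients.{name}: implicit grant returns tokens in the URL fragment")
        for url in _as_list(client.get("callback_urls")) + _as_list(client.get("logout_urls")):
            if not (url.startswith("https://") or url.startswith("http://localhost")):
                findings.append(f"app_clients.{name}: non-HTTPS redirect URL {url}")
    return findings


def _is_read_only(action: str) -> bool:
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def audit_identity_pool(pool: Dict[str, Any]) -> List[str]:
    """Flag guest access and Allow statements that grant non-read actions on resource '*'."""
    findings: List[str] = []
    if pool.get("allow_unauthenticated_identities", False):
        findings.append("allow_unauthenticated_identities: every guest receives unauthenticated_role")
    for role_name in ("unauthenticated_role", "authenticated_role"):
        role = pool.get(role_name) or {}
        if not role.get("enabled", True):   # assumption: a missing 'enabled' means enabled
            continue
        for policy in _as_list(role.get("policies")):
            for stmt in _as_list(policy.get("statement")):
                if stmt.get("effect") != "Allow" or "*" not in _as_list(stmt.get("resource")):
                    continue
                broad = [a for a in _as_list(stmt.get("action")) if not _is_read_only(a)]
                if broad:
                    findings.append(f"{role_name}/{policy.get('name')}: {', '.join(broad)} on resource '*'")
    return findings


# The two examples from this page, as yaml.safe_load would return them (trimmed to the audited keys).
USER_POOL: Dict[str, Any] = {
    "mfa": "optional", "mfa_methods": ["software_token", "sms"],
    "password": {"minimum_length": 12, "require_numbers": False, "require_symbols": False},
    "app_clients": {"web": {
        "generate_secret": False, "allowed_oauth_flows": ["code"],
        "callback_urls": ["https://example.com", "https://example.com/parseauth", "https://example.com/refreshauth"],
        "logout_urls": ["https://example.com/signout"]}},
}
IDENTITY_POOL: Dict[str, Any] = {
    "allow_unauthenticated_identities": True,
    "unauthenticated_role": {"enabled": True, "policies": [{"name": "CognitoSyncAll", "statement": [
        {"effect": "Allow", "action": ["cognito-sync:*"], "resource": ["*"]}]}]},
    "authenticated_role": {"enabled": True, "policies": [{"name": "ViewDescribe", "statement": [
        {"effect": "Allow", "action": ["cognito-sync:*", "cognito-identity:*"], "resource": ["*"]},
        {"effect": "Allow", "action": ["lambda:InvokeFunction"], "resource": ["*"]}]}]},
}
# Constructed weak pool: everything left at the page defaults plus a public client using the implicit grant.
WEAK_USER_POOL: Dict[str, Any] = {
    "app_clients": {"mobile": {"allowed_oauth_flows": ["implicit"], "callback_urls": ["http://example.com/cb"]}},
}

if __name__ == "__main__":
    for f in audit_user_pool(WEAK_USER_POOL) + audit_identity_pool(IDENTITY_POOL):
        print(f)
```

Run against the page's own examples, the user pool comes back clean while the identity pool produces four findings, one for `allow_unauthenticated_identities` and one per wildcard statement; the `lambda:InvokeFunction` statement is flagged even though its action is not a wildcard, because `resource: '*'` makes every Lambda in the account invocable by any signed-in user.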
DeploymentPipeline¶
DeploymentPipeline creates AWS CodePipeline resources configured to act as CI/CD pipelines that deploy code and assets to application resources. A DeploymentPipeline lets you express a complex CI/CD pipeline with minimal configuration.
A DeploymentPipeline has a number of Actions for three pre-defined Stages: source, build and deploy. The currently supported actions for each stage are:
```
source:
  type: CodeCommit.Source
  type: ECR.Source
  type: GitHub.Source
build:
  type: CodeBuild.Build
deploy:
  type: CodeDeploy.Deploy
  type: ECS.Deploy
  type: ManualApproval
```
DeploymentPipelines can be configured to work cross-account and will automatically encrypt the artifacts S3 Bucket with a KMS CMK that only the pipeline can access.
The configuration field sets the account that the DeploymentPipeline’s CodePipeline resource will be created in and the S3 Bucket to use for artifacts.
```yaml
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
```
DeploymentPipeline caveats - there are a few things to consider when creating pipelines:
- You need to create an S3 Bucket that will be configured for artifacts. Even pipelines which don’t create artifacts will need this resource to hold ephemeral files created by CodePipeline.
- A pipeline that deploys artifacts to an AutoScalingGroup will need the artifacts_bucket policy to allow the IAM Instance Role to read from the bucket.
- A pipeline with an ECR.Source source must be in the same account as the ECR Repository.
- A pipeline with an ECR.Source source must have at least one image already pushed to the repository before the pipeline can be created.
- A pipeline that builds Docker images needs to set privileged_mode: true on its CodeBuild.Build action.
- If you are using a manual approval step before deploying, pay attention to the run_order field. Normally you will want the approval action to run before the deploy action, so give it a lower run_order; actions with the same run_order run in parallel and do not gate each other.
An S3Bucket for pipeline artifacts. Its policy grants the ASG instance role read access, as the second caveat requires:
```yaml
type: S3Bucket
enabled: true
order: 10
bucket_name: "artifacts"
deletion_policy: "delete"
account: paco.ref accounts.tools
versioning: true
policy:
  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.myapp.groups.container.resources.asg.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''
```
A pipeline that redeploys an ECS Service whenever a new image is pushed to an ECR repository:
```yaml
type: DeploymentPipeline
order: 10
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  ecr:
    type: ECR.Source
    repository: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecr_example
    image_tag: latest
deploy:
  ecs:
    type: ECS.Deploy
    cluster: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecs_cluster
    service: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecs_config.services.simple_app
```
A pipeline that pulls from GitHub, builds a Docker image with CodeBuild (hence privileged_mode: true) and deploys it to ECS:
```yaml
type: DeploymentPipeline
order: 20
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  github:
    type: GitHub.Source
    deployment_branch_name: "prod"
    github_access_token: paco.ref netenv.mynet.secrets_manager.myapp.github.token
    github_owner: MyExample
    github_repository: MyExample-FrontEnd
    poll_for_source_changes: false
build:
  codebuild:
    type: CodeBuild.Build
    deployment_environment: "prod"
    codebuild_image: 'aws/codebuild/standard:4.0'
    codebuild_compute_type: BUILD_GENERAL1_MEDIUM
    privileged_mode: true # To allow docker images to be built
    codecommit_repo_users:
      - paco.ref resource.codecommit.mygroup.myrepo.users.MyCodeCommitUser
    secrets:
      - paco.ref netenv.mynet.secrets_manager.myapp.github.ssh_private_key
    role_policies:
      - name: AmazonEC2ContainerRegistryPowerUser
        statement:
          - effect: Allow
            action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:DescribeImages
              - ecr:BatchGetImage
              - ecr:GetLifecyclePolicy
              - ecr:GetLifecyclePolicyPreview
              - ecr:ListTagsForResource
              - ecr:DescribeImageScanFindings
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            resource:
              - '*'
deploy:
  ecs:
    type: ECS.Deploy
    cluster: paco.ref netenv.mynet.applications.myapp.groups.container.resources.cluster
    service: paco.ref netenv.mynet.applications.myapp.groups.container.resources.services.services.frontend
```
A pipeline that pulls from CodeCommit, builds with CodeBuild and deploys to an AutoScalingGroup with CodeDeploy after a manual approval (note the run_order values):
```yaml
type: DeploymentPipeline
order: 30
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  codecommit:
    type: CodeCommit.Source
    codecommit_repository: paco.ref resource.codecommit.mygroup.myrepo
    deployment_branch_name: "prod"
build:
  codebuild:
    type: CodeBuild.Build
    deployment_environment: "prod"
    codebuild_image: 'aws/codebuild/amazonlinux2-x86_64-standard:1.0'
    codebuild_compute_type: BUILD_GENERAL1_SMALL
deploy:
  approval:
    type: ManualApproval
    run_order: 1
    manual_approval_notification_email:
      - bob@example.com
      - sally@example.com
  codedeploy:
    type: CodeDeploy.Deploy
    run_order: 2
    alb_target_group: paco.ref netenv.mynet.applications.myapp.groups.backend.resources.alb.target_groups.api
    auto_scaling_group: paco.ref netenv.mynet.applications.myapp.groups.backend.resources.api
    auto_rollback_enabled: true
    minimum_healthy_hosts:
      type: HOST_COUNT
      value: 0
    deploy_style_option: WITHOUT_TRAFFIC_CONTROL
```
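Several of the caveats listed above can be checked mechanically before `paco provision` runs: the artifacts bucket must be set, a ManualApproval action only gates a deploy action whose run_order is strictly higher, a privileged CodeBuild project (needed for Docker builds) should not also carry an IAM policy on resource `*`, and the artifacts bucket policy must actually let the ASG instance role read objects. The following is an added example, not Paco's own code, that performs those checks on the pipeline and bucket resources after they have been loaded from YAML into dicts. The sample resources are trimmed copies of the three pipelines and the bucket shown above; the assumptions that an action's type and run_order live at the keys `type` and `run_order`, and that the bucket policy statement uses the `aws`, `action` and `resource_suffix` keys exactly as the example does, are mine.

```python
"""Check DeploymentPipeline and artifacts-bucket config against the caveats on this page."""
import copy
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_pipeline(pipeline: Dict[str, Any]) -> List[str]:
    """Findings for one DeploymentPipeline resource dict; an empty list means clean."""
    findings: List[str] = []
    if not (pipeline.get("configuration") or {}).get("artifacts_bucket"):
        findings.append("configuration.artifacts_bucket is required even when no artifacts are produced")

    deploy = pipeline.get("deploy") or {}
    approvals = {n: a.get("run_order", 1) for n, a in deploy.items() if a.get("type") == "ManualApproval"}
    deploys = {n: a.get("run_order", 1) for n, a in deploy.items() if a.get("type") != "ManualApproval"}
    for approval, a_order in approvals.items():
        for name, d_order in deploys.items():
            # CodePipeline runs actions with the same run_order in parallel, so equal is not gated.
            if d_order <= a_order:
                findings.append(f"deploy.{name} (run_order {d_order}) is not gated by "
                                f"deploy.{approval} (run_order {a_order})")

    for name, action in (pipeline.get("build") or {}).items():
        if action.get("type") != "CodeBuild.Build" or not action.get("privileged_mode", False):
            continue
        for policy in _as_list(action.get("role_policies")):
            for stmt in _as_list(policy.get("statement")):
                if stmt.get("effect") == "Allow" and "*" in _as_list(stmt.get("resource")):
                    findings.append(f"build.{name}: privileged_mode with policy {policy.get('name')} on "
                                    f"resource '*'; scope it to the repositories the build pushes to")
    return findings


def instance_role_can_read(bucket: Dict[str, Any], role_arn_sub: str) -> bool:
    """True if a bucket policy statement lets the given instance role read objects."""
    for stmt in _as_list(bucket.get("policy")):
        if stmt.get("effect") != "Allow" or role_arn_sub not in _as_list(stmt.get("aws")):
            continue
        actions = set(_as_list(stmt.get("action")))
        if actions & {"s3:*", "s3:Get*", "s3:GetObject"} and "/*" in _as_list(stmt.get("resource_suffix")):
            return True
    return False


# Trimmed copies of the page's examples, as yaml.safe_load would return them.
ARTIFACTS = "paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts"
INSTANCE_ROLE = ("paco.sub '${paco.ref netenv.mynet.applications.myapp.groups.container"
                 ".resources.asg.instance_iam_role.arn}'")
ARTIFACTS_BUCKET: Dict[str, Any] = {
    "type": "S3Bucket", "versioning": True,
    "policy": [{"aws": [INSTANCE_ROLE], "effect": "Allow",
                "action": ["s3:Get*", "s3:List*"], "resource_suffix": ["/*", ""]}],
}
CODECOMMIT_PIPELINE: Dict[str, Any] = {
    "configuration": {"artifacts_bucket": ARTIFACTS, "account": "paco.ref accounts.tools"},
    "source": {"codecommit": {"type": "CodeCommit.Source", "deployment_branch_name": "prod"}},
    "build": {"codebuild": {"type": "CodeBuild.Build", "codebuild_compute_type": "BUILD_GENERAL1_SMALL"}},
    "deploy": {"approval": {"type": "ManualApproval", "run_order": 1},
               "codedeploy": {"type": "CodeDeploy.Deploy", "run_order": 2}},
}
GITHUB_PIPELINE: Dict[str, Any] = {
    "configuration": {"artifacts_bucket": ARTIFACTS, "account": "paco.ref accounts.tools"},
    "source": {"github": {"type": "GitHub.Source", "deployment_branch_name": "prod"}},
    "build": {"codebuild": {"type": "CodeBuild.Build", "privileged_mode": True, "role_policies": [
        {"name": "AmazonEC2ContainerRegistryPowerUser", "statement": [
            {"effect": "Allow", "action": ["ecr:GetAuthorizationToken", "ecr:PutImage"], "resource": ["*"]}]}]}},
    "deploy": {"ecs": {"type": "ECS.Deploy"}},
}
# Constructed mistake: approval and deploy run_order swapped, so the deploy runs first.
SWAPPED_PIPELINE = copy.deepcopy(CODECOMMIT_PIPELINE)
SWAPPED_PIPELINE["deploy"]["approval"]["run_order"] = 2
SWAPPED_PIPELINE["deploy"]["codedeploy"]["run_order"] = 1

if __name__ == "__main__":
    for label, p in [("codecommit", CODECOMMIT_PIPELINE), ("github", GITHUB_PIPELINE), ("swapped", SWAPPED_PIPELINE)]:
        print(label, check_pipeline(p))
    print("instance role can read artifacts:", instance_role_can_read(ARTIFACTS_BUCKET, INSTANCE_ROLE))
```

The GitHub pipeline is reported because it combines a privileged build container with ECR push rights on every repository in the account; the fix is to keep `privileged_mode: true` (the build needs it) and narrow the policy's `resource` to the repository the image is pushed to.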
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
build | Container<DeploymentPipelineBuildStage> | Deployment Pipeline Build Stage | ||
configuration | Object<DeploymentPipelineConfiguration> | Deployment Pipeline General Configuration | ||
deploy | Container<DeploymentPipelineDeployStage> | Deployment Pipeline Deploy Stage | ||
source | Container<DeploymentPipelineSourceStage> | Deployment Pipeline Source Stage | ||
stages | Container<CodePipelineStages> | Stages |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
CodePipelineStages¶
Container for CodePipelineStage objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
CodePipelineStage¶
Container for different types of DeploymentPipelineStageAction objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
DeploymentPipelineSourceStage¶
A map of DeploymentPipeline source stage actions
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
DeploymentPipelineDeployStage¶
A map of DeploymentPipeline deploy stage actions
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
DeploymentPipelineBuildStage¶
A map of DeploymentPipeline build stage actions
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
DeploymentPipelineDeployCodeDeploy¶
CodeDeploy DeploymentPipeline Deploy Stage
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
alb_target_group | PacoReference | ALB Target Group Reference | Paco Reference to TargetGroup. | |
auto_rollback_enabled | Boolean | Automatic rollback enabled | | True |
auto_scaling_group | PacoReference | ASG Reference | Paco Reference to ASG. | |
deploy_instance_role | PacoReference | Deploy Instance Role Reference | Paco Reference to Role. | |
deploy_style_option | String | Deploy Style Option | | WITH_TRAFFIC_CONTROL |
elb_name | String | ELB Name | | |
minimum_healthy_hosts | Object<CodeDeployMinimumHealthyHosts> | The minimum number of healthy instances that should be available at any time during the deployment. | | |
Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title
DeploymentPipelineSourceECR¶
Amazon ECR DeploymentPipeline Source Stage
This Action is triggered whenever a new image is pushed to an Amazon ECR repository.
```yaml
pipeline:
  type: DeploymentPipeline
  stages:
    source:
      ecr:
        type: ECR.Source
        enabled: true
        repository: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.myecr
        image_tag: "latest"
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
image_tag | String | The name of the tag used for the image. | | latest |
repository | PacoReference|String | An ECRRepository ref or the name of an ECR repository. | Paco Reference to ECRRepository. String Ok. | |
Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title
CodeDeployMinimumHealthyHosts¶
CodeDeploy Minimum Healthy Hosts
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
type | String | Deploy Config Type | | HOST_COUNT |
value | Int | Deploy Config Value | | 0 |
DeploymentPipelineManualApproval¶
ManualApproval DeploymentPipeline
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
manual_approval_notification_email | List<String> | Manual Approval Notification Email List |
Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title
DeploymentPipelineDeployS3¶
Amazon S3 Deployment Provider
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
bucket | PacoReference | S3 Bucket Reference | Paco Reference to S3Bucket. | |
extract | Boolean | Boolean indicating whether the deployment artifact will be unarchived. | | True |
input_artifacts | List<String> | Input Artifacts | | |
object_key | String | S3 object key to store the deployment artifact as. | | |
Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title
DeploymentPipelineBuildCodeBuild¶
CodeBuild DeploymentPipeline Build Stage
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
buildspec | String | buildspec.yml filename | | |
codebuild_compute_type | String | CodeBuild Compute Type | | |
codebuild_image | String | CodeBuild Docker Image | | |
codecommit_repo_users | List<PacoReference> | CodeCommit Users | Paco Reference to CodeCommitUser. | |
deployment_environment | String | Deployment Environment | | |
ecr_repositories | List<ECRRepositoryPermission> | ECR Repository Permissions | | [] |
privileged_mode | Boolean | Privileged Mode (required to build Docker images) | | False |
role_policies | List<Policy> | Project IAM Role Policies | | |
secrets | List<PacoReference> | List of PacoReferences to Secrets Manager secrets | Paco Reference to SecretsManagerSecret. | |
timeout_mins | Int | Timeout in Minutes | | 60 |
Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title
DeploymentPipelineSourceCodeCommit¶
CodeCommit DeploymentPipeline Source Stage
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
codecommit_repository | PacoReference | CodeCommit Repository | Paco Reference to CodeCommitRepository. | |
deployment_branch_name | String | Deployment Branch Name | | |
Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title
DeploymentPipelineStageAction¶
Base schema shared by every DeploymentPipeline stage action (source, build and deploy).
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
run_order | Int | The order in which to run this action within its stage | | 1 |
type | String | The action type, for example CodeBuild.Build or ManualApproval | | |
DeploymentPipelineConfiguration¶
Deployment Pipeline General Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
account | PacoReference | The account where Pipeline tools will be provisioned. | Paco Reference to Account. | |
artifacts_bucket | PacoReference | Artifacts S3 Bucket Reference | Paco Reference to S3Bucket. |
DeploymentGroupS3Location¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
bucket | PacoReference | S3 Bucket revision location | Paco Reference to S3Bucket. | |
bundle_type | String | Bundle Type | Must be one of JSON, tar, tgz, YAML or zip. | |
key | String | The name of the Amazon S3 object that represents the bundled artifacts for the application revision. |
EBS¶
Elastic Block Store (EBS) Volume.
It is required to specify the availability_zone the EBS Volume will be created in. If the volume is going to be used by an ASG, the ASG must launch its instance in the same availability_zone (and region).
```yaml
type: EBS
order: 5
enabled: true
size_gib: 4
volume_type: gp2
availability_zone: 1
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
availability_zone | Int | Availability Zone to create Volume in. | | |
size_gib | Int | Volume Size in GiB | | 10 |
snapshot_id | String | Snapshot ID | | |
volume_type | String | Volume Type | Must be one of: gp2, io1, sc1, st1 or standard | gp2 |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
EC2¶
EC2 Instance
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
associate_public_ip_address | Boolean | Associate Public IP Address | | False |
disable_api_termination | Boolean | Disable API Termination | | False |
instance_ami | String | Instance AMI | | |
instance_key_pair | PacoReference | Key pair for connections to the instance | Paco Reference to EC2KeyPair. | |
instance_type | String | Instance type | | |
private_ip_address | String | Private IP Address | | |
root_volume_size_gb | Int | Root volume size GB | | 8 |
security_groups | List<PacoReference> | Security groups | Paco Reference to SecurityGroup. | |
segment | String | Segment | | |
user_data_script | String | User data script | | |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
ECRRepository¶
Elastic Container Registry (ECR) Repository is a fully-managed Docker container registry.
```yaml
type: ECRRepository
enabled: true
order: 10
repository_name: 'ecr-example'
cross_account_access:
  - paco.ref accounts.dev
  - paco.ref accounts.tools
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
account | PacoReference | Account the ECR Repository belongs to | Paco Reference to Account. | |
cross_account_access | List<PacoReference> | Accounts to grant access to this ECR. | Paco Reference to Account. | |
lifecycle_policy_registry_id | String | Lifecycle Policy Registry Id | ||
lifecycle_policy_text | String | Lifecycle Policy | ||
repository_name | String | Repository Name | ||
repository_policy | Object<Policy> | Repository Policy |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
ECRRepositoryPermission¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
permission | Choice | Permission | Must be one of ‘Push’, ‘Pull’ or ‘PushAndPull’ | |
repository | PacoReference | ECR Repository | Paco Reference to ECRRepository. |
ECSCluster¶
The ECSCluster resource type creates an Amazon Elastic Container Service (Amazon ECS) cluster.
```yaml
type: ECSCluster
title: My ECS Cluster
enabled: true
order: 10
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
ECSServices¶
The ECSServices resource type creates one or more ECS Services and their TaskDefinitions that can run in an ECSCluster.
```yaml
type: ECSServices
title: "My ECS Services"
enabled: true
order: 40
cluster: paco.ref netenv.mynet.applications.myapp.groups.ecs.resources.cluster
service_discovery_namespace_name: 'private-name'
secrets_manager_access:
  - paco.ref netenv.mynet.secrets_manager.store.database.mydb
task_definitions:
  frontend:
    container_definitions:
      frontend:
        cpu: 256
        essential: true
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.frontend
        image_tag: latest
        memory: 150 # in MiB
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 80
            host_port: 0
            protocol: tcp
        secrets:
          - name: DATABASE_PASSWORD
            value_from: paco.ref netenv.mynet.secrets_manager.store.database.mydb
        environment:
          - name: POSTGRES_HOSTNAME
            value: paco.ref netenv.mynet.applications.myapp.groups.database.resources.postgresql.endpoint.address
  demoservice:
    container_definitions:
      demoservice:
        cpu: 256
        essential: true
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.demoservice
        image_tag: latest
        memory: 100 # in MiB
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 80
            host_port: 0
            protocol: tcp
services:
  frontend:
    desired_count: 0
    task_definition: frontend
    deployment_controller: ecs
    hostname: frontend.myapp
    load_balancers:
      - container_name: frontend
        container_port: 80
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.external.target_groups.frontend
  demoservice:
    desired_count: 0
    task_definition: demoservice
    deployment_controller: ecs
    load_balancers:
      - container_name: demoservice
        container_port: 80
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.internal.target_groups.demoservice
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
cluster | PacoReference | Cluster | Paco Reference to ECSCluster. | |
secrets_manager_access | List<PacoReference> | List Secrets Manager secret Paco references | Paco Reference to SecretsManagerSecret. | |
service_discovery_namespace_name | String | Service Discovery Namespace | ||
services | Container<ECSServicesContainer> | Service | ||
setting_groups | Container<ECSSettingsGroups_> | Setting Groups | ||
task_definitions | Container<ECSTaskDefinitions> | Task Definitions |
Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
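The ECSServices example above shows the pattern to copy for sensitive values: `DATABASE_PASSWORD` arrives through `secrets` / `value_from` as a Secrets Manager reference that is also listed in `secrets_manager_access`, while only the non-secret hostname goes through `environment`. The following is an added example, not Paco's own code, that audits a loaded ECSServices resource for the ways that pattern gets broken: a credential passed as a plain `environment` value, a secret whose reference is missing from `secrets_manager_access`, a container with no `logging` block, `network_mode: host`, and the mutable `latest` image tag. The sensitive-name heuristic, the treatment of `latest` as a finding, the weak sample task definition, and the assumption that `secrets_manager_access` is what grants the task access to a referenced secret are mine; the clean sample is the page's own example.

```python
"""Audit ECSServices task definitions for secret handling and risky container settings."""
from typing import Any, Dict, List

# Assumption: a naming heuristic for values that belong in Secrets Manager, not in environment.
SENSITIVE_NAME_PARTS = ("PASSWORD", "SECRET", "TOKEN", "_KEY", "CREDENTIAL")


def _looks_sensitive(name: str) -> bool:
    return any(part in name.upper() for part in SENSITIVE_NAME_PARTS)


def audit_task_definitions(task_definitions: Dict[str, Any]) -> List[str]:
    """Findings for the task_definitions container; an empty list means clean."""
    findings: List[str] = []
    for td_name, td in (task_definitions or {}).items():
        if td.get("network_mode", "bridge") == "host":   # bridge is the page default
            findings.append(f"{td_name}: network_mode host shares the instance's network namespace")
        for c_name, c in (td.get("container_definitions") or {}).items():
            where = f"{td_name}.{c_name}"
            if c.get("image_tag") == "latest":
                findings.append(f"{where}: image_tag latest is mutable; pin an immutable tag or digest")
            if not c.get("logging"):
                findings.append(f"{where}: no logging block, container output is not retained")
            for env in c.get("environment") or []:
                name, value = str(env.get("name", "")), str(env.get("value", ""))
                if _looks_sensitive(name) and not value.startswith("paco.ref"):
                    findings.append(f"{where}: {name} is a plain environment value; use secrets/value_from")
            for sec in c.get("secrets") or []:
                if not str(sec.get("value_from", "")).startswith("paco.ref"):
                    findings.append(f"{where}: secret {sec.get('name')} value_from is not a Paco reference")
    return findings


def audit_ecs_services(resource: Dict[str, Any]) -> List[str]:
    """Task-definition findings plus secrets referenced but not granted via secrets_manager_access."""
    findings = audit_task_definitions(resource.get("task_definitions") or {})
    granted = set(resource.get("secrets_manager_access") or [])   # assumption: this list is the grant
    for td_name, td in (resource.get("task_definitions") or {}).items():
        for c_name, c in (td.get("container_definitions") or {}).items():
            for sec in c.get("secrets") or []:
                if sec.get("value_from") not in granted:
                    findings.append(f"{td_name}.{c_name}: secret {sec.get('name')} is not listed in secrets_manager_access")
    return findings


# The page's example, as yaml.safe_load would return it (trimmed to the audited keys).
DB_SECRET = "paco.ref netenv.mynet.secrets_manager.store.database.mydb"
ECS_SERVICES: Dict[str, Any] = {
    "secrets_manager_access": [DB_SECRET],
    "task_definitions": {
        "frontend": {"container_definitions": {"frontend": {
            "image_tag": "latest", "logging": {"driver": "awslogs", "expire_events_after_days": 90},
            "secrets": [{"name": "DATABASE_PASSWORD", "value_from": DB_SECRET}],
            "environment": [{"name": "POSTGRES_HOSTNAME",
                             "value": "paco.ref netenv.mynet.applications.myapp.groups.database.resources.postgresql.endpoint.address"}]}}},
        "demoservice": {"container_definitions": {"demoservice": {
            "image_tag": "latest", "logging": {"driver": "awslogs", "expire_events_after_days": 90}}}},
    },
}
# Constructed weak task definition: host networking, no logging, a password in environment and a
# secret given as a raw ARN-style string instead of a Paco reference.
WEAK_TASK_DEFINITIONS: Dict[str, Any] = {
    "api": {"network_mode": "host", "container_definitions": {"api": {
        "image_tag": "v1.2.3",
        "environment": [{"name": "DATABASE_PASSWORD", "value": "hunter2"}],
        "secrets": [{"name": "API_TOKEN", "value_from": "arn:aws:secretsmanager:us-west-2:000000000000:secret:api"}]}}},
}

if __name__ == "__main__":
    for f in audit_ecs_services(ECS_SERVICES) + audit_ecs_services({"task_definitions": WEAK_TASK_DEFINITIONS}):
        print(f)
```

On the page's own example the only findings are the two `image_tag: latest` entries, which is worth noticing because an ECR.Source pipeline keyed on `latest` redeploys whatever was last pushed under that tag; pinning an immutable tag makes the deployed image a deliberate choice rather than a race.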
ECSServicesContainer¶
Container for ECSService objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
ECSService¶
ECS Service
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
deployment_controller | Choice | Deployment Controller | One of ecs, code_deploy or external | ecs |
deployment_maximum_percent | Int | Deployment Maximum Percent | | 200 |
deployment_minimum_healthy_percent | Int | Deployment Minimum Healthy Percent | | 100 |
desired_count | Int | Desired Count | | |
health_check_grace_period_seconds | Int | Health Check Grace Period (seconds) | | 0 |
hostname | String | Container hostname | | |
launch_type | Choice | Launch Type | Must be one of EC2 or Fargate | EC2 |
load_balancers | List<ECSLoadBalancer> | Load Balancers | | [] |
maximum_tasks | Int | Maximum Tasks in service | | 0 |
minimum_tasks | Int | Minimum Tasks in service | | 0 |
suspend_scaling | Boolean | Suspend any Service Scaling activities | | False |
target_tracking_scaling_policies | Container<ECSTargetTrackingScalingPolicies> | Target Tracking Scaling Policies | | |
task_definition | String | Task Definition | | |
vpc_config | Object<ServiceVPCConfiguration> | VPC Configuration | | |
Base Schemas Monitorable, Named, Title
ECSTaskDefinitions¶
Container for ECSTaskDefinition objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
ECSTaskDefinition¶
ECS Task Definition
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
container_definitions | Container<ECSContainerDefinitions> | Container Definitions | | |
cpu_units | Int | CPU in Units | Must be one of 256, 512, 1024, 2048 or 4096 | 256 |
fargate_compatibile | Boolean | Require Fargate Compatibility (note the field name is spelled this way) | | False |
memory_in_mb | Int | Memory in MB | Must be one of 512, 1024, 2048, or 4096 through 30720 | 512 |
network_mode | Choice | Network Mode | Must be one of awsvpc, bridge, host or none | bridge |
volumes | List<ECSVolume> | Volume definitions for the task | | [] |
ECSContainerDefinitions¶
Container for ECSContainerDefinition objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
ECSContainerDefinition¶
ECS Container Definition
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
command | List<String> | Command (Docker CMD) | List of strings | |
cpu | Int | CPU units | | |
depends_on | List<ECSContainerDependency> | Depends On | List of ECS Container Dependencies | [] |
disable_networking | Boolean | Disable Networking | | False |
dns_search_domains | List<String> | List of DNS search domains. Maps to ‘DnsSearch’ in Docker. | | [] |
dns_servers | List<String> | List of DNS servers. Maps to ‘Dns’ in Docker. | | [] |
docker_labels | Container<DockerLabels> | A key/value map of labels. Maps to ‘Labels’ in Docker. | | |
docker_security_options | Choice | List of custom labels for SELinux and AppArmor multi-level security systems. | Must be a list of no-new-privileges, apparmor:PROFILE, label:value, or credentialspec:CredentialSpecFilePath | [] |
entry_point | List<String> | Entry Point (Docker ENTRYPOINT) | List of strings | |
environment | List<NameValuePair> | List of environment name/value pairs. Use secrets, not environment, for credentials. | | |
essential | Boolean | Essential | | False |
extra_hosts | List<ECSHostEntry> | List of hostnames and IP address mappings to append to the /etc/hosts file on the container. | | [] |
health_check | Object<ECSHealthCheck> | The container health check command and associated configuration parameters for the container. This parameter maps to ‘HealthCheck’ in Docker. | | |
hostname | String | Hostname to use for your container. This parameter maps to ‘Hostname’ in Docker. | | |
image | PacoReference or String | The image used to start a container. This string is passed directly to the Docker daemon. | Paco Reference to ECRRepository, or a plain image string. When a Paco reference to an ECR repository is used, the image_tag field supplies the tag. | |
image_tag | String | Tag used for the ECR Repository image | | latest |
interactive | Boolean | When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated. This parameter maps to ‘OpenStdin’ in Docker. | | |
logging | Object<ECSLogging> | Logging Configuration | | |
memory | Int | The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. | | |
memory_reservation | Int | The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit. | | |
mount_points | List<ECSMountPoint> | The mount points for data volumes in your container. | | |
port_mappings | List<PortMapping> | Port Mappings | | [] |
privileged | Boolean | Give the container elevated privileges on the host container instance (similar to the root user). | | False |
pseudo_terminal | Boolean | Allocate a TTY. This parameter maps to ‘Tty’ in Docker. | | |
readonly_root_filesystem | Boolean | Read-only access to its root file system. This parameter maps to ‘ReadonlyRootfs’ in Docker. | | |
secrets | List<ECSTaskDefinitionSecret> | List of name, value_from pairs referencing Secrets Manager secrets by Paco reference. | | |
setting_groups | List<String> | List of names of setting_groups. | | [] |
start_timeout | Int | Time duration (in seconds) to wait before giving up on resolving dependencies for a container. | | 300 |
stop_timeout | Int | Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own. | | 30 |
ulimits | List<ECSUlimit> | List of ulimits to set in the container. This parameter maps to ‘Ulimits’ in Docker. | | [] |
user | String | The user name to use inside the container. This parameter maps to ‘User’ in Docker. | | |
volumes_from | List<ECSVolumesFrom> | Volumes to mount from another container (Docker VolumesFrom). | | [] |
working_directory | String | The working directory in which to run commands inside the container. This parameter maps to ‘WorkingDir’ in Docker. | | |
ECSLoadBalancer¶
ECS Load Balancer
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
container_name | String | Container Name | ||
container_port | Int | Container Port | ||
target_group | PacoReference | Target Group | Paco Reference to TargetGroup. |
ECSUlimit¶
ECS Ulimit
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
hard_limit | Int | The hard limit for the ulimit type. | ||
name | Choice | The type of the ulimit | ||
soft_limit | Int | The soft limit for the ulimit type. |
ECSHealthCheck¶
ECS Health Check
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
command | List<String> | A string array representing the command that the container runs to determine if it is healthy. The string array must start with CMD to execute the command arguments directly, or CMD-SHELL to run the command with the container’s default shell. | ||
interval | Int | The time period in seconds between each health check execution. | | 30 |
retries | Int | Retries | | 3 |
start_period | Int | The optional grace period within which to provide containers time to bootstrap before failed health checks count towards the maximum number of retries. | | |
timeout | Int | The time period in seconds to wait for a health check to succeed before it is considered a failure. | | 5 |
ECSHostEntry¶
ECS Host Entry
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
hostname | String | Hostname | ||
ip_address | String | IP Address |
ECSContainerDependency¶
ECS Container Dependency
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
condition | Choice | Condition | Must be one of COMPLETE, HEALTHY, START or SUCCESS | |
container_name | String | Container Name | Must be an existing container name. |
ECSTaskDefinitionSecret¶
A Name/ValueFrom pair of Paco references to Secrets Manager secrets
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
name | String | Name | ||
value_from | PacoReference | Paco reference to Secrets manager | Paco Reference to SecretsManagerSecret. |
ECSLogging¶
ECS Logging Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
driver | Choice | Log Driver | One of awsfirelens, awslogs, fluentd, gelf, journald, json-file, splunk, syslog |
Base Schemas CloudWatchLogRetention, Named, Title
ECSVolumesFrom¶
Volumes From
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
read_only | Boolean | Read Only | | False |
source_container | String | The name of another container within the same task definition from which to mount volumes. |
ECSTargetTrackingScalingPolicies¶
Container for ECSTargetTrackingScalingPolicy objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
ECSTargetTrackingScalingPolicy¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
disable_scale_in | Boolean | Disable ScaleIn | | False |
predefined_metric | Choice | Predefined Metric to scale on | Must be one of ALBRequestCountPerTarget, ECSServiceAverageMemoryUtilization or ECSServiceAverageCPUUtilization | |
scale_in_cooldown | Int | ScaleIn Cooldown | | 300 |
scale_out_cooldown | Int | ScaleOut Cooldown | | 300 |
target | Int | Target | | |
target_group | PacoReference | ALB TargetGroup | Paco Reference to TargetGroup. | |
ServiceVPCConfiguration¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
assign_public_ip | Boolean | Assign Public IP | | False |
Base Schemas Named, VPCConfiguration, Title
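The container-level fields above (privileged, user, readonly_root_filesystem, docker_security_options, secrets versus environment), the ECSTaskDefinitionSecret pair and the ServiceVPCConfiguration assign_public_ip flag are the ones that decide how much a compromised container can do. The following is an added example, not configuration from the Paco project docs: one task definition that leaves all of them at their defaults, next to a hardened one, wired into a Fargate service. Every paco.ref path is a placeholder for a hypothetical "myapp" netenv; the Secrets Manager reference path and the name/value keys used under environment are assumptions about Paco's schema.

```yaml
# Added example, not from the Paco docs. All paco.ref paths are placeholders for a
# hypothetical "myapp" netenv; the Secrets Manager reference path and the
# name/value keys of NameValuePair are assumptions about Paco's schema.
type: ECSServices
order: 10
enabled: true
cluster: paco.ref netenv.mynet.applications.myapp.groups.ecs.resources.cluster
secrets_manager_access:            # secret the tasks may read (assumed purpose of this list)
  - paco.ref netenv.mynet.secrets_manager.myapp.api.db_password
task_definitions:
  api-permissive:
    # Only required fields set: runs as the image's user (often root), writable
    # root filesystem, setuid escalation allowed, and the secret is plaintext.
    container_definitions:
      api:
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.api
        image_tag: latest            # mutable tag: the deployed code can change silently
        essential: true
        memory: 256
        environment:
          - name: DB_PASSWORD        # readable by anyone allowed ecs:DescribeTaskDefinition
            value: 'hunter2'
        port_mappings:
          - container_port: 8080
            host_port: 0
            protocol: tcp
  api-hardened:
    network_mode: awsvpc             # per-task ENI, so security groups apply per task
    fargate_compatibile: true        # Paco spells the field this way
    cpu_units: 256
    memory_in_mb: 512
    container_definitions:
      api:
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.api
        image_tag: v1.4.2            # pinned release tag
        essential: true
        memory: 256
        memory_reservation: 128
        user: '10001:10001'          # non-root UID:GID that exists in the image
        privileged: false
        readonly_root_filesystem: true   # app may only write to mounted volumes
        docker_security_options:
          - no-new-privileges        # setuid/setgid binaries cannot raise privileges
        ulimits:
          - name: nofile
            soft_limit: 4096
            hard_limit: 4096
        environment:                 # non-secret configuration only
          - name: LOG_LEVEL
            value: info
        secrets:                     # ECS injects the value at start; not stored in the task JSON
          - name: DB_PASSWORD
            value_from: paco.ref netenv.mynet.secrets_manager.myapp.api.db_password
        health_check:                # the image must ship curl for this command to work
          command: ['CMD-SHELL', 'curl -fsS http://localhost:8080/healthz || exit 1']
          interval: 30
          timeout: 5
          retries: 3
          start_period: 15
        stop_timeout: 30
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 8080
            host_port: 8080          # awsvpc: host port must equal container port
            protocol: tcp
services:
  api:
    task_definition: api-hardened
    launch_type: Fargate
    desired_count: 2
    deployment_minimum_healthy_percent: 100
    health_check_grace_period_seconds: 60
    vpc_config:
      assign_public_ip: false        # private segment, egress via NAT only
      segments:
        - paco.ref netenv.mynet.network.vpc.segments.private
      security_groups:
        - paco.ref netenv.mynet.network.vpc.security_groups.myapp.api
    load_balancers:
      - container_name: api
        container_port: 8080
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.external.target_groups.api
```

The two definitions run the same image; the difference is what an attacker gets after exploiting the application. In api-permissive a code-execution bug yields a writable root filesystem, whatever user the image defaults to, and the database password in the process environment and in the task definition itself. In api-hardened the process is unprivileged and cannot escalate, the filesystem cannot be used to drop tools, and the secret exists only in Secrets Manager and the running container's environment. With readonly_root_filesystem set, anything the application must write (temp files, caches) has to go to a volume listed under mount_points, so test the image with the flag before rolling it out.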
ECSMountPoint¶
ECS TaskDefinition Mount Point
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
container_path | String | The path on the container to mount the host volume at. | ||
read_only | Boolean | Read Only | | False |
source_volume | String | The name of the volume to mount. | Must be a volume name referenced in the name parameter of task definition volume. |
EIP¶
Elastic IP (EIP) resource.
```yaml
type: EIP
order: 5
enabled: true
dns:
  - domain_name: example.com
    hosted_zone: paco.ref resource.route53.examplecom
    ttl: 60
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
dns | List<DNS> | List of DNS for the EIP |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
EFS¶
AWS Elastic File System (EFS) resource. The encrypted field defaults to false and EFS encryption at rest can only be chosen when the file system is created, so set it explicitly on every new file system; the example below shows the default.
```yaml
type: EFS
order: 20
enabled: true
encrypted: false
segment: private
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.cloud.content
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
encrypted | Boolean | Encryption at Rest | | False |
security_groups | List<PacoReference> | Security groups | SecurityGroup the EFS belongs to Paco Reference to SecurityGroup. | |
segment | String | Segment |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
ElastiCache¶
Base ElastiCache Interface
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
at_rest_encryption | Boolean | Enable encryption at rest | ||
auto_minor_version_upgrade | Boolean | Enable automatic minor version upgrades | ||
automatic_failover_enabled | Boolean | Specifies whether a read-only replica is automatically promoted to read/write primary if the existing primary fails | ||
az_mode | String | AZ mode | ||
cache_clusters | Int | Number of Cache Clusters | ||
cache_node_type | String | Cache Node Instance type | ||
description | String | Replication Description | ||
engine | String | ElastiCache Engine | ||
engine_version | String | ElastiCache Engine Version | ||
maintenance_preferred_window | String | Preferred maintenance window | ||
number_of_read_replicas | Int | Number of read replicas | ||
parameter_group | PacoReference or String | Parameter Group name | Paco Reference to Interface. String Ok. | |
port | Int | Port | ||
security_groups | List<PacoReference> | List of Security Groups | Paco Reference to SecurityGroup. | |
segment | PacoReference | Segment | Paco Reference to Segment. |
ElastiCacheRedis¶
Redis ElastiCache Interface
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
cache_parameter_group_family | String | Cache Parameter Group Family | ||
snapshot_retention_limit_days | Int | Snapshot Retention Limit in Days | ||
snapshot_window | String | The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node group (shard). |
Base Schemas ElastiCache, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
ElasticsearchDomain¶
Amazon Elasticsearch Service (Amazon ES) is a managed service for Elasticsearch clusters. An Amazon ES domain is synonymous with an Elasticsearch cluster. Domains are clusters with the settings, instance types, instance counts, and storage resources that you specify.
```yaml
type: ElasticsearchDomain
order: 10
title: "Elasticsearch Domain"
enabled: true
access_policies_json: ./es-config/es-access.json
advanced_options:
  indices.fielddata.cache.size: ""
  rest.action.multi.allow_explicit_index: "true"
cluster:
  instance_count: 2
  zone_awareness_enabled: false
  instance_type: "t2.micro.elasticsearch"
  dedicated_master_enabled: true
  dedicated_master_type: "t2.micro.elasticsearch"
  dedicated_master_count: 2
ebs_volumes:
  enabled: true
  iops: 0
  volume_size_gb: 10
  volume_type: 'gp2'
segment: web
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.search
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
access_policies_json | StringFileReference | Policy document that specifies who can access the Amazon ES domain and their permissions. | ||
advanced_options | Container<ESAdvancedOptions> | Advanced Options | ||
cluster | Object<ElasticsearchCluster> | Elasticsearch Cluster configuration | ||
ebs_volumes | Object<EBSOptions> | EBS volumes that are attached to data nodes in the Amazon ES domain. | ||
elasticsearch_version | String | The version of Elasticsearch to use, such as 2.3. | | 1.5 |
node_to_node_encryption | Boolean | Enable node-to-node encryption | ||
security_groups | List<PacoReference> | List of Security Groups | Paco Reference to SecurityGroup. | |
segment | String | Segment | ||
snapshot_start_hour | Int | The hour in UTC during which the service takes an automated daily snapshot of the indices in the Amazon ES domain. |
Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
ElasticsearchCluster¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
dedicated_master_count | Int | The number of instances to use for the master node. | If you specify this field, you must specify true for the dedicated_master_enabled field. | |
dedicated_master_enabled | Boolean | Indicates whether to use a dedicated master node for the Amazon ES domain. | ||
dedicated_master_type | String | The hardware configuration of the computer that hosts the dedicated master node | Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html | |
instance_count | Int | The number of data nodes (instances) to use in the Amazon ES domain. | ||
instance_type | String | The instance type for your data nodes. | Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html | |
zone_awareness_availability_zone_count | Int | If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use. | | 2 |
zone_awareness_enabled | Boolean | Enable zone awareness for the Amazon ES domain. |
EBSOptions¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
enabled | Boolean | Specifies whether Amazon EBS volumes are attached to data nodes in the Amazon ES domain. | ||
iops | Int | The number of I/O operations per second (IOPS) that the volume supports. | ||
volume_size_gb | Int | The size (in GiB) of the EBS volume for each data node. | The minimum and maximum size of an EBS volume depends on the EBS volume type and the instance type to which it is attached. | |
volume_type | String | The EBS volume type to use with the Amazon ES domain. | Must be one of: standard, gp2, io1, st1, or sc1 |
ESAdvancedOptions¶
An unconstrained set of key-value pairs used to set advanced options for Elasticsearch.
EventsRule¶
Events Rule resources match incoming or scheduled events and route them to targets using Amazon EventBridge.
```yaml
type: EventsRule
enabled: true
order: 10
description: Invoke a Lambda every other minute
schedule_expression: "cron(*/2 * * * ? *)"
targets:
  - target: paco.ref netenv.mynet.applications.myapp.groups.mygroup.resources.mylambda
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
description | String | Description | ||
enabled_state | Boolean | Enabled State | | True |
schedule_expression | String | Schedule Expression | ||
targets | List<EventTarget> | The AWS Resources that are invoked when the Rule is triggered. |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
Lambda¶
Lambda Functions allow you to run code without provisioning servers and only pay for the compute time when the code is running.
The code for the Lambda function can be specified in one of three ways in the code field:

- S3 Bucket artifact: supply an s3_bucket and s3_key where you have an existing code artifact file.
- Local file: supply zipfile as a path to a local file on disk. This will be inlined into the CloudFormation template and has a size limit of only 4 KB (4096 characters).
- Local directory: supply zipfile as a path to a directory on disk. This directory will be packaged into a zip file and Paco will create an S3 Bucket where it will upload and manage Lambda deployment artifacts.

```yaml
code:
  s3_bucket: my-bucket-name
  s3_key: 'myapp-1.0.zip'
```

```yaml
code:
  zipfile: ./lambda-dir/my-lambda.py
```

```yaml
code:
  zipfile: ~/code/my-app/lambda_target/
```
```yaml
type: Lambda
enabled: true
order: 1
title: 'My Lambda Application'
description: 'Checks the Widgets Service and applies updates to a Route 53 Record Set.'
code:
  s3_bucket: my-bucket-name
  s3_key: 'myapp-1.0.zip'
environment:
  variables:
    - key: 'VAR_ONE'
      value: 'hey now!'
    - key: 'VAR_TWO'
      value: 'Hank Kingsley'
iam_role:
  enabled: true
  policies:
    - name: DNSRecordSet
      statement:
        - effect: Allow
          action:
            - route53:ChangeResourceRecordSets
          resource:
            - 'arn:aws:route53:::hostedzone/AJKDU9834DUY934'
handler: 'myapp.lambda_handler'
memory_size: 128
runtime: 'python3.7'
timeout: 900
expire_events_after_days: 90
log_group_names:
  - AppGroupOne
sns_topics:
  - paco.ref netenv.app.applications.app.groups.web.resources.snstopic
vpc_config:
  segments:
    - paco.ref netenv.app.network.vpc.segments.public
  security_groups:
    - paco.ref netenv.app.network.vpc.security_groups.app.function
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
code | Object<LambdaFunctionCode> | The function deployment package. | ||
description | String | A description of the function. | ||
edge | Object<LambdaAtEdgeConfiguration> | Lambda@Edge configuration | ||
environment | Object<LambdaEnvironment> | Lambda Function Environment | ||
handler | String | Function Handler | ||
iam_role | Object<Role> | The IAM Role this Lambda will execute as. | ||
layers | List<String> | Layers | Up to 5 Layer ARNs | |
log_group_names | List<String> | Log Group names | List of Log Group names | [] |
memory_size | Int | Function memory size (MB) | | 128 |
reserved_concurrent_executions | Int | Reserved Concurrent Executions | | 0 |
runtime | String | Runtime environment | | python3.7 |
sdb_cache | Boolean | SDB Cache Domain | | False |
sns_topics | List<PacoReference> | List of SNS Topic Paco references or SNS Topic ARNs to subscribe the Lambda to. | Paco Reference to SNSTopic. String Ok. | |
timeout | Int | The amount of time that Lambda allows a function to run before stopping it. | | 3 |
vpc_config | Object<LambdaVpcConfig> | Vpc Configuration |
Base Schemas Resource, DNSEnablable, Deployable, CloudWatchLogRetention, Monitorable, Named, Title, Type
LambdaFunctionCode¶
The deployment package for a Lambda function.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
s3_bucket | PacoReference or String | An Amazon S3 bucket in the same AWS Region as your function | Paco Reference to S3Bucket. String Ok. | |
s3_key | String | The Amazon S3 key of the deployment package. | ||
zipfile | LocalPath | The function code as a local file or directory. | Maximum of 4096 characters. |
LambdaEnvironment¶
Lambda Environment
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
variables | List<LambdaVariable> | Lambda Function Variables |
LambdaVpcConfig¶
Lambda VPC Configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas Named, VPCConfiguration, Title
LoadBalancer¶
Base class for Load Balancers
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
access_logs_bucket | PacoReference | Bucket to store access logs in | Paco Reference to S3Bucket. | |
access_logs_prefix | String | Access Logs S3 Bucket prefix | ||
dns | List<DNS> | List of DNS for the ALB | ||
enable_access_logs | Boolean | Write access logs to an S3 Bucket | ||
idle_timeout_secs | Int | Idle timeout in seconds | The idle timeout value, in seconds. | 60 |
listeners | Container<Listeners> | Listeners | ||
scheme | Choice | Scheme | ||
security_groups | List<PacoReference> | Security Groups | Paco Reference to SecurityGroup. | |
segment | String | Id of the segment stack | ||
target_groups | Container<TargetGroups> | Target Groups |
Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
ApplicationLoadBalancer¶
The LBApplication resource type creates an Application Load Balancer. Use load balancers to route traffic from the internet to your web servers.

Load balancers have listeners which accept requests on specified ports and protocols. If a listener uses the HTTPS protocol, it can have a Paco reference to an SSL certificate. A listener can then either redirect the traffic to another port/protocol or send it to one of its named target_groups.

Each target group specifies its own health check configuration. To specify which resources belong to a target group, use the target_groups field on an ASG resource (ECS services attach through the load_balancers field of an ECSService instead).
```yaml
type: LBApplication
enabled: true
enable_access_logs: true
target_groups:
  api:
    health_check_interval: 30
    health_check_timeout: 10
    healthy_threshold: 2
    unhealthy_threshold: 2
    port: 3000
    protocol: HTTP
    health_check_http_code: 200
    health_check_path: /
    connection_drain_timeout: 30
listeners:
  http:
    port: 80
    protocol: HTTP
    redirect:
      port: 443
      protocol: HTTPS
  https:
    port: 443
    protocol: HTTPS
    ssl_certificates:
      - paco.ref netenv.app.applications.app.groups.certs.resources.root
    target_group: api
dns:
  - hosted_zone: paco.ref resource.route53.mynetenv
    domain_name: api.example.com
scheme: internet-facing
security_groups:
  - paco.ref netenv.app.network.vpc.security_groups.app.alb
segment: public
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas LoadBalancer, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
NetworkLoadBalancer¶
The LBNetwork resource type creates a Network Load Balancer. Use load balancers to route traffic from the internet to your web servers. A Network Load Balancer works at layer 4, so its listeners are TCP, TLS or UDP; the HTTP listener and the HTTP-to-HTTPS redirect in the example below are Application Load Balancer features, so check what Paco generates for an LBNetwork before relying on them.
```yaml
type: LBNetwork
enabled: true
enable_access_logs: true
target_groups:
  api:
    health_check_interval: 30
    health_check_timeout: 10
    healthy_threshold: 2
    unhealthy_threshold: 2
    port: 3000
    protocol: HTTP
    health_check_http_code: 200
    health_check_path: /
    connection_drain_timeout: 30
listeners:
  http:
    port: 80
    protocol: HTTP
    redirect:
      port: 443
      protocol: HTTPS
  https:
    port: 443
    protocol: HTTPS
    ssl_certificates:
      - paco.ref netenv.app.applications.app.groups.certs.resources.root
    target_group: api
dns:
  - hosted_zone: paco.ref resource.route53.mynetenv
    domain_name: api.example.com
scheme: internet-facing
segment: public
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas LoadBalancer, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
DNS¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
domain_name | PacoReference or String | Domain name | Paco Reference to Route53HostedZone. String Ok. | |
hosted_zone | PacoReference or String | Hosted Zone Id | Paco Reference to HostedZone. String Ok. | |
ssl_certificate | PacoReference | SSL certificate Reference | Paco Reference to ACM. | |
ttl | Int | TTL | | 300 |
Listener¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
redirect | Object<PortProtocol> | Redirect | ||
rules | Container<ListenerRules_> | Container of listener rules | ||
ssl_certificates | List<PacoReference> | List of SSL certificate References | Paco Reference to ACM. | |
ssl_policy | Choice | SSL Policy | ||
target_group | String | Target group |
Base Schemas PortProtocol
ListenerRule¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
host | String | Host header value | ||
path_pattern | List<String> | List of paths to match | ||
priority | Int | Forward condition priority | | 1 |
redirect_host | String | The host to redirect to | ||
rule_type | String | Type of Rule | ||
target_group | String | Target group name |
Base Schemas Deployable, Named, Title
PortProtocol¶
Port and Protocol
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
port | Int | Port | ||
protocol | Choice | Protocol |
TargetGroup¶
Target Group
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
connection_drain_timeout | Int | Connection drain timeout | ||
health_check_http_code | String | Health check HTTP codes | ||
health_check_interval | Int | Health check interval | ||
health_check_path | String | Health check path | | / |
health_check_protocol | Choice | Protocol | | HTTP |
health_check_timeout | Int | Health check timeout | ||
healthy_threshold | Int | Healthy threshold | ||
target_type | Choice | Target Type | Must be one of ‘instance’, ‘ip’ or ‘lambda’. | instance |
unhealthy_threshold | Int | Unhealthy threshold |
Base Schemas Resource, DNSEnablable, Deployable, Named, PortProtocol, Title, Type
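The Listener, ListenerRule and TargetGroup tables above list fields that the page's own LBApplication example does not exercise: ssl_policy, access_logs_bucket, target_type and listener rules. The following is an added example, not configuration from the Paco project docs, showing them together on one internet-facing ALB that fronts ECS tasks. Bucket, certificate, hosted zone and security group references are placeholders; the rule_type values "forward" and "redirect" and the ssl_policy name are assumptions about what Paco's Choice fields accept.

```yaml
# Added example, not from the Paco docs. Bucket, certificate, hosted zone and
# security group references are placeholders; the rule_type values "forward" and
# "redirect" and the ssl_policy name are assumptions about what Paco accepts.
type: LBApplication
enabled: true
scheme: internet-facing
segment: public
idle_timeout_secs: 60
enable_access_logs: true           # keep request logs for forensics and abuse investigation
access_logs_bucket: paco.ref netenv.mynet.applications.myapp.groups.logs.resources.lb_logs
access_logs_prefix: alb/api
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.myapp.alb
target_groups:
  api:
    target_type: ip                  # awsvpc/Fargate tasks register by IP, not instance ID
    port: 8080
    protocol: HTTP
    health_check_protocol: HTTP
    health_check_path: /healthz
    health_check_http_code: '200'
    health_check_interval: 15
    health_check_timeout: 5
    healthy_threshold: 2
    unhealthy_threshold: 3
    connection_drain_timeout: 30
  admin:
    target_type: ip
    port: 8081
    protocol: HTTP
    health_check_path: /healthz
    health_check_http_code: '200'
    health_check_interval: 15
    health_check_timeout: 5
    healthy_threshold: 2
    unhealthy_threshold: 3
    connection_drain_timeout: 30
listeners:
  http:
    port: 80
    protocol: HTTP
    redirect:                        # plaintext requests are bounced, never served
      port: 443
      protocol: HTTPS
  https:
    port: 443
    protocol: HTTPS
    ssl_policy: ELBSecurityPolicy-TLS-1-2-2017-01   # rejects TLS 1.0 and 1.1
    ssl_certificates:
      - paco.ref netenv.mynet.applications.myapp.groups.certs.resources.api
    target_group: api                # default action when no rule matches
    rules:
      admin_only:
        enabled: true
        rule_type: forward
        priority: 10
        host: admin.example.com      # host header and path must both match
        path_pattern:
          - /admin/*
        target_group: admin
      legacy_host:
        enabled: true
        rule_type: redirect
        priority: 20
        host: old-api.example.com
        redirect_host: api.example.com
dns:
  - hosted_zone: paco.ref resource.route53.example_com
    domain_name: api.example.com
  - hosted_zone: paco.ref resource.route53.example_com
    domain_name: admin.example.com
```

Two things to check when reviewing a listener like this: the listener-level target_group is the default action, so every request that matches no rule lands there, which is why the more sensitive admin target group is only reachable through an explicit host-plus-path rule and is never the default; and an ssl_policy has to be stated to get rid of TLS 1.0 and 1.1, because the page gives the field no default.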
PinpointApplication¶
Amazon Pinpoint is a flexible and scalable outbound and inbound marketing communications service. You can connect with customers over channels like email, SMS, push, or voice.
A Pinpoint Application is a collection of related settings, customer information, segments, campaigns, and other types of Amazon Pinpoint resources.
Currently Paco's PinpointApplication only supports the general configuration needed to send transactional messages.
```yaml
type: PinpointApplication
enabled: true
order: 20
title: "My SaaS Transactional Message Service"
email_channel:
  enable_email: true
  from_address: "bob@example.com"
sms_channel:
  enable_sms: true
  sender_id: MyUniqueName
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
email_channel | Object<PinpointEmailChannel> | Email Channel | ||
sms_channel | Object<PinpointSMSChannel> | SMS Channel |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
PinpointSMSChannel¶
Pinpoint SMS Channel
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
enable_sms | Boolean | Enable SMS | | True |
sender_id | String | The identity that you want to display on recipients’ devices when they receive messages from the SMS channel. | ||
short_code | String | The registered short code that you want to use when you send messages through the SMS channel. |
IoTTopicRule¶
IoTTopicRule allows you to create a list of actions that will be triggered from a MQTT message coming in to IoT Core.
```yaml
type: IoTTopicRule
title: Rule to take action for MQTT messages sent to 'sensor/example'
order: 20
enabled: true
actions:
  - awslambda:
      function: paco.ref netenv.mynet.applications.app.groups.app.resources.iotlambda
  - iotanalytics:
      pipeline: paco.ref netenv.mynet.applications.app.groups.app.resources.analyticspipeline
aws_iot_sql_version: '2016-03-23'
rule_enabled: true
sql: "SELECT * FROM 'sensor/example'"
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
actions | List<IoTTopicRuleAction> | Actions | An IoTTopicRule must define at least one action. | [] |
aws_iot_sql_version | String | AWS IoT SQL Version | | 2016-03-23 |
rule_enabled | Boolean | Rule is Enabled | | True |
sql | String | SQL statement used to query the topic | Must be a valid Sql statement |
Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
IoTTopicRuleAction¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
awslambda | Object<IoTTopicRuleLambdaAction> | Lambda Action | ||
iotanalytics | Object<IoTTopicRuleIoTAnalyticsAction> | IoT Analytics Action |
IoTTopicRuleIoTAnalyticsAction¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
pipeline | PacoReference | IoT Analytics pipeline | Paco Reference to IoTAnalyticsPipeline. |
IoTAnalyticsPipeline¶
An IoTAnalyticsPipeline composes four closely related resources: IoT Analytics Channel, IoT Analytics Pipeline, IoT Analytics Datastore and IoT Analytics Dataset.

An IoT Analytics Pipeline begins with a Channel. A Channel is an S3 Bucket of raw incoming messages. A Channel provides an ARN that an IoTTopicRule can send MQTT messages to. These messages can later be re-processed if the analysis pipeline changes. Use the channel_storage field to configure the Channel storage.

Next the Pipeline applies a series of pipeline_activities to the incoming Channel messages. After any message modifications have been made, they are stored in a Datastore.

A Datastore is S3 Bucket storage of messages that are ready to be analyzed. Use the datastore_storage field to configure the Datastore storage. The datastore_name is an optional field that gives your Datastore a fixed name; this is useful if you use Dataset SQL Query analysis, which needs the Datastore name in its SELECT query. However, a fixed datastore_name does not vary by Environment, so if you set it, it is recommended to use different Regions and Accounts for each IoTAnalytics environment.
Lastly the Datastore can be analyzed and have the resulting output saved as a Dataset. There may be multiple Datasets to create different analysis of the data. Datasets can be analyzed on a managed host running a Docker container or with an SQL Query to create subsets of a Datastore suitable for analysis with tools such as AWS QuickSight.
```yaml
type: IoTAnalyticsPipeline
title: My IoT Analytics Pipeline
order: 100
enabled: true
channel_storage:
  bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
  key_prefix: raw_input/
pipeline_activities:
  adddatetime:
    activity_type: lambda
    function: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotfunc
    batch_size: 10
  filter:
    activity_type: filter
    filter: "temperature > 0"
datastore_name: example
datastore_storage:
  expire_events_after_days: 30
datasets:
  hightemp:
    query_action:
      sql_query: "SELECT * FROM example WHERE temperature > 20"
    content_delivery_rules:
      s3temperature:
        s3_destination:
          bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
          key: "/HighTemp/!{iotanalytics:scheduleTime}/!{iotanalytics:versionId}.csv"
    expire_events_after_days: 3
    version_history: 5
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
channel_storage | Object<IotAnalyticsStorage> | IoT Analytics Channel raw storage | ||
datasets | Container<IoTDatasets> | IoT Analytics Datasets | ||
datastore_name | String | Datastore name | ||
datastore_storage | Object<IotAnalyticsStorage> | IoT Analytics Datastore storage | ||
pipeline_activities | Container<IoTPipelineActivities> | IoT Analytics Pipeline Activities | | |
Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
IoTDataset¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
container_action | Object<DatasetContainerAction> | Dataset Container action | ||
content_delivery_rules | Container<DatasetContentDeliveryRules> | Content Delivery Rules | ||
query_action | Object<DatasetQueryAction> | SQL Query action | ||
triggers | List<DatasetTrigger> | Triggers | | [] |
version_history | Int | How many versions of dataset contents are kept. 0 indicates Unlimited. If not specified or set to null, only the latest version plus the latest succeeded version (if they are different) are kept for the time period specified by expire_events_after_days field. |
Base Schemas StorageRetention, Named, Title
DatasetTrigger¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
schedule_expression | String | Schedule Expression | ||
triggering_dataset | String | Triggering Dataset |
DatasetContentDeliveryRules¶
Container for DatasetContentDeliveryRule objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
DatasetContentDeliveryRule¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
s3_destination | Object<DatasetS3Destination> | S3 Destination |
DatasetS3Destination¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
bucket | PacoReference | S3 Bucket | Paco Reference to S3Bucket. | |
key | String | Key |
DatasetQueryAction¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
filters | List<String> | Filters | [] | |
sql_query | String | Sql Query Dataset Action object |
DatasetContainerAction¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
image_arn | String | Image ARN | ||
resource_compute_type | Choice | Resource Compute Type | Either ACU_1 (vCPU=4, memory=16 GiB) or ACU_2 (vCPU=8, memory=32 GiB) | |
resource_volume_size_gb | Int | Resource Volume Size in GB | ||
variables | Container<DatasetVariables> | Variables |
DatasetVariables¶
Container for DatasetVariables objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
DatasetVariable¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
double_value | Float | Double Value | ||
output_file_uri_value | String | Output file URI value | The URI of the location where dataset contents are stored, usually the URI of a file in an S3 bucket. | |
string_value | String | String Value |
IoTPipelineActivities¶
Container for IoTPipelineActivity objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
IoTPipelineActivity¶
Each activity must have an activity_type and supply the fields specific to that type. There is an implicit Channel activity before all other activities and an implicit Datastore activity after all other activities.
```yaml
activity_type: lambda
batch_size: 1
function: paco.ref netenv.mynet[...]mylambda

activity_type: add_attributes
attributes:
  key1: hello
  key2: world

activity_type: remove_attributes
attribute_list:
  - key1
  - key2

activity_type: select_attributes
attribute_list:
  - key1
  - key2

activity_type: filter
filter: "attribute1 > 40 AND attribute2 < 20"

activity_type: math
attribute: "attribute1"
math: "attribute1 - 10"

activity_type: device_registry_enrich
attribute: "attribute1"
thing_name: "mything"

activity_type: device_shadow_enrich
attribute: "attribute1"
thing_name: "mything"
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
activity_type | String | Activity Type | ||
attribute | String | Attribute | ||
attribute_list | List<String> | Attribute List | ||
attributes | Container<Attributes> | Attributes | ||
batch_size | Int | Batch Size | ||
filter | String | Filter | ||
function | PacoReference | Lambda function | Paco Reference to Lambda. | |
math | String | Math | ||
thing_name | String | Thing Name |
ManagedPolicy¶
IAM Managed Policy
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
path | String | Path | / | |
policy_name | String | Policy Name used in AWS. This will be prefixed with an 8 character hash. | ||
roles | List<String> | List of Role Names | ||
statement | List<Statement> | Statements | ||
users | List<String> | List of IAM Users |
Base Schemas Deployable, Named, Title
RDS¶
Relational Database Service (RDS) allows you to set up, operate, and scale a relational database in AWS.
You can create a single DB Instance or an Aurora DB Cluster.
DB Instance¶
Currently Paco supports RDSMysql and RDSPostgresql for single database instances. Note that the example below stores master_user_password as a literal in the configuration file; the Aurora example further down instead references a Secrets Manager secret through secrets_password, which keeps the credential out of the YAML.
```yaml
type: RDSMysql
order: 1
title: "Joe's MySQL Database server"
enabled: true
engine_version: 5.7.26
db_instance_type: db.t3.micro
port: 3306
storage_type: gp2
storage_size_gb: 20
storage_encrypted: true
multi_az: true
allow_major_version_upgrade: false
auto_minor_version_upgrade: true
publically_accessible: false
master_username: root
master_user_password: "change-me"
backup_preferred_window: 08:00-08:30
backup_retention_period: 7
maintenance_preferred_window: 'sat:10:00-sat:10:30'
license_model: "general-public-license"
cloudwatch_logs_exports:
  - error
  - slowquery
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.mynet.network.vpc.segments.private
primary_domain_name: database.example.internal
primary_hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance
```
Aurora DB Cluster¶
Amazon Aurora is a relational database built for the cloud. Aurora features a distributed, fault-tolerant, self-healing storage system and can easily scale from a single database instance to a cluster of multiple database instances.
When creating an Aurora RDS resource, you must specify your db_instances. If you specify more than one database instance, then Aurora will automatically designate one instance as a Writer and all other instances will be Readers.
Each db_instance can specify its own complete set of configuration, or you can use the default_instance field to share default configuration between instances. If a db_instance doesn't specify a value that is specified by default_instance, it falls back to the default_instance value.
A simple Aurora with only a single database instance could be:
```yaml
type: RDSMysqlAurora
default_instance:
  db_instance_type: db.t3.medium
db_instances:
  single:
```
A more complex Aurora with a cluster of three database instances could be:
```yaml
type: RDSMysqlAurora
default_instance:
  db_instance_type: db.t3.medium
  enhanced_monitoring_interval_in_seconds: 30
db_instances:
  first:
    availability_zone: 1
    db_instance_type: db.t3.large
    enhanced_monitoring_interval_in_seconds: 5
  second:
    availability_zone: 2
  third:
    availability_zone: 3
```
A complete RDSPostgresqlAurora resource with cluster-level settings, a default_instance and per-instance overrides:
```yaml
type: RDSPostgresqlAurora
order: 10
enabled: true
availability_zones: all
engine_version: '11.7'
port: 5432
master_username: master
secrets_password: paco.ref netenv.anet.secrets_manager.anet.app.database
backup_preferred_window: 04:00-05:00
backup_retention_period: 7
maintenance_preferred_window: 'Sat:07:00-Sat:08:00'
cluster_parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.clusterparams
cloudwatch_logs_exports:
  - error
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.anet.network.vpc.segments.private
dns:
  - domain_name: database.test.internal
    hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
enable_kms_encryption: true
cluster_event_notifications:
  groups:
    - wb_low
  event_categories:
    - failover
    - failure
    - notification
default_instance:
  parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance
  enable_performance_insights: true
  publicly_accessible: false
  db_instance_type: db.t3.medium
  allow_major_version_upgrade: true
  auto_minor_version_upgrade: true
  event_notifications:
    groups:
      - admin
    event_categories:
      - availability
      - configuration change
      - deletion
      - failover
      - failure
      - maintenance
      - notification
      - recovery
  monitoring:
    enabled: true
    alarm_sets:
      basic_dbinstance:
db_instances:
  first:
    db_instance_type: db.t3.medium
    enhanced_monitoring_interval_in_seconds: 30
    availability_zone: 1
    monitoring:
      enabled: true
      alarm_sets:
        complex_dbinstance:
  second:
    enable_performance_insights: false
    event_notifications:
      groups:
        - admin
      event_categories:
        - maintenance
```
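The following is an added example, not Paco's own code: a pre-deploy lint that works on an RDS resource after it has been loaded from YAML into a plain dict (what yaml.safe_load returns). It implements the default_instance fallback described above for Aurora clusters, then checks both single-instance and Aurora resources for the settings a reviewer looks at first: a literal master_user_password instead of a secrets_password reference, backup retention of 0, storage or KMS encryption left off, a public instance, and a single-AZ instance. The field names and defaults are those of the schema tables on this page; the finding texts, the hypothetical function names and the sample resources are this example's own, constructed to mirror the RDSMysql and three-instance RDSMysqlAurora examples above.

```python
"""Pre-deploy lint for Paco RDS resources (added example, not Paco's own code).
Runs on the resource as a dict, i.e. yaml.safe_load() of the YAML on this page."""


def resolve_cluster_instances(cluster: dict) -> dict:
    """Apply the documented default_instance fallback: a db_instance inherits
    every default_instance key it does not set itself. An instance declared
    with no body at all ('single:') loads from YAML as None, hence 'or {}'."""
    defaults = cluster.get("default_instance") or {}
    return {name: {**defaults, **(inst or {})}
            for name, inst in (cluster.get("db_instances") or {}).items()}


def lint_rds(resource: dict) -> list:
    """Return findings for one RDSMysql / RDSPostgresql / RDS*Aurora resource."""
    findings = []
    if resource.get("master_user_password") is not None:
        findings.append("master_user_password is a literal in the config; "
                        "reference a Secrets Manager secret with secrets_password instead")
    retention = resource.get("backup_retention_period")
    if retention is not None and retention < 1:
        findings.append("backup_retention_period of 0 disables automated backups")
    if resource.get("type", "").endswith("Aurora"):
        if not resource.get("enable_kms_encryption", False):
            findings.append("enable_kms_encryption is not set: cluster storage is not KMS encrypted")
        # check each instance after the default_instance merge, so a public
        # default is caught even when no instance mentions the field itself
        for name, inst in resolve_cluster_instances(resource).items():
            if inst.get("publicly_accessible", False):
                findings.append(f"db_instances.{name}: publicly_accessible is true")
    else:
        if not resource.get("storage_encrypted", False):
            findings.append("storage_encrypted is not set: storage encryption is not enabled")
        if resource.get("publically_accessible", False):  # Paco's spelling of the field
            findings.append("publically_accessible is true: the instance gets a public IP")
        if not resource.get("multi_az", False):  # defaults to False per the RDSMultiAZ table
            findings.append("multi_az is false (the default): no synchronous standby")
    return findings


# Constructed inputs mirroring the RDSMysql example and the three-instance
# RDSMysqlAurora example above, plus a deliberately weak cluster.
MYSQL_EXAMPLE = {
    "type": "RDSMysql", "db_instance_type": "db.t3.micro", "storage_encrypted": True,
    "multi_az": True, "publically_accessible": False, "master_username": "root",
    "master_user_password": "change-me", "backup_retention_period": 7,
}
AURORA_EXAMPLE = {
    "type": "RDSMysqlAurora", "enable_kms_encryption": True, "backup_retention_period": 7,
    "secrets_password": "paco.ref netenv.anet.secrets_manager.anet.app.database",
    "default_instance": {"db_instance_type": "db.t3.medium",
                         "enhanced_monitoring_interval_in_seconds": 30},
    "db_instances": {
        "first": {"availability_zone": 1, "db_instance_type": "db.t3.large",
                  "enhanced_monitoring_interval_in_seconds": 5},
        "second": {"availability_zone": 2},
        "third": {"availability_zone": 3},
    },
}
WEAK_CLUSTER = {
    "type": "RDSPostgresqlAurora", "backup_retention_period": 0,
    "default_instance": {"publicly_accessible": True},
    "db_instances": {"a": None, "b": {"publicly_accessible": False}},
}

if __name__ == "__main__":
    for res in (MYSQL_EXAMPLE, AURORA_EXAMPLE, WEAK_CLUSTER):
        print(res["type"], lint_rds(res) or ["ok"])
```

Run it over the dict for each RDS resource in a netenv before `paco provision`; the merge step matters because a `publicly_accessible: true` placed in default_instance silently applies to every instance that does not override it.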
RDSMysql¶
RDS for MySQL
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type
RDSPostgresql¶
RDS for Postgresql
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type
RDSPostgresqlAurora¶
RDS PostgreSQL Aurora Cluster
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
database_name | String | Database Name to create in the cluster | Must be a valid database name for the DB Engine. Must contain 1 to 63 letters, numbers or underscores. Must begin with a letter or an underscore. Can’t be PostgreSQL reserved word. |
Base Schemas RDSAurora, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
RDSMysqlAurora¶
RDS MySQL Aurora Cluster
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
database_name | String | Database Name to create in the cluster | Must be a valid database name for the DB Engine. Must contain 1 to 64 letters or numbers. Can’t be MySQL reserved word. |
Base Schemas RDSAurora, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
RDSOptionConfiguration¶
Option groups enable and configure features that are specific to a particular DB engine.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
option_name | String | Option Name | ||
option_settings | List<NameValuePair> | List of option name value pairs. | ||
option_version | String | Option Version | ||
port | String | Port |
NameValuePair¶
A Name/Value pair to use for RDS Option Group configuration
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
name | String | Name | ||
value | PacoReference|String | Value | Paco Reference to Interface. String Ok. |
RDSMultiAZ¶
RDS with MultiAZ capabilities. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
multi_az | Boolean | Multiple Availability Zone deployment | False |
Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
RDSInstance¶
RDS DB Instance
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
allow_major_version_upgrade | Boolean | Allow major version upgrades | ||
auto_minor_version_upgrade | Boolean | Automatic minor version upgrades | ||
db_instance_type | String | RDS Instance Type | ||
license_model | String | License Model | ||
option_configurations | List<RDSOptionConfiguration> | Option Configurations | ||
parameter_group | PacoReference | RDS Parameter Group | Paco Reference to DBParameterGroup. | |
publically_accessible | Boolean | Assign a Public IP address | ||
storage_encrypted | Boolean | Enable Storage Encryption | ||
storage_size_gb | Int | DB Storage Size in Gigabytes | ||
storage_type | String | DB Storage Type |
Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
RDSAurora¶
RDS Aurora DB Cluster
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
availability_zones | String | Availability Zones to launch instances in. | Must be one of all, 1, 2, 3 … | all |
backtrack_window_in_seconds | Int | Backtrack Window in seconds. Disabled when set to 0. | Maximum is 72 hours (259,200 seconds). | 0 |
cluster_event_notifications | Object<RDSDBClusterEventNotifications> | Cluster Event Notifications | ||
cluster_parameter_group | PacoReference | DB Cluster Parameter Group | Paco Reference to DBClusterParameterGroup. | |
db_instances | Container<RDSClusterInstances> | DB Instances | ||
default_instance | Object<RDSClusterDefaultInstance> | Default DB Instance configuration | ||
enable_http_endpoint | Boolean | Enable an HTTP endpoint to provide a connectionless web service API for running SQL queries | False | |
enable_kms_encryption | Boolean | Enable KMS Key encryption. Will create one KMS-CMK key dedicated to each DBCluster. | False | |
engine_mode | Choice | Engine Mode | Must be one of provisioned, serverless, parallelquery, global, or multimaster. | |
read_dns | List<DNS> | DNS domains to create to resolve to the connection Read Endpoint | ||
restore_type | Choice | Restore Type | Must be one of full-copy or copy-on-write | full-copy |
use_latest_restorable_time | Boolean | Restore the DB cluster to the latest restorable backup time | False |
Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type
RDSDBInstanceEventNotifications¶
DB Instance Event Notifications
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
event_categories | Choice | Event Categories | ||
groups | List<String> | Groups |
RDSClusterDefaultInstance¶
Default configuration for a DB Instance that belongs to a DB Cluster.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
allow_major_version_upgrade | Boolean | Allow major version upgrades | ||
auto_minor_version_upgrade | Boolean | Automatic minor version upgrades | ||
availability_zone | Int | Availability Zone where the instance will be provisioned. | Must be one of 1, 2, 3 … | |
db_instance_type | String | DB Instance Type | ||
enable_performance_insights | Boolean | Enable Performance Insights | False | |
enhanced_monitoring_interval_in_seconds | Int | Enhanced Monitoring interval in seconds. This will enable enhanced monitoring unless set to 0. | Must be one of 0, 1, 5, 10, 15, 30, 60. | 0 |
event_notifications | Object<RDSDBInstanceEventNotifications> | DB Instance Event Notifications | ||
parameter_group | PacoReference | DB Parameter Group | Paco Reference to DBParameterGroup. | |
publicly_accessible | Boolean | Assign a Public IP address | False |
Base Schemas Monitorable, Named, Title
RDSClusterInstance¶
DB Instance that belongs to a DB Cluster.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
allow_major_version_upgrade | Boolean | Allow major version upgrades | ||
auto_minor_version_upgrade | Boolean | Automatic minor version upgrades | ||
availability_zone | Int | Availability Zone where the instance will be provisioned. | Must be one of 1, 2, 3 … | |
db_instance_type | String | DB Instance Type | ||
enable_performance_insights | Boolean | Enable Performance Insights | ||
enhanced_monitoring_interval_in_seconds | Int | Enhanced Monitoring interval in seconds. This will enable enhanced monitoring unless set to 0. | Must be one of 0, 1, 5, 10, 15, 30, 60. | |
event_notifications | Object<RDSDBInstanceEventNotifications> | DB Instance Event Notifications | ||
parameter_group | PacoReference | DB Parameter Group | Paco Reference to DBParameterGroup. | |
publicly_accessible | Boolean | Assign a Public IP address |
Base Schemas Monitorable, Named, Title
RDSClusterInstances¶
Container for RDSClusterInstance objects.
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
RDSDBClusterEventNotifications¶
Event Notifications for a DB Cluster
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
event_categories | Choice | Event Categories | ||
groups | List<String> | Groups |
DBParameters¶
If you want to use DB Parameter Groups with your RDS, use the parameter_group field to reference a DBParameterGroup resource. Keeping DB Parameter Groups as separate resources allows having multiple Parameter Groups provisioned at the same time. For example, you might have resources for both dbparams_performance and dbparams_debug, allowing you to use the AWS Console to switch between performance and debug configuration quickly in an emergency.
DBParameterGroup¶
DBParameterGroup
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
description | String | Description | ||
family | String | Database Family | ||
parameters | Container<DBParameters> | Database Parameter set |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
DBClusterParameterGroup¶
DBCluster Parameter Group
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
Base Schemas Resource, DBParameterGroup, DNSEnablable, Deployable, Named, Title, Type
Route53HealthCheck¶
Route53 Health Check
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
domain_name | String | Fully Qualified Domain Name | Either this or the load_balancer field can be set but not both. | |
enable_sni | Boolean | Enable SNI | False | |
failure_threshold | Int | Number of consecutive health checks that an endpoint must pass or fail for Amazon Route 53 to change the current status of the endpoint from unhealthy to healthy or vice versa. | 3 | |
health_check_type | String | Health Check Type | Must be one of HTTP, HTTPS or TCP | |
health_checker_regions | List<String> | Health checker regions | List of AWS Region names (e.g. us-west-2) from which to make health checks. | |
ip_address | PacoReference|String | IP Address | Paco Reference to EIP. String Ok. | |
latency_graphs | Boolean | Measure latency and display CloudWatch graph in the AWS Console | False | |
load_balancer | PacoReference|String | Load Balancer Endpoint | Paco Reference to LoadBalancer. String Ok. | |
match_string | String | String to match in the first 5120 bytes of the response | ||
port | Int | Port | 80 | |
request_interval_fast | Boolean | Fast request interval will only wait 10 seconds between each health check response instead of the standard 30 | False | |
resource_path | String | Resource Path | String such as ‘/health.html’. Path should return a 2xx or 3xx. Query string parameters are allowed: ‘/search?query=health’ | / |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
S3Bucket¶
S3Bucket is an object storage resource in the Amazon S3 service.
S3Buckets may be declared either in the global resource/s3.yaml file or in a network environment as an application resource.
S3Buckets in an application context will use the same account and region as the application, although it is still possible to override this to use other accounts and regions if desired.
```yaml
type: S3Bucket
title: My S3 Bucket
enabled: true
order: 10
account: paco.ref accounts.data
region: us-west-2
deletion_policy: "delete"
notifications:
  lambdas:
    - paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
cloudfront_origin: false
external_resource: false
versioning: false
add_paco_suffix: true
policy:
  - principal:
      Service: iotanalytics.amazonaws.com
    effect: 'Allow'
    action:
      - s3:Get*
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:ListMultipartUploadParts
    resource_suffix:
      - '/*'
      - ''
    condition:
      StringEquals:
        s3:x-amz-acl: "public-read"
      IpAddress:
        "aws:SourceIp": "192.0.2.0/24"
      NotIpAddress:
        "aws:SourceIp": "192.0.2.188/32"
  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.app.groups.site.resources.demo.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
account | PacoReference | Account that S3 Bucket belongs to. | Paco Reference to Account. | |
add_paco_suffix | Boolean | Add the Paco s3bucket_hash suffix to the bucket name | False | |
bucket_name | String | Bucket Name | A short unique name to assign the bucket. | bucket |
cloudfront_origin | Boolean | Creates and listens for a CloudFront Access Origin Identity | False | |
deletion_policy | String | Bucket Deletion Policy | delete | |
external_resource | Boolean | Boolean indicating whether the S3 Bucket already exists or not | False | |
notifications | Object<S3NotificationConfiguration> | Notification configuration | ||
policy | List<S3BucketPolicy> | List of S3 Bucket Policies | ||
region | String | Bucket region | ||
static_website_hosting | Object<S3StaticWebsiteHosting> | Static website hosting configuration. | ||
versioning | Boolean | Enable Versioning on the bucket. | False |
Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type
S3BucketPolicy¶
S3 Bucket Policy
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
action | List<String> | List of Actions | ||
aws | List<String> | List of AWS Principals. | Either this field or the principal field must be set. | |
condition | Dict | Condition | Each Key is the Condition name and the Value must be a dictionary of request filters. e.g. { “StringEquals” : { “aws:username” : “johndoe” }} | {} |
effect | Choice | Effect | Must be one of ‘Allow’ or ‘Deny’ | |
principal | Dict | Principals | Either this field or the aws field must be set. Key should be one of: AWS, Federated, Service or CanonicalUser. Value can be either a String or a List. | {} |
resource_suffix | List<String> | List of AWS Resources Suffixes | ||
sid | String | Statement Id |
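As an added example (not Paco's own code) of what the S3BucketPolicy fields turn into, the block below renders a Paco `policy` list into an S3 bucket policy document and then flags any Allow statement whose principal is the wildcard `*` and which carries no Condition, the shape that makes a bucket world-readable. It assumes that each resource_suffix is appended to `arn:aws:s3:::<bucket_name>` (so `''` is the bucket ARN, needed by s3:ListBucket, and `/*` is every object in it), that paco.ref and paco.sub strings pass through unresolved, and that the policy uses Version 2012-10-17. The two input statements are the page's own; the third is constructed to be public so the check has something to catch. Function names are hypothetical.

```python
"""Render Paco S3BucketPolicy entries into a bucket policy and flag public
statements (added example, not Paco's own code)."""
import json
from typing import Any


def render_bucket_policy(bucket_name: str, policies: list) -> dict:
    """Translate the Paco 'policy' list into an S3 bucket policy document."""
    statements = []
    for i, p in enumerate(policies):
        has_principal, has_aws = bool(p.get("principal")), bool(p.get("aws"))
        if has_principal == has_aws:  # the schema requires exactly one of the two
            raise ValueError(f"policy[{i}]: set either 'principal' or 'aws', not both or neither")
        stmt: dict = {"Effect": p["effect"]}
        if p.get("sid"):
            stmt["Sid"] = p["sid"]
        stmt["Principal"] = p["principal"] if has_principal else {"AWS": list(p["aws"])}
        stmt["Action"] = list(p["action"])
        # assumption: '' -> the bucket ARN, '/*' -> every object in the bucket
        stmt["Resource"] = [f"arn:aws:s3:::{bucket_name}{suffix}"
                            for suffix in (p.get("resource_suffix") or [""])]
        if p.get("condition"):
            stmt["Condition"] = p["condition"]
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def _principal_values(principal: Any) -> list:
    """Flatten '*', {'AWS': '*'} or {'AWS': [...]} into its string values."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def find_public_statements(doc: dict) -> list:
    """Indices of Allow statements with a wildcard principal and no Condition:
    these grant the listed actions to anonymous callers."""
    public = []
    for i, stmt in enumerate(doc["Statement"]):
        if stmt["Effect"] != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principal_values(stmt["Principal"]):
            public.append(i)
    return public


# Constructed input: the two statements from the S3Bucket example above plus a
# third, deliberately public, statement for the check to catch.
EXAMPLE_POLICIES = [
    {"principal": {"Service": "iotanalytics.amazonaws.com"}, "effect": "Allow",
     "action": ["s3:Get*", "s3:ListBucket", "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts"],
     "resource_suffix": ["/*", ""],
     "condition": {"StringEquals": {"s3:x-amz-acl": "public-read"},
                   "IpAddress": {"aws:SourceIp": "192.0.2.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "192.0.2.188/32"}}},
    {"aws": ["paco.sub '${paco.ref netenv.mynet.applications.app.groups.site.resources.demo.instance_iam_role.arn}'"],
     "effect": "Allow", "action": ["s3:Get*", "s3:List*"], "resource_suffix": ["/*", ""]},
    {"principal": {"AWS": "*"}, "effect": "Allow", "action": ["s3:GetObject"],
     "resource_suffix": ["/*"]},
]

if __name__ == "__main__":
    doc = render_bucket_policy("my-bucket", EXAMPLE_POLICIES)
    print(json.dumps(doc, indent=2))
    print("public statements:", find_public_statements(doc))  # [2]
```

A statement that lists only `/*` in resource_suffix grants object access but not s3:ListBucket on the bucket itself; the page's examples include both `'/*'` and `''` for that reason.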
S3LambdaConfiguration¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
event | String | S3 bucket event for which to invoke the AWS Lambda function | Must be a supported event type: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html | |
function | PacoReference | Lambda function to notify | Paco Reference to Lambda. |
S3NotificationConfiguration¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
lambdas | List<S3LambdaConfiguration> | Lambda configurations |
S3StaticWebsiteHosting¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
redirect_requests | Object<S3StaticWebsiteHostingRedirectRequests> | Redirect requests configuration. |
Base Schemas Deployable
SNSTopic¶
Simple Notification Service (SNS) Topic resource.
```yaml
type: SNSTopic
order: 1
enabled: true
display_name: "Waterbear Cloud AWS"
cross_account_access: true
subscriptions:
  - endpoint: http://example.com/yes
    protocol: http
  - endpoint: https://example.com/orno
    protocol: https
  - endpoint: bob@example.com
    protocol: email
  - endpoint: bob@example.com
    protocol: email-json
    filter_policy: '{"State": [ { "anything-but": "COMPLETED" } ] }'
  - endpoint: '555-555-5555'
    protocol: sms
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: sqs
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: application
  - endpoint: arn:aws:lambda:us-east-1:123456789012:function:my-function
    protocol: lambda
```
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
cross_account_access | Boolean | Cross-account access from all other accounts in this project. | False | |
display_name | String | Display name for SMS Messages | ||
locations | List<AccountRegions> | Locations | Only applies to a global SNS Topic | [] |
subscriptions | List<SNSTopicSubscription> | List of SNS Topic Subscriptions |
Base Schemas Resource, DNSEnablable, Enablable, Named, Title, Type
SNSTopicSubscription¶
Field name | Type | Purpose | Constraints | Default |
---|---|---|---|---|
endpoint | PacoReference|String | SNS Topic ARN or Paco Reference | Paco Reference to SNSTopic. String Ok. | |
filter_policy | String | Filter Policy | Must be valid JSON | |
protocol | String | Notification protocol | Must be a valid SNS Topic subscription protocol: ‘http’, ‘https’, ‘email’, ‘email-json’, ‘sms’, ‘sqs’, ‘application’, ‘lambda’. |
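The filter_policy string above has to be valid JSON, and mistakes in it only show up once messages start being dropped. The following added example (not Paco's or AWS's code) checks a subscription entry against the constraints in the SNSTopicSubscription table and evaluates a filter policy against a message's attributes so the page's `anything-but` filter can be tested before it is deployed. It implements a subset of the SNS filter policy grammar: exact string or number match, `prefix`, `anything-but` (single value or list) and `numeric` comparisons; a policy key that is absent from the message attributes fails the match, as it does in SNS. Function names and the sample messages are this example's own.

```python
"""Validate Paco SNSTopicSubscription entries and evaluate an SNS filter
policy against message attributes (added example, subset of the grammar)."""
import json
from typing import Any

# protocols listed in the SNSTopicSubscription table above
PROTOCOLS = {"http", "https", "email", "email-json", "sms", "sqs", "application", "lambda"}

# the subscription filter from the SNSTopic example above
PAGE_FILTER_POLICY = '{"State": [ { "anything-but": "COMPLETED" } ] }'


def validate_subscription(sub: dict) -> list:
    """Schema-level checks: endpoint present, known protocol, filter_policy is a JSON object."""
    errors = []
    if not sub.get("endpoint"):
        errors.append("endpoint is required")
    if sub.get("protocol") not in PROTOCOLS:
        errors.append(f"unsupported protocol {sub.get('protocol')!r}")
    policy = sub.get("filter_policy")
    if policy is not None:
        try:
            if not isinstance(json.loads(policy), dict):
                errors.append("filter_policy must be a JSON object")
        except json.JSONDecodeError as exc:
            errors.append(f"filter_policy is not valid JSON: {exc.msg}")
    return errors


_NUMERIC_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
                "=": lambda a, b: a == b}


def _rule_matches(rule: Any, value: Any) -> bool:
    """One alternative from a policy key's list against one attribute value."""
    if isinstance(rule, (str, int, float)):            # exact match
        return value == rule
    if isinstance(rule, dict) and "anything-but" in rule:
        excluded = rule["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    if isinstance(rule, dict) and "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    if isinstance(rule, dict) and "numeric" in rule:     # e.g. [">", 0, "<=", 100]
        ops = rule["numeric"]
        try:
            number = float(value)                        # SNS carries numbers as strings
        except (TypeError, ValueError):
            return False
        return all(_NUMERIC_OPS[op](number, float(bound))
                   for op, bound in zip(ops[::2], ops[1::2]))
    raise ValueError(f"unsupported filter rule: {rule!r}")


def matches(filter_policy: str, attributes: dict) -> bool:
    """True when every key in the policy is present in the message attributes
    and at least one of its alternatives matches; a missing attribute fails."""
    for key, alternatives in json.loads(filter_policy).items():
        if key not in attributes:
            return False
        if not any(_rule_matches(rule, attributes[key]) for rule in alternatives):
            return False
    return True


if __name__ == "__main__":
    # constructed message attributes
    for attrs in ({"State": "RUNNING"}, {"State": "COMPLETED"}, {}):
        print(attrs, "->", matches(PAGE_FILTER_POLICY, attrs))
```

The last case is the one that surprises people: a message without a State attribute at all is dropped by this subscription, so a producer that omits the attribute silences the notification rather than passing it through.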