Application Resources

An Application is a collection of Resources. These are the Resources which can exist as part of an Application.

ApiGatewayRestApi

An ApiGateway Rest API resource.

API Gateway REST API example

type: ApiGatewayRestApi
order: 10
enabled: true
fail_on_warnings: true
description: "My REST API"
endpoint_configuration:
  - 'REGIONAL'
models:
  emptyjson:
    content_type: 'application/json'
cognito_authorizers:
  cognito:
    identity_source: 'Authorization'
    user_pools:
      - paco.ref netenv.mynet.applications.app.groups.cognito.resources.userpool
dns:
  - domain_name: api.example.com
    hosted_zone: paco.ref resource.route53.example_com
    ssl_certificate:  arn:aws:acm:us-east-1:*******:certificate/********
    base_path_mappings:
        - base_path: ''
          stage: 'prod'
methods:
  get:
    http_method: GET
    authorizer: cognito_authorizers.cognito
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
      request_parameters:
        "integration.request.querystring.my_id": "method.request.querystring.my_id"
    authorization_type: NONE
    request_parameters:
      "method.request.querystring.my_id": false
      "method.request.querystring.token": false
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
  post:
    http_method: POST
    integration:
      integration_type: AWS
      integration_lambda: paco.ref netenv.mynet.applications.app.groups.restapi.resources.mylambda
      integration_responses:
        - status_code: '200'
          response_templates:
            'application/json': ''
    authorization_type: NONE
    method_responses:
      - status_code: '200'
        response_models:
          - content_type: 'application/json'
            model_name: 'emptyjson'
stages:
  prod:
    deployment_id: 'prod'
    description: 'Prod Stage'
    stage_name: 'prod'

ApiGatewayRestApi

Field name	Type	Purpose	Constraints	Default
api_key_source_type	String	API Key Source Type	Must be one of ‘HEADER’ to read the API key from the X-API-Key header of a request or ‘AUTHORIZER’ to read the API key from the UsageIdentifierKey from a Lambda authorizer.
binary_media_types	List<String>	Binary Media Types. The list of binary media types that are supported by the RestApi resource, such as image/png or application/octet-stream. By default, RestApi supports only UTF-8-encoded text payloads.	Duplicates are not allowed. Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list.
body	String	Body. An OpenAPI specification that defines a set of RESTful APIs in JSON or YAML format. For YAML templates, you can also provide the specification in YAML format.	Must be valid JSON.
body_file_location	StringFileReference	Path to a file containing the Body.	Must be valid path to a valid JSON document.
body_s3_location	String	The Amazon Simple Storage Service (Amazon S3) location that points to an OpenAPI file, which defines a set of RESTful APIs in JSON or YAML format.	Valid S3Location string to a valid JSON or YAML document.
clone_from	String	CloneFrom. The ID of the RestApi resource that you want to clone.
cognito_authorizers	Container<ApiGatewayCognitoAuthorizers>	Authorizors
description	String	Description of the RestApi resource.
dns	List<ApiGatewayDNS>	DNS domains to create to resolve to the ApiGateway Endpoint
endpoint_configuration	List<String>	Endpoint configuration. A list of the endpoint types of the API. Use this field when creating an API. When importing an existing API, specify the endpoint configuration types using the parameters field.	List of strings, each must be one of ‘EDGE’, ‘REGIONAL’, ‘PRIVATE’
fail_on_warnings	Boolean	Indicates whether to roll back the resource if a warning occurs while API Gateway is creating the RestApi resource.		False
methods	Container<ApiGatewayMethods>
minimum_compression_size	Int	An integer that is used to enable compression on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value. Setting it to zero allows compression for any payload size.	A non-negative integer between 0 and 10485760 (10M) bytes, inclusive.
models	Container<ApiGatewayModels>
parameters	Dict	Parameters. Custom header parameters for the request.	Dictionary of key/value pairs that are strings.	{}
policy	String	A policy document that contains the permissions for the RestApi resource, in JSON format. To set the ARN for the policy, use the !Join intrinsic function with “” as delimiter and values of “execute-api:/” and “*”.	Valid JSON document
resources	Container<ApiGatewayResources>
stages	Container<ApiGatewayStages>

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayMethods

Container for ApiGatewayMethod objects.

ApiGatewayMethods Container<ApiGatewayMethod>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ApiGatewayMethod

API Gateway Method

ApiGatewayMethod

Field name	Type	Purpose	Constraints	Default
authorization_type	String	Authorization Type	Must be one of NONE, AWS_IAM, CUSTOM or COGNITO_USER_POOLS	NONE
authorizer	String	Authorizer	Must be tan authorizer type and authorizer name in this API Gateway, seperated by a . char. For example, ‘cognito_authorizers.cognito’.
http_method	String	HTTP Method	Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT.
integration	Object<ApiGatewayMethodIntegration>	Integration
method_responses	List<ApiGatewayMethodMethodResponse>	Method Responses	List of ApiGatewayMethod MethodResponses
request_parameters	Dict	Request Parameters	Specify request parameters as key-value pairs (string-to-Boolean mapping), with a source as the key and a Boolean as the value. The Boolean specifies whether a parameter is required. A source must match the format method.request.location.name, where the location is query string, path, or header, and name is a valid, unique parameter name.	{}
resource_name	String	Resource Name

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayModels

Container for ApiGatewayModel objects.

ApiGatewayModels Container<ApiGatewayModel>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ApiGatewayModel

ApiGatewayModel

Field name	Type	Purpose	Constraints	Default
content_type	String	Content Type
description	String	Description
schema	Dict	Schema	JSON format. Will use null({}) if left empty.	{}

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayResources

Container for ApiGatewayResource objects.

ApiGatewayResources Container<ApiGatewayResource>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ApiGatewayResource

ApiGatewayResource Container<`unknown`_>

Field name	Type	Purpose	Constraints	Default
child_resources	Container<ApiGatewayResources>	Child Api Gateway Resources
enable_cors	Boolean	Enable CORS		False
path_part	String	Path Part

Base Schemas Named, Title

ApiGatewayStages

Container for ApiGatewayStage objects

ApiGatewayStages Container<ApiGatewayStages>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ApiGatewayStage

API Gateway Stage

ApiGatewayStage

Field name	Type	Purpose	Constraints	Default
deployment_id	String	Deployment ID
description	String	Description
stage_name	String	Stage name

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ApiGatewayMethodIntegration

ApiGatewayMethodIntegration

Field name	Type	Purpose	Constraints	Default
integration_http_method	String	Integration HTTP Method	Must be one of ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST or PUT.	POST
integration_lambda	PacoReference	Integration Lambda	Paco Reference to Lambda.
integration_responses	List<ApiGatewayMethodIntegrationResponse>	Integration Responses
integration_type	String	Integration Type	Must be one of AWS, AWS_PROXY, HTTP, HTTP_PROXY or MOCK.	AWS
pass_through_behavior	Choice	Pass Through Behaviour
request_parameters	Dict	The request parameters that API Gateway sends with the backend request.	Specify request parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source as the value. Specify the destination by using the following pattern integration.request.location.name, where location is query string, path, or header, and name is a valid, unique parameter name. The source must be an existing method request parameter or a static value. You must enclose static values in single quotation marks and pre-encode these values based on their destination in the request.	{}
request_templates	Dict	Request Templates		{}
uri	String	Integration URI

ApiGatewayMethodIntegrationResponse

ApiGatewayMethodIntegrationResponse

Field name	Type	Purpose	Constraints	Default
content_handling	String	Specifies how to handle request payload content type conversions.	Valid values are: CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob. CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string. If this property isn’t defined, the request payload is passed through from the method request to the integration request without modification.
response_parameters	Dict	Response Parameters		{}
response_templates	Dict	Response Templates		{}
selection_pattern	String	A regular expression that specifies which error strings or status codes from the backend map to the integration response.
status_code	String	The status code that API Gateway uses to map the integration response to a MethodResponse status code.	Must match a status code in the method_respones for this API Gateway REST API.

ApiGatewayMethodMethodResponse

ApiGatewayMethodMethodResponse

Field name	Type	Purpose	Constraints	Default
response_models	List<ApiGatewayMethodMethodResponseModel>	The resources used for the response’s content type.	Specify response models as key-value pairs (string-to-string maps), with a content type as the key and a Model Paco name as the value.
response_parameters	Dict	Response Parameters		{}
status_code	String	HTTP Status code

ApiGatewayMethodMethodResponseModel

ApiGatewayMethodMethodResponseModel

Field name	Type	Purpose	Constraints	Default
content_type	String	Content Type
model_name	String	Model name

ApiGatewayCognitoAuthorizers

Container for `ApiGatewayAuthorizer`_ objects.

ApiGatewayCognitoAuthorizers Container<`ApiGatewayCognitoAuthorizer`_>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ApiGatewayDNS

ApiGatewayDNS

Field name	Type	Purpose	Constraints	Default
base_path_mappings	List<String>	Base Path Mappings		[]
ssl_certificate	PacoReference|String	SSL certificate Reference	Paco Reference to ACM. String Ok.

Base Schemas DNS

ASG

An AutoScalingGroup (ASG) contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management.

The Paco ASG resource provisions an AutoScalingGroup as well as LaunchConfiguration and TargetGroups for that ASG.

Prescribed Automation

ASGs use Paco’s LaunchBundles. A LaunchBundle is a zip file of code and configuration files that is automatically created and stored in an S3 Bucket that the ASG has read permissions to. Paco adds BASH code to the UserData script for the ASG’s LaunchConfiguration that will iterate through all of the LaunchBundles and download and run them. For example, if you specify in-host metrics for an ASG, it will have a LaunchBundle created with the necessary CloudWatch agent configuration and a BASH script to install and configure the agent.

launch_options: Options to add actions to newly launched instances: ssm_agent, update_packages and cfn_init_config_sets. The ssm_agent field will install the SSM Agent and is true by default. Paco’s LaunchBundles feature requires the SSM Agent installed and running. The update_packages field will perform a operating system package update (yum update or apt-get update). This happens immediately after the user_data_pre_script commands, but before the LaunchBundle commands and user_data_script commands. The cfn_init_config_sets field is a list of CfnInitConfigurationSets that will be run at launch.

cfn_init: Contains CloudFormationInit (cfn-init) configuration. Paco allows reading cfn-init files from the filesystem, and also does additional validation checks on the configuration to ensure it is correct. The launch_options has a cfn_init_config_sets field to specify which CfnInitConfigurationSets you want to automatically call during instance launch with a LaunchBundle.

ebs_volume_mounts: Adds an EBS LaunchBundle that mounts all EBS Volumes to the EC2 instance launched by the ASG. If the EBS Volume is unformatted, it will be formatted to the specified filesystem. This feature only works with “self-healing” ASGs. A “self-healing” ASG is an ASG with max_instances set to 1. Trying to launch a second instance in the ASG will fail to mount the EBS Volume as it can only be mounted to one instance at a time.

eip: Adds an EIP LaunchBundle which will attach an Elastic IP to a launched instance. This feature only works with “self-healing” ASGs. A “self-healing” ASG is an ASG with max_instances set to 1. Trying to launch a second instance in the ASG will fail to attach the EIP as it can only be mounted to one instance at a time.

efs_mounts: Adds an EFS LaunchBundle that mounts all EFS locations. A SecurityGroup must still be manually configured to allow the ASG instances to network access to the EFS filesystem.

monitoring: Any fields specified in the metrics or log_sets fields will add a CloudWatchAgent LaunchBundle that will install a CloudWatch Agent and configure it to collect all specified metrics and log sources.

secrets: Adds a policy to the Instance Role which allows instances to access the specified secrets.

ssh_access: Grants users and groups SSH access to the instances.

example ASG configuration

type: ASG
order: 30
enabled: true
associate_public_ip_address: false
cooldown_secs: 200
ebs_optimized: false
health_check_grace_period_secs: 240
health_check_type: EC2
availability_zone: 1
ebs_volume_mounts:
  - volume: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_volume
    enabled: true
    folder: /var/www/html
    device: /dev/xvdf
    filesystem: ext4
efs_mounts:
  - enabled: true
    folder: /mnt/wp_efs
    target: paco.ref netenv.mynet.applications.app.groups.storage.resources.my_efs
instance_iam_role:
  enabled: true
  policies:
    - name: DNSRecordSet
      statement:
        - effect: Allow
          action:
            - route53:ChangeResourceRecordSets
          resource:
            - 'arn:aws:route53:::hostedzone/HHIHkjhdhu744'
instance_ami: paco.ref function.aws.ec2.ami.latest.amazon-linux-2
instance_ami_type: amazon
instance_key_pair: paco.ref resource.ec2.keypairs.my_keypair
instance_monitoring: true
instance_type: t2.medium
desired_capacity: 1
max_instances: 3
min_instances: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT3M
  wait_on_resource_signals: false
target_groups:
  - paco.ref netenv.mynet.applications.app.groups.web.resources.alb.target_groups.cloud
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.web.asg
segment: private
termination_policies:
  - Default
scaling_policy_cpu_average: 60
ssh_access:
  users:
    - bdobbs
  groups:
    - developers
launch_options:
    update_packages: true
    ssm_agent: true
    cfn_init_config_sets:
    - "InstallApp"
cfn_init:
  config_sets:
    InstallApp:
      - "InstallApp"
  configurations:
    InstallApp:
      packages:
        yum:
          python3: []
      users:
        www-data:
          uid: 2000
          home_dir: /home/www-data
      files:
        "/etc/systemd/system/pypiserver.service":
          content_file: ./pypi-config/pypiserver.service
          mode: '000755'
          owner: root
          group: root
      commands:
        00_pypiserver:
          command: "/bin/pip3 install pypiserver"
        01_passlib_dependency:
          command: "/bin/pip3 install passlib"
        02_prep_mount:
           command: "chown www-data:www-data /var/pypi"
      services:
        sysvinit:
          pypiserver:
            enabled: true
            ensure_running: true
monitoring:
  enabled: true
  collection_interval: 60
  metrics:
    - name: swap
      measurements:
        - used_percent
    - name: disk
      measurements:
        - free
      resources:
        - '/'
        - '/var/www/html'
      collection_interval: 300
user_data_script: |
  echo "Hello World!"

AutoScalingGroup Rolling Update Policy

When changes are applied to an AutoScalingGroup that modify the configuration of newly launched instances, AWS can automatically launch instances with the new configuration and terminate old instances that have stale configuration. This can be configured so that there is no interruption of service as the new instances gradually replace old ones. This configuration is set with the rolling_update_policy field.

The rolling update policy must be able to work within the minimum/maximum number of instances in the ASG. Consider the following ASG configuration.

example ASG configuration

type: ASG
max_instances: 2
min_instances: 1
desired_capacity: 1
rolling_update_policy:
  max_batch_size: 1
  min_instances_in_service: 1
  pause_time: PT0S # default setting
  wait_on_resource_signals: false # default setting

This will normally run a single instance in the ASG. The ASG is never allowed to launch more than 2 instances at one time. When an update happens, a new batch of instances is launched - in this example just one instance. There wil be only 1 instance in service, but the capacity will be at 2 instances will the new instance is launched. After the instance is put into service by the ASG, it will immediately terminate the old instance.

The wait_on_resource_signals can be set to tell AWS CloudFormation to wait on making changes to the AutoScalingGroup configuration until a new instance is finished configuring and installing applications and is ready for service. If this field is enabled, then the pause_time default is PT05 (5 minutes). If CloudFormation does not get a SUCCESS signal within the pause_time then it will mark the new instance as failed and terminate it.

If you use pause_time with the default wait_on_resource_signals: false then AWS will simply wait for the full duration of the pause time and then consider the instance ready. pause_time is in format PT#H#M#S, where each # is the number of hours, minutes, and seconds, respectively. The maximum pause_time is one hour. For example:

pause_time: PT0S # 0 seconds
pause_time: PT5M # 5 minutes
pause_time: PT2M30S # 2 minutes and 30 seconds

ASGs will use default settings for a rolling update policy. If you do not want to use an update policies at all, then you must disable the rolling_update_policy explicitly:

type: ASG
rolling_update_policy:
  enabled: false

With no rolling update policy, when you make configuration changes, then existing instances with old configuration will continue to run and instances with the new configuration will not happen until the AutoScalingGroup needs to launch new instances. You must be careful with this approach as you can not know 100% that your new configuration launches instances proprely until some point in the future when new instances are requested by the ASG.

Prescribed Automation

Paco can help you send signals to CloudFormation when using wait_on_resource_signals. If you set wait_on_resource_signals: true then Paco will automatically grant the needed cloudformation:SignalResource and cloudformation:DescribeStacks to the IAM Role associated with the instance for you. Paco also provides an ec2lm_signal_asg_resource BASH function available in your user_data_script that you can run to signal the instance is ready: ec2lm_signal_asg_resource SUCCESS or ec2lm_signal_asg_resource SUCCESS.

If you want to wait until load balancer health checks are passing before an instance is considered healthy, then send the SUCCESS signal to CloudFormation, you will need to configure this yourself.

example ASG signalling using ELB health checks

'until [ "$state" == ""InService"" ]; do state=$(aws --region ${AWS::Region} elb describe-instance-health
--load-balancer-name ${ElasticLoadBalancer}
--instances $(curl -s http://169.254.169.254/latest/meta-data/instance-id)
--query InstanceStates[0].State); sleep 10; done'

See the AWS documentation for more information on how AutoScalingRollingUpdate Policy configuration is used.

ASG

Field name	Type	Purpose	Constraints	Default
associate_public_ip_address	Boolean	Associate Public IP Address		False
availability_zone	String	Availability Zones to launch instances in.		all
block_device_mappings	List<BlockDeviceMapping>	Block Device Mappings
cfn_init	Object<CloudFormationInit>	CloudFormation Init
cooldown_secs	Int	Cooldown seconds		300
desired_capacity	Int	Desired capacity		1
desired_capacity_ignore_changes	Boolean	Ignore changes to the desired_capacity after the ASG is created.		False
dns	List<DNS>	DNS domains to create to resolve to one of the ASGs EC2 Instances
ebs_optimized	Boolean	EBS Optimized		False
ebs_volume_mounts	List<EBSVolumeMount>	Elastic Block Store Volume Mounts
ecs	Object<ECSASGConfiguration>	ECS Configuration
efs_mounts	List<EFSMount>	Elastic Filesystem Configuration
eip	PacoReference|String	Elastic IP or AllocationId to attach to instance at launch	Paco Reference to EIP. String Ok.
health_check_grace_period_secs	Int	Health check grace period in seconds		300
health_check_type	String	Health check type	Must be one of: ‘EC2’, ‘ELB’	EC2
instance_ami	PacoReference|String	Instance AMI	Paco Reference to Function. String Ok.
instance_ami_ignore_changes	Boolean	Do not update the instance_ami after creation.		False
instance_ami_type	String	The AMI Operating System family	Must be one of amazon, centos, suse, debian, ubuntu, microsoft or redhat.	amazon
instance_iam_role	Object<Role>
instance_key_pair	PacoReference	Key pair to connect to launched instances	Paco Reference to EC2KeyPair.
instance_monitoring	Boolean	Instance monitoring		False
instance_type	String	Instance type
launch_options	Object<EC2LaunchOptions>	EC2 Launch Options
lifecycle_hooks	Container<ASGLifecycleHooks>	Lifecycle Hooks
load_balancers	List<PacoReference>	Target groups	Paco Reference to TargetGroup.
max_instances	Int	Maximum instances		2
min_instances	Int	Minimum instances		1
rolling_update_policy	Object<ASGRollingUpdatePolicy>	Rolling Update Policy
scaling_policies	Container<ASGScalingPolicies>	Scaling Policies
scaling_policy_cpu_average	Int	Average CPU Scaling Polciy		0
secrets	List<PacoReference>	List of Secrets Manager References	Paco Reference to SecretsManagerSecret.
security_groups	List<PacoReference>	Security groups	Paco Reference to SecurityGroup.
segment	String	Segment
ssh_access	Object<SSHAccess>	SSH Access
target_groups	List<PacoReference>	Target groups	Paco Reference to TargetGroup.
termination_policies	List<String>	Terminiation policies
user_data_pre_script	String	User data pre-script
user_data_script	String	User data script

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ASGLifecycleHooks

Container for ASGLifecycleHook objects.

ASGLifecycleHooks Container<ASGLifecycleHook>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ASGLifecycleHook

ASG Lifecycle Hook

ASGLifecycleHook

Field name	Type	Purpose	Constraints	Default
default_result	String	Default Result
lifecycle_transition	String	ASG Lifecycle Transition
notification_target_arn	String	Lifecycle Notification Target Arn
role_arn	String	Licecycel Publish Role ARN

Base Schemas Deployable, Named, Title

ASGScalingPolicies

Container for ASGScalingPolicy objects.

ASGScalingPolicies Container<ASGScalingPolicy>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ASGScalingPolicy

Auto Scaling Group Scaling Policy

ASGScalingPolicy

Field name	Type	Purpose	Constraints	Default
adjustment_type	String	Adjustment Type		ChangeInCapacity
alarms	List<SimpleCloudWatchAlarm>	Alarms
cooldown	Int	Scaling Cooldown in Seconds		300
policy_type	String	Policy Type		SimpleScaling
scaling_adjustment	Int	Scaling Adjustment

Base Schemas Deployable, Named, Title

ASGRollingUpdatePolicy

AutoScalingRollingUpdate Policy

ASGRollingUpdatePolicy

Field name	Type	Purpose	Constraints	Default
enabled	Boolean	Enable an UpdatePolicy for the ASG		True
max_batch_size	Int	Maximum batch size		1
min_instances_in_service	Int	Minimum instances in service		0
pause_time	String	Minimum instances in service	Must be in the format PT#H#M#S
wait_on_resource_signals	Boolean	Wait for resource signals		False

Base Schemas Named, Title

ECSASGConfiguration

ECSASGConfiguration

Field name	Type	Purpose	Constraints	Default
capacity_provider	Object<ECSCapacityProvider>	Capacity Provider
cluster	PacoReference	Cluster	Paco Reference to ECSCluster.
log_level	Choice	Log Level		error

Base Schemas Named, Title

ECSCapacityProvider

ECSCapacityProvider

Field name	Type	Purpose	Constraints	Default
maximum_scaling_step_size	Int	Maximum Scaling Step Size		10000
minimum_scaling_step_size	Int	Minimum Scaling Step Size		1
target_capacity	Int	Target Capacity		100

Base Schemas Deployable, Named, Title

SSHAccess

SSHAccess

Field name	Type	Purpose	Constraints	Default
groups	List<String>	Groups	Must match a group declared in resource/ec2.yaml	[]
users	List<String>	User	Must match a user declared in resource/ec2.yaml	[]

Base Schemas Named, Title

BlockDeviceMapping

BlockDeviceMapping

Field name	Type	Purpose	Constraints	Default
device_name	String	The device name exposed to the EC2 instance
ebs	Object<BlockDevice>	Amazon Ebs volume
virtual_name	String	The name of the virtual device.	The name must be in the form ephemeralX where X is a number starting from zero (0), for example, ephemeral0.

BlockDevice

BlockDevice

Field name	Type	Purpose	Constraints	Default
delete_on_termination	Boolean	Indicates whether to delete the volume when the instance is terminated.		True
encrypted	Boolean	Specifies whether the EBS volume is encrypted.
iops	Int	The number of I/O operations per second (IOPS) to provision for the volume.	The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS, you need at least 100 GiB storage on the volume.
size_gib	Int	The volume size, in Gibibytes (GiB).	This can be a number from 1-1,024 for standard, 4-16,384 for io1, 1-16,384 for gp2, and 500-16,384 for st1 and sc1.
snapshot_id	String	The snapshot ID of the volume to use.
volume_type	String	The volume type, which can be standard for Magnetic, io1 for Provisioned IOPS SSD, gp2 for General Purpose SSD, st1 for Throughput Optimized HDD, or sc1 for Cold HDD.	Must be one of standard, io1, gp2, st1 or sc1.

EBSVolumeMount

EBS Volume Mount Configuration

EBSVolumeMount

Field name	Type	Purpose	Constraints	Default
device	String	Device to mount the EBS Volume with.
filesystem	String	Filesystem to mount the EBS Volume with.
folder	String	Folder to mount the EBS Volume
volume	PacoReference|String	EBS Volume Resource Reference	Paco Reference to EBS. String Ok.

Base Schemas Deployable

EFSMount

EFS Mount Folder and Target Configuration

EFSMount

Field name	Type	Purpose	Constraints	Default
folder	String	Folder to mount the EFS target
target	PacoReference|String	EFS Target Resource Reference	Paco Reference to EFS. String Ok.

Base Schemas Deployable

EC2LaunchOptions

EC2 Launch Options

EC2LaunchOptions

Field name	Type	Purpose	Constraints	Default
cfn_init_config_sets	List<String>	List of cfn-init config sets		[]
codedeploy_agent	Boolean	Install CodeDeploy Agent		False
ssm_agent	Boolean	Install SSM Agent		True
ssm_expire_events_after_days	String	Retention period of SSM logs		30
update_packages	Boolean	Update Distribution Packages		False

Base Schemas Named, Title

CloudFormationInit

CloudFormation Init is a method to configure an EC2 instance after it is launched. CloudFormation Init is a much more complete and robust method to install configuration files and pakcages than using a UserData script.

It stores information about packages, files, commands and more in CloudFormation metadata. It is accompanied by a cfn-init script which will run on the instance to fetch this configuration metadata and apply it. The whole system is often referred to simply as cfn-init after this script.

The cfn_init field of for an ASG contains all of the cfn-init configuration. After an instance is launched, it needs to run a local cfn-init script to pull the configuration from the CloudFromation stack and apply it. After cfn-init has applied configuration, you will run cfn-signal to tell CloudFormation the configuration was successfully applied. Use the launch_options field for an ASG to let Paco take care of all this for you.

Prescribed Automation

launch_options: The cfn_init_config_sets: field is a list of cfn-init configurations to apply at launch. This list will be applied in order. On Amazon Linux the cfn-init script is pre-installed in /opt/aws/bin. If you enable a cfn-init launch option, Paco will install cfn-init in /opt/paco/bin for you.

Refer to the CloudFormation Init docs for a complete description of all the configuration options available.

cfn_init with launch_options

launch_options:
    cfn_init_config_sets:
    - "Install"
cfn_init:
  parameters:
    BasicKey: static-string
    DatabasePasswordarn: paco.ref netenv.mynet.secrets_manager.app.site.database.arn
  config_sets:
    Install:
      - "Install"
  configurations:
    Install:
      packages:
        rpm:
          epel: "http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm"
        yum:
          jq: []
          python3: []
      files:
        "/tmp/get_rds_dsn.sh":
          content_cfn_file: ./webapp/get_rds_dsn.sh
          mode: '000700'
          owner: root
          group: root
        "/etc/httpd/conf.d/saas_wsgi.conf":
          content_file: ./webapp/saas_wsgi.conf
          mode: '000600'
          owner: root
          group: root
        "/etc/httpd/conf.d/wsgi.conf":
          content: "LoadModule wsgi_module modules/mod_wsgi.so"
          mode: '000600'
          owner: root
          group: root
        "/tmp/install_codedeploy.sh":
          source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
          mode: '000700'
          owner: root
          group: root
      commands:
        10_install_codedeploy:
          command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
      services:
        sysvinit:
          codedeploy-agent:
            enabled: true
            ensure_running: true

The parameters field is a set of Parameters that will be passed to the CloudFormation stack. This can be static strings or paco.ref that are looked up from already provisioned cloud resources.

CloudFormation Init can be organized into Configsets. With raw cfn-init using Configsets is optional, but is required with Paco.

In a Configset, the files field has four fields for specifying the file contents.

• content_file: A path to a file on the local filesystem. A convenient practice is to make a sub-directory in the netenv directory for keeping cfn-init files.
• content_cfn_file: A path to a file on the local filesystem. This file will have FnSub and FnJoin CloudFormation applied to it.
• content: For small files, the content can be in-lined directly in this field.
• source: Fetches the file from a URL.

If you are using content_cfn_file to interpolate Parameters, the file might look like:

!Sub |
    #!/bin/bash

    echo "Database ARN is " ${DatabasePasswordarn}
    echo "AWS Region is " ${AWS::Region}

If you want to include a raw ${SomeValue} string in your file, use the ! character to escape it like this: ${!SomeValue}. cfn-init also supports interpolation with Mustache templates, but Paco support for this is not yet implemented.

CloudFormationInit

Field name	Type	Purpose	Constraints	Default
config_sets	Container<CloudFormationConfigSets>	CloudFormation Init configSets
configurations	Container<CloudFormationConfigurations>	CloudFormation Init configurations
parameters	Dict	Parameters		{}

Base Schemas Named, Title

CloudFormationConfigSets

CloudFormationConfigSets

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CloudFormationConfigurations

CloudFormationConfigurations Container<CloudFormationConfiguration>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CloudFormationConfiguration

CloudFormationConfiguration

Field name	Type	Purpose	Constraints	Default
commands	Container<CloudFormationInitCommands>	Commands
files	Container<CloudFormationInitFiles>	Files
groups	Object<CloudFormationInitGroups>	Groups
packages	Object<CloudFormationInitPackages>	Packages
services	Object<CloudFormationInitServices>	Services
sources	Container<CloudFormationInitSources>	Sources
users	Object<CloudFormationInitUsers>	Users

Base Schemas Named, Title

CloudFormationInitCommands

CloudFormationInitCommands

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CloudFormationInitCommand

CloudFormationInitCommand

Field name	Type	Purpose	Constraints	Default
command	String	Command
cwd	String	Cwd. The working directory
env	Dict	Environment Variables. This property overwrites, rather than appends, the existing environment.		{}
ignore_errors	Boolean	Ingore errors - determines whether cfn-init continues to run if the command in contained in the command key fails (returns a non-zero value). Set to true if you want cfn-init to continue running even if the command fails.		False
test	String	A test command that determines whether cfn-init runs commands that are specified in the command key. If the test passes, cfn-init runs the commands.

CloudFormationInitFiles

CloudFormationInitFiles

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CloudFormationInitFile

CloudFormationInitFile

Field name	Type	Purpose	Constraints	Default
authentication	String	The name of an authentication method to use.
content	Object<Interface>	Either a string or a properly formatted YAML object.
content_cfn_file	YAMLFileReference	File path to a properly formatted CloudFormation Functions YAML object.
content_file	StringFileReference	File path to a string.
context	String	Specifies a context for files that are to be processed as Mustache templates.
encoding	String	The encoding format.
group	String	The name of the owning group for this file. Not supported for Windows systems.
mode	String	A six-digit octal value representing the mode for this file.
owner	String	The name of the owning user for this file. Not supported for Windows systems.
source	String	A URL to load the file from.

Base Schemas Named, Title

CloudFormationInitGroups

Container for CloudFormationInit Groups

CloudFormationInitPackages

CloudFormationInitPackages

Field name	Type	Purpose	Constraints	Default
apt	Container<CloudFormationInitVersionedPackageSet>	Apt packages
msi	Container<CloudFormationInitPathOrUrlPackageSet>	MSI packages
python	Container<CloudFormationInitVersionedPackageSet>	Apt packages
rpm	Container<CloudFormationInitPathOrUrlPackageSet>	RPM packages
rubygems	Container<CloudFormationInitVersionedPackageSet>	Rubygems packages
yum	Container<CloudFormationInitVersionedPackageSet>	Yum packages

Base Schemas Named, Title

CloudFormationInitVersionedPackageSet

CloudFormationInitPathOrUrlPackageSet

CloudFormationInitServiceCollection

CloudFormationInitServiceCollection

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CloudFormationInitServices

CloudFormationInitServices

Field name	Type	Purpose	Constraints	Default
sysvinit	Container<CloudFormationInitServiceCollection>	SysVInit Services for Linux OS
windows	Container<CloudFormationInitServiceCollection>	Windows Services for Windows OS

Base Schemas Named, Title

CloudFormationInitService

CloudFormationInitService

Field name	Type	Purpose	Constraints	Default
commands	List<String>	A list of command names. If cfn-init runs the specified command, this service will be restarted.
enabled	Boolean	Ensure that the service will be started or not started upon boot.
ensure_running	Boolean	Ensure that the service is running or stopped after cfn-init finishes.
files	List<String>	A list of files. If cfn-init changes one directly via the files block, this service will be restarted
packages	Dict	A map of package manager to list of package names. If cfn-init installs or updates one of these packages, this service will be restarted.		{}
sources	List<String>	A list of directories. If cfn-init expands an archive into one of these directories, this service will be restarted.

CloudFormationInitSources

CloudFormationInitSources

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CloudFormationInitUsers

Container for CloudFormationInit Users

ACM

ACM

Field name	Type	Purpose	Constraints	Default
domain_name	String	Domain Name
external_resource	Boolean	Marks this resource as external to avoid creating and validating it.		False
private_ca	String	Private Certificate Authority ARN
region	String	AWS Region	Must be a valid AWS Region name
subject_alternative_names	List<String>	Subject alternative names

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CloudFront

CloudFront CDN Configuration

CloudFront

Field name	Type	Purpose	Constraints	Default
cache_behaviors	List<CloudFrontCacheBehavior>	List of Cache Behaviors
custom_error_responses	List<CloudFrontCustomErrorResponse>	List of Custom Error Responses
default_cache_behavior	Object<CloudFrontDefaultCacheBehavior>	Default Cache Behavior
default_root_object	String	The default path to load from the origin.
domain_aliases	List<DNS>	List of DNS for the Distribution
factory	Container<CloudFrontFactories_>	CloudFront Factory
origins	Container<CloudFrontOrigins_>	Map of Origins
price_class	String	Price Class		All
viewer_certificate	Object<CloudFrontViewerCertificate>	Viewer Certificate
webacl_id	String	WAF WebACLId

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

CloudFrontDefaultCacheBehavior

CloudFrontDefaultCacheBehavior

Field name	Type	Purpose	Constraints	Default
allowed_methods	List<String>	List of Allowed HTTP Methods		[‘DELETE’, ‘GET’, ‘HEAD’, ‘OPTIONS’, ‘PATCH’, ‘POST’, ‘PUT’]
cached_methods	List<String>	List of HTTP Methods to cache		[‘GET’, ‘HEAD’, ‘OPTIONS’]
compress	Boolean	Compress certain files automatically		False
default_ttl	Int	Default TTL		86400
forwarded_values	Object<CloudFrontForwardedValues>	Forwarded Values
lambda_function_associations	List<CloudFrontLambdaFunctionAssocation>	Lambda Function Associations
max_ttl	Int	Maximum TTL		31536000
min_ttl	Int	Minimum TTL		0
target_origin	PacoReference	Target Origin	Paco Reference to CloudFrontOrigin.
viewer_protocol_policy	String	Viewer Protocol Policy		redirect-to-https

Base Schemas Named, Title

CloudFrontCacheBehavior

CloudFrontCacheBehavior

Field name	Type	Purpose	Constraints	Default
path_pattern	String	Path Pattern

Base Schemas CloudFrontDefaultCacheBehavior, Named, Title

CloudFrontFactory

CloudFront Factory

CloudFrontFactory

Field name	Type	Purpose	Constraints	Default
domain_aliases	List<DNS>	List of DNS for the Distribution
viewer_certificate	Object<CloudFrontViewerCertificate>	Viewer Certificate

Base Schemas Named, Title

CloudFrontOrigin

CloudFront Origin Configuration

CloudFrontOrigin

Field name	Type	Purpose	Constraints	Default
custom_origin_config	Object<CloudFrontCustomOriginConfig>	Custom Origin Configuration
domain_name	PacoReference|String	Origin Resource Reference	Paco Reference to Route53HostedZone. String Ok.
s3_bucket	PacoReference	Origin S3 Bucket Reference	Paco Reference to S3Bucket.

Base Schemas Named, Title

CloudFrontCustomOriginConfig

CloudFrontCustomOriginConfig

Field name	Type	Purpose	Constraints	Default
http_port	Int	HTTP Port
https_port	Int	HTTPS Port
keepalive_timeout	Int	HTTP Keepalive Timeout		5
protocol_policy	String	Protocol Policy
read_timeout	Int	Read timeout		30
ssl_protocols	List<String>	List of SSL Protocols

Base Schemas Named, Title

CloudFrontCustomErrorResponse

CloudFrontCustomErrorResponse

Field name	Type	Purpose	Constraints	Default
error_caching_min_ttl	Int	Error Caching Min TTL		300
error_code	Int	HTTP Error Code
response_code	Int	HTTP Response Code
response_page_path	String	Response Page Path

CloudFrontViewerCertificate

CloudFrontViewerCertificate

Field name	Type	Purpose	Constraints	Default
certificate	PacoReference	Certificate Reference	Paco Reference to ACM.
minimum_protocol_version	String	Minimum SSL Protocol Version		TLSv1.1_2016
ssl_supported_method	String	SSL Supported Method		sni-only

Base Schemas Named, Title

CloudFrontForwardedValues

CloudFrontForwardedValues

Field name	Type	Purpose	Constraints	Default
cookies	Object<CloudFrontCookies>	Forward Cookies
headers	List<String>	Forward Headers		[‘*’]
query_string	Boolean	Forward Query Strings		True

Base Schemas Named, Title

CloudFrontCookies

CloudFrontCookies

Field name	Type	Purpose	Constraints	Default
forward	String	Cookies Forward Action		all
whitelisted_names	List<String>	White Listed Names

Base Schemas Named, Title

CloudFrontLambdaFunctionAssocation

CloudFrontLambdaFunctionAssocation

Field name	Type	Purpose	Constraints	Default
event_type	Choice	Event Type	Must be one of ‘origin-request’, ‘origin-response’, ‘viewer-request’ or ‘viewer-response’
include_body	Boolean	Include Body		False
lambda_function	PacoReference	Lambda Function	Paco Reference to Lambda.

Base Schemas Named, Title

CognitoLambdaTriggers

CognitoLambdaTriggers

Field name	Type	Purpose	Constraints	Default
create_auth_challenge	PacoReference	CreateAuthChallenge Lambda trigger	Paco Reference to Lambda.
custom_message	PacoReference	CustomMessage Lambda trigger	Paco Reference to Lambda.
define_auth_challenge	PacoReference	DefineAuthChallenge Lambda trigger	Paco Reference to Lambda.
post_authentication	PacoReference	PostAuthentication Lambda trigger	Paco Reference to Lambda.
post_confirmation	PacoReference	PostConfirmation Lambda trigger	Paco Reference to Lambda.
pre_authentication	PacoReference	PreAuthentication Lambda trigger	Paco Reference to Lambda.
pre_sign_up	PacoReference	PreSignUp Lambda trigger	Paco Reference to Lambda.
pre_token_generation	PacoReference	PreTokenGeneration Lambda trigger	Paco Reference to Lambda.
user_migration	PacoReference	UserMigration Lambda trigger	Paco Reference to Lambda.
verify_auth_challenge_response	PacoReference	VerifyAuthChallengeResponse Lambda trigger	Paco Reference to Lambda.

CodeDeployApplication

CodeDeploy Application creates CodeDeploy Application and Deployment Groups for that application.

This resource can be used when you already have another process in-place to put deploy artifacts into an S3 Bucket. If you also need to build artifacts, use DeploymentPipeline instead.

Prescribed Automation

CodeDeploy Service Role: The AWS CodeDeploy service needs a Service Role that it is allowed to assume to allow the service to run in your AWS Account. Paco will automatically create such a service role for every CodeDeploy Application.

Example CodeDeployApplication resource YAML

type: CodeDeployApplication
order: 40
compute_platform: "Server"
deployment_groups:
  deployment:
    title: "My Deployment Group description"
    ignore_application_stop_failures: true
    revision_location_s3: paco.ref netenv.mynet.applications.app.groups.deploybucket
    autoscalinggroups:
      - paco.ref netenv.mynet.applications.app.groups.web

It can be convienent to install the CodeDeploy agent on your instances using CloudFormationInit.

Example ASG configuration for cfn_init to install CodeDeploy agent

launch_options:
  cfn_init_config_sets:
    - "InstallCodeDeploy"
cfn_init:
  config_sets:
    InstallCodeDeploy:
      - "InstallCodeDeploy"
  files:
    "/tmp/install_codedeploy.sh":
      source: https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
      mode: '000700'
      owner: root
      group: root
  commands:
    01_install_codedeploy:
      command: "/tmp/install_codedeploy.sh auto > /var/log/cfn-init-codedeploy.log 2>&1"
  services:
    sysvinit:
      codedeploy-agent:
        enabled: true
        ensure_running: true

CodeDeployApplication

Field name	Type	Purpose	Constraints	Default
compute_platform	String	Compute Platform	Must be one of Lambda, Server or ECS
deployment_groups	Container<CodeDeployDeploymentGroups>	CodeDeploy Deployment Groups

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CodeDeployDeploymentGroups

CodeDeployDeploymentGroups

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CodeDeployDeploymentGroup

CodeDeployDeploymentGroup

Field name	Type	Purpose	Constraints	Default
autoscalinggroups	List<PacoReference>	AutoScalingGroups that CodeDeploy automatically deploys revisions to when new instances are created	Paco Reference to ASG.
ignore_application_stop_failures	Boolean	Ignore Application Stop Failures
revision_location_s3	Object<DeploymentGroupS3Location>	S3 Bucket revision location
role_policies	List<Policy>	Policies to grant the deployment group role

Base Schemas Deployable, Named, Title

CognitoUserPool

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps.

The CognitoUserPool resource type is a user directory in Amazon Cognito. With a user pool, users can sign in to your web or mobile app through Amazon Cognito.

Prescribed Automation

mfa: If this is on or optional then an IAM Role will be created to allow sending SMS reset codes. If you are supporting SMS with Cognito, then you will also need to manually create an AWS Support ticket to raise the accounts limit of SMS spending beyond the default of $1/month.

Example CognituUserPool YAML

type: CognitoUserPool
order: 10
enabled: true
auto_verified_attributes: email
mfa: 'optional'
mfa_methods:
 - software_token
 - sms
account_recovery: verified_email
password:
  minimum_length: 12
  require_lowercase: true
  require_uppercase: true
  require_numbers: false
  require_symbols: false
email:
  reply_to_address: reply-to@example.com
user_creation:
  admin_only: true
  unused_account_validity_in_days: 7
  invite_message_templates:
    email_subject: 'Invite to the App!'
    email_message: >
      <p>You've had an account created for you on the app.</p>
      <p><b>Username:</b> {username}</p>
      <p><b>Temporary password:</b> {####}</p>
      <p>Please login and set a secure password. This request will expire in 7 days.</p>
lambda_triggers:
  pre_sign_up: paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
schema:
  - attribute_name: email
    attribute_data_type: string
    mutable: false
    required: true
  - attribute_name: name
    attribute_data_type: string
    mutable: true
    required: true
  - attribute_name: phone_number
    attribute_data_type: string
    mutable: true
    required: false
ui_customizations:
  logo_file: './images/logo.png'
  css_file: './images/cognito.css'
app_clients:
  web:
    generate_secret: false
    callback_urls:
      - https://example.com
      - https://example.com/parseauth
      - https://example.com/refreshauth
    logout_urls:
      - https://example.com/signout
    allowed_oauth_flows:
        - code
    allowed_oauth_scopes:
        - email
        - openid
    domain_name: exampledomain
    identity_providers:
      - cognito

CognitoUserPool

Field name	Type	Purpose	Constraints	Default
account_recovery	String	Account Recovery Options (in order of priority)	Can be either ‘admin_only’, ‘verified_email’, ‘verified_phone_number’, ‘verified_phone_number,verified_email’ or ‘verified_email,verified_phone_number’
app_clients	Container<CognitoUserPoolClients>	App Clients
auto_verified_attributes	String	Auto Verified Attributes	Can be either ‘email’, ‘phone_number’ or ‘email,phone_number’
email	Object<CognitoEmailConfiguration>	Email Configuration
lambda_triggers	Object<CognitoLambdaTriggers>	Lambda Triggers
mfa	Choice	MFA Configuration	Must be one of ‘off’, ‘on’ or ‘optional’	off
mfa_methods	Choice	Enabled MFA methods	List of ‘sms’ or ‘software_token’	[]
password	Object<CognitoUserPoolPasswordPolicy>	Password Configuration
schema	List<CognitoUserPoolSchemaAttribute>	Schema Attributes		[]
ui_customizations	Object<CognitoUICustomizations>	UI Customizations
user_creation	Object<CognitoUserCreation>	User Creation

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CognitoInviteMessageTemplates

CognitoInviteMessageTemplates

Field name	Type	Purpose	Constraints	Default
email_message	String	Email Message
email_subject	String	Email Subject
sms_message	String	SMS Message

Base Schemas Named, Title

CognitoUserPoolClients

A container of CognitoUserPoolClient objects.

CognitoUserPoolClients Container<CognitoUserPoolClient>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CognitoUserPoolClient

CognitoUserPoolClient

Field name	Type	Purpose	Constraints	Default
allowed_oauth_flows	Choice	Allowed OAuth Flows		[]
allowed_oauth_scopes	List<String>	Allow OAuth Scopes		[]
callback_urls	List<String>	Callback URLs		[]
domain_name	String	Domain Name or domain prefix
generate_secret	Boolean	Generate Secret		False
identity_providers	Choice	Identity Providers		[]
logout_urls	List<String>	Logout URLs		[]

Base Schemas Named, Title

CognitoEmailConfiguration

CognitoEmailConfiguration

Field name	Type	Purpose	Constraints	Default
from_address	String	From Email Address
reply_to_address	String	Reply To Email Address
verification_message	String	Verification Message
verification_subject	String	Verification Subject

Base Schemas Named, Title

CognitoUserPoolPasswordPolicy

CognitoUserPoolPasswordPolicy

Field name	Type	Purpose	Constraints	Default
minimum_length	Int	Minimum Length
require_lowercase	Boolean	Require Lowercase		True
require_numbers	Boolean	Require Numbers		True
require_symbols	Boolean	Require Symbols		True
require_uppercase	Boolean	Require Uppercase		True

Base Schemas Named, Title

CognitoUserPoolSchemaAttribute

CognitoUserPoolSchemaAttribute

Field name	Type	Purpose	Constraints	Default
attribute_data_type	Choice	Attribute Data Type
attribute_name	String	Name	From 1 to 20 characters
mutable	Boolean	Mutable
required	Boolean	Required

CognitoUICustomizations

CognitoUICustomizations

Field name	Type	Purpose	Constraints	Default
css_file	StringFileReference	File path to a CSS file.	Contents must be valid CSS that applies to the Cognito Hosted UI.
logo_file	BinaryFileReference	File path to an image.	Must be a PNG or JPEG and max 100 Kb.

Base Schemas Named, Title

CognitoUserCreation

CognitoUserCreation

Field name	Type	Purpose	Constraints	Default
admin_only	Boolean	Allow only Admin to create users		False
invite_message_templates	Object<CognitoInviteMessageTemplates>	Invite Message Templates
unused_account_validity_in_days	Int	Unused Account Validity in Days		7

Base Schemas Named, Title

CognitoIdentityPool

The CognitoIdentityPool resource type grants authorization of Cognito User Pool users to resources.

Example CognituIdentityPool YAML

type: CognitoIdentityPool
order: 20
enabled: true
allow_unauthenticated_identities: true
identity_providers:
 - userpool_client: paco.ref netenv.mynet.applications.myapp.groups.cognito.resources.cup.app_clients.web
   serverside_token_check: false
unauthenticated_role:
  enabled: true
  policies:
    - name: CognitoSyncAll
      statement:
        - effect: Allow
          action:
            - "cognito-sync:*"
          resource:
            - '*'
authenticated_role:
  enabled: true
  policies:
    - name: ViewDescribe
      statement:
        - effect: Allow
          action:
            - "cognito-sync:*"
            - "cognito-identity:*"
          resource:
            - '*'
        - effect: Allow
          action:
            - "lambda:InvokeFunction"
          resource:
            - '*'

CognitoIdentityPool

Field name	Type	Purpose	Constraints	Default
allow_unauthenticated_identities	Boolean	Allow Unauthenticated Identities		False
authenticated_role	Object<RoleDefaultEnabled>
identity_providers	List<CognitoIdentityProvider>	Identity Providers		[]
unauthenticated_role	Object<RoleDefaultEnabled>

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CognitoIdentityProvider

CognitoIdentityProvider

Field name	Type	Purpose	Constraints	Default
serverside_token_check	Boolean	ServerSide Token Check		False
userpool_client	PacoReference	Identity Provider	Paco Reference to CognitoUserPoolClient.

DeploymentPipeline

DeploymentPipeline creates AWS CodePipeline resources configured to act as CI/CDs to deploy code and assets to application resources. DeploymentPipelines allow you to express complex CI/CDs with minimal configuration.

A DeploymentPipeline has a number of Actions for three pre-defined Stages: source, build and deploy. The currently supported list of actions for each stage is:

Current Actions available by Stage

source:
  type: CodeCommit.Source
  type: ECR.Source
  type: GitHub.Source
build:
  type: CodeBuild.Build
deploy:
  type: CodeDeploy.Deploy
  type: ECS.Deploy
  type: ManualApproval

DeploymentPipelines can be configured to work cross-account and will automatically encrypt the artifacts S3 Bucket with a KMS-CMK key that can only be accessed by the pipeline. The configuration field lets you set the account that the DeploymentPipeline’s CodePipeilne resource will be created in and also specify the S3 Bucket to use for artifacts.

Configure a DeploymentPipeline to run in the tools account

configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools

DeploymentPipeline caveats - there are a few things to consider when creating pipelines:

• You need to create an S3 Bucket that will be configured to for artifacts. Even pipelines which don’t create artifacts will need this resource to hold ephemeral files created by CodePipeline.
• A pipeline that deploys artifacts to an AutoScalingGroup will need the artifacts_bucket to allow the IAM Instance Role to read from the bucket.
• A pipeline with an ECR.Source source must be in the same account as the ECR Repository.
• A pipeline with an ECR.Source source must have at least one image alreaay created in it before it can be created.
• A pipeline that is building Docker images needs to set privileged_mode: true.
• If you are using a manual approval step before deploying, pay attention to the run_order field. Normally you will want the approval action to happen before the deploy action.

Example S3 Bucket for a DeploymentPipeline that deploys to an AutoScalingGroup

type: S3Bucket
enabled: true
order: 10
bucket_name: "artifacts"
deletion_policy: "delete"
account: paco.ref accounts.tools
versioning: true
policy:
  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.myapp.groups.container.resources.asg.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''

Example DeploymentPipeline to deploy to ECS when an ECR Repository is updated

type: DeploymentPipeline
order: 10
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  ecr:
    type: ECR.Source
    repository: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecr_example
    image_tag: latest
deploy:
  ecs:
    type: ECS.Deploy
    cluster: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecs_cluster
    service: paco.ref netenv.mynet.applications.myapp.groups.container.resources.ecs_config.services.simple_app

Example DeploymentPipeline to pull from GitHub, build a Docker image and then deploy from an ECR Repo

type: DeploymentPipeline
order: 20
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  github:
    type: GitHub.Source
    deployment_branch_name: "prod"
    github_access_token: paco.ref netenv.mynet.secrets_manager.myapp.github.token
    github_owner: MyExample
    github_repository: MyExample-FrontEnd
    poll_for_source_changes: false
build:
  codebuild:
    type: CodeBuild.Build
    deployment_environment: "prod"
    codebuild_image: 'aws/codebuild/standard:4.0'
    codebuild_compute_type: BUILD_GENERAL1_MEDIUM
    privileged_mode: true # To allow docker images to be built
    codecommit_repo_users:
      - paco.ref resource.codecommit.mygroup.myrepo.users.MyCodeCommitUser
    secrets:
      - paco.ref netenv.mynet.secrets_manager.myapp.github.ssh_private_key
    role_policies:
      - name: AmazonEC2ContainerRegistryPowerUser
        statement:
          - effect: Allow
            action:
              - ecr:GetAuthorizationToken
              - ecr:BatchCheckLayerAvailability
              - ecr:GetDownloadUrlForLayer
              - ecr:GetRepositoryPolicy
              - ecr:DescribeRepositories
              - ecr:ListImages
              - ecr:DescribeImages
              - ecr:BatchGetImage
              - ecr:GetLifecyclePolicy
              - ecr:GetLifecyclePolicyPreview
              - ecr:ListTagsForResource
              - ecr:DescribeImageScanFindings
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
            resource:
              - '*'
deploy:
  ecs:
    type: ECS.Deploy
    cluster: paco.ref netenv.mynet.applications.myapp.groups.container.resources.cluster
    service: paco.ref netenv.mynet.applications.myapp.groups.container.resources.services.services.frontend

Example DeploymentPipeline to pull from CodeCommit, build an app artifact and then deploy to an ASG using CodeDeploy

type: DeploymentPipeline
order: 30
enabled: true
configuration:
  artifacts_bucket: paco.ref netenv.mynet.applications.myapp.groups.cicd.resources.artifacts
  account: paco.ref accounts.tools
source:
  codecommit:
    type: CodeCommit.Source
    codecommit_repository: paco.ref resource.codecommit.mygroup.myrepo
    deployment_branch_name: "prod"
build:
  codebuild:
    type: CodeBuild.Build
    deployment_environment: "prod"
    codebuild_image: 'aws/codebuild/amazonlinux2-x86_64-standard:1.0'
    codebuild_compute_type: BUILD_GENERAL1_SMALL
deploy:
  approval:
    type: ManualApproval
    run_order: 1
    manual_approval_notification_email:
      - bob@example.com
      - sally@example.com
  codedeploy:
    type: CodeDeploy.Deploy
    run_order: 2
    alb_target_group: paco.ref netenv.mynet.applications.myapp.groups.backend.resources.alb.target_groups.api
    auto_scaling_group: paco.ref netenv.mynet.applications.myapp.groups.backend.resources.api
    auto_rollback_enabled: true
    minimum_healthy_hosts:
      type: HOST_COUNT
      value: 0
    deploy_style_option: WITHOUT_TRAFFIC_CONTROL

DeploymentPipeline

Field name	Type	Purpose	Constraints	Default
build	Container<DeploymentPipelineBuildStage>	Deployment Pipeline Build Stage
configuration	Object<DeploymentPipelineConfiguration>	Deployment Pipeline General Configuration
deploy	Container<DeploymentPipelineDeployStage>	Deployment Pipeline Deploy Stage
source	Container<DeploymentPipelineSourceStage>	Deployment Pipeline Source Stage
stages	Container<CodePipelineStages>	Stages

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

CodePipelineStages

Container for CodePipelineStage objects.

CodePipelineStages Container<CodePipelineStage>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

CodePipelineStage

Container for different types of DeploymentPipelineStageAction objects.

CodePipelineStage

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

DeploymentPipelineSourceStage

A map of DeploymentPipeline source stage actions

DeploymentPipelineSourceStage

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

DeploymentPipelineDeployStage

A map of DeploymentPipeline deploy stage actions

DeploymentPipelineDeployStage

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

DeploymentPipelineBuildStage

A map of DeploymentPipeline build stage actions

DeploymentPipelineBuildStage

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

DeploymentPipelineDeployCodeDeploy

CodeDeploy DeploymentPipeline Deploy Stage

DeploymentPipelineDeployCodeDeploy

Field name	Type	Purpose	Constraints	Default
alb_target_group	PacoReference	ALB Target Group Reference	Paco Reference to TargetGroup.
auto_rollback_enabled	Boolean	Automatic rollback enabled		True
auto_scaling_group	PacoReference	ASG Reference	Paco Reference to ASG.
deploy_instance_role	PacoReference	Deploy Instance Role Reference	Paco Reference to Role.
deploy_style_option	String	Deploy Style Option		WITH_TRAFFIC_CONTROL
elb_name	String	ELB Name
minimum_healthy_hosts	Object<CodeDeployMinimumHealthyHosts>	The minimum number of healthy instances that should be available at any time during the deployment.

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineSourceECR

Amazon ECR DeploymentPipeline Source Stage

This Action is triggered whenever a new image is pushed to an Amazon ECR repository.

pipeline:
  type: DeploymentPipeline
  stages:
    source:
      ecr:
        type: ECR.Source
        enabled: true
        repository:  paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.myecr
        image_tag: "latest"

DeploymentPipelineSourceECR

Field name	Type	Purpose	Constraints	Default
image_tag	String	The name of the tag used for the image.		latest
repository	PacoReference|String	An ECRRepository ref or the name of the an ECR repository.	Paco Reference to ECRRepository. String Ok.

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

CodeDeployMinimumHealthyHosts

CodeDeploy Minimum Healthy Hosts

CodeDeployMinimumHealthyHosts

Field name	Type	Purpose	Constraints	Default
type	String	Deploy Config Type		HOST_COUNT
value	Int	Deploy Config Value		0

Base Schemas Named, Title

DeploymentPipelineManualApproval

ManualApproval DeploymentPipeline

DeploymentPipelineManualApproval

Field name	Type	Purpose	Constraints	Default
manual_approval_notification_email	List<String>	Manual Approval Notification Email List

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineDeployS3

Amazon S3 Deployment Provider

DeploymentPipelineDeployS3

Field name	Type	Purpose	Constraints	Default
bucket	PacoReference	S3 Bucket Reference	Paco Reference to S3Bucket.
extract	Boolean	Boolean indicating whether the deployment artifact will be unarchived.		True
input_artifacts	List<String>	Input Artifacts
object_key	String	S3 object key to store the deployment artifact as.

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineBuildCodeBuild

CodeBuild DeploymentPipeline Build Stage

DeploymentPipelineBuildCodeBuild

Field name	Type	Purpose	Constraints	Default
buildspec	String	buildspec.yml filename
codebuild_compute_type	String	CodeBuild Compute Type
codebuild_image	String	CodeBuild Docker Image
codecommit_repo_users	List<PacoReference>	CodeCommit Users	Paco Reference to CodeCommitUser.
deployment_environment	String	Deployment Environment
ecr_repositories	List<ECRRepositoryPermission>	ECR Respository Permissions		[]
privileged_mode	Boolean	Privileged Mode		False
role_policies	List<Policy>	Project IAM Role Policies
secrets	List<PacoReference>	List of PacoReferences to Secrets Manager secrets	Paco Reference to SecretsManagerSecret.
timeout_mins	Int	Timeout in Minutes		60

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineSourceCodeCommit

CodeCommit DeploymentPipeline Source Stage

DeploymentPipelineSourceCodeCommit

Field name	Type	Purpose	Constraints	Default
codecommit_repository	PacoReference	CodeCommit Respository	Paco Reference to CodeCommitRepository.
deployment_branch_name	String	Deployment Branch Name

Base Schemas Enablable, Named, DeploymentPipelineStageAction, Title

DeploymentPipelineStageAction

Deployment Pipeline Source Stage

DeploymentPipelineStageAction

Field name	Type	Purpose	Constraints	Default
run_order	Int	The order in which to run this stage		1
type	String	The type of DeploymentPipeline Source Stage

Base Schemas Enablable, Named, Title

DeploymentPipelineConfiguration

Deployment Pipeline General Configuration

DeploymentPipelineConfiguration

Field name	Type	Purpose	Constraints	Default
account	PacoReference	The account where Pipeline tools will be provisioned.	Paco Reference to Account.
artifacts_bucket	PacoReference	Artifacts S3 Bucket Reference	Paco Reference to S3Bucket.

Base Schemas Named, Title

DeploymentGroupS3Location

DeploymentGroupS3Location

Field name	Type	Purpose	Constraints	Default
bucket	PacoReference	S3 Bucket revision location	Paco Reference to S3Bucket.
bundle_type	String	Bundle Type	Must be one of JSON, tar, tgz, YAML or zip.
key	String	The name of the Amazon S3 object that represents the bundled artifacts for the application revision.

EBS

Elastic Block Store (EBS) Volume.

It is required to specify the availability_zone the EBS Volume will be created in. If the volume is going to be used by an ASG, it should launch an instance in the same availability_zone (and region).

Example EBS resource YAML

type: EBS
order: 5
enabled: true
size_gib: 4
volume_type: gp2
availability_zone: 1

EBS

Field name	Type	Purpose	Constraints	Default
availability_zone	Int	Availability Zone to create Volume in.
size_gib	Int	Volume Size in GiB		10
snapshot_id	String	Snapshot ID
volume_type	String	Volume Type	Must be one of: gp2 | io1 | sc1 | st1 | standard	gp2

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EC2

EC2 Instance

EC2

Field name	Type	Purpose	Constraints	Default
associate_public_ip_address	Boolean	Associate Public IP Address		False
disable_api_termination	Boolean	Disable API Termination		False
instance_ami	String	Instance AMI
instance_key_pair	PacoReference	key pair for connections to instance	Paco Reference to EC2KeyPair.
instance_type	String	Instance type
private_ip_address	String	Private IP Address
root_volume_size_gb	Int	Root volume size GB		8
security_groups	List<PacoReference>	Security groups	Paco Reference to SecurityGroup.
segment	String	Segment
user_data_script	String	User data script

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ECRRepository

Elastic Container Registry (ECR) Repository is a fully-managed Docker container registry.

Prescribed Automation

cross_account_access: Adds a Repository Policy that grants full access to the listed AWS Accounts.

Example ECRRepository

type: ECRRepository
enabled: true
order: 10
repository_name: 'ecr-example'
cross_account_access:
  - paco.ref accounts.dev
  - paco.ref accounts.tools

ECRRepository

Field name	Type	Purpose	Constraints	Default
account	PacoReference	Account the ECR Repository belongs to	Paco Reference to Account.
cross_account_access	List<PacoReference>	Accounts to grant access to this ECR.	Paco Reference to Account.
lifecycle_policy_registry_id	String	Lifecycle Policy Registry Id
lifecycle_policy_text	String	Lifecycle Policy
repository_name	String	Repository Name
repository_policy	Object<Policy>	Repository Policy

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ECRRepositoryPermission

ECRRepositoryPermission

Field name	Type	Purpose	Constraints	Default
permission	Choice	Permission	Must be one of ‘Push’, ‘Pull’ or ‘PushAndPull’
repository	PacoReference	ECR Repository	Paco Reference to ECRRepository.

ECSCluster

The ECSCluster resource type creates an Amazon Elastic Container Service (Amazon ECS) cluster.

example ECSCluster configuration YAML

type: ECSCluster
title: My ECS Cluster
enabled: true
order: 10

ECSCluster

Field name	Type	Purpose	Constraints	Default

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ECSServices

The ECSServices resource type creates one or more ECS Services and their TaskDefinitions that can run in an ECSCluster.

example ECSServices configuration YAML

type: ECSServices
title: "My ECS Services"
enabled: true
order: 40
cluster: paco.ref netenv.mynet.applications.myapp.groups.ecs.resources.cluster
service_discovery_namespace_name: 'private-name'
secrets_manager_access:
  - paco.ref netenv.mynet.secrets_manager.store.database.mydb
task_definitions:
  frontend:
    container_definitions:
      frontend:
        cpu: 256
        essential: true
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.frontend
        image_tag: latest
        memory: 150 # in MiB
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 80
            host_port: 0
            protocol: tcp
        secrets:
          - name: DATABASE_PASSWORD
            value_from: paco.ref netenv.mynet.secrets_manager.store.database.mydb
        environment:
          - name: POSTGRES_HOSTNAME
            value: paco.ref netenv.mynet.applications.myapp.groups.database.resources.postgresql.endpoint.address
  demoservice:
    container_definitions:
      demoservice:
        cpu: 256
        essential: true
        image: paco.ref netenv.mynet.applications.myapp.groups.ecr.resources.demoservice
        image_tag: latest
        memory: 100 # in MiB
        logging:
          driver: awslogs
          expire_events_after_days: 90
        port_mappings:
          - container_port: 80
            host_port: 0
            protocol: tcp

services:
  frontend:
    desired_count: 0
    task_definition: frontend
    deployment_controller: ecs
    hostname: frontend.myapp
    load_balancers:
      - container_name: frontend
        container_port: 80
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.external.target_groups.frontend
  demoservice:
    desired_count: 0
    task_definition: demoservice
    deployment_controller: ecs
    load_balancers:
      - container_name: demoservice
        container_port: 80
        target_group: paco.ref netenv.mynet.applications.myapp.groups.lb.resources.internal.target_groups.demoservice

ECSServices

Field name	Type	Purpose	Constraints	Default
cluster	PacoReference	Cluster	Paco Reference to ECSCluster.
secrets_manager_access	List<PacoReference>	List Secrets Manager secret Paco references	Paco Reference to SecretsManagerSecret.
service_discovery_namespace_name	String	Service Discovery Namespace
services	Container<ECSServicesContainer>	Service
setting_groups	Container<ECSSettingsGroups_>	Setting Groups
task_definitions	Container<ECSTaskDefinitions>	Task Definitions

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ECSServicesContainer

Container for ECSService objects.

ECSServicesContainer Container<ECSService>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ECSService

ECS Service

ECSService

Field name	Type	Purpose	Constraints	Default
deployment_controller	Choice	Deployment Controller	One of ecs, code_deploy or external	ecs
deployment_maximum_percent	Int	Deployment Maximum Percent		200
deployment_minimum_healthy_percent	Int	Deployment Minimum Healthy Percent		100
desired_count	Int	Desired Count
health_check_grace_period_seconds	Int	Health Check Grace Period (seconds)		0
hostname	String	Container hostname
launch_type	Choice	Launch Type	Must be one of EC2 or Fargate	EC2
load_balancers	List<ECSLoadBalancer>	Load Balancers		[]
maximum_tasks	Int	Maximum Tasks in service		0
minimum_tasks	Int	Minimum Tasks in service		0
suspend_scaling	Boolean	Suspend any Service Scaling activities		False
target_tracking_scaling_policies	Container<ECSTargetTrackingScalingPolicies>	Target Tracking Scaling Policies
task_definition	String	Task Definition
vpc_config	Object<ServiceVPCConfiguration>	VPC Configuration

Base Schemas Monitorable, Named, Title

ECSTaskDefinitions

Container for ECSTaskDefinition objects.

ECSTaskDefinitions Container<ECSTaskDefinition>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ECSTaskDefinition

ECS Task Definition

ECSTaskDefinition

Field name	Type	Purpose	Constraints	Default
container_definitions	Container<ECSContainerDefinitions>	Container Definitions
cpu_units	Int	CPU in Units	Must be one of 256, 512, 1024, 2048 or 4096	256
fargate_compatibile	Boolean	Require Fargate Compability		False
memory_in_mb	Int	Memory in Mb	Must be one of 512, 1024, 2048, 2048 or 4096 thru 30720	512
network_mode	Choice	Network Mode	Must be one of awsvpc, bridge, host or none	bridge
volumes	List<ECSVolume>	Volume definitions for the task		[]

Base Schemas Named, Title

ECSContainerDefinitions

Container for ECSContainerDefinition objects.

ECSContainerDefinitions Container<ECSContainerDefinition>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ECSContainerDefinition

ECS Container Definition

ECSContainerDefinition

Field name	Type	Purpose	Constraints	Default
command	List<String>	Command (Docker CMD)	List of strings
cpu	Int	Cpu units
depends_on	List<ECSContainerDependency>	Depends On	List of ECS Container Dependencies	[]
disable_networking	Boolean	Disable Networking		False
dns_search_domains	List<String>	List of DNS search domains. Maps to ‘DnsSearch’ in Docker.		[]
dns_servers	List<String>	List of DNS servers. Maps to ‘Dns’ in Docker.		[]
docker_labels	Container<DockerLabels>	A key/value map of labels. Maps to ‘Labels’ in Docker.
docker_security_options	Choice	List of custom labels for SELinux and AppArmor multi-level security systems.	Must be a list of no-new-privileges, apparmor:PROFILE, label:value, or credentialspec:CredentialSpecFilePath	[]
entry_point	List<String>	Entry Pont (Docker ENTRYPOINT)	List of strings
environment	List<NameValuePair>	List of environment name value pairs.
essential	Boolean	Essential		False
extra_hosts	List<ECSHostEntry>	List of hostnames and IP address mappings to append to the /etc/hosts file on the container.		[]
health_check	Object<ECSHealthCheck>	The container health check command and associated configuration parameters for the container. This parameter maps to ‘HealthCheck’ in Docker.
hostname	String	Hostname to use for your container. This parameter maps to ‘Hostname’ in Docker.
image	PacoReference|String	The image used to start a container. This string is passed directly to the Docker daemon.	If a paco.ref is used to ECR, then the image_tag field will provide that tag used. Paco Reference to ECRRepository. String Ok.
image_tag	String	Tag used for the ECR Repository Image		latest
interactive	Boolean	When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated. This parameter maps to ‘OpenStdin’ in Docker.
logging	Object<ECSLogging>	Logging Configuration
memory	Int	The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed.
memory_reservation	Int	The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit.
mount_points	List<ECSMountPoint>	The mount points for data volumes in your container.
port_mappings	List<PortMapping>	Port Mappings		[]
privileged	Boolean	Give the container elevated privileges on the host container instance (similar to the root user).		False
pseudo_terminal	Boolean	Allocate a TTY. This parameter maps to ‘Tty’ in Docker.
readonly_root_filesystem	Boolean	Read-only access to its root file system. This parameter maps to ‘ReadonlyRootfs’ in Docker.
secrets	List<ECSTaskDefinitionSecret>	List of name, value_from pairs to secret manager Paco references.
setting_groups	List<String>	List of names of setting_groups.		[]
start_timeout	Int	Time duration (in seconds) to wait before giving up on resolving dependencies for a container.		300
stop_timeout	Int	Time duration (in seconds) to wait before the container is forcefully killed if it doesn’t exit normally on its own.		30
ulimits	List<ECSUlimit>	List of ulimits to set in the container. This parameter maps to ‘Ulimits’ in Docker		[]
user	String	The user name to use inside the container. This parameter maps to ‘User’ in Docker.
volumes_from	List<ECSVolumesFrom>	Volumes to mount from another container (Docker VolumesFrom).		[]
working_directory	String	The working directory in which to run commands inside the container. This parameter maps to ‘WorkingDir’ in Docker.

Base Schemas Named, Title

ECSLoadBalancer

ECS Load Balancer

ECSLoadBalancer

Field name	Type	Purpose	Constraints	Default
container_name	String	Container Name
container_port	Int	Container Port
target_group	PacoReference	Target Group	Paco Reference to TargetGroup.

Base Schemas Named, Title

ECSVolume

ECS Volume

ECSVolume

Field name	Type	Purpose	Constraints	Default
name	String	Name

ECSUlimit

ECS Ulimit

ECSUlimit

Field name	Type	Purpose	Constraints	Default
hard_limit	Int	The hard limit for the ulimit type.
name	Choice	The type of the ulimit
soft_limit	Int	The soft limit for the ulimit type.

ECSHealthCheck

ECS Health Check

ECSHealthCheck

Field name	Type	Purpose	Constraints	Default
command	List<String>	A string array representing the command that the container runs to determine if it is healthy. The string array must start with CMD to execute the command arguments directly, or CMD-SHELL to run the command with the container’s default shell.
interval	Int	The time period in seconds between each health check execution.		30
retries	Int	Retries		3
start_period	Int	The optional grace period within which to provide containers time to bootstrap before failed health checks count towards the maximum number of retries.
timeout	Int	The time period in seconds to wait for a health check to succeed before it is considered a failure.		5

Base Schemas Named, Title

ECSHostEntry

ECS Host Entry

ECSHostEntry

Field name	Type	Purpose	Constraints	Default
hostname	String	Hostname
ip_address	String	IP Address

DockerLabels

DockerLabels

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ECSContainerDependency

ECS Container Dependency

ECSContainerDependency

Field name	Type	Purpose	Constraints	Default
condition	Choice	Condition	Must be one of COMPLETE, HEALTHY, START or SUCCESS
container_name	String	Container Name	Must be an existing container name.

ECSTaskDefinitionSecret

A Name/ValueFrom pair of Paco references to Secrets Manager secrets

ECSTaskDefinitionSecret

Field name	Type	Purpose	Constraints	Default
name	String	Name
value_from	PacoReference	Paco reference to Secrets manager	Paco Reference to SecretsManagerSecret.

ECSLogging

ECS Logging Configuration

ECSLogging

Field name	Type	Purpose	Constraints	Default
driver	Choice	Log Driver	One of awsfirelens, awslogs, fluentd, gelf, journald, json-file, splunk, syslog

Base Schemas CloudWatchLogRetention, Named, Title

ECSVolumesFrom

VoumesFrom

ECSVolumesFrom

Field name	Type	Purpose	Constraints	Default
read_only	Boolean	Read Only		False
source_container	String	The name of another container within the same task definition from which to mount volumes.

ECSTargetTrackingScalingPolicies

Container for ECSTargetTrackingScalingPolicy objects.

ECSTargetTrackingScalingPolicies Container<ECSTargetTrackingScalingPolicy>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

ECSTargetTrackingScalingPolicy

ECSTargetTrackingScalingPolicy

Field name	Type	Purpose	Constraints	Default
disable_scale_in	Boolean	Disable ScaleIn		False
predefined_metric	Choice	Predfined Metric to scale on	Must be one of ALBRequestCountPerTarget, ECSServiceAverageMemoryUtilization or ECSServiceAverageCPUUtilization
scale_in_cooldown	Int	ScaleIn Cooldown		300
scale_out_cooldown	Int	ScaleIn Cooldown		300
target	Int	Target
target_group	PacoReference	ALB TargetGroup	Paco Reference to TargetGroup.

Base Schemas Enablable, Named, Title

ServiceVPCConfiguration

ServiceVPCConfiguration

Field name	Type	Purpose	Constraints	Default
assign_public_ip	Boolean	Assign Public IP		False

Base Schemas Named, VPCConfiguration, Title

ECSMountPoint

ECS TaskDefinition Mount Point

ECSMountPoint

Field name	Type	Purpose	Constraints	Default
container_path	String	The path on the container to mount the host volume at.
read_only	Boolean	Read Only		False
source_volume	String	The name of the volume to mount.	Must be a volume name referenced in the name parameter of task definition volume.

PortMapping

Port Mapping

PortMapping

Field name	Type	Purpose	Constraints	Default
container_port	Int	Container Port
host_port	Int	Host Port
protocol	Choice	Protocol	Must be either ‘tcp’ or ‘udp’	tcp

EIP

Elastic IP (EIP) resource.

Prescribed Automation

dns: Adds a DNS CNAME to resolve to this EIP’s IP address to the Route 53 HostedZone.

Example EIP resource YAML

type: EIP
order: 5
enabled: true
dns:
  - domain_name: example.com
    hosted_zone: paco.ref resource.route53.examplecom
    ttl: 60

EIP

Field name	Type	Purpose	Constraints	Default
dns	List<DNS>	List of DNS for the EIP

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EFS

AWS Elastic File System (EFS) resource.

Example EFS resource

type: EFS
order: 20
enabled: true
encrypted: false
segment: private
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.cloud.content

EFS

Field name	Type	Purpose	Constraints	Default
encrypted	Boolean	Encryption at Rest		False
security_groups	List<PacoReference>	Security groups	SecurityGroup the EFS belongs to Paco Reference to SecurityGroup.
segment	String	Segment

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

ElastiCache

Base ElastiCache Interface

ElastiCache

Field name	Type	Purpose	Constraints	Default
at_rest_encryption	Boolean	Enable encryption at rest
auto_minor_version_upgrade	Boolean	Enable automatic minor version upgrades
automatic_failover_enabled	Boolean	Specifies whether a read-only replica is automatically promoted to read/write primary if the existing primary fails
az_mode	String	AZ mode
cache_clusters	Int	Number of Cache Clusters
cache_node_type	String	Cache Node Instance type
description	String	Replication Description
engine	String	ElastiCache Engine
engine_version	String	ElastiCache Engine Version
maintenance_preferred_window	String	Preferred maintenance window
number_of_read_replicas	Int	Number of read replicas
parameter_group	PacoReference|String	Parameter Group name	Paco Reference to Interface. String Ok.
port	Int	Port
security_groups	List<PacoReference>	List of Security Groups	Paco Reference to SecurityGroup.
segment	PacoReference	Segment	Paco Reference to Segment.

ElastiCacheRedis

Redis ElastiCache Interface

ElastiCacheRedis

Field name	Type	Purpose	Constraints	Default
cache_parameter_group_family	String	Cache Parameter Group Family
snapshot_retention_limit_days	Int	Snapshot Retention Limit in Days
snapshot_window	String	The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your node group (shard).

Base Schemas ElastiCache, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ElasticsearchDomain

Amazon Elasticsearch Service (Amazon ES) is a managed service for Elasticsearch clusters. An Amazon ES domain is synonymous with an Elasticsearch cluster. Domains are clusters with the settings, instance types, instance counts, and storage resources that you specify.

Prescribed Automation

segment: Including the segment will place the Elasticsearch cluster within the Availability Zones for that segment. If an Elasticsearch ServiceLinkedRole is not already provisioned for that account and region, Paco will create it for you. This role is used by AWS to place the Elasticsearch cluster within the subnets that belong that segment and VPC.

If segment is not set, then you will have a public Elasticsearch cluster with an endpoint.

example Elasticsearch configuration

type: ElasticsearchDomain
order: 10
title: "Elasticsearch Domain"
enabled: true
access_policies_json: ./es-config/es-access.json
advanced_options:
  indices.fielddata.cache.size: ""
  rest.action.multi.allow_explicit_index: "true"
cluster:
  instance_count: 2
  zone_awareness_enabled: false
  instance_type: "t2.micro.elasticsearch"
  dedicated_master_enabled: true
  dedicated_master_type: "t2.micro.elasticsearch"
  dedicated_master_count: 2
ebs_volumes:
  enabled: true
  iops: 0
  volume_size_gb: 10
  volume_type: 'gp2'
segment: web
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.search

ElasticsearchDomain

Field name	Type	Purpose	Constraints	Default
access_policies_json	StringFileReference	Policy document that specifies who can access the Amazon ES domain and their permissions.
advanced_options	Container<ESAdvancedOptions>	Advanced Options
cluster	Object<ElasticsearchCluster>	Elasticsearch Cluster configuration
ebs_volumes	Object<EBSOptions>	EBS volumes that are attached to data nodes in the Amazon ES domain.
elasticsearch_version	String	The version of Elasticsearch to use, such as 2.3.		1.5
node_to_node_encryption	Boolean	Enable node-to-node encryption
security_groups	List<PacoReference>	List of Security Groups	Paco Reference to SecurityGroup.
segment	String	Segment
snapshot_start_hour	Int	The hour in UTC during which the service takes an automated daily snapshot of the indices in the Amazon ES domain.

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ElasticsearchCluster

ElasticsearchCluster

Field name	Type	Purpose	Constraints	Default
dedicated_master_count	Int	The number of instances to use for the master node.	If you specify this field, you must specify true for the dedicated_master_enabled field.
dedicated_master_enabled	Boolean	Indicates whether to use a dedicated master node for the Amazon ES domain.
dedicated_master_type	String	The hardware configuration of the computer that hosts the dedicated master node	Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html
instance_count	Int	The number of data nodes (instances) to use in the Amazon ES domain.
instance_type	String	The instance type for your data nodes.	Valid Elasticsearch instance type, such as m3.medium.elasticsearch. See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html
zone_awareness_availability_zone_count	Int	If you enabled multiple Availability Zones (AZs), the number of AZs that you want the domain to use.		2
zone_awareness_enabled	Boolean	Enable zone awareness for the Amazon ES domain.

EBSOptions

EBSOptions

Field name	Type	Purpose	Constraints	Default
enabled	Boolean	Specifies whether Amazon EBS volumes are attached to data nodes in the Amazon ES domain.
iops	Int	The number of I/O operations per second (IOPS) that the volume supports.
volume_size_gb	Int	The size (in GiB) of the EBS volume for each data node.	The minimum and maximum size of an EBS volume depends on the EBS volume type and the instance type to which it is attached.
volume_type	String	The EBS volume type to use with the Amazon ES domain.	Must be one of: standard, gp2, io1, st1, or sc1

ESAdvancedOptions

An unconstrainted set of key-value pairs used to set advanced options for Elasticsearch.

EventsRule

Events Rule resources match incoming or scheduled events and route them to target using Amazon EventBridge.

Prescribed Automation

targets: If the target is a Lambda, an IAM Role will be created that is granted permission to invoke it by this EventRule.

Lambda function resource YAML

type: EventsRule
enabled: true
order: 10
description: Invoke a Lambda every other minute
schedule_expression: "cron(*/2 * * * ? *)"
targets:
    - target: paco.ref netenv.mynet.applications.myapp.groups.mygroup.resources.mylambda

EventsRule

Field name	Type	Purpose	Constraints	Default
description	String	Description
enabled_state	Boolean	Enabled State		True
schedule_expression	String	Schedule Expression
targets	List<EventTarget>	The AWS Resources that are invoked when the Rule is triggered.

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

EventTarget

EventTarget

Field name	Type	Purpose	Constraints	Default
input_json	String	Valid JSON passed as input to the target.
target	PacoReference	Paco Reference to an AWS Resource to invoke	Paco Reference to Interface.

Base Schemas Named, Title

Lambda

Lambda Functions allow you to run code without provisioning servers and only pay for the compute time when the code is running.

The code for the Lambda function can be specified in one of three ways in the code: field:

• S3 Bucket artifact: Supply an``s3_bucket`` and s3_key where you have an existing code artifact file.
• Local file: Supply the zipfile as a path to a local file on disk. This will be inlined into CloudFormation and has a size limitation of only 4 Kb.
• Local directory: Supply the zipfile as a path to a directory on disk. This directory will be packaged into a zip file and Paco will create an S3 Bucket where it will upload and manage Lambda deployment artifacts.

Lambda code from S3 Bucket or local disk

code:
    s3_bucket: my-bucket-name
    s3_key: 'myapp-1.0.zip'

code:
    zipfile: ./lambda-dir/my-lambda.py

code:
    zipfile: ~/code/my-app/lambda_target/

Prescribed Automation

expire_events_after_days: Sets the Retention for the Lambda execution Log Group.

log_group_names: Creates CloudWatch Log Group(s) prefixed with ‘<env>-<appname>-<groupname>-<lambdaname>-’ (or for Environment-less applications like Services it will be ‘<appname>-<groupname>-<lambdaname>-‘) and grants permission for the Lambda role to interact with those Log Group(s). The expire_events_after_days field will set the Log Group retention period. Paco will also add a comma-seperated Environment Variable named PACO_LOG_GROUPS to the Lambda with the expanded names of the Log Groups.

sdb_cache: Create a SimpleDB Domain and IAM Policy that grants full access to that domain. Will also make the domain available to the Lambda function as an environment variable named SDB_CACHE_DOMAIN.

sns_topics: Subscribes the Lambda to SNS Topics. For each Paco reference to an SNS Topic, Paco will create an SNS Topic Subscription so that the Lambda function will recieve all messages sent to that SNS Topic. It will also create a Lambda Permission granting that SNS Topic the ability to publish to the Lambda.

Lambda Permissions Paco will check all resources in the Application for any: S3Bucket configured to notify this Lambda, EventsRule to invoke this Lambda, IoTAnalyticsPipeline activities to invoke this Lambda. These resources will automatically gain a Lambda Permission to be able to invoke the Lambda.

Lambda function resource YAML

type: Lambda
enabled: true
order: 1
title: 'My Lambda Application'
description: 'Checks the Widgets Service and applies updates to a Route 53 Record Set.'
code:
    s3_bucket: my-bucket-name
    s3_key: 'myapp-1.0.zip'
environment:
    variables:
    - key: 'VAR_ONE'
      value: 'hey now!'
    - key: 'VAR_TWO'
      value: 'Hank Kingsley'
iam_role:
    enabled: true
    policies:
      - name: DNSRecordSet
        statement:
          - effect: Allow
            action:
              - route53:ChangeResourceRecordSets
            resource:
              - 'arn:aws:route53:::hostedzone/AJKDU9834DUY934'
handler: 'myapp.lambda_handler'
memory_size: 128
runtime: 'python3.7'
timeout: 900
expire_events_after_days: 90
log_group_names:
  - AppGroupOne
sns_topics:
  - paco.ref netenv.app.applications.app.groups.web.resources.snstopic
vpc_config:
    segments:
      - paco.ref netenv.app.network.vpc.segments.public
    security_groups:
      - paco.ref netenv.app.network.vpc.security_groups.app.function

Lambda

Field name	Type	Purpose	Constraints	Default
code	Object<LambdaFunctionCode>	The function deployment package.
description	String	A description of the function.
edge	Object<LambdaAtEdgeConfiguration>	Lambda@Edge configuration
environment	Object<LambdaEnvironment>	Lambda Function Environment
handler	String	Function Handler
iam_role	Object<Role>	The IAM Role this Lambda will execute as.
layers	List<String>	Layers	Up to 5 Layer ARNs
log_group_names	List<String>	Log Group names	List of Log Group names	[]
memory_size	Int	Function memory size (MB)		128
reserved_concurrent_executions	Int	Reserved Concurrent Executions		0
runtime	String	Runtime environment		python3.7
sdb_cache	Boolean	SDB Cache Domain		False
sns_topics	List<PacoReference>	List of SNS Topic Paco references or SNS Topic ARNs to subscribe the Lambda to.	Paco Reference to SNSTopic. String Ok.
timeout	Int	The amount of time that Lambda allows a function to run before stopping it.		3
vpc_config	Object<LambdaVpcConfig>	Vpc Configuration

Base Schemas Resource, DNSEnablable, Deployable, CloudWatchLogRetention, Monitorable, Named, Title, Type

LambdaFunctionCode

The deployment package for a Lambda function.

LambdaFunctionCode

Field name	Type	Purpose	Constraints	Default
s3_bucket	PacoReference|String	An Amazon S3 bucket in the same AWS Region as your function	Paco Reference to S3Bucket. String Ok.
s3_key	String	The Amazon S3 key of the deployment package.
zipfile	LocalPath	The function code as a local file or directory.	Maximum of 4096 characters.

LambdaEnvironment

Lambda Environment

LambdaEnvironment

Field name	Type	Purpose	Constraints	Default
variables	List<LambdaVariable>	Lambda Function Variables

LambdaVpcConfig

Lambda Environment

LambdaVpcConfig

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, VPCConfiguration, Title

LambdaVariable

Lambda Environment Variable

LambdaVariable

Field name	Type	Purpose	Constraints	Default
key	String	Variable Name
value	PacoReference|String	String Value or a Paco Reference to a resource output	Paco Reference to Interface. String Ok.

LambdaAtEdgeConfiguration

LambdaAtEdgeConfiguration

Field name	Type	Purpose	Constraints	Default
auto_publish_version	String	Automatically publish a Version. Update this name to publish a new Version.

Base Schemas Enablable, Named, Title

LoadBalancer

Base class for Load Balancers

LoadBalancer

Field name	Type	Purpose	Constraints	Default
access_logs_bucket	PacoReference	Bucket to store access logs in	Paco Reference to S3Bucket.
access_logs_prefix	String	Access Logs S3 Bucket prefix
dns	List<DNS>	List of DNS for the ALB
enable_access_logs	Boolean	Write access logs to an S3 Bucket
idle_timeout_secs	Int	Idle timeout in seconds	The idle timeout value, in seconds.	60
listeners	Container<Listeners>	Listeners
scheme	Choice	Scheme
security_groups	List<PacoReference>	Security Groups	Paco Reference to SecurityGroup.
segment	String	Id of the segment stack
target_groups	Container<TargetGroups>	Target Groups

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

ApplicationLoadBalancer

The LBApplication resource type creates an Application Load Balancer. Use load balancers to route traffic from the internet to your web servers.

Load balancers have listeners which will accept requrests on specified ports and protocols. If a listener uses the HTTPS protocol, it can have a Paco reference to an SSL Certificate. A listener can then either redirect the traffic to another port/protcol or send it one of it’s named target_groups.

Each target group will specify it’s health check configuration. To specify which resources will belong to a target group, use the target_groups field on an ASG resource.

Prescribed Automation

dns: Creates Route 53 Record Sets that will resolve DNS records to the domain name of the load balancer.

enable_access_logs: Set to True to turn on access logs for the load balancer, and will automatically create an S3 Bucket with permissions for AWS to write to that bucket.

access_logs_bucket: Name an existing S3 Bucket (in the same region) instead of automatically creating a new one. Remember that if you supply your own S3 Bucket, you are responsible for ensuring that the bucket policy for it grants AWS the s3:PutObject permission.

Example LBApplication load balancer resource YAML

type: LBApplication
enabled: true
enable_access_logs: true
target_groups:
    api:
        health_check_interval: 30
        health_check_timeout: 10
        healthy_threshold: 2
        unhealthy_threshold: 2
        port: 3000
        protocol: HTTP
        health_check_http_code: 200
        health_check_path: /
        connection_drain_timeout: 30
listeners:
    http:
        port: 80
        protocol: HTTP
        redirect:
            port: 443
            protocol: HTTPS
    https:
        port: 443
        protocol: HTTPS
        ssl_certificates:
            - paco.ref netenv.app.applications.app.groups.certs.resources.root
        target_group: api
dns:
    - hosted_zone: paco.ref resource.route53.mynetenv
      domain_name: api.example.com
scheme: internet-facing
security_groups:
    - paco.ref netenv.app.network.vpc.security_groups.app.alb
segment: public

ApplicationLoadBalancer

Field name	Type	Purpose	Constraints	Default

Base Schemas LoadBalancer, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

NetworkLoadBalancer

The LBNetwork resource type creates a Network Load Balancer. Use load balancers to route traffic from the internet to your web servers.

Prescribed Automation

dns: Creates Route 53 Record Sets that will resolve DNS records to the domain name of the load balancer.

enable_access_logs: Set to True to turn on access logs for the load balancer, and will automatically create an S3 Bucket with permissions for AWS to write to that bucket.

access_logs_bucket: Name an existing S3 Bucket (in the same region) instead of automatically creating a new one. Remember that if you supply your own S3 Bucket, you are responsible for ensuring that the bucket policy for it grants AWS the s3:PutObject permission.

Example LBNetwork load balancer resource YAML

type: LBNetwork
enabled: true
enable_access_logs: true
target_groups:
    api:
        health_check_interval: 30
        health_check_timeout: 10
        healthy_threshold: 2
        unhealthy_threshold: 2
        port: 3000
        protocol: HTTP
        health_check_http_code: 200
        health_check_path: /
        connection_drain_timeout: 30
listeners:
    http:
        port: 80
        protocol: HTTP
        redirect:
            port: 443
            protocol: HTTPS
    https:
        port: 443
        protocol: HTTPS
        ssl_certificates:
            - paco.ref netenv.app.applications.app.groups.certs.resources.root
        target_group: api
dns:
    - hosted_zone: paco.ref resource.route53.mynetenv
      domain_name: api.example.com
scheme: internet-facing
segment: public

NetworkLoadBalancer

Field name	Type	Purpose	Constraints	Default

Base Schemas LoadBalancer, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

DNS

DNS

Field name	Type	Purpose	Constraints	Default
domain_name	PacoReference|String	Domain name	Paco Reference to Route53HostedZone. String Ok.
hosted_zone	PacoReference|String	Hosted Zone Id	Paco Reference to HostedZone. String Ok.
ssl_certificate	PacoReference	SSL certificate Reference	Paco Reference to ACM.
ttl	Int	TTL		300

Listeners

Container for Listener objects.

Listeners Container<Listener>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

Listener

Listener

Field name	Type	Purpose	Constraints	Default
redirect	Object<PortProtocol>	Redirect
rules	Container<ListenerRules_>	Container of listener rules
ssl_certificates	List<PacoReference>	List of SSL certificate References	Paco Reference to ACM.
ssl_policy	Choice	SSL Policy
target_group	String	Target group

Base Schemas PortProtocol

ListenerRule

ListenerRule

Field name	Type	Purpose	Constraints	Default
host	String	Host header value
path_pattern	List<String>	List of paths to match
priority	Int	Forward condition priority		1
redirect_host	String	The host to redirect to
rule_type	String	Type of Rule
target_group	String	Target group name

Base Schemas Deployable, Named, Title

PortProtocol

Port and Protocol

PortProtocol

Field name	Type	Purpose	Constraints	Default
port	Int	Port
protocol	Choice	Protocol

TargetGroups

Container for TargetGroup objects.

TargetGroups Container<TargetGroup>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

TargetGroup

Target Group

TargetGroup

Field name	Type	Purpose	Constraints	Default
connection_drain_timeout	Int	Connection drain timeout
health_check_http_code	String	Health check HTTP codes
health_check_interval	Int	Health check interval
health_check_path	String	Health check path		/
health_check_protocol	Choice	Protocol		HTTP
health_check_timeout	Int	Health check timeout
healthy_threshold	Int	Healthy threshold
target_type	Choice	Target Type	Must be one of ‘instance’, ‘ip’ or ‘lambda’.	instance
unhealthy_threshold	Int	Unhealthy threshold

Base Schemas Resource, DNSEnablable, Deployable, Named, PortProtocol, Title, Type

PinpointApplication

Amazon Pinpoint is a flexible and scalable outbound and inbound marketing communications service. You can connect with customers over channels like email, SMS, push, or voice.

A Pinpoint Application is a collection of related settings, customer information, segments, campaigns, and other types of Amazon Pinpoint resources.

Currently AWS Pinpoint only supports general configuration suitable for sending transactional messages.

Prescribed Automation

email_channel: Will build an ARN to a Simple Email Service Verified Email in the same account and region.

example Pinpoint Application configuration

type: PinpointApplication
enabled: true
order: 20
title: "My SaaS Transactional Message Service"
email_channel:
    enable_email: true
    from_address: "bob@example.com"
sms_channel:
    enable_sms: true
    sender_id: MyUniqueName

PinpointApplication

Field name	Type	Purpose	Constraints	Default
email_channel	Object<PinpointEmailChannel>	Email Channel
sms_channel	Object<PinpointSMSChannel>	SMS Channel

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

PinpointSMSChannel

Pinpoint SMS Channel

PinpointSMSChannel

Field name	Type	Purpose	Constraints	Default
enable_sms	Boolean	Enable SMS		True
sender_id	String	The identity that you want to display on recipients’ devices when they receive messages from the SMS channel.
short_code	String	The registered short code that you want to use when you send messages through the SMS channel.

PinpointEmailChannel

Pinpoint Email Channel

PinpointEmailChannel

Field name	Type	Purpose	Constraints	Default
enable_email	Boolean	Enable Email		True
from_address	String	The verified email address that you want to send email from when you send email through the channel.

IoTTopicRule

IoTTopicRule allows you to create a list of actions that will be triggered from a MQTT message coming in to IoT Core.

Prescribed Automation

IoTTopicRule Role Every IoTTopicRule will have a Role created that it can assume to perform any actions that it has. For example, it will be allowed to call a Lambda or an IoTAnalyticsPipeline.

example IoTTopicRule configuration

type: IoTTopicRule
title: Rule to take action for MQTT messages sent to 'sensor/example'
order: 20
enabled: true
actions:
  - awslambda:
      function: paco.ref netenv.mynet.applications.app.groups.app.resources.iotlambda
  - iotanalytics:
      pipeline: paco.ref netenv.mynet.applications.app.groups.app.resources.analyticspipeline
aws_iot_sql_version: '2016-03-23'
rule_enabled: true
sql: "SELECT * FROM 'sensor/example'"

IoTTopicRule

Field name	Type	Purpose	Constraints	Default
actions	List<IoTTopicRuleAction>	Actions	An IoTTopicRule must define at least one action.	[]
aws_iot_sql_version	String	AWS IoT SQL Version		2016-03-23
rule_enabled	Boolean	Rule is Enabled		True
sql	String	SQL statement used to query the topic	Must be a valid Sql statement

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

IoTTopicRuleAction

IoTTopicRuleAction

Field name	Type	Purpose	Constraints	Default
awslambda	Object<IoTTopicRuleLambdaAction>	Lambda Action
iotanalytics	Object<IoTTopicRuleIoTAnalyticsAction>	IoT Analytics Action

IoTTopicRuleIoTAnalyticsAction

IoTTopicRuleIoTAnalyticsAction

Field name	Type	Purpose	Constraints	Default
pipeline	PacoReference	IoT Analytics pipeline	Paco Reference to IoTAnalyticsPipeline.

IoTTopicRuleLambdaAction

IoTTopicRuleLambdaAction

Field name	Type	Purpose	Constraints	Default
function	PacoReference	Lambda function	Paco Reference to Lambda.

IoTAnalyticsPipeline

An IoTAnalyticsPipeline composes four closely related resources: IoT Analytics Channel, IoT Analytics Pipeline, IoT Analytics Datastore and IoT Analytics Dataset.

An IoT Analytics Pipeline begins with a Channel. A Channel is an S3 Bucket of raw incoming messages. A Channel provides an ARN that an IoTTopicRule can send MQTT messages to. These messages can later be re-processed if the analysis pipeline changes. Use the channel_storage field to configure the Channel storage.

Next the Pipeline applies a series of pipeline_activities to the incoming Channel messages. After any message modifications have been made, they are stored in a Datastore.

A Datastore is S3 Bucket storage of messages that are ready to be analyzed. Use the datastore_storage field to configure the Datastore storage. The datastore_name is an optional field to give your Datastore a fixed name, this can be useful if you use Dataset SQL Query analysis which needs to use the Datastore name in a SELECT query. However, if you use datastore_name it doesn’t vary by Environment - if you use name then it is recommended to use different Regions and Accounts for each IoTAnalytics environment.

Lastly the Datastore can be analyzed and have the resulting output saved as a Dataset. There may be multiple Datasets to create different analysis of the data. Datasets can be analyzed on a managed host running a Docker container or with an SQL Query to create subsets of a Datastore suitable for analysis with tools such as AWS QuickSight.

Prescribed Automation

IoTAnalyticsPipeline Role Every IoTAnalyticsPipeline has an IAM Role associated with it. This Role will have access to every S3 Bucket that is referenced by a Channel, Datastore or Dataset.

pipeline_activities: Every list of activities beings with an implicit Channel activity and ends with a Datastore activity.

example IoTAnalyticsPipeline configuration

type: IoTAnalyticsPipeline
title: My IoT Analytics Pipeline
order: 100
enabled: true
channel_storage:
  bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
  key_prefix: raw_input/
pipeline_activities:
  adddatetime:
    activity_type: lambda
    function: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotfunc
    batch_size: 10
  filter:
    activity_type: filter
    filter: "temperature > 0"
datastore_name: example
datastore_storage:
  expire_events_after_days: 30
datasets:
  hightemp:
    query_action:
      sql_query: "SELECT * FROM example WHERE temperature > 20"
    content_delivery_rules:
      s3temperature:
        s3_destination:
          bucket: paco.ref netenv.mynet.applications.app.groups.iot.resources.iotbucket
          key: "/HighTemp/!{iotanalytics:scheduleTime}/!{iotanalytics:versionId}.csv"
    expire_events_after_days: 3
    version_history: 5

IoTAnalyticsPipeline

Field name	Type	Purpose	Constraints	Default
channel_storage	Object<IotAnalyticsStorage>	IoT Analytics Channel raw storage
datasets	Container<IoTDatasets>	IoT Analytics Datasets
datastore_name	String	Datastore name
datastore_storage	Object<IotAnalyticsStorage>	IoT Analytics Datastore storage
pipeline_activities	Container<IoTPipelineActivities>	IoT Analytics Pipeline Activies

Base Schemas Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

IoTDatasets

Container for IoTDataset objects.

IoTDatasets Container<IoTDataset>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

IoTDataset

IoTDataset

Field name	Type	Purpose	Constraints	Default
container_action	Object<DatasetContainerAction>	Dataset Container action
content_delivery_rules	Container<DatasetContentDeliveryRules>	Content Delivery Rules
query_action	Object<DatasetQueryAction>	SQL Query action
triggers	List<DatasetTrigger>	Triggers		[]
version_history	Int	How many versions of dataset contents are kept. 0 indicates Unlimited. If not specified or set to null, only the latest version plus the latest succeeded version (if they are different) are kept for the time period specified by expire_events_after_days field.

Base Schemas StorageRetention, Named, Title

DatasetTrigger

DatasetTrigger

Field name	Type	Purpose	Constraints	Default
schedule_expression	String	Schedule Expression
triggering_dataset	String	Triggering Dataset

DatasetContentDeliveryRules

Container for DatasetContentDeliveryRule objects.

DatasetContentDeliveryRules Container<DatasetContentDeliveryRule>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

DatasetContentDeliveryRule

DatasetContentDeliveryRule

Field name	Type	Purpose	Constraints	Default
s3_destination	Object<DatasetS3Destination>	S3 Destination

Base Schemas Named, Title

DatasetS3Destination

DatasetS3Destination

Field name	Type	Purpose	Constraints	Default
bucket	PacoReference	S3 Bucket	Paco Reference to S3Bucket.
key	String	Key

DatasetQueryAction

DatasetQueryAction

Field name	Type	Purpose	Constraints	Default
filters	List<String>	Filters		[]
sql_query	String	Sql Query Dataset Action object

Base Schemas Named, Title

DatasetContainerAction

DatasetContainerAction

Field name	Type	Purpose	Constraints	Default
image_arn	String	Image ARN
resource_compute_type	Choice	Resource Compute Type	Either ACU_1 (vCPU=4, memory=16 GiB) or ACU_2 (vCPU=8, memory=32 GiB)
resource_volume_size_gb	Int	Resource Volume Size in GB
variables	Container<DatasetVariables>	Variables

Base Schemas Named, Title

DatasetVariables

Container for DatasetVariables objects.

DatasetVariables Container<DatasetVariables>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

DatasetVariable

DatasetVariable

Field name	Type	Purpose	Constraints	Default
double_value	Float	Double Value
output_file_uri_value	String	Output file URI value	The URI of the location where dataset contents are stored, usually the URI of a file in an S3 bucket.
string_value	String	String Value

Base Schemas Named, Title

IoTPipelineActivities

Container for IoTPipelineActivity objects.

IoTPipelineActivities Container<IoTPipelineActivity>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

IoTPipelineActivity

Each activity must have an activity_type and supply fields specific for that type. There is an implicit Channel activity before all other activities and an an implicit Datastore activity after all other activities.

All example types for IoTAnalyticsPipeline pipeline_activities

activity_type: lambda
batch_size: 1
function: paco.ref netenv.mynet[...]mylambda

activity_type: add_attributes
attributes:
  key1: hello
  key2: world

activity_type: remove_attributes
attribute_list:
  - key1
  - key2

activity_type: select_attributes
attribute_list:
  - key1
  - key2

activity_type: filter
filter: "attribute1 > 40 AND attribute2 < 20"

activity_type: math
attribute: "attribute1"
math: "attribute1 - 10"

activity_type: device_registry_enrich
attribute: "attribute1"
thing_name: "mything"

activity_type: device_shadow_enrich
attribute: "attribute1"
thing_name: "mything"

IoTPipelineActivity

Field name	Type	Purpose	Constraints	Default
activity_type	String	Activity Type
attribute	String	Attribute
attribute_list	List<String>	Attribute List
attributes	Container<Attributes>	Attributes
batch_size	Int	Batch Size
filter	String	Filter
function	PacoReference	Lambda function	Paco Reference to Lambda.
math	String	Math
thing_name	String	Thing Name

Base Schemas Named, Title

Attributes

Dictionary of Attributes

Attributes

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

IotAnalyticsStorage

IotAnalyticsStorage

Field name	Type	Purpose	Constraints	Default
bucket	PacoReference	S3 Bucket	Paco Reference to S3Bucket.
key_prefix	String	Key Prefix for S3 Bucket

Base Schemas StorageRetention, Named, Title

StorageRetention

StorageRetention

Field name	Type	Purpose	Constraints	Default
expire_events_after_days	Int	Expire Events After Days	Must be 1 or greater. If set to an explicit 0 then it is considered unlimited.	0

ManagedPolicy

IAM Managed Policy

ManagedPolicy

Field name	Type	Purpose	Constraints	Default
path	String	Path		/
policy_name	String	Policy Name used in AWS. This will be prefixed with an 8 character hash.
roles	List<String>	List of Role Names
statement	List<Statement>	Statements
users	List<String>	List of IAM Users

Base Schemas Deployable, Named, Title

RDS

Relational Database Service (RDS) allows you to set up, operate, and scale a relational database in AWS.

You can create a single DB Instance or an Aurora DB Cluster.

DB Instance

Currently Paco supports RDSMysql and RDSPostgresql for single database instances.

Prescribed Automation

Using Secrets Manager with RDS

You can set the initial password with master_user_password, however this requires storing a password in plain-text on disk. This is fine if you have a process for changing the password after creating a database, however, the Paco Secrets Manager support allows you to use a secrets_password instead of the master_user_password field:

type: RDSMysql
secrets_password: paco.ref netenv.mynet.secrets_manager.app.grp.mysql

Then in your NetworkEnvironments secrets_manager configuration you would write:

secrets_manager:
  app: # application name
    grp: # group name
        mysql: # secret name
          enabled: true
          generate_secret_string:
            enabled: true
            # secret_string_template and generate_string_key must
            # have the following values for RDS secrets
            secret_string_template: '{"username": "admin"}'
            generate_string_key: "password"

This would generate a new, random password in the AWS Secrets Manager service when the database is provisioned and connect that password with RDS.

RDSMysql resource example

type: RDSMysql
order: 1
title: "Joe's MySQL Database server"
enabled: true
engine_version: 5.7.26
db_instance_type: db.t3.micro
port: 3306
storage_type: gp2
storage_size_gb: 20
storage_encrypted: true
multi_az: true
allow_major_version_upgrade: false
auto_minor_version_upgrade: true
publically_accessible: false
master_username: root
master_user_password: "change-me"
backup_preferred_window: 08:00-08:30
backup_retention_period: 7
maintenance_preferred_window: 'sat:10:00-sat:10:30'
license_model: "general-public-license"
cloudwatch_logs_exports:
  - error
  - slowquery
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.mynet.network.vpc.segments.private
primary_domain_name: database.example.internal
primary_hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance

Aurora DB Cluster

AWS Aurora is relational databases built for the cloud. Aurora features a distributed, fault-tolerant, self-healing storage system and can easily scale from a single database instance to a cluster of multiple database instances.

When creating an Aurora RDS resource, you must specify your db_instances. If you specify more than one database instance, then Aurora will automatically designate one instance as a Writer and all other instances will be Readers.

Each db_instance can specify it’s own complete set of configuration or you can use the default_instance field to shared default configuration between instances. If a db_instance doesn’t specify a value but it is specified by default_instance it will fall back to using that value.

A simple Aurora with only a single database instance could be:

Simple Aurora single instance

type: RDSMysqlAurora
default_instance:
  db_instance_type: db.t3.medium
db_instances:
  single:

A more complex Aurora with a cluster of three database instances could be:

Three instance Aurora cluster

type: RDSMysqlAurora
default_instance:
  db_instance_type: db.t3.medium
  enhanced_monitoring_interval_in_seconds: 30
db_instances:
  first:
    availability_zone: 1
    db_instance_type: db.t3.large
    enhanced_monitoring_interval_in_seconds: 5
  second:
    availability_zone: 2
  third:
    availability_zone: 3

Prescribed Automation

secrets_password: Uses a Secrets Manager secret for the database master password.

enable_kms_encryption: Encrypts the database storage. Paco will creates a KMS-CMK dedicated to the DB Cluster. This key can only be accessed by the AWS RDS service.

enhanced_monitoring_interval_in_seconds: Paco will create an IAM Role to allow the RDS monitoring service access to perform enhanced monitoring.

cluster_event_notifications and event_notifications must reference a group specified in resource/sns.yaml. This group (SNS Topic) must already be provisioned in the same account and region as the database.

monitoring applies to db_instances and will apply CloudWatch Alarms that are specific to each database instance in the Aurora cluster.

RDSPostgresqlAurora db cluster example

type: RDSPostgresqlAurora
order: 10
enabled: true
availability_zones: all
engine_version: '11.7'
port: 5432
master_username: master
secrets_password: paco.ref netenv.anet.secrets_manager.anet.app.database
backup_preferred_window: 04:00-05:00
backup_retention_period: 7
maintenance_preferred_window: 'Sat:07:00-Sat:08:00'
cluster_parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.clusterparams
cloudwatch_logs_exports:
  - error
security_groups:
  - paco.ref netenv.mynet.network.vpc.security_groups.app.database
segment: paco.ref netenv.anet.network.vpc.segments.private
dns:
  - domain_name: database.test.internal
    hosted_zone: paco.ref netenv.mynet.network.vpc.private_hosted_zone
enable_kms_encryption: true
cluster_event_notifications:
  groups:
    - wb_low
  event_categories:
    - failover
    - failure
    - notification
default_instance:
  parameter_group: paco.ref netenv.mynet.applications.app.groups.web.resources.dbparams_performance
  enable_performance_insights: true
  publicly_accessible: false
  db_instance_type: db.t3.medium
  allow_major_version_upgrade: true
  auto_minor_version_upgrade: true
  event_notifications:
    groups:
      - admin
    event_categories:
      - availability
      - configuration change
      - deletion
      - failover
      - failure
      - maintenance
      - notification
      - recovery
  monitoring:
    enabled: true
    alarm_sets:
      basic_dbinstance:
db_instances:
  first:
    db_instance_type: db.t3.medium
    enhanced_monitoring_interval_in_seconds: 30
    availability_zone: 1
    monitoring:
      enabled: true
      alarm_sets:
        complex_dbinstance:
  second:
    enable_performance_insights: false
    event_notifications:
      groups:
        - admin
      event_categories:
        - maintenance

RDSMysql

RDS for MySQL

RDSMysql

Field name	Type	Purpose	Constraints	Default

Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type

RDSPostgresql

RDS for Postgresql

RDSPostgresql

Field name	Type	Purpose	Constraints	Default

Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, RDSMultiAZ, Named, Title, Type

RDSPostgresqlAurora

RDS PostgreSQL Aurora Cluster

RDSPostgresqlAurora

Field name	Type	Purpose	Constraints	Default
database_name	String	Database Name to create in the cluster	Must be a valid database name for the DB Engine. Must contain 1 to 63 letters, numbers or underscores. Must begin with a letter or an underscore. Can’t be PostgreSQL reserved word.

Base Schemas RDSAurora, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSMysqlAurora

RDS MySQL Aurora Cluster

RDSMysqlAurora

Field name	Type	Purpose	Constraints	Default
database_name	String	Database Name to create in the cluster	Must be a valid database name for the DB Engine. Must contain 1 to 64 letters or numbers. Can’t be MySQL reserved word.

Base Schemas RDSAurora, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSOptionConfiguration

Option groups enable and configure features that are specific to a particular DB engine.

RDSOptionConfiguration

Field name	Type	Purpose	Constraints	Default
option_name	String	Option Name
option_settings	List<NameValuePair>	List of option name value pairs.
option_version	String	Option Version
port	String	Port

NameValuePair

A Name/Value pair to use for RDS Option Group configuration

NameValuePair

Field name	Type	Purpose	Constraints	Default
name	String	Name
value	PacoReference|String	Value	Paco Reference to Interface. String Ok.

RDSMultiAZ

RDS with MultiAZ capabilities. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).

RDSMultiAZ

Field name	Type	Purpose	Constraints	Default
multi_az	Boolean	Multiple Availability Zone deployment		False

Base Schemas RDSInstance, RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSInstance

RDS DB Instance

RDSInstance

Field name	Type	Purpose	Constraints	Default
allow_major_version_upgrade	Boolean	Allow major version upgrades
auto_minor_version_upgrade	Boolean	Automatic minor version upgrades
db_instance_type	String	RDS Instance Type
license_model	String	License Model
option_configurations	List<RDSOptionConfiguration>	Option Configurations
parameter_group	PacoReference	RDS Parameter Group	Paco Reference to DBParameterGroup.
publically_accessible	Boolean	Assign a Public IP address
storage_encrypted	Boolean	Enable Storage Encryption
storage_size_gb	Int	DB Storage Size in Gigabytes
storage_type	String	DB Storage Type

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSAurora

RDS Aurora DB Cluster

RDSAurora

Field name	Type	Purpose	Constraints	Default
availability_zones	String	Availability Zones to launch instances in.	Must be one of all, 1, 2, 3 …	all
backtrack_window_in_seconds	Int	Backtrack Window in seconds. Disabled when set to 0.	Maximum is 72 hours (259,200 seconds).	0
cluster_event_notifications	Object<RDSDBClusterEventNotifications>	Cluster Event Notifications
cluster_parameter_group	PacoReference	DB Cluster Parameter Group	Paco Reference to DBClusterParameterGroup.
db_instances	Container<RDSClusterInstances>	DB Instances
default_instance	Object<RDSClusterDefaultInstance>	Default DB Instance configuration
enable_http_endpoint	Boolean	Enable an HTTP endpoint to provide a connectionless web service API for running SQL queries		False
enable_kms_encryption	Boolean	Enable KMS Key encryption. Will create one KMS-CMK key dedicated to each DBCluster.		False
engine_mode	Choice	Engine Mode	Must be one of provisioned, serverless, parallelquery, global, or multimaster.
read_dns	List<DNS>	DNS domains to create to resolve to the connection Read Endpoint
restore_type	Choice	Restore Type	Must be one of full-copy or copy-on-write	full-copy
use_latest_restorable_time	Boolean	Restore the DB cluster to the latest restorable backup time		False

Base Schemas RDS, Resource, DNSEnablable, Deployable, Monitorable, Named, Title, Type

RDSDBInstanceEventNotifications

DB Instance Event Notifications

RDSDBInstanceEventNotifications

Field name	Type	Purpose	Constraints	Default
event_categories	Choice	Event Categories
groups	List<String>	Groups

Base Schemas Named, Title

RDSClusterDefaultInstance

Default configuration for a DB Instance that belongs to a DB Cluster.

RDSClusterDefaultInstance

Field name	Type	Purpose	Constraints	Default
allow_major_version_upgrade	Boolean	Allow major version upgrades
auto_minor_version_upgrade	Boolean	Automatic minor version upgrades
availability_zone	Int	Availability Zone where the instance will be provisioned.	Must be one of 1, 2, 3 …
db_instance_type	String	DB Instance Type
enable_performance_insights	Boolean	Enable Performance Insights		False
enhanced_monitoring_interval_in_seconds	Int	Enhanced Monitoring interval in seconds. This will enable enhanced monitoring unless set to 0.	Must be one of 0, 1, 5, 10, 15, 30, 60.	0
event_notifications	Object<RDSDBInstanceEventNotifications>	DB Instance Event Notifications
parameter_group	PacoReference	DB Parameter Group	Paco Reference to DBParameterGroup.
publicly_accessible	Boolean	Assign a Public IP address		False

Base Schemas Monitorable, Named, Title

RDSClusterInstance

DB Instance that belongs to a DB Cluster.

RDSClusterInstance

Field name	Type	Purpose	Constraints	Default
allow_major_version_upgrade	Boolean	Allow major version upgrades
auto_minor_version_upgrade	Boolean	Automatic minor version upgrades
availability_zone	Int	Availability Zone where the instance will be provisioned.	Must be one of 1, 2, 3 …
db_instance_type	String	DB Instance Type
enable_performance_insights	Boolean	Enable Performance Insights
enhanced_monitoring_interval_in_seconds	Int	Enhanced Monitoring interval in seconds. This will enable enhanced monitoring unless set to 0.	Must be one of 0, 1, 5, 10, 15, 30, 60.
event_notifications	Object<RDSDBInstanceEventNotifications>	DB Instance Event Notifications
parameter_group	PacoReference	DB Parameter Group	Paco Reference to DBParameterGroup.
publicly_accessible	Boolean	Assign a Public IP address

Base Schemas Monitorable, Named, Title

RDSClusterInstances

Container for RDSClusterInstance objects.

RDSClusterInstances Container<RDSClusterInstances>

Field name	Type	Purpose	Constraints	Default

Base Schemas Named, Title

RDSDBClusterEventNotifications

Event Notifications for a DB Cluster

RDSDBClusterEventNotifications

Field name	Type	Purpose	Constraints	Default
event_categories	Choice	Event Categories
groups	List<String>	Groups

Base Schemas Named, Title

DBParameters

If you want to use DB Parameter Groups with your RDS, then use the parameter_group field to reference a DBParameterGroup resource. Keeping DB Parameter Groups as separate resources allows having multiple Paramater Groups provisioned at the same time. For example, you might have both resources for dbparams_performance and dbparams_debug, allowing you to use the AWS Console to switch between performance and debug configuration quickl in an emergency.

DBParameterGroup

DBParameterGroup

DBParameterGroup

Field name	Type	Purpose	Constraints	Default
description	String	Description
family	String	Database Family
parameters	Container<DBParameters>	Database Parameter set

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

DBClusterParameterGroup

DBCluster Parameter Group

DBClusterParameterGroup

Field name	Type	Purpose	Constraints	Default

Base Schemas Resource, DBParameterGroup, DNSEnablable, Deployable, Named, Title, Type

Route53HealthCheck

Route53 Health Check

Route53HealthCheck

Field name	Type	Purpose	Constraints	Default
domain_name	String	Fully Qualified Domain Name	Either this or the load_balancer field can be set but not both.
enable_sni	Boolean	Enable SNI		False
failure_threshold	Int	Number of consecutive health checks that an endpoint must pass or fail for Amazon Route 53 to change the current status of the endpoint from unhealthy to healthy or vice versa.		3
health_check_type	String	Health Check Type	Must be one of HTTP, HTTPS or TCP
health_checker_regions	List<String>	Health checker regions	List of AWS Region names (e.g. us-west-2) from which to make health checks.
ip_address	PacoReference|String	IP Address	Paco Reference to EIP. String Ok.
latency_graphs	Boolean	Measure latency and display CloudWatch graph in the AWS Console		False
load_balancer	PacoReference|String	Load Balancer Endpoint	Paco Reference to LoadBalancer. String Ok.
match_string	String	String to match in the first 5120 bytes of the response
port	Int	Port		80
request_interval_fast	Boolean	Fast request interval will only wait 10 seconds between each health check response instead of the standard 30		False
resource_path	String	Resource Path	String such as ‘/health.html’. Path should return a 2xx or 3xx. Query string parameters are allowed: ‘/search?query=health’	/

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

S3Bucket

S3Bucket is an object storage resource in the Amazon S3 service.

S3Buckets may be declared either in the global resource/s3.yaml file or in a network environment in as an application resource.

S3Buckets in an application context will use the same account and region as the application, although it is still possible to override this to use other accouns and regions if desired.

Prescribed Automation

deletion_policy: The deletion_policy: field supports a delete or keep values. The delete choice will delete all objects from the S3 Bucket if a Paco delete command is applied. Otherwise AWS will not allow you to delete an S3 Bucket that is not empty until all objects are deleted.

resource_suffix: The policy field allows you to declare S3 Bucket policies. These policies need to be restricted to the S3 Bucket resource itself. The resource_suffix will be prefixed with the S3 Bucket ARN and you only need to declare keys within the bucket.

example S3Bucket resource

type: S3Bucket
title: My S3 Bucket
enabled: true
order: 10
account: paco.ref accounts.data
region: us-west-2
deletion_policy: "delete"
notifications:
    lambdas:
     - paco.ref netenv.mynet.applications.app.groups.serverless.resources.mylambda
cloudfront_origin: false
external_resource: false
versioning: false
add_paco_suffix: true
policy:
  - principal:
      Service: iotanalytics.amazonaws.com
    effect: 'Allow'
    action:
      - s3:Get*
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:ListMultipartUploadParts
    resource_suffix:
      - '/*'
      - ''
    condition:
      StringEquals:
        s3:x-amz-acl:
          "public-read"
      IpAddress:
        "aws:SourceIp": "192.0.2.0/24"
      NotIpAddress:
        "aws:SourceIp": "192.0.2.188/32"

  - aws:
      - paco.sub '${paco.ref netenv.mynet.applications.app.groups.site.resources.demo.instance_iam_role.arn}'
    effect: 'Allow'
    action:
      - 's3:Get*'
      - 's3:List*'
    resource_suffix:
      - '/*'
      - ''

S3Bucket

Field name	Type	Purpose	Constraints	Default
account	PacoReference	Account that S3 Bucket belongs to.	Paco Reference to Account.
add_paco_suffix	Boolean	Add the Paco s3bucket_hash suffix to the bucket name		False
bucket_name	String	Bucket Name	A short unique name to assign the bucket.	bucket
cloudfront_origin	Boolean	Creates and listens for a CloudFront Access Origin Identity		False
deletion_policy	String	Bucket Deletion Policy		delete
external_resource	Boolean	Boolean indicating whether the S3 Bucket already exists or not		False
notifications	Object<S3NotificationConfiguration>	Notification configuration
policy	List<S3BucketPolicy>	List of S3 Bucket Policies
region	String	Bucket region
static_website_hosting	Object<S3StaticWebsiteHosting>	Static website hosting configuration.
versioning	Boolean	Enable Versioning on the bucket.		False

Base Schemas Resource, DNSEnablable, Deployable, Named, Title, Type

S3BucketPolicy

S3 Bucket Policy

S3BucketPolicy

Field name	Type	Purpose	Constraints	Default
action	List<String>	List of Actions
aws	List<String>	List of AWS Principals.	Either this field or the principal field must be set.
condition	Dict	Condition	Each Key is the Condition name and the Value must be a dictionary of request filters. e.g. { “StringEquals” : { “aws:username” : “johndoe” }}	{}
effect	Choice	Effect	Must be one of ‘Allow’ or ‘Deny’
principal	Dict	Prinicpals	Either this field or the aws field must be set. Key should be one of: AWS, Federated, Service or CanonicalUser. Value can be either a String or a List.	{}
resource_suffix	List<String>	List of AWS Resources Suffixes
sid	String	Statement Id

S3LambdaConfiguration

S3LambdaConfiguration

Field name	Type	Purpose	Constraints	Default
event	String	S3 bucket event for which to invoke the AWS Lambda function	Must be a supported event type: https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html
function	PacoReference	Lambda function to notify	Paco Reference to Lambda.

S3NotificationConfiguration

S3NotificationConfiguration

Field name	Type	Purpose	Constraints	Default
lambdas	List<S3LambdaConfiguration>	Lambda configurations

S3StaticWebsiteHosting

S3StaticWebsiteHosting

Field name	Type	Purpose	Constraints	Default
redirect_requests	Object<S3StaticWebsiteHostingRedirectRequests>	Redirect requests configuration.

Base Schemas Deployable

S3StaticWebsiteHostingRedirectRequests

S3StaticWebsiteHostingRedirectRequests

Field name	Type	Purpose	Constraints	Default
protocol	String	Protocol
target	PacoReference|String	Target S3 Bucket or domain.	Paco Reference to S3Bucket. String Ok.

SNSTopic

Simple Notification Service (SNS) Topic resource.

Prescribed Automation

cross_account_access: Creates an SNS Topic Policy which will grant all of the AWS Accounts in this Paco Project access to the sns.Publish permission for this SNS Topic.

Example SNSTopic resource YAML

type: SNSTopic
order: 1
enabled: true
display_name: "Waterbear Cloud AWS"
cross_account_access: true
subscriptions:
  - endpoint: http://example.com/yes
    protocol: http
  - endpoint: https://example.com/orno
    protocol: https
  - endpoint: bob@example.com
    protocol: email
  - endpoint: bob@example.com
    protocol: email-json
    filter_policy: '{"State": [ { "anything-but": "COMPLETED" } ] }'
  - endpoint: '555-555-5555'
    protocol: sms
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: sqs
  - endpoint: arn:aws:sqs:us-east-2:444455556666:queue1
    protocol: application
  - endpoint: arn:aws:lambda:us-east-1:123456789012:function:my-function
    protocol: lambda

SNSTopic

Field name	Type	Purpose	Constraints	Default
cross_account_access	Boolean	Cross-account access from all other accounts in this project.		False
display_name	String	Display name for SMS Messages
locations	List<AccountRegions>	Locations	Only applies to a global SNS Topic	[]
subscriptions	List<SNSTopicSubscription>	List of SNS Topic Subscriptions

Base Schemas Resource, DNSEnablable, Enablable, Named, Title, Type

SNSTopicSubscription

SNSTopicSubscription

Field name	Type	Purpose	Constraints	Default
endpoint	PacoReference|String	SNS Topic ARN or Paco Reference	Paco Reference to SNSTopic. String Ok.
filter_policy	String	Filter Policy	Must be valid JSON
protocol	String	Notification protocol	Must be a valid SNS Topic subscription protocol: ‘http’, ‘https’, ‘email’, ‘email-json’, ‘sms’, ‘sqs’, ‘application’, ‘lambda’.	email