Carina
A strongly typed infrastructure management tool written in Rust.
Key Features
- Custom DSL for infrastructure definition (.crn files)
- Effects as Values - side effects are represented as data, inspectable before execution
- Strong Typing - resource attributes are validated at parse time
- Provider Architecture - pluggable providers (AWS, AWSCC)
- Modules - reusable infrastructure components
- State Management - S3 backend for remote state
- LSP Support - editor integration with completions and diagnostics
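The "effects as values" idea in working form, added here as an illustration and not Carina's own code: a plan is a Vec of effect values diffed from the desired resources and the recorded state, and a policy gate inspects those values before any executor turns them into API calls. The Value, Resource and Effect types, the two example policies (refuse VPC deletion, flag subnets that auto-assign public IPv4 addresses) and the sample desired/state data are constructed for this example and are not Carina's API.

```rust
use std::collections::BTreeMap;

/// Attribute values as they come out of a parsed .crn block (subset, example only).
#[derive(Clone, Debug, PartialEq)]
pub enum Value {
    Str(String),
    Bool(bool),
}

/// A desired resource: its DSL type and the attributes set on it.
#[derive(Clone, Debug, PartialEq)]
pub struct Resource {
    pub name: String,
    pub resource_type: String,
    pub attrs: BTreeMap<String, Value>,
}

/// Side effects as plain data. Nothing here calls AWS; an executor would
/// interpret these only after the plan has been reviewed and gated.
#[derive(Clone, Debug, PartialEq)]
pub enum Effect {
    Create(Resource),
    Update { name: String, resource_type: String, changed: Vec<(String, Value)> },
    Delete { name: String, resource_type: String },
}

/// Diff desired resources against recorded state and return the effects
/// that would reconcile them, in evaluation order.
pub fn plan(desired: &[Resource], state: &[Resource]) -> Vec<Effect> {
    let mut effects = Vec::new();
    for d in desired {
        match state.iter().find(|s| s.name == d.name) {
            None => effects.push(Effect::Create(d.clone())),
            Some(s) => {
                // Only attributes whose desired value differs from state are written.
                let changed: Vec<(String, Value)> = d.attrs.iter()
                    .filter(|(k, v)| s.attrs.get(*k) != Some(*v))
                    .map(|(k, v)| (k.clone(), v.clone()))
                    .collect();
                if !changed.is_empty() {
                    effects.push(Effect::Update { name: d.name.clone(), resource_type: d.resource_type.clone(), changed });
                }
            }
        }
    }
    for s in state {
        if !desired.iter().any(|d| d.name == s.name) {
            effects.push(Effect::Delete { name: s.name.clone(), resource_type: s.resource_type.clone() });
        }
    }
    effects
}

fn effect_name(e: &Effect) -> &str {
    match e {
        Effect::Create(r) => &r.name,
        Effect::Update { name, .. } | Effect::Delete { name, .. } => name,
    }
}

/// Attributes an effect would write, whatever its kind.
fn written_attrs(e: &Effect) -> Vec<(&str, &Value)> {
    match e {
        Effect::Create(r) => r.attrs.iter().map(|(k, v)| (k.as_str(), v)).collect(),
        Effect::Update { changed, .. } => changed.iter().map(|(k, v)| (k.as_str(), v)).collect(),
        Effect::Delete { .. } => Vec::new(),
    }
}

/// Policy gate evaluated over the plan before anything executes. Every
/// violation is collected so the operator sees all of them in one run.
pub fn check_policy(effects: &[Effect]) -> Vec<String> {
    let mut violations = Vec::new();
    for e in effects {
        if let Effect::Delete { name, resource_type } = e {
            if resource_type == "awscc.ec2_vpc" {
                violations.push(format!("{name}: plan deletes a VPC; requires explicit approval"));
            }
        }
        for (k, v) in written_attrs(e) {
            if k == "map_public_ip_on_launch" && *v == Value::Bool(true) {
                violations.push(format!("{}: subnet would auto-assign public IPv4 addresses", effect_name(e)));
            }
        }
    }
    violations
}

fn resource(name: &str, resource_type: &str, pairs: &[(&str, Value)]) -> Resource {
    let attrs = pairs.iter().map(|(k, v)| (k.to_string(), v.clone())).collect();
    Resource { name: name.to_string(), resource_type: resource_type.to_string(), attrs }
}

/// Constructed sample: what a small .crn file would declare.
pub fn sample_desired() -> Vec<Resource> {
    vec![
        resource("vpc", "awscc.ec2_vpc", &[("cidr_block", Value::Str("10.0.0.0/16".into())), ("enable_dns_hostnames", Value::Bool(true))]),
        resource("public_subnet", "awscc.ec2_subnet", &[("cidr_block", Value::Str("10.0.1.0/24".into())), ("map_public_ip_on_launch", Value::Bool(true))]),
    ]
}

/// Constructed sample: what the remote state backend last recorded.
pub fn sample_state() -> Vec<Resource> {
    vec![
        resource("vpc", "awscc.ec2_vpc", &[("cidr_block", Value::Str("10.0.0.0/16".into())), ("enable_dns_hostnames", Value::Bool(false))]),
        resource("old_vpc", "awscc.ec2_vpc", &[("cidr_block", Value::Str("10.1.0.0/16".into()))]),
    ]
}

fn main() {
    let effects = plan(&sample_desired(), &sample_state());
    for e in &effects {
        println!("{e:?}");
    }
    let violations = check_policy(&effects);
    for v in &violations {
        eprintln!("POLICY: {v}");
    }
    if !violations.is_empty() {
        std::process::exit(1);
    }
    println!("plan passes policy; safe to apply");
}
```

Because the effects exist as values before any API call, a gate like check_policy is where organisational rules belong (no world-open rules, no VPC deletion without a ticket, mandatory tags); the same values can be serialised into a plan artifact for review or signed off in CI before apply.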
Quick Start
# Build from source
cargo build --release
# Validate a configuration
cargo run --bin carina -- validate example.crn
# Preview changes
aws-vault exec <profile> -- cargo run --bin carina -- plan example.crn
# Apply changes
aws-vault exec <profile> -- cargo run --bin carina -- apply example.crn
Providers
- AWSCC Provider - AWS Cloud Control API provider
For more details, see the README.
AWSCC Provider
The awscc provider manages AWS resources through the AWS Cloud Control API.
Configuration
provider awscc {
region = aws.Region.ap_northeast_1
}
Usage
Resources are defined using the awscc.<resource_type> syntax:
let vpc = awscc.ec2_vpc {
name = "my-vpc"
cidr_block = "10.0.0.0/16"
tags = {
Environment = "production"
}
}
Named resources (using let) can be referenced by other resources:
let subnet = awscc.ec2_subnet {
name = "my-subnet"
vpc_id = vpc.vpc_id
cidr_block = "10.0.1.0/24"
availability_zone = "ap-northeast-1a"
}
Enum Values
Some attributes accept enum values. These can be specified in three formats:
- Bare value: instance_tenancy = default
- TypeName.value: instance_tenancy = InstanceTenancy.default
- Full namespace: instance_tenancy = awscc.ec2_vpc.InstanceTenancy.default
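A parse-time resolver for those three spellings, added here as an example and not Carina's parser: it normalises the literal to the canonical value and rejects an unknown value or a mismatched namespace before any plan is produced. EnumSpec and the two schema constants are constructed for the example from the enum tables on this page (InstanceTenancy for awscc.ec2_vpc, IpProtocol for awscc.ec2_security_group_egress).

```rust
/// An enum-typed attribute as the provider schema would declare it (example type).
pub struct EnumSpec {
    pub resource: &'static str,
    pub type_name: &'static str,
    pub values: &'static [&'static str],
}

/// Schema entry for awscc.ec2_vpc.instance_tenancy, values from the table on this page.
pub const INSTANCE_TENANCY: EnumSpec = EnumSpec {
    resource: "awscc.ec2_vpc",
    type_name: "InstanceTenancy",
    values: &["default", "dedicated", "host"],
};

/// Schema entry for awscc.ec2_security_group_egress.ip_protocol.
pub const IP_PROTOCOL: EnumSpec = EnumSpec {
    resource: "awscc.ec2_security_group_egress",
    type_name: "IpProtocol",
    values: &["tcp", "udp", "icmp", "icmpv6", "-1"],
};

/// Accept the three spellings and return the canonical value, or a parse-time
/// error naming the type and the permitted values.
pub fn resolve_enum(spec: &EnumSpec, literal: &str) -> Result<&'static str, String> {
    let full = format!("{}.{}.", spec.resource, spec.type_name);
    let short = format!("{}.", spec.type_name);
    let value = if let Some(rest) = literal.strip_prefix(full.as_str()) {
        rest
    } else if let Some(rest) = literal.strip_prefix(short.as_str()) {
        rest
    } else if literal.contains('.') {
        // Some other namespace or type name: reject rather than guess.
        return Err(format!("{literal:?} is not a bare value, {short}<value> or {full}<value>"));
    } else {
        literal
    };
    spec.values
        .iter()
        .copied()
        .find(|v| *v == value)
        .ok_or_else(|| format!("{value:?} is not a valid {}; expected one of {:?}", spec.type_name, spec.values))
}

fn main() {
    for literal in ["default", "InstanceTenancy.dedicated", "awscc.ec2_vpc.InstanceTenancy.host", "shared"] {
        match resolve_enum(&INSTANCE_TENANCY, literal) {
            Ok(v) => println!("{literal} -> {v}"),
            Err(e) => println!("{literal}: {e}"),
        }
    }
}
```

The resolver is strict on purpose: a value written against the wrong resource's enum (awscc.ec2_subnet.InstanceTenancy.default) is an error, not a silent match, so a typo cannot turn into a different resource's setting at apply time.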
Supported Resource Types
| Resource Type | CloudFormation Type | Description |
|---|---|---|
| ec2_vpc | AWS::EC2::VPC | Virtual Private Cloud |
| ec2_subnet | AWS::EC2::Subnet | VPC Subnet |
| ec2_internet_gateway | AWS::EC2::InternetGateway | Internet Gateway |
| ec2_vpc_gateway_attachment | AWS::EC2::VPCGatewayAttachment | VPC Gateway Attachment |
| ec2_route_table | AWS::EC2::RouteTable | Route Table |
| ec2_route | AWS::EC2::Route | Route |
| ec2_subnet_route_table_association | AWS::EC2::SubnetRouteTableAssociation | Subnet Route Table Association |
| ec2_eip | AWS::EC2::EIP | Elastic IP Address |
| ec2_nat_gateway | AWS::EC2::NatGateway | NAT Gateway |
| ec2_security_group | AWS::EC2::SecurityGroup | Security Group |
| ec2_security_group_ingress | AWS::EC2::SecurityGroupIngress | Security Group Ingress Rule |
| ec2_security_group_egress | AWS::EC2::SecurityGroupEgress | Security Group Egress Rule |
| ec2_vpc_endpoint | AWS::EC2::VPCEndpoint | VPC Endpoint |
| ec2_flow_log | AWS::EC2::FlowLog | VPC Flow Log |
awscc.ec2_vpc
CloudFormation Type: AWS::EC2::VPC
Specifies a virtual private cloud (VPC). To add an IPv6 CIDR block to the VPC, see AWS::EC2::VPCCidrBlock. For more information, see Virtual private clouds (VPC) in the Amazon VPC User Guide.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| cidr_block | CIDR | No | The IPv4 network range for the VPC, in CIDR notation. For example, 10.0.0.0/16. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18. You must specify either CidrBlock or Ipv4IpamPoolId. |
| cidr_block_associations | List | (read-only) | |
| default_network_acl | String | (read-only) | |
| default_security_group | String | (read-only) | |
| enable_dns_hostnames | Bool | No | Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more information, see DNS attributes in your VPC. You can only enable DNS hostnames if you've enabled DNS support. |
| enable_dns_support | Bool | No | Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. For more information, see DNS attributes in your VPC. |
| instance_tenancy | Enum (InstanceTenancy) | No | The allowed tenancy of instances launched into the VPC. default: an instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch. dedicated: an instance launched into the VPC runs on dedicated hardware by default, unless you explicitly specify a tenancy of host during instance launch; you cannot specify a tenancy of default during instance launch. Updating InstanceTenancy requires no replacement only if you are updating its value from dedicated to default. Updating InstanceTenancy from default to dedicated requires replacement. |
| ipv4_ipam_pool_id | String | No | The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. For more information, see What is IPAM? in the Amazon VPC IPAM User Guide. You must specify either CidrBlock or Ipv4IpamPoolId. |
| ipv4_netmask_length | Int | No | The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see What is IPAM? in the Amazon VPC IPAM User Guide. |
| ipv6_cidr_blocks | List | (read-only) | |
| tags | Map | No | The tags for the VPC. |
| vpc_id | String | (read-only) | |
Enum Values
instance_tenancy (InstanceTenancy)
| Value | DSL Identifier |
|---|---|
| default | awscc.ec2_vpc.InstanceTenancy.default |
| dedicated | awscc.ec2_vpc.InstanceTenancy.dedicated |
| host | awscc.ec2_vpc.InstanceTenancy.host |
Shorthand formats: default or InstanceTenancy.default
Example
awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
instance_tenancy = default
tags = {
Environment = "example"
}
}
awscc.ec2_subnet
CloudFormation Type: AWS::EC2::Subnet
Specifies a subnet for the specified VPC. For an IPv4 only subnet, specify an IPv4 CIDR block. If the VPC has an IPv6 CIDR block, you can create an IPv6 only subnet or a dual stack subnet instead. For an IPv6 only subnet, specify an IPv6 CIDR block. For a dual stack subnet, specify both an IPv4 CIDR block and an IPv6 CIDR block. For more information, see Subnets for your VPC in the Amazon VPC User Guide.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| assign_ipv6_address_on_creation | Bool | No | Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is false. If you specify AssignIpv6AddressOnCreation, you must also specify an IPv6 CIDR block. |
| availability_zone | String | No | The Availability Zone of the subnet. If you update this property, you must also update the CidrBlock property. |
| availability_zone_id | String | No | The AZ ID of the subnet. |
| block_public_access_states | Map | (read-only) | |
| cidr_block | CIDR | No | The IPv4 CIDR block assigned to the subnet. If you update this property, we create a new subnet, and then delete the existing one. |
| enable_dns64 | Bool | No | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. You must first configure a NAT gateway in a public subnet (separate from the subnet containing the IPv6-only workloads). For example, the subnet containing the NAT gateway should have a 0.0.0.0/0 route pointing to the internet gateway. For more information, see Configure DNS64 and NAT64 in the User Guide. |
| enable_lni_at_device_index | Int | No | Indicates the device position for local network interfaces in this subnet. For example, 1 indicates local network interfaces in this subnet are the secondary network interface (eth1). |
| ipv4_ipam_pool_id | String | No | An IPv4 IPAM pool ID for the subnet. |
| ipv4_netmask_length | Int | No | An IPv4 netmask length for the subnet. |
| ipv6_cidr_block | CIDR | No | The IPv6 CIDR block. If you specify AssignIpv6AddressOnCreation, you must also specify an IPv6 CIDR block. |
| ipv6_cidr_blocks | List | (read-only) | |
| ipv6_ipam_pool_id | String | No | An IPv6 IPAM pool ID for the subnet. |
| ipv6_native | Bool | No | Indicates whether this is an IPv6 only subnet. For more information, see Subnet basics in the User Guide. |
| ipv6_netmask_length | Int | No | An IPv6 netmask length for the subnet. |
| map_public_ip_on_launch | Bool | No | Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is false. AWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the Public IPv4 Address tab on the VPC pricing page. |
| network_acl_association_id | String | (read-only) | |
| outpost_arn | String | No | The Amazon Resource Name (ARN) of the Outpost. |
| private_dns_name_options_on_launch | Map | No | The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries to the instances should be handled. For more information, see Amazon EC2 instance hostname types in the User Guide. Available options: EnableResourceNameDnsAAAARecord (true or false), EnableResourceNameDnsARecord (true or false), HostnameType (ip-name or resource-name). |
| subnet_id | String | (read-only) | |
| tags | Map | No | Any tags assigned to the subnet. |
| vpc_id | String | Yes | The ID of the VPC the subnet is in. If you update this property, you must also update the CidrBlock property. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
awscc.ec2_subnet {
name = "example-public-subnet"
vpc_id = vpc.vpc_id
cidr_block = "10.0.1.0/24"
availability_zone = "ap-northeast-1a"
map_public_ip_on_launch = true
tags = {
Environment = "example"
}
}
awscc.ec2_internet_gateway
CloudFormation Type: AWS::EC2::InternetGateway
Allocates an internet gateway for use with a VPC. After creating the Internet gateway, you then attach it to a VPC.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| internet_gateway_id | String | (read-only) | |
| tags | Map | No | Any tags to assign to the internet gateway. |
Example
awscc.ec2_internet_gateway {
name = "example-igw"
tags = {
Environment = "example"
}
}
awscc.ec2_route_table
CloudFormation Type: AWS::EC2::RouteTable
Specifies a route table for the specified VPC. After you create a route table, you can add routes and associate the table with a subnet. For more information, see Route tables in the Amazon VPC User Guide.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| route_table_id | String | (read-only) | |
| tags | Map | No | Any tags assigned to the route table. |
| vpc_id | String | Yes | The ID of the VPC. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
awscc.ec2_route_table {
name = "example-public-rt"
vpc_id = vpc.vpc_id
tags = {
Environment = "example"
}
}
awscc.ec2_route
CloudFormation Type: AWS::EC2::Route
Specifies a route in a route table. For more information, see Routes in the Amazon VPC User Guide.
You must specify either a destination CIDR block or prefix list ID. You must also specify exactly one of the resources as the target.
If you create a route that references a transit gateway in the same template where you create the transit gateway, you must declare a dependency on the transit gateway attachment. The route table cannot use the transit gateway until it has successfully attached to the VPC. In a CloudFormation template this is done with a DependsOn attribute on the AWS::EC2::Route resource pointing at the AWS::EC2::TransitGatewayAttachment resource; DependsOn is CloudFormation syntax, not part of the .crn DSL. The same ordering concern applies to an internet gateway, which is why the example below takes the gateway ID from the gateway attachment resource rather than from the gateway itself.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| carrier_gateway_id | String | No | The ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone. |
| cidr_block | CIDR | (read-only) | |
| core_network_arn | String | No | The Amazon Resource Name (ARN) of the core network. |
| destination_cidr_block | CIDR | No | The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18. |
| destination_ipv6_cidr_block | CIDR | No | The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match. |
| destination_prefix_list_id | String | No | The ID of a prefix list used for the destination match. |
| egress_only_internet_gateway_id | String | No | [IPv6 traffic only] The ID of an egress-only internet gateway. |
| gateway_id | String | No | The ID of an internet gateway or virtual private gateway attached to your VPC. |
| instance_id | String | No | The ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached. |
| local_gateway_id | String | No | The ID of the local gateway. |
| nat_gateway_id | String | No | [IPv4 traffic only] The ID of a NAT gateway. |
| network_interface_id | String | No | The ID of a network interface. |
| route_table_id | String | Yes | The ID of the route table for the route. |
| transit_gateway_id | String | No | The ID of a transit gateway. |
| vpc_endpoint_id | String | No | The ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only. |
| vpc_peering_connection_id | String | No | The ID of a VPC peering connection. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
let igw = awscc.ec2_internet_gateway {
name = "example-igw"
}
let igw_attachment = awscc.ec2_vpc_gateway_attachment {
name = "example-igw-attachment"
vpc_id = vpc.vpc_id
internet_gateway_id = igw.internet_gateway_id
}
let rt = awscc.ec2_route_table {
name = "example-public-rt"
vpc_id = vpc.vpc_id
}
awscc.ec2_route {
name = "example-internet-route"
route_table_id = rt.route_table_id
destination_cidr_block = "0.0.0.0/0"
gateway_id = igw_attachment.internet_gateway_id
}
awscc.ec2_subnet_route_table_association
CloudFormation Type: AWS::EC2::SubnetRouteTableAssociation
Associates a subnet with a route table. The subnet and route table must be in the same VPC. This association causes traffic originating from the subnet to be routed according to the routes in the route table. A route table can be associated with multiple subnets. To create a route table, see AWS::EC2::RouteTable.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | String | (read-only) | |
| route_table_id | String | Yes | The ID of the route table. The physical ID changes when the route table ID is changed. |
| subnet_id | String | Yes | The ID of the subnet. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
let subnet = awscc.ec2_subnet {
name = "example-subnet"
vpc_id = vpc.vpc_id
cidr_block = "10.0.1.0/24"
availability_zone = "ap-northeast-1a"
}
let rt = awscc.ec2_route_table {
name = "example-rt"
vpc_id = vpc.vpc_id
}
awscc.ec2_subnet_route_table_association {
name = "example-subnet-rt-assoc"
subnet_id = subnet.subnet_id
route_table_id = rt.route_table_id
}
awscc.ec2_eip
CloudFormation Type: AWS::EC2::EIP
Specifies an Elastic IP (EIP) address and can, optionally, associate it with an Amazon EC2 instance. You can allocate an Elastic IP address from an address pool owned by AWS or from an address pool created from a public IPv4 address range that you have brought to AWS for use with your AWS resources using bring your own IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP) in the Amazon EC2 User Guide. For more information, see Elastic IP Addresses in the Amazon EC2 User Guide.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| address | String | No | |
| allocation_id | String | (read-only) | |
| domain | String | No | The network (vpc). If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the DependsOn Attribute on this resource. |
| instance_id | String | No | The ID of the instance. Updates to the InstanceId property may require some interruptions. Updates on an EIP reassociates the address on its associated resource. |
| ipam_pool_id | String | No | |
| network_border_group | String | No | A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use DescribeAvailabilityZones to view the network border groups. |
| public_ip | String | (read-only) | |
| public_ipv4_pool | String | No | The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool. Updates to the PublicIpv4Pool property may require some interruptions. Updates on an EIP reassociates the address on its associated resource. |
| tags | Map | No | Any tags assigned to the Elastic IP address. Updates to the Tags property may require some interruptions. Updates on an EIP reassociates the address on its associated resource. |
| transfer_address | String | No | The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see Transfer Elastic IP addresses in the Amazon Virtual Private Cloud User Guide. |
Example
awscc.ec2_eip {
name = "example-eip"
domain = "vpc"
tags = {
Environment = "example"
}
}
awscc.ec2_nat_gateway
CloudFormation Type: AWS::EC2::NatGateway
Specifies a network address translation (NAT) gateway in the specified subnet. You can create either a public NAT gateway or a private NAT gateway. The default is a public NAT gateway. If you create a public NAT gateway, you must specify an elastic IP address.
With a NAT gateway, instances in a private subnet can connect to the internet, other AWS services, or an on-premises network using the IP address of the NAT gateway. For more information, see NAT gateways in the Amazon VPC User Guide.
If you add a default route (AWS::EC2::Route resource) that points to a NAT gateway, specify the NAT gateway ID for the route’s NatGatewayId property.
When you associate an Elastic IP address or secondary Elastic IP address with a public NAT gateway, the network border group of the Elastic IP address must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. Otherwise, the NAT gateway fails to launch. You can see the network border group for the AZ by viewing the details of the subnet. Similarly, you can view the network border group for the Elastic IP address by viewing its details. For more information, see Allocate an Elastic IP address in the Amazon VPC User Guide.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| allocation_id | String | No | [Public NAT gateway only] The allocation ID of the Elastic IP address that's associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway. |
| auto_provision_zones | String | (read-only) | |
| auto_scaling_ips | String | (read-only) | |
| availability_mode | String | No | Indicates whether this is a zonal (single-AZ) or regional (multi-AZ) NAT gateway. A zonal NAT gateway is a NAT Gateway that provides redundancy and scalability within a single availability zone. A regional NAT gateway is a single NAT Gateway that works across multiple availability zones (AZs) in your VPC, providing redundancy, scalability and availability across all the AZs in a Region. For more information, see Regional NAT gateways for automatic multi-AZ expansion in the Amazon VPC User Guide. |
| availability_zone_addresses | List | No | For regional NAT gateways only: Specifies which Availability Zones you want the NAT gateway to support and the Elastic IP addresses (EIPs) to use in each AZ. The regional NAT gateway uses these EIPs to handle outbound NAT traffic from their respective AZs. If not specified, the NAT gateway will automatically expand to new AZs and associate EIPs upon detection of an elastic network interface. If you specify this parameter, auto-expansion is disabled and you must manually manage AZ coverage. A regional NAT gateway is a single NAT Gateway that works across multiple availability zones (AZs) in your VPC, providing redundancy, scalability and availability across all the AZs in a Region. For more information, see Regional NAT gateways for automatic multi-AZ expansion in the Amazon VPC User Guide. |
| connectivity_type | String | No | Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity. |
| eni_id | String | (read-only) | |
| max_drain_duration_seconds | Int | No | The maximum amount of time to wait (in seconds) before forcibly releasing the IP addresses if connections are still in progress. Default value is 350 seconds. |
| nat_gateway_id | String | (read-only) | |
| private_ip_address | String | No | The private IPv4 address to assign to the NAT gateway. If you don't provide an address, a private IPv4 address will be automatically assigned. |
| route_table_id | String | (read-only) | |
| secondary_allocation_ids | List | No | Secondary EIP allocation IDs. For more information, see Create a NAT gateway in the Amazon VPC User Guide. |
| secondary_private_ip_address_count | Int | No | [Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time. |
| secondary_private_ip_addresses | List | No | Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time. |
| subnet_id | String | No | The ID of the subnet in which the NAT gateway is located. |
| tags | Map | No | The tags for the NAT gateway. |
| vpc_id | String | No | The ID of the VPC in which the NAT gateway is located. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
let public_subnet = awscc.ec2_subnet {
name = "example-public-subnet"
vpc_id = vpc.vpc_id
cidr_block = "10.0.1.0/24"
availability_zone = "ap-northeast-1a"
map_public_ip_on_launch = true
}
let eip = awscc.ec2_eip {
name = "example-nat-eip"
domain = "vpc"
}
awscc.ec2_nat_gateway {
name = "example-nat-gw"
allocation_id = eip.allocation_id
subnet_id = public_subnet.subnet_id
tags = {
Environment = "example"
}
}
awscc.ec2_security_group
CloudFormation Type: AWS::EC2::SecurityGroup
Resource Type definition for AWS::EC2::SecurityGroup
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| group_description | String | Yes | A description for the security group. |
| group_id | String | (read-only) | |
| group_name | String | No | The name of the security group. |
| id | String | (read-only) | |
| security_group_egress | List | No | [VPC only] The outbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group. |
| security_group_ingress | List | No | The inbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group. |
| tags | Map | No | Any tags assigned to the security group. |
| vpc_id | String | No | The ID of the VPC for the security group. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
}
awscc.ec2_security_group {
name = "example-sg"
vpc_id = vpc.vpc_id
group_description = "Example security group"
tags = {
Environment = "example"
}
}
awscc.ec2_security_group_ingress
CloudFormation Type: AWS::EC2::SecurityGroupIngress
Resource Type definition for AWS::EC2::SecurityGroupIngress
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| cidr_ip | String | No | The IPv4 ranges |
| cidr_ipv6 | String | No | [VPC only] The IPv6 ranges |
| description | String | No | Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously |
| from_port | Int | No | The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports. |
| group_id | String | No | The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID. You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property. |
| group_name | String | No | The name of the security group. |
| id | String | (read-only) | |
| ip_protocol | String | Yes | The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). [VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed. |
| source_prefix_list_id | String | No | [EC2-VPC only] The ID of a prefix list. |
| source_security_group_id | String | No | The ID of the security group. You must specify either the security group ID or the security group name. For security groups in a nondefault VPC, you must specify the security group ID. |
| source_security_group_name | String | No | [EC2-Classic, default VPC] The name of the source security group. You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property. |
| source_security_group_owner_id | String | No | [nondefault VPC] The AWS account ID that owns the source security group. You can't specify this property with an IP address range. If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional. |
| to_port | Int | No | The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
}
let sg = awscc.ec2_security_group {
name = "example-sg"
vpc_id = vpc.vpc_id
group_description = "Example security group"
}
awscc.ec2_security_group_ingress {
name = "example-https-ingress"
group_id = sg.group_id
description = "Allow HTTPS from VPC"
ip_protocol = "tcp"
from_port = 443
to_port = 443
cidr_ip = "10.0.0.0/16"
}
awscc.ec2_security_group_egress
CloudFormation Type: AWS::EC2::SecurityGroupEgress
Adds the specified outbound (egress) rule to a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules. You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| cidr_ip | String | No | The IPv4 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide. |
| cidr_ipv6 | String | No | The IPv6 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide. |
| description | String | No | The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$* |
| destination_prefix_list_id | String | No | The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. |
| destination_security_group_id | String | No | The ID of the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. |
| from_port | Int | No | If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types). |
| group_id | String | Yes | The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID. |
| id | String | (read-only) | |
| ip_protocol | Enum (IpProtocol) | Yes | The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed. |
| to_port | Int | No | If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes). |
Enum Values
ip_protocol (IpProtocol)
| Value | DSL Identifier |
|---|---|
| tcp | awscc.ec2_security_group_egress.IpProtocol.tcp |
| udp | awscc.ec2_security_group_egress.IpProtocol.udp |
| icmp | awscc.ec2_security_group_egress.IpProtocol.icmp |
| icmpv6 | awscc.ec2_security_group_egress.IpProtocol.icmpv6 |
| -1 | awscc.ec2_security_group_egress.IpProtocol.-1 |
Shorthand formats: tcp or IpProtocol.tcp
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
}
let sg = awscc.ec2_security_group {
name = "example-sg"
vpc_id = vpc.vpc_id
group_description = "Example security group"
}
awscc.ec2_security_group_egress {
name = "example-all-outbound"
group_id = sg.group_id
description = "Allow all outbound traffic"
ip_protocol = "-1"
cidr_ip = "0.0.0.0/0"
}
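The example above is the permissive shape (all protocols, all ports, to 0.0.0.0/0). The attribute table spells out the constraints the Cloud Control API enforces (exactly one destination, a mandatory port range for tcp/udp/icmp, -1 semantics for ICMP), and the check below applies them to rules written with the same attribute names, then flags the allow-all shape next to a least-privilege alternative that permits only HTTPS to the security group of a VPC endpoint. This is an added example, not Carina's parser or any of the project's code; the security group and prefix list IDs are constructed placeholders.

```python
"""Check security group egress rules against the constraints documented above
and flag rules that allow all traffic anywhere.

Added example, not part of Carina: the dicts use the attribute names from the
awscc.ec2_security_group_egress table, and all IDs are constructed placeholders.
"""
from ipaddress import ip_network

DESTINATION_KEYS = ("cidr_ip", "cidr_ipv6",
                    "destination_prefix_list_id", "destination_security_group_id")
PORT_RANGE_REQUIRED = {"tcp", "udp", "icmp"}   # icmpv6 may omit the range


def validate_egress(rule: dict) -> list[str]:
    """Return the constraint violations for one rule (empty list means valid)."""
    errors = []
    if not rule.get("group_id"):
        errors.append("group_id is required")
    proto = str(rule.get("ip_protocol", ""))
    if not proto:
        errors.append("ip_protocol is required")
    destinations = [k for k in DESTINATION_KEYS if rule.get(k)]
    if len(destinations) != 1:
        errors.append("exactly one of cidr_ip, cidr_ipv6, destination_prefix_list_id, "
                      f"destination_security_group_id must be set (got {destinations})")
    for key in ("cidr_ip", "cidr_ipv6"):
        if rule.get(key):
            try:
                ip_network(rule[key])      # strict by default: rejects host bits set
            except ValueError as exc:
                errors.append(f"{key}: {exc}")
    from_port, to_port = rule.get("from_port"), rule.get("to_port")
    if proto in PORT_RANGE_REQUIRED and (from_port is None or to_port is None):
        errors.append(f"{proto} requires from_port and to_port")
    if proto in ("tcp", "udp") and None not in (from_port, to_port) \
            and not 0 <= from_port <= to_port <= 65535:
        errors.append("port range must satisfy 0 <= from_port <= to_port <= 65535")
    if proto in ("icmp", "icmpv6") and from_port == -1 and to_port != -1:
        errors.append("from_port -1 (all ICMP types) requires to_port -1 (all codes)")
    return errors


def is_allow_all(rule: dict) -> bool:
    """True for a rule that permits every port to every address: the shape of
    the "allow all outbound" example and what an egress review should flag.
    -1 means all protocols and all ports regardless of any range given."""
    proto = str(rule.get("ip_protocol", ""))
    full_tcp_udp_range = (proto in ("tcp", "udp")
                          and rule.get("from_port") == 0 and rule.get("to_port") == 65535)
    all_ports = proto == "-1" or full_tcp_udp_range
    any_dest = rule.get("cidr_ip") == "0.0.0.0/0" or rule.get("cidr_ipv6") == "::/0"
    return all_ports and any_dest


# Constructed rules: the page's "allow all outbound" shape and a least-privilege
# alternative that only permits HTTPS to the security group of a VPC endpoint.
ALL_OUTBOUND = {"group_id": "sg-0123456789abcdef0", "ip_protocol": "-1",
                "cidr_ip": "0.0.0.0/0"}
HTTPS_TO_ENDPOINT_SG = {"group_id": "sg-0123456789abcdef0", "ip_protocol": "tcp",
                        "from_port": 443, "to_port": 443,
                        "destination_security_group_id": "sg-0fedcba9876543210"}

if __name__ == "__main__":
    for name, rule in (("all-outbound", ALL_OUTBOUND), ("https-to-endpoint", HTTPS_TO_ENDPOINT_SG)):
        print(name, validate_egress(rule) or "valid", "ALLOW-ALL" if is_allow_all(rule) else "")
```

Both constructed rules are valid, but only the first is flagged; a rule that sets two destinations, a CIDR with host bits set, or tcp without a port range comes back with one error per violated constraint rather than failing at apply time.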
awscc.ec2_vpc_endpoint
CloudFormation Type: AWS::EC2::VPCEndpoint
Specifies a VPC endpoint. A VPC endpoint provides a private connection between your VPC and an endpoint service. You can use an endpoint service provided by AWS, by an AWS Marketplace Partner, or by another AWS account in your organization. For more information, see the User Guide.
An endpoint of type Interface establishes connections between the subnets in your VPC and an AWS service, your own service, or a service hosted by another AWS account. With an interface VPC endpoint, you specify the subnets in which to create the endpoint and the security groups to associate with the endpoint network interfaces.
An endpoint of type Gateway serves as a target for a route in your route table for traffic destined for Amazon S3 or DynamoDB. You can specify an endpoint policy for the endpoint, which controls access to the service from your VPC. You can also specify the VPC route tables that use the endpoint. For more information about connectivity to S3, see Why can’t I connect to an S3 bucket using a gateway VPC endpoint?
An endpoint of type GatewayLoadBalancer provides private connectivity between your VPC and virtual appliances from a service provider.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| creation_timestamp | String | (read-only) | |
| dns_entries | List | (read-only) | |
| dns_options | String | No | Describes the DNS options for an endpoint. |
| id | String | (read-only) | |
| ip_address_type | Enum (IpAddressType) | No | The supported IP address types. |
| network_interface_ids | List | (read-only) | |
| policy_document | String | No | An endpoint policy that controls access to the service from the VPC, supplied as a JSON policy document string. The default endpoint policy allows full access to the service. Endpoint policies are supported only for gateway and interface endpoints. |
| private_dns_enabled | Bool | No | Indicates whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, kinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service. To use a private hosted zone, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. This property is supported only for interface endpoints. Default: false |
| resource_configuration_arn | String | No | The Amazon Resource Name (ARN) of the resource configuration (Resource endpoints). |
| route_table_ids | List | No | The IDs of the route tables. Routing is supported only for gateway endpoints. |
| security_group_ids | List | No | The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, the default security group for the VPC is used. Security groups are supported only for interface endpoints. |
| service_name | String | No | The name of the endpoint service (for example, com.amazonaws.ap-northeast-1.ecr.dkr). |
| service_network_arn | String | No | The Amazon Resource Name (ARN) of the service network (ServiceNetwork endpoints). |
| service_region | String | No | The Region in which the endpoint service is hosted. Defaults to the Region of the endpoint itself. |
| subnet_ids | List | No | The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can’t specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet. |
| tags | Map | No | The tags to associate with the endpoint. |
| vpc_endpoint_type | Enum (VpcEndpointType) | No | The type of endpoint. Default: Gateway |
| vpc_id | String | Yes | The ID of the VPC. |
Enum Values
ip_address_type (IpAddressType)
| Value | DSL Identifier |
|---|---|
| ipv4 | awscc.ec2_vpc_endpoint.IpAddressType.ipv4 |
| ipv6 | awscc.ec2_vpc_endpoint.IpAddressType.ipv6 |
| dualstack | awscc.ec2_vpc_endpoint.IpAddressType.dualstack |
| not-specified | awscc.ec2_vpc_endpoint.IpAddressType.not-specified |
Shorthand formats: ipv4 or IpAddressType.ipv4
vpc_endpoint_type (VpcEndpointType)
| Value | DSL Identifier |
|---|---|
| Interface | awscc.ec2_vpc_endpoint.VpcEndpointType.Interface |
| Gateway | awscc.ec2_vpc_endpoint.VpcEndpointType.Gateway |
| GatewayLoadBalancer | awscc.ec2_vpc_endpoint.VpcEndpointType.GatewayLoadBalancer |
| ServiceNetwork | awscc.ec2_vpc_endpoint.VpcEndpointType.ServiceNetwork |
| Resource | awscc.ec2_vpc_endpoint.VpcEndpointType.Resource |
Shorthand formats: Interface or VpcEndpointType.Interface
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
let subnet = awscc.ec2_subnet {
name = "example-private-subnet"
vpc_id = vpc.vpc_id
cidr_block = "10.0.100.0/24"
availability_zone = "ap-northeast-1a"
}
let sg = awscc.ec2_security_group {
name = "example-endpoint-sg"
vpc_id = vpc.vpc_id
group_description = "SG for VPC Endpoint"
}
awscc.ec2_security_group_ingress {
name = "example-endpoint-https"
group_id = sg.group_id
description = "Allow HTTPS from VPC"
ip_protocol = "tcp"
from_port = 443
to_port = 443
cidr_ip = "10.0.0.0/16"
}
awscc.ec2_vpc_endpoint {
name = "example-ecr-dkr"
vpc_id = vpc.vpc_id
service_name = "com.amazonaws.ap-northeast-1.ecr.dkr"
vpc_endpoint_type = "Interface"
subnet_ids = [subnet.subnet_id]
security_group_ids = [sg.group_id]
private_dns_enabled = true
}
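The example above leaves policy_document unset, so the endpoint carries the default full-access policy: any principal can use it for any ECR action, which turns the endpoint into a path for pushing data to an attacker-owned repository from a compromised instance. The code below, an added example and not Carina's own, builds a least-privilege policy for the ecr.dkr endpoint as the JSON string policy_document expects, audits a policy for the unscoped Principal "*" and wildcard Action shapes, and applies the per-type constraints stated in the attribute table (private DNS only on Interface endpoints and only with both VPC DNS attributes enabled, subnets and security groups for interface endpoints, route tables for gateway endpoints). The organisation ID, the endpoint dict and the VPC dict are constructed placeholders whose keys mirror the DSL attribute names.

```python
"""Build and audit a VPC endpoint policy, and check endpoint-type constraints.

Added example, not Carina's code. policy_document is typed String, so the
policy travels as a JSON string; ORG_ID and the dicts are constructed.
"""
import json

ORG_ID = "o-exampleorgid"  # constructed placeholder


def ecr_pull_policy(org_id: str = ORG_ID) -> str:
    """Least-privilege policy for an ecr.dkr interface endpoint: only the
    actions needed to pull images, and only for principals in our organisation."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgPrincipalsPullOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                       "ecr:BatchCheckLayerAvailability"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }
    return json.dumps(policy, separators=(",", ":"))


SCOPING_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:principalarn"}


def audit_endpoint_policy(policy_json: str) -> list[str]:
    """Flag Allow statements usable by any AWS principal without a
    principal-scoping Condition, and statements granting wildcard actions."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        any_principal = stmt.get("Principal") in ("*", {"AWS": "*"})
        condition_keys = {key.lower()
                          for operator_block in stmt.get("Condition", {}).values()
                          for key in operator_block}   # IAM condition keys are case-insensitive
        if any_principal and not condition_keys & SCOPING_KEYS:
            findings.append(f"{sid}: Principal * without a principal-scoping Condition")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action {actions}")
    return findings


def check_endpoint(endpoint: dict, vpc: dict) -> list[str]:
    """Apply the per-type constraints from the attribute table."""
    errors = []
    kind = endpoint.get("vpc_endpoint_type", "Gateway")   # documented default
    if kind == "Gateway":
        if endpoint.get("subnet_ids"):
            errors.append("subnet_ids cannot be set on a Gateway endpoint")
        if endpoint.get("security_group_ids"):
            errors.append("security_group_ids are supported only for Interface endpoints")
    else:
        if kind in ("Interface", "GatewayLoadBalancer") and not endpoint.get("subnet_ids"):
            errors.append(f"subnet_ids is required for a {kind} endpoint")
        if endpoint.get("route_table_ids"):
            errors.append("route_table_ids are supported only for Gateway endpoints")
    if endpoint.get("private_dns_enabled"):
        if kind != "Interface":
            errors.append("private_dns_enabled is supported only for Interface endpoints")
        if not (vpc.get("enable_dns_support") and vpc.get("enable_dns_hostnames")):
            errors.append("private_dns_enabled requires enable_dns_support and "
                          "enable_dns_hostnames on the VPC")
    return errors


# Constructed inputs mirroring the example above, plus the default full-access policy.
VPC = {"enable_dns_support": True, "enable_dns_hostnames": True}
ECR_ENDPOINT = {"vpc_endpoint_type": "Interface",
                "service_name": "com.amazonaws.ap-northeast-1.ecr.dkr",
                "subnet_ids": ["subnet-0123456789abcdef0"],
                "security_group_ids": ["sg-0123456789abcdef0"],
                "private_dns_enabled": True,
                "policy_document": ecr_pull_policy()}
DEFAULT_FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
```

An endpoint policy cannot name principals directly the way a resource policy can, so "Principal": "*" is normal; what makes it safe is the aws:PrincipalOrgID (or aws:PrincipalAccount / aws:PrincipalArn) condition, which is exactly what the audit looks for. Note that the audit only reads the policy; it says nothing about whether the endpoint's security group restricts who can reach it, which the security_group_ids attribute covers.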
awscc.ec2_vpc_gateway_attachment
CloudFormation Type: AWS::EC2::VPCGatewayAttachment
Attaches an internet gateway or a virtual private gateway to a VPC.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| attachment_type | String | (read-only) | |
| internet_gateway_id | String | No | The ID of the internet gateway. You must specify either InternetGatewayId or VpnGatewayId, but not both. |
| vpc_id | String | Yes | The ID of the VPC. |
| vpn_gateway_id | String | No | The ID of the virtual private gateway. You must specify either InternetGatewayId or VpnGatewayId, but not both. |
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
}
let igw = awscc.ec2_internet_gateway {
name = "example-igw"
}
awscc.ec2_vpc_gateway_attachment {
name = "example-igw-attachment"
vpc_id = vpc.vpc_id
internet_gateway_id = igw.internet_gateway_id
}
awscc.ec2_flow_log
CloudFormation Type: AWS::EC2::FlowLog
Specifies a VPC flow log, which enables you to capture IP traffic for a specific network interface, subnet, or VPC.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| deliver_cross_account_role | String | No | The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. |
| deliver_logs_permission_arn | String | No | The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName. |
| destination_options | Map | No | Options for an Amazon S3 destination: the file format (plain text or Parquet), Hive-compatible partitions, and per-hour partitioning. |
| id | String | (read-only) | |
| log_destination | String | No | Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value depends on LogDestinationType: a log group ARN for cloud-watch-logs, a bucket ARN (optionally with a key prefix) for s3, or a delivery stream ARN for kinesis-data-firehose. |
| log_destination_type | Enum (LogDestinationType) | No | Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs, Amazon S3, or Kinesis Firehose. Default: cloud-watch-logs |
| log_format | String | No | The fields to include in the flow log record, in the order in which they should appear, written as space-separated ${field} placeholders. If omitted, the default format is used. |
| log_group_name | String | No | The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName. |
| max_aggregation_interval | Int | No | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600 |
| resource_id | String | Yes | The ID of the subnet, network interface, or VPC for which you want to create a flow log. |
| resource_type | Enum (ResourceType) | Yes | The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property. |
| tags | Map | No | The tags to apply to the flow logs. |
| traffic_type | Enum (TrafficType) | No | The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic. Default: ALL |
Enum Values
log_destination_type (LogDestinationType)
| Value | DSL Identifier |
|---|---|
| cloud-watch-logs | awscc.ec2_flow_log.LogDestinationType.cloud-watch-logs |
| s3 | awscc.ec2_flow_log.LogDestinationType.s3 |
| kinesis-data-firehose | awscc.ec2_flow_log.LogDestinationType.kinesis-data-firehose |
Shorthand formats: cloud-watch-logs or LogDestinationType.cloud-watch-logs
resource_type (ResourceType)
| Value | DSL Identifier |
|---|---|
| NetworkInterface | awscc.ec2_flow_log.ResourceType.NetworkInterface |
| Subnet | awscc.ec2_flow_log.ResourceType.Subnet |
| VPC | awscc.ec2_flow_log.ResourceType.VPC |
| TransitGateway | awscc.ec2_flow_log.ResourceType.TransitGateway |
| TransitGatewayAttachment | awscc.ec2_flow_log.ResourceType.TransitGatewayAttachment |
| RegionalNatGateway | awscc.ec2_flow_log.ResourceType.RegionalNatGateway |
Shorthand formats: NetworkInterface or ResourceType.NetworkInterface
traffic_type (TrafficType)
| Value | DSL Identifier |
|---|---|
| ACCEPT | awscc.ec2_flow_log.TrafficType.ACCEPT |
| ALL | awscc.ec2_flow_log.TrafficType.ALL |
| REJECT | awscc.ec2_flow_log.TrafficType.REJECT |
Shorthand formats: ACCEPT or TrafficType.ACCEPT
Example
let vpc = awscc.ec2_vpc {
name = "example-vpc"
cidr_block = "10.0.0.0/16"
}
awscc.ec2_flow_log {
name = "example-flow-log"
resource_id = vpc.vpc_id
resource_type = VPC
traffic_type = ALL
log_destination_type = s3
log_destination = "arn:aws:s3:::example-flow-logs-bucket"
tags = {
Environment = "example"
}
}
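The flow log above captures ALL traffic for the VPC and delivers it to S3, but the page does not show what the records look like once you pull them down or how a detection consumes them. The code below is an added example, not part of Carina: it parses records laid out in the default log_format (the same ${field} placeholder syntax the log_format attribute takes, so a custom format can be passed in unchanged), skips NODATA/SKIPDATA rows, and runs two simple checks over them: sources whose rejected flows probed several distinct ports, and accepted bytes per destination. The account ID, interface ID, addresses and byte counts in the sample records are constructed.

```python
"""Parse VPC flow log records and surface rejected and high-volume traffic.

Added example, not part of Carina. A flow log with traffic_type = ALL and the
default log_format delivers records in the field order below; the sample
records are constructed and include one NODATA row, which carries '-' in
every traffic field and must not be counted.
"""
from collections import defaultdict

DEFAULT_LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
    "${action} ${log-status}"
)

SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f60789 10.0.100.12 10.0.100.45 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60789 10.0.100.12 198.51.100.9 49153 443 6 40 120000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60789 203.0.113.7 10.0.100.45 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 203.0.113.7 10.0.100.45 51001 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 203.0.113.7 10.0.100.45 51002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 203.0.113.7 10.0.100.45 51003 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60789 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text: str, log_format: str = DEFAULT_LOG_FORMAT) -> list[dict]:
    """Split space-separated records into dicts keyed by the ${field} names of
    log_format. A record with the wrong field count is a parsing error, not
    something to silently drop, since a truncated log hides traffic."""
    fields = [token[2:-1] for token in log_format.split()]
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def rejected_port_probes(records: list[dict], min_ports: int = 3) -> dict[str, list[int]]:
    """Sources whose REJECTed flows touched at least min_ports distinct
    destination ports, a simple port-scan indicator. Only log-status OK rows
    describe real traffic; NODATA and SKIPDATA rows are ignored."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["log-status"] == "OK":
            ports[rec["srcaddr"]].add(int(rec["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def bytes_by_destination(records: list[dict]) -> dict[str, int]:
    """Accepted bytes per destination address, for spotting an unexpected
    egress sink (here the constructed 198.51.100.9) in a private subnet."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT" and rec["log-status"] == "OK":
            totals[rec["dstaddr"]] += int(rec["bytes"])
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("port probes:", rejected_port_probes(recs))
    print("bytes by destination:", bytes_by_destination(recs))
```

Setting traffic_type to REJECT only would keep the port-probe check working but blind the byte-count check, which is why ALL is the usual choice when the logs feed detection rather than just troubleshooting; the aggregation interval (60 or 600 seconds) bounds how quickly either check can fire.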