Carina

A strongly typed infrastructure management tool written in Rust.

Key Features

• Custom DSL for infrastructure definition (.crn files)
• Effects as Values - side effects are represented as data, inspectable before execution
• Strong Typing - resource attributes are validated at parse time
• Provider Architecture - pluggable providers (AWS, AWSCC)
• Modules - reusable infrastructure components
• State Management - S3 backend for remote state
• LSP Support - editor integration with completions and diagnostics

Quick Start

# Build from source
cargo build --release

# Validate a configuration
cargo run --bin carina -- validate example.crn

# Preview changes
aws-vault exec <profile> -- cargo run --bin carina -- plan example.crn

# Apply changes
aws-vault exec <profile> -- cargo run --bin carina -- apply example.crn

Providers

• AWSCC Provider - AWS Cloud Control API provider

For more details, see the README.

AWSCC Provider

The awscc provider manages AWS resources through the AWS Cloud Control API.

Configuration

provider awscc {
  region = awscc.Region.ap_northeast_1
}

Usage

Resources are defined using the awscc.<service>.<resource_type> syntax:

let vpc = awscc.ec2.vpc {
  name       = "my-vpc"
  cidr_block = "10.0.0.0/16"
  tags = {
    Environment = "production"
  }
}

Named resources (using let) can be referenced by other resources:

let subnet = awscc.ec2.subnet {
  name              = "my-subnet"
  vpc_id            = vpc.vpc_id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "ap-northeast-1a"
}

Enum Values

Some attributes accept enum values. These can be specified in three formats:

• Bare value: instance_tenancy = default
• TypeName.value: instance_tenancy = InstanceTenancy.default
• Full namespace: instance_tenancy = awscc.ec2.vpc.InstanceTenancy.default

awscc.ec2.egress_only_internet_gateway

CloudFormation Type: AWS::EC2::EgressOnlyInternetGateway

Resource Type definition for AWS::EC2::EgressOnlyInternetGateway

Example

let vpc = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

awscc.ec2.egress_only_internet_gateway {
  vpc_id = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

Argument Reference

tags

• Type: Map
• Required: No

Any tags assigned to the egress only internet gateway.

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC for which to create the egress-only internet gateway.

Attribute Reference

id

• Type: EgressOnlyInternetGatewayId

awscc.ec2.eip

CloudFormation Type: AWS::EC2::EIP

Specifies an Elastic IP (EIP) address and can, optionally, associate it with an Amazon EC2 instance. You can allocate an Elastic IP address from an address pool owned by AWS or from an address pool created from a public IPv4 address range that you have brought to AWS for use with your AWS resources using bring your own IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP) in the Amazon EC2 User Guide. For more information, see Elastic IP Addresses in the Amazon EC2 User Guide.

Example

awscc.ec2.eip {
  domain = "vpc"

  tags = {
    Environment = "example"
  }
}

Argument Reference

address

• Type: Ipv4Address
• Required: No

domain

• Type: Enum (Domain)
• Required: No

The network (vpc). If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the DependsOn Attribute on this resource.

instance_id

• Type: InstanceId
• Required: No

The ID of the instance. Updates to the InstanceId property may require some interruptions. Updates on an EIP reassociates the address on its associated resource.

ipam_pool_id

• Type: IpamPoolId
• Required: No

network_border_group

• Type: String
• Required: No

A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use DescribeAvailabilityZones to view the network border groups.

public_ipv4_pool

• Type: String
• Required: No

The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool. Updates to the PublicIpv4Pool property may require some interruptions. Updates on an EIP reassociates the address on its associated resource.

tags

• Type: Map
• Required: No

Any tags assigned to the Elastic IP address. Updates to the Tags property may require some interruptions. Updates on an EIP reassociates the address on its associated resource.

transfer_address

• Type: Ipv4Address
• Required: No

The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see Transfer Elastic IP addresses in the Amazon Virtual Private Cloud User Guide.

Enum Values

domain (Domain)

Shorthand formats: vpc or Domain.vpc

Attribute Reference

allocation_id

• Type: AllocationId

public_ip

• Type: Ipv4Address

awscc.ec2.flow_log

CloudFormation Type: AWS::EC2::FlowLog

Specifies a VPC flow log, which enables you to capture IP traffic for a specific network interface, subnet, or VPC.

Example

let vpc = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

awscc.ec2.flow_log {
  resource_id          = vpc.vpc_id
  resource_type        = VPC
  traffic_type         = ALL
  log_destination_type = s3
  log_destination      = "arn:aws:s3:::example-flow-logs-bucket"

  tags = {
    Environment = "example"
  }
}

Argument Reference

deliver_cross_account_role

• Type: IamRoleArn
• Required: No

The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts.

deliver_logs_permission_arn

• Type: IamRoleArn
• Required: No

The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.

destination_options

• Type: Struct(DestinationOptions)
• Required: No

log_destination

• Type: Arn
• Required: No

Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType.

log_destination_type

• Type: Enum (LogDestinationType)
• Required: No

Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3.

log_format

• Type: String
• Required: No

The fields to include in the flow log record, in the order in which they should appear.

log_group_name

• Type: String
• Required: No

The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName.

max_aggregation_interval

• Type: IntEnum([60, 600])
• Required: No

The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes).

resource_id

• Type: String
• Required: Yes

The ID of the subnet, network interface, or VPC for which you want to create a flow log.

resource_type

• Type: Enum (ResourceType)
• Required: Yes

The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property.

tags

• Type: Map
• Required: No

The tags to apply to the flow logs.

traffic_type

• Type: Enum (TrafficType)
• Required: No

The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic.

Enum Values

file_format (FileFormat)

Shorthand formats: plain_text or FileFormat.plain_text

log_destination_type (LogDestinationType)

Shorthand formats: cloud_watch_logs or LogDestinationType.cloud_watch_logs

resource_type (ResourceType)

Shorthand formats: NetworkInterface or ResourceType.NetworkInterface

traffic_type (TrafficType)

Shorthand formats: ACCEPT or TrafficType.ACCEPT

Struct Definitions

DestinationOptions

Attribute Reference

id

• Type: FlowLogId

awscc.ec2.internet_gateway

CloudFormation Type: AWS::EC2::InternetGateway

Allocates an internet gateway for use with a VPC. After creating the Internet gateway, you then attach it to a VPC.

Example

awscc.ec2.internet_gateway {
  tags = {
    Environment = "example"
  }
}

Argument Reference

tags

• Type: Map
• Required: No

Any tags to assign to the internet gateway.

Attribute Reference

internet_gateway_id

• Type: InternetGatewayId

awscc.ec2.ipam_pool

CloudFormation Type: AWS::EC2::IPAMPool

Resource Schema of AWS::EC2::IPAMPool Type

Example

let ipam = awscc.ec2.ipam {
  description = "Example IPAM"
  tier        = free

  operating_region {
    region_name = "ap-northeast-1"
  }
}

awscc.ec2.ipam_pool {
  ipam_scope_id  = ipam.private_default_scope_id
  address_family = "IPv4"
  locale         = "ap-northeast-1"
  description    = "Example IPv4 IPAM Pool"

  provisioned_cidr {
    cidr = "10.0.0.0/8"
  }

  tags = {
    Environment = "example"
  }
}

Argument Reference

address_family

• Type: Enum (AddressFamily)
• Required: Yes

The address family of the address space in this pool. Either IPv4 or IPv6.

allocation_default_netmask_length

• Type: Int
• Required: No

The default netmask length for allocations made from this pool. This value is used when the netmask length of an allocation isn’t specified.

allocation_max_netmask_length

• Type: Int
• Required: No

The maximum allowed netmask length for allocations made from this pool.

allocation_min_netmask_length

• Type: Int
• Required: No

The minimum allowed netmask length for allocations made from this pool.

allocation_resource_tags

• Type: List<Map>
• Required: No

When specified, an allocation will not be allowed unless a resource has a matching set of tags.

auto_import

• Type: Bool
• Required: No

Determines what to do if IPAM discovers resources that haven’t been assigned an allocation. If set to true, an allocation will be made automatically.

aws_service

• Type: Enum (AwsService)
• Required: No

Limits which service in Amazon Web Services that the pool can be used in.

description

• Type: String
• Required: No

ipam_scope_id

• Type: String
• Required: Yes

The Id of the scope this pool is a part of.

locale

• Type: Region
• Required: No

The region of this pool. If not set, this will default to “None” which will disable non-custom allocations. If the locale has been specified for the source pool, this value must match.

provisioned_cidrs

• Type: List<ProvisionedCidr>
• Required: No

A list of cidrs representing the address space available for allocation in this pool.

public_ip_source

• Type: Enum (PublicIpSource)
• Required: No

The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is byoip.

publicly_advertisable

• Type: Bool
• Required: No

Determines whether or not address space from this pool is publicly advertised. Must be set if and only if the pool is IPv6.

source_ipam_pool_id

• Type: IpamPoolId
• Required: No

The Id of this pool’s source. If set, all space provisioned in this pool must be free space provisioned in the parent pool.

source_resource

• Type: Struct(SourceResource)
• Required: No

tags

• Type: Map
• Required: No

An array of key-value pairs to apply to this resource.

Enum Values

address_family (AddressFamily)

Shorthand formats: IPv4 or AddressFamily.IPv4

aws_service (AwsService)

Shorthand formats: ec2 or AwsService.ec2

ipam_scope_type (IpamScopeType)

Shorthand formats: public or IpamScopeType.public

public_ip_source (PublicIpSource)

Shorthand formats: byoip or PublicIpSource.byoip

state (State)

Shorthand formats: create_in_progress or State.create_in_progress

Struct Definitions

ProvisionedCidr

SourceResource

Attribute Reference

arn

• Type: Arn

ipam_arn

• Type: Arn

ipam_pool_id

• Type: IpamPoolId

ipam_scope_arn

• Type: Arn

ipam_scope_type

• Type: Enum (IpamScopeType)

pool_depth

• Type: Int

state

• Type: Enum (State)

state_message

• Type: String

awscc.ec2.ipam

CloudFormation Type: AWS::EC2::IPAM

Resource Schema of AWS::EC2::IPAM Type

Example

awscc.ec2.ipam {
  description = "Example IPAM"
  tier        = free

  operating_region {
    region_name = "ap-northeast-1"
  }

  tags = {
    Environment = "example"
  }
}

Argument Reference

default_resource_discovery_organizational_unit_exclusions

• Type: List<IpamOrganizationalUnitExclusion>
• Required: No

A set of organizational unit (OU) exclusions for the default resource discovery, created with this IPAM.

description

• Type: String
• Required: No

enable_private_gua

• Type: Bool
• Required: No

Enable provisioning of GUA space in private pools.

metered_account

• Type: Enum (MeteredAccount)
• Required: No

A metered account is an account that is charged for active IP addresses managed in IPAM

operating_regions

• Type: List<IpamOperatingRegion>
• Required: No

The regions IPAM is enabled for. Allows pools to be created in these regions, as well as enabling monitoring

tags

• Type: Map
• Required: No

An array of key-value pairs to apply to this resource.

tier

• Type: Enum (Tier)
• Required: No

The tier of the IPAM.

Enum Values

metered_account (MeteredAccount)

Shorthand formats: ipam_owner or MeteredAccount.ipam_owner

tier (Tier)

Shorthand formats: free or Tier.free

Struct Definitions

IpamOperatingRegion

IpamOrganizationalUnitExclusion

Attribute Reference

arn

• Type: Arn

default_resource_discovery_association_id

• Type: String

default_resource_discovery_id

• Type: String

ipam_id

• Type: IpamId

private_default_scope_id

• Type: String

public_default_scope_id

• Type: String(len: ..=255)

resource_discovery_association_count

• Type: Int

scope_count

• Type: Int

awscc.ec2.nat_gateway

CloudFormation Type: AWS::EC2::NatGateway

Specifies a network address translation (NAT) gateway in the specified subnet. You can create either a public NAT gateway or a private NAT gateway. The default is a public NAT gateway. If you create a public NAT gateway, you must specify an elastic IP address. With a NAT gateway, instances in a private subnet can connect to the internet, other AWS services, or an on-premises network using the IP address of the NAT gateway. For more information, see NAT gateways in the Amazon VPC User Guide. If you add a default route (AWS::EC2::Route resource) that points to a NAT gateway, specify the NAT gateway ID for the route’s NatGatewayId property. When you associate an Elastic IP address or secondary Elastic IP address with a public NAT gateway, the network border group of the Elastic IP address must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. Otherwise, the NAT gateway fails to launch. You can see the network border group for the AZ by viewing the details of the subnet. Similarly, you can view the network border group for the Elastic IP address by viewing its details. For more information, see Allocate an Elastic IP address in the Amazon VPC User Guide.

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

let public_subnet = awscc.ec2.subnet {
  vpc_id                  = vpc.vpc_id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "ap-northeast-1a"
  map_public_ip_on_launch = true
}

let eip = awscc.ec2.eip {
  domain = "vpc"
}

awscc.ec2.nat_gateway {
  allocation_id = eip.allocation_id
  subnet_id     = public_subnet.subnet_id

  tags = {
    Environment = "example"
  }
}

Argument Reference

allocation_id

• Type: AllocationId
• Required: No

[Public NAT gateway only] The allocation ID of the Elastic IP address that’s associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway.

availability_mode

• Type: Enum (AvailabilityMode)
• Required: No

Indicates whether this is a zonal (single-AZ) or regional (multi-AZ) NAT gateway. A zonal NAT gateway is a NAT Gateway that provides redundancy and scalability within a single availability zone. A regional NAT gateway is a single NAT Gateway that works across multiple availability zones (AZs) in your VPC, providing redundancy, scalability and availability across all the AZs in a Region. For more information, see Regional NAT gateways for automatic multi-AZ expansion in the Amazon VPC User Guide.

availability_zone_addresses

• Type: List<AvailabilityZoneAddress>
• Required: No

For regional NAT gateways only: Specifies which Availability Zones you want the NAT gateway to support and the Elastic IP addresses (EIPs) to use in each AZ. The regional NAT gateway uses these EIPs to handle outbound NAT traffic from their respective AZs. If not specified, the NAT gateway will automatically expand to new AZs and associate EIPs upon detection of an elastic network interface. If you specify this parameter, auto-expansion is disabled and you must manually manage AZ coverage. A regional NAT gateway is a single NAT Gateway that works across multiple availability zones (AZs) in your VPC, providing redundancy, scalability and availability across all the AZs in a Region. For more information, see Regional NAT gateways for automatic multi-AZ expansion in the Amazon VPC User Guide.

connectivity_type

• Type: Enum (ConnectivityType)
• Required: No

Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity.

max_drain_duration_seconds

• Type: Int
• Required: No

The maximum amount of time to wait (in seconds) before forcibly releasing the IP addresses if connections are still in progress. Default value is 350 seconds.

private_ip_address

• Type: Ipv4Address
• Required: No

The private IPv4 address to assign to the NAT gateway. If you don’t provide an address, a private IPv4 address will be automatically assigned.

secondary_allocation_ids

• Type: List<AllocationId>
• Required: No

Secondary EIP allocation IDs. For more information, see Create a NAT gateway in the Amazon VPC User Guide.

secondary_private_ip_address_count

• Type: Int(1..)
• Required: No

[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time.

secondary_private_ip_addresses

• Type: List<Ipv4Address>
• Required: No

Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon Virtual Private Cloud User Guide. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time.

subnet_id

• Type: SubnetId
• Required: No

The ID of the subnet in which the NAT gateway is located.

tags

• Type: Map
• Required: No

The tags for the NAT gateway.

vpc_id

• Type: VpcId
• Required: No

The ID of the VPC in which the NAT gateway is located.

Enum Values

availability_mode (AvailabilityMode)

Shorthand formats: zonal or AvailabilityMode.zonal

connectivity_type (ConnectivityType)

Shorthand formats: public or ConnectivityType.public

Struct Definitions

AvailabilityZoneAddress

Attribute Reference

auto_provision_zones

• Type: String

auto_scaling_ips

• Type: String

eni_id

• Type: NetworkInterfaceId

nat_gateway_id

• Type: NatGatewayId

route_table_id

• Type: RouteTableId

awscc.ec2.route_table

CloudFormation Type: AWS::EC2::RouteTable

Specifies a route table for the specified VPC. After you create a route table, you can add routes and associate the table with a subnet. For more information, see Route tables in the Amazon VPC User Guide.

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

awscc.ec2.route_table {
  vpc_id = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

Argument Reference

tags

• Type: Map
• Required: No

Any tags assigned to the route table.

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC.

Attribute Reference

route_table_id

• Type: RouteTableId

awscc.ec2.route

CloudFormation Type: AWS::EC2::Route

Specifies a route in a route table. For more information, see Routes in the Amazon VPC User Guide. You must specify either a destination CIDR block or prefix list ID. You must also specify exactly one of the resources as the target. If you create a route that references a transit gateway in the same template where you create the transit gateway, you must declare a dependency on the transit gateway attachment. The route table cannot use the transit gateway until it has successfully attached to the VPC. Add a DependsOn Attribute in the AWS::EC2::Route resource to explicitly declare a dependency on the AWS::EC2::TransitGatewayAttachment resource.

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

let igw = awscc.ec2.internet_gateway {}

let igw_attachment = awscc.ec2.vpc_gateway_attachment {
  vpc_id              = vpc.vpc_id
  internet_gateway_id = igw.internet_gateway_id
}

let rt = awscc.ec2.route_table {
  vpc_id = vpc.vpc_id
}

awscc.ec2.route {
  route_table_id         = rt.route_table_id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = igw_attachment.internet_gateway_id
}

Argument Reference

carrier_gateway_id

• Type: CarrierGatewayId
• Required: No

The ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.

core_network_arn

• Type: Arn
• Required: No

The Amazon Resource Name (ARN) of the core network.

destination_cidr_block

• Type: Ipv4Cidr
• Required: No

The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18.

destination_ipv6_cidr_block

• Type: Ipv6Cidr
• Required: No

The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.

destination_prefix_list_id

• Type: PrefixListId
• Required: No

The ID of a prefix list used for the destination match.

egress_only_internet_gateway_id

• Type: EgressOnlyInternetGatewayId
• Required: No

[IPv6 traffic only] The ID of an egress-only internet gateway.

gateway_id

• Type: GatewayId
• Required: No

The ID of an internet gateway or virtual private gateway attached to your VPC.

instance_id

• Type: InstanceId
• Required: No

The ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached.

local_gateway_id

• Type: LocalGatewayId
• Required: No

The ID of the local gateway.

nat_gateway_id

• Type: NatGatewayId
• Required: No

[IPv4 traffic only] The ID of a NAT gateway.

network_interface_id

• Type: NetworkInterfaceId
• Required: No

The ID of a network interface.

route_table_id

• Type: RouteTableId
• Required: Yes

The ID of the route table for the route.

transit_gateway_id

• Type: TransitGatewayId
• Required: No

The ID of a transit gateway.

vpc_endpoint_id

• Type: VpcEndpointId
• Required: No

The ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only.

vpc_peering_connection_id

• Type: VpcPeeringConnectionId
• Required: No

The ID of a VPC peering connection.

Attribute Reference

cidr_block

• Type: Ipv4Cidr

awscc.ec2.security_group_egress

CloudFormation Type: AWS::EC2::SecurityGroupEgress

Adds the specified outbound (egress) rule to a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules. You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.

Example

let vpc = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

let sg = awscc.ec2.security_group {
  vpc_id            = vpc.vpc_id
  group_description = "Example security group"
}

awscc.ec2.security_group_egress {
  group_id    = sg.group_id
  description = "Allow all outbound traffic"
  ip_protocol = all
  cidr_ip     = "0.0.0.0/0"
}

Argument Reference

cidr_ip

• Type: Ipv4Cidr
• Required: No

The IPv4 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide.

cidr_ipv6

• Type: Ipv6Cidr
• Required: No

The IPv6 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the User Guide.

description

• Type: String
• Required: No

The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

destination_prefix_list_id

• Type: PrefixListId
• Required: No

The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.

destination_security_group_id

• Type: SecurityGroupId
• Required: No

The ID of the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.

from_port

• Type: Int(-1..=65535)
• Required: No

If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).

group_id

• Type: SecurityGroupId
• Required: Yes

The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.

ip_protocol

• Type: Enum (IpProtocol)
• Required: Yes

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

to_port

• Type: Int(-1..=65535)
• Required: No

If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).

Enum Values

ip_protocol (IpProtocol)

Shorthand formats: tcp or IpProtocol.tcp

Attribute Reference

id

• Type: String

awscc.ec2.security_group_ingress

CloudFormation Type: AWS::EC2::SecurityGroupIngress

Resource Type definition for AWS::EC2::SecurityGroupIngress

Example

let vpc = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

let sg = awscc.ec2.security_group {
  vpc_id            = vpc.vpc_id
  group_description = "Example security group"
}

awscc.ec2.security_group_ingress {
  group_id    = sg.group_id
  description = "Allow HTTPS from VPC"
  ip_protocol = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_ip     = "10.0.0.0/16"
}

Argument Reference

cidr_ip

• Type: Ipv4Cidr
• Required: No

The IPv4 ranges

cidr_ipv6

• Type: Ipv6Cidr
• Required: No

[VPC only] The IPv6 ranges

description

• Type: String
• Required: No

Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously

from_port

• Type: Int(-1..=65535)
• Required: No

The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.

group_id

• Type: SecurityGroupId
• Required: No

The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID. You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property.

group_name

• Type: String
• Required: No

The name of the security group.

ip_protocol

• Type: Enum (IpProtocol)
• Required: Yes

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). [VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

source_prefix_list_id

• Type: PrefixListId
• Required: No

[EC2-VPC only] The ID of a prefix list.

source_security_group_id

• Type: SecurityGroupId
• Required: No

The ID of the security group. You must specify either the security group ID or the security group name. For security groups in a nondefault VPC, you must specify the security group ID.

source_security_group_name

• Type: String
• Required: No

[EC2-Classic, default VPC] The name of the source security group. You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property.

source_security_group_owner_id

• Type: AwsAccountId
• Required: No

[nondefault VPC] The AWS account ID that owns the source security group. You can’t specify this property with an IP address range. If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.

to_port

• Type: Int(-1..=65535)
• Required: No

The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.

Enum Values

ip_protocol (IpProtocol)

Shorthand formats: tcp or IpProtocol.tcp

Attribute Reference

id

• Type: String

awscc.ec2.security_group

CloudFormation Type: AWS::EC2::SecurityGroup

Resource Type definition for AWS::EC2::SecurityGroup

Example

let vpc = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

awscc.ec2.security_group {
  vpc_id            = vpc.vpc_id
  group_description = "Example security group"

  security_group_ingress {
    ip_protocol = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_ip     = "0.0.0.0/0"
  }

  security_group_ingress {
    ip_protocol = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_ip     = "0.0.0.0/0"
  }

  tags = {
    Environment = "example"
  }
}

Argument Reference

group_description

• Type: String
• Required: Yes

A description for the security group.

group_name

• Type: String
• Required: No

The name of the security group.

security_group_egress

• Type: List<Egress>
• Required: No

[VPC only] The outbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.

security_group_ingress

• Type: List<Ingress>
• Required: No

The inbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group.

tags

• Type: Map
• Required: No

Any tags assigned to the security group.

vpc_id

• Type: VpcId
• Required: No

The ID of the VPC for the security group.

Enum Values

ip_protocol (IpProtocol)

Shorthand formats: tcp or IpProtocol.tcp

Struct Definitions

Egress

Ingress

Attribute Reference

group_id

• Type: SecurityGroupId

id

• Type: SecurityGroupId

awscc.ec2.subnet_route_table_association

CloudFormation Type: AWS::EC2::SubnetRouteTableAssociation

Associates a subnet with a route table. The subnet and route table must be in the same VPC. This association causes traffic originating from the subnet to be routed according to the routes in the route table. A route table can be associated with multiple subnets. To create a route table, see AWS::EC2::RouteTable.

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

let subnet = awscc.ec2.subnet {
  vpc_id            = vpc.vpc_id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "ap-northeast-1a"
}

let rt = awscc.ec2.route_table {
  vpc_id = vpc.vpc_id
}

awscc.ec2.subnet_route_table_association {
  subnet_id      = subnet.subnet_id
  route_table_id = rt.route_table_id
}

Argument Reference

route_table_id

• Type: RouteTableId
• Required: Yes

The ID of the route table. The physical ID changes when the route table ID is changed.

subnet_id

• Type: SubnetId
• Required: Yes

The ID of the subnet.

Attribute Reference

id

• Type: SubnetRouteTableAssociationId

awscc.ec2.subnet

CloudFormation Type: AWS::EC2::Subnet

Specifies a subnet for the specified VPC. For an IPv4 only subnet, specify an IPv4 CIDR block. If the VPC has an IPv6 CIDR block, you can create an IPv6 only subnet or a dual stack subnet instead. For an IPv6 only subnet, specify an IPv6 CIDR block. For a dual stack subnet, specify both an IPv4 CIDR block and an IPv6 CIDR block. For more information, see Subnets for your VPC in the Amazon VPC User Guide.

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

awscc.ec2.subnet {
  vpc_id                  = vpc.vpc_id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "ap-northeast-1a"
  map_public_ip_on_launch = true

  tags = {
    Environment = "example"
  }
}

Argument Reference

assign_ipv6_address_on_creation

• Type: Bool
• Required: No

Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is false. If you specify AssignIpv6AddressOnCreation, you must also specify an IPv6 CIDR block.

availability_zone

• Type: AvailabilityZone
• Required: No

The Availability Zone of the subnet. If you update this property, you must also update the CidrBlock property.

availability_zone_id

• Type: AvailabilityZoneId
• Required: No

The AZ ID of the subnet.

cidr_block

• Type: Ipv4Cidr
• Required: No

The IPv4 CIDR block assigned to the subnet. If you update this property, we create a new subnet, and then delete the existing one.

enable_dns64

• Type: Bool
• Required: No

Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. You must first configure a NAT gateway in a public subnet (separate from the subnet containing the IPv6-only workloads). For example, the subnet containing the NAT gateway should have a 0.0.0.0/0 route pointing to the internet gateway. For more information, see Configure DNS64 and NAT64 in the User Guide.

enable_lni_at_device_index

• Type: Int
• Required: No

Indicates the device position for local network interfaces in this subnet. For example, 1 indicates local network interfaces in this subnet are the secondary network interface (eth1).

ipv4_ipam_pool_id

• Type: IpamPoolId
• Required: No

An IPv4 IPAM pool ID for the subnet.

ipv4_netmask_length

• Type: Int(0..=32)
• Required: No

An IPv4 netmask length for the subnet.

ipv6_cidr_block

• Type: Ipv6Cidr
• Required: No

The IPv6 CIDR block. If you specify AssignIpv6AddressOnCreation, you must also specify an IPv6 CIDR block.

ipv6_ipam_pool_id

• Type: IpamPoolId
• Required: No

An IPv6 IPAM pool ID for the subnet.

ipv6_native

• Type: Bool
• Required: No

Indicates whether this is an IPv6 only subnet. For more information, see Subnet basics in the User Guide.

ipv6_netmask_length

• Type: Int(0..=128)
• Required: No

An IPv6 netmask length for the subnet.

map_public_ip_on_launch

• Type: Bool
• Required: No

Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is false. AWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the Public IPv4 Address tab on the VPC pricing page.

outpost_arn

• Type: Arn
• Required: No

The Amazon Resource Name (ARN) of the Outpost.

private_dns_name_options_on_launch

• Type: Struct(PrivateDnsNameOptionsOnLaunch)
• Required: No

The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries to the instances should be handled. For more information, see Amazon EC2 instance hostname types in the User Guide. Available options: + EnableResourceNameDnsAAAARecord (true | false) + EnableResourceNameDnsARecord (true | false) + HostnameType (ip-name | resource-name)

tags

• Type: Map
• Required: No

Any tags assigned to the subnet.

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC the subnet is in. If you update this property, you must also update the CidrBlock property.

Enum Values

internet_gateway_block_mode (InternetGatewayBlockMode)

Shorthand formats: off or InternetGatewayBlockMode.off

hostname_type (HostnameType)

Shorthand formats: ip_name or HostnameType.ip_name

Struct Definitions

BlockPublicAccessStates

PrivateDnsNameOptionsOnLaunch

Attribute Reference

block_public_access_states

• Type: Struct(BlockPublicAccessStates)

ipv6_cidr_blocks

• Type: List<Ipv6Cidr>

network_acl_association_id

• Type: String

subnet_id

• Type: SubnetId

awscc.ec2.transit_gateway_attachment

CloudFormation Type: AWS::EC2::TransitGatewayAttachment

Resource Type definition for AWS::EC2::TransitGatewayAttachment

Example

let vpc = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

let subnet = awscc.ec2.subnet {
  vpc_id            = vpc.vpc_id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "ap-northeast-1a"
}

let tgw = awscc.ec2.transit_gateway {
  description = "Example Transit Gateway"
}

awscc.ec2.transit_gateway_attachment {
  transit_gateway_id = tgw.id
  vpc_id             = vpc.vpc_id
  subnet_ids         = [subnet.subnet_id]

  tags = {
    Environment = "example"
  }
}

Argument Reference

options

• Type: Struct(Options)
• Required: No

The options for the transit gateway vpc attachment.

subnet_ids

• Type: List<SubnetId>
• Required: Yes

tags

• Type: Map
• Required: No

transit_gateway_id

• Type: TransitGatewayId
• Required: Yes

vpc_id

• Type: VpcId
• Required: Yes

Enum Values

appliance_mode_support (ApplianceModeSupport)

Shorthand formats: enable or ApplianceModeSupport.enable

dns_support (DnsSupport)

Shorthand formats: enable or DnsSupport.enable

ipv6_support (Ipv6Support)

Shorthand formats: enable or Ipv6Support.enable

security_group_referencing_support (SecurityGroupReferencingSupport)

Shorthand formats: enable or SecurityGroupReferencingSupport.enable

Struct Definitions

Options

Attribute Reference

id

• Type: TransitGatewayAttachmentId

awscc.ec2.transit_gateway

CloudFormation Type: AWS::EC2::TransitGateway

Resource Type definition for AWS::EC2::TransitGateway

Example

awscc.ec2.transit_gateway {
  description = "Example Transit Gateway"

  tags = {
    Environment = "example"
  }
}

Argument Reference

amazon_side_asn

• Type: Int(1..=4294967294)
• Required: No

association_default_route_table_id

• Type: TgwRouteTableId
• Required: No

auto_accept_shared_attachments

• Type: Enum (AutoAcceptSharedAttachments)
• Required: No

default_route_table_association

• Type: Enum (DefaultRouteTableAssociation)
• Required: No

default_route_table_propagation

• Type: Enum (DefaultRouteTablePropagation)
• Required: No

description

• Type: String
• Required: No

dns_support

• Type: Enum (DnsSupport)
• Required: No

encryption_support

• Type: Enum (EncryptionSupport)
• Required: No

multicast_support

• Type: Enum (MulticastSupport)
• Required: No

propagation_default_route_table_id

• Type: TgwRouteTableId
• Required: No

security_group_referencing_support

• Type: Enum (SecurityGroupReferencingSupport)
• Required: No

tags

• Type: Map
• Required: No

transit_gateway_cidr_blocks

• Type: List<Cidr>
• Required: No

vpn_ecmp_support

• Type: Enum (VpnEcmpSupport)
• Required: No

Enum Values

auto_accept_shared_attachments (AutoAcceptSharedAttachments)

Shorthand formats: enable or AutoAcceptSharedAttachments.enable

default_route_table_association (DefaultRouteTableAssociation)

Shorthand formats: enable or DefaultRouteTableAssociation.enable

default_route_table_propagation (DefaultRouteTablePropagation)

Shorthand formats: enable or DefaultRouteTablePropagation.enable

dns_support (DnsSupport)

Shorthand formats: enable or DnsSupport.enable

encryption_support (EncryptionSupport)

Shorthand formats: disable or EncryptionSupport.disable

encryption_support_state (EncryptionSupportState)

Shorthand formats: disable or EncryptionSupportState.disable

multicast_support (MulticastSupport)

Shorthand formats: enable or MulticastSupport.enable

security_group_referencing_support (SecurityGroupReferencingSupport)

Shorthand formats: enable or SecurityGroupReferencingSupport.enable

vpn_ecmp_support (VpnEcmpSupport)

Shorthand formats: enable or VpnEcmpSupport.enable

Attribute Reference

encryption_support_state

• Type: Enum (EncryptionSupportState)

id

• Type: TransitGatewayId

transit_gateway_arn

• Type: Arn

awscc.ec2.vpc_endpoint

CloudFormation Type: AWS::EC2::VPCEndpoint

Specifies a VPC endpoint. A VPC endpoint provides a private connection between your VPC and an endpoint service. You can use an endpoint service provided by AWS, an MKT Partner, or another AWS accounts in your organization. For more information, see the User Guide. An endpoint of type Interface establishes connections between the subnets in your VPC and an AWS-service, your own service, or a service hosted by another AWS-account. With an interface VPC endpoint, you specify the subnets in which to create the endpoint and the security groups to associate with the endpoint network interfaces. An endpoint of type gateway serves as a target for a route in your route table for traffic destined for S3 or DDB. You can specify an endpoint policy for the endpoint, which controls access to the service from your VPC. You can also specify the VPC route tables that use the endpoint. For more information about connectivity to S3, see Why can’t I connect to an S3 bucket using a gateway VPC endpoint? An endpoint of type GatewayLoadBalancer provides private connectivity between your VPC and virtual appliances from a service provider.

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

let subnet = awscc.ec2.subnet {
  vpc_id            = vpc.vpc_id
  cidr_block        = "10.0.100.0/24"
  availability_zone = "ap-northeast-1a"
}

let sg = awscc.ec2.security_group {
  vpc_id            = vpc.vpc_id
  group_description = "SG for VPC Endpoint"
}

awscc.ec2.security_group_ingress {
  group_id    = sg.group_id
  description = "Allow HTTPS from VPC"
  ip_protocol = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_ip     = "10.0.0.0/16"
}

awscc.ec2.vpc_endpoint {
  vpc_id              = vpc.vpc_id
  service_name        = "com.amazonaws.ap-northeast-1.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [subnet.subnet_id]
  security_group_ids  = [sg.group_id]
  private_dns_enabled = true
}

Argument Reference

dns_options

• Type: Struct(DnsOptionsSpecification)
• Required: No

Describes the DNS options for an endpoint.

ip_address_type

• Type: Enum (IpAddressType)
• Required: No

The supported IP address types.

policy_document

• Type: IamPolicyDocument
• Required: No

An endpoint policy, which controls access to the service from the VPC. The default endpoint policy allows full access to the service. Endpoint policies are supported only for gateway and interface endpoints. For CloudFormation templates in YAML, you can provide the policy in JSON or YAML format. For example, if you have a JSON policy, you can convert it to YAML before including it in the YAML template, and CFNlong converts the policy to JSON format before calling the API actions for privatelink. Alternatively, you can include the JSON directly in the YAML, as shown in the following Properties section: Properties: VpcEndpointType: 'Interface' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' PolicyDocument: '{ "Version":"2012-10-17", "Statement": [{ "Effect":"Allow", "Principal":"*", "Action":["logs:Describe*","logs:Get*","logs:List*","logs:FilterLogEvents"], "Resource":"*" }] }'

private_dns_enabled

• Type: Bool
• Required: No

Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, kinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service. To use a private hosted zone, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. This property is supported only for interface endpoints. Default: false

resource_configuration_arn

• Type: Arn
• Required: No

The Amazon Resource Name (ARN) of the resource configuration.

route_table_ids

• Type: List<RouteTableId>
• Required: No

The IDs of the route tables. Routing is supported only for gateway endpoints.

security_group_ids

• Type: List<SecurityGroupId>
• Required: No

The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, we use the default security group for the VPC. Security groups are supported only for interface endpoints.

service_name

• Type: String
• Required: No

The name of the endpoint service.

service_network_arn

• Type: Arn
• Required: No

The Amazon Resource Name (ARN) of the service network.

service_region

• Type: Region
• Required: No

Describes a Region.

subnet_ids

• Type: List<SubnetId>
• Required: No

The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can’t specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.

tags

• Type: Map
• Required: No

The tags to associate with the endpoint.

vpc_endpoint_type

• Type: Enum (VpcEndpointType)
• Required: No

The type of endpoint. Default: Gateway

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC.

Enum Values

dns_record_ip_type (DnsRecordIpType)

Shorthand formats: ipv4 or DnsRecordIpType.ipv4

private_dns_only_for_inbound_resolver_endpoint (PrivateDnsOnlyForInboundResolverEndpoint)

Shorthand formats: OnlyInboundResolver or PrivateDnsOnlyForInboundResolverEndpoint.OnlyInboundResolver

private_dns_preference (PrivateDnsPreference)

Shorthand formats: VERIFIED_DOMAINS_ONLY or PrivateDnsPreference.VERIFIED_DOMAINS_ONLY

ip_address_type (IpAddressType)

Shorthand formats: ipv4 or IpAddressType.ipv4

vpc_endpoint_type (VpcEndpointType)

Shorthand formats: Interface or VpcEndpointType.Interface

Struct Definitions

DnsOptionsSpecification

Attribute Reference

creation_timestamp

• Type: String

dns_entries

• Type: List<String>

id

• Type: VpcEndpointId

network_interface_ids

• Type: List<NetworkInterfaceId>

awscc.ec2.vpc_gateway_attachment

CloudFormation Type: AWS::EC2::VPCGatewayAttachment

Resource Type definition for AWS::EC2::VPCGatewayAttachment

Example

let vpc = awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

let igw = awscc.ec2.internet_gateway {}

awscc.ec2.vpc_gateway_attachment {
  vpc_id              = vpc.vpc_id
  internet_gateway_id = igw.internet_gateway_id
}

Argument Reference

internet_gateway_id

• Type: InternetGatewayId
• Required: No

The ID of the internet gateway. You must specify either InternetGatewayId or VpnGatewayId, but not both.

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC.

vpn_gateway_id

• Type: VpnGatewayId
• Required: No

The ID of the virtual private gateway. You must specify either InternetGatewayId or VpnGatewayId, but not both.

Attribute Reference

attachment_type

• Type: String

awscc.ec2.vpc_peering_connection

CloudFormation Type: AWS::EC2::VPCPeeringConnection

Resource Type definition for AWS::EC2::VPCPeeringConnection

Example

let vpc1 = awscc.ec2.vpc {
  cidr_block = "10.0.0.0/16"
}

let vpc2 = awscc.ec2.vpc {
  cidr_block = "10.1.0.0/16"
}

awscc.ec2.vpc_peering_connection {
  vpc_id      = vpc1.vpc_id
  peer_vpc_id = vpc2.vpc_id

  tags = {
    Environment = "example"
  }
}

Argument Reference

assume_role_region

• Type: Region
• Required: No

The Region code to use when calling Security Token Service (STS) to assume the PeerRoleArn, if provided.

peer_owner_id

• Type: AwsAccountId
• Required: No

The AWS account ID of the owner of the accepter VPC.

peer_region

• Type: Region
• Required: No

The Region code for the accepter VPC, if the accepter VPC is located in a Region other than the Region in which you make the request.

peer_role_arn

• Type: IamRoleArn
• Required: No

The Amazon Resource Name (ARN) of the VPC peer role for the peering connection in another AWS account.

peer_vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC with which you are creating the VPC peering connection. You must specify this parameter in the request.

tags

• Type: Map
• Required: No

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC.

Attribute Reference

id

• Type: VpcPeeringConnectionId

awscc.ec2.vpc

CloudFormation Type: AWS::EC2::VPC

Specifies a virtual private cloud (VPC). To add an IPv6 CIDR block to the VPC, see AWS::EC2::VPCCidrBlock. For more information, see Virtual private clouds (VPC) in the Amazon VPC User Guide.

Example

awscc.ec2.vpc {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  instance_tenancy     = default

  tags = {
    Environment = "example"
  }
}

Argument Reference

cidr_block

• Type: Ipv4Cidr
• Required: No

The IPv4 network range for the VPC, in CIDR notation. For example, 10.0.0.0/16. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18. You must specify eitherCidrBlock or Ipv4IpamPoolId.

enable_dns_hostnames

• Type: Bool
• Required: No

Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more information, see DNS attributes in your VPC. You can only enable DNS hostnames if you’ve enabled DNS support.

enable_dns_support

• Type: Bool
• Required: No

Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range “plus two” succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. For more information, see DNS attributes in your VPC.

instance_tenancy

• Type: Enum (InstanceTenancy)
• Required: No

The allowed tenancy of instances launched into the VPC. + default: An instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch. + dedicated: An instance launched into the VPC runs on dedicated hardware by default, unless you explicitly specify a tenancy of host during instance launch. You cannot specify a tenancy of default during instance launch. Updating InstanceTenancy requires no replacement only if you are updating its value from dedicated to default. Updating InstanceTenancy from default to dedicated requires replacement.

ipv4_ipam_pool_id

• Type: IpamPoolId
• Required: No

The ID of an IPv4 IPAM pool you want to use for allocating this VPC’s CIDR. For more information, see What is IPAM? in the Amazon VPC IPAM User Guide. You must specify eitherCidrBlock or Ipv4IpamPoolId.

ipv4_netmask_length

• Type: Int(0..=32)
• Required: No

The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see What is IPAM? in the Amazon VPC IPAM User Guide.

tags

• Type: Map
• Required: No

The tags for the VPC.

Enum Values

instance_tenancy (InstanceTenancy)

Shorthand formats: default or InstanceTenancy.default

Attribute Reference

cidr_block_associations

• Type: List<VpcCidrBlockAssociationId>

default_network_acl

• Type: NetworkAclId

default_security_group

• Type: SecurityGroupId

ipv6_cidr_blocks

• Type: List<Ipv6Cidr>

vpc_id

• Type: VpcId

awscc.ec2.vpn_gateway

CloudFormation Type: AWS::EC2::VPNGateway

Specifies a virtual private gateway. A virtual private gateway is the endpoint on the VPC side of your VPN connection. You can create a virtual private gateway before creating the VPC itself. For more information, see in the User Guide.

Example

awscc.ec2.vpn_gateway {
  type = awscc.ec2.vpn_gateway.Type.ipsec.1

  tags = {
    Environment = "example"
  }
}

Argument Reference

amazon_side_asn

• Type: Int(1..=4294967294)
• Required: No

The private Autonomous System Number (ASN) for the Amazon side of a BGP session.

tags

• Type: Map
• Required: No

Any tags assigned to the virtual private gateway.

type

• Type: String
• Required: Yes

The type of VPN connection the virtual private gateway supports.

Attribute Reference

vpn_gateway_id

• Type: VpnGatewayId

awscc.iam.role

CloudFormation Type: AWS::IAM::Role

Creates a new role for your AWS-account. For more information about roles, see IAM roles in the IAM User Guide. For information about quotas for role names and the number of roles you can create, see IAM and quotas in the IAM User Guide.

Example

awscc.iam.role {
  role_name = "my-example-role"

  assume_role_policy_document = {
    version = "2012-10-17"
    statement {
      effect    = "Allow"
      principal = {
        service = "lambda.amazonaws.com"
      }
      action    = "sts:AssumeRole"
    }
  }

  tags = {
    Environment = "example"
  }
}

Argument Reference

assume_role_policy_document

• Type: IamPolicyDocument
• Required: Yes

The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see Template Examples. For more information about the elements that you can use in an IAM policy, see Policy Elements Reference in the User Guide.

description

• Type: String
• Required: No

A description of the role that you provide.

managed_policy_arns

• Type: List<IamPolicyArn>
• Required: No

A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role. For more information about ARNs, see Amazon Resource Names (ARNs) and Service Namespaces in the General Reference.

max_session_duration

• Type: Int(3600..=43200)
• Required: No

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours. Anyone who assumes the role from the CLI or API can use the DurationSeconds API parameter or the duration-secondsCLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don’t specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role*CLI operations but does not apply when you use those operations to create a console URL. For more information, see Using IAM roles in the IAM User Guide.

path

• Type: String
• Required: No
• Default: "/"

The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide. This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

permissions_boundary

• Type: IamPolicyArn
• Required: No

The ARN of the policy used to set the permissions boundary for the role. For more information about permissions boundaries, see Permissions boundaries for IAM identities in the IAM User Guide.

policies

• Type: List<Policy>
• Required: No

Adds or updates an inline policy document that is embedded in the specified IAM role. When you embed an inline policy in a role, the inline policy is used as part of the role’s access (permissions) policy. The role’s trust policy is created at the same time as the role. You can update a role’s trust policy later. For more information about IAM roles, go to Using Roles to Delegate Permissions and Federate Identities. A role can also have an attached managed policy. For information about policies, see Managed Policies and Inline Policies in the User Guide. For information about limits on the number of inline policies that you can embed with a role, see Limitations on Entities in the User Guide. If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role’s policy is available throughout the resource’s lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that CFN deletes the AWS::ECS::Service resource before deleting its role’s policy.

role_name

• Type: String
• Required: No

A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the CreateRole action in the User Guide. This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both “Role1” and “role1”. If you don’t specify a name, CFN generates a unique physical ID and uses that ID for the role name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template’s capabilities. For more information, see Acknowledging Resources in Templates. Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.

tags

• Type: Map
• Required: No

A list of tags that are attached to the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

Struct Definitions

Policy

Attribute Reference

arn

• Type: IamRoleArn

role_id

• Type: IamRoleId

awscc.logs.log_group

CloudFormation Type: AWS::Logs::LogGroup

The AWS::Logs::LogGroup resource specifies a log group. A log group defines common properties for log streams, such as their retention and access control rules. Each log stream must belong to one log group. You can create up to 1,000,000 log groups per Region per account. You must use the following guidelines when naming a log group:

• Log group names must be unique within a Region for an AWS account.
• Log group names can be between 1 and 512 characters long.
• Log group names consist of the following characters: a-z, A-Z, 0-9, ‘_’ (underscore), ‘-’ (hyphen), ‘/’ (forward slash), and ‘.’ (period).

Example

awscc.logs.log_group {
  log_group_name    = "/example/my-app"
  retention_in_days = 30

  tags = {
    Environment = "example"
  }
}

Argument Reference

data_protection_policy

• Type: Map
• Required: No

Creates a data protection policy and assigns it to the log group. A data protection policy can help safeguard sensitive data that’s ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.

deletion_protection_enabled

• Type: Bool
• Required: No
• Default: false

Indicates whether deletion protection is enabled for this log group. When enabled, deletion protection blocks all deletion operations until it is explicitly disabled.

field_index_policies

• Type: List<String>
• Required: No

Creates or updates a field index policy for the specified log group. Only log groups in the Standard log class support field index policies. For more information about log classes, see Log classes. You can use field index policies to create field indexes on fields found in log events in the log group. Creating field indexes lowers the costs for CWL Insights queries that reference those field indexes, because these queries attempt to skip the processing of log events that are known to not match the indexed field. Good fields to index are fields that you often need to query for and fields that have high cardinality of values Common examples of indexes include request ID, session ID, userID, and instance IDs. For more information, see Create field indexes to improve query performance and reduce costs. Currently, this array supports only one field index policy object.

kms_key_id

• Type: KmsKeyArn
• Required: No

The Amazon Resource Name (ARN) of the KMS key to use when encrypting log data. To associate an KMS key with the log group, specify the ARN of that KMS key here. If you do so, ingested data is encrypted using this key. This association is stored as long as the data encrypted with the KMS key is still within CWL. This enables CWL to decrypt this data whenever it is requested. If you attempt to associate a KMS key with the log group but the KMS key doesn’t exist or is deactivated, you will receive an InvalidParameterException error. Log group data is always encrypted in CWL. If you omit this key, the encryption does not use KMS. For more information, see Encrypt log data in using

log_group_class

• Type: Enum (LogGroupClass)
• Required: No
• Default: "STANDARD"

Specifies the log group class for this log group. There are two classes: + The Standard log class supports all CWL features. + The Infrequent Access log class supports a subset of CWL features and incurs lower costs. For details about the features supported by each class, see Log classes

log_group_name

• Type: String(pattern, len: 1..=512)
• Required: No

The name of the log group. If you don’t specify a name, CFNlong generates a unique ID for the log group.

resource_policy_document

• Type: IamPolicyDocument
• Required: No

Creates or updates a resource policy for the specified log group that allows other services to put log events to this account. A LogGroup can have 1 resource policy.

retention_in_days

• Type: IntEnum([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653])
• Required: No

The number of days to retain the log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, and 3653. To set a log group so that its log events do not expire, do not specify this property.

tags

• Type: Map
• Required: No

An array of key-value pairs to apply to the log group. For more information, see Tag.

Enum Values

log_group_class (LogGroupClass)

Shorthand formats: STANDARD or LogGroupClass.STANDARD

Attribute Reference

arn

• Type: Arn

awscc.s3.bucket

CloudFormation Type: AWS::S3::Bucket

The AWS::S3::Bucket resource creates an Amazon S3 bucket in the same AWS Region where you create the AWS CloudFormation stack. To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to retain the bucket or to delete the bucket. For more information, see DeletionPolicy Attribute. You can only delete empty buckets. Deletion fails for buckets that have contents.

Example

awscc.s3.bucket {
  bucket_name = "my-example-bucket"

  versioning_configuration = {
    status = Enabled
  }

  tags = {
    Environment = "example"
  }
}

Argument Reference

abac_status

• Type: Enum (AbacStatus)
• Required: No

The ABAC status of the general purpose bucket. When ABAC is enabled for the general purpose bucket, you can use tags to manage access to the general purpose buckets as well as for cost tracking purposes. When ABAC is disabled for the general purpose buckets, you can only use tags for cost tracking purposes. For more information, see Using tags with S3 general purpose buckets.

accelerate_configuration

• Type: Struct(AccelerateConfiguration)
• Required: No

Configures the transfer acceleration state for an Amazon S3 bucket. For more information, see Amazon S3 Transfer Acceleration in the Amazon S3 User Guide.

access_control

• Type: Enum (AccessControl)
• Required: No

This is a legacy property, and it is not recommended for most use cases. A majority of modern use cases in Amazon S3 no longer require the use of ACLs, and we recommend that you keep ACLs disabled. For more information, see Controlling object ownership in the Amazon S3 User Guide. A canned access control list (ACL) that grants predefined permissions to the bucket. For more information about canned ACLs, see Canned ACL in the Amazon S3 User Guide. S3 buckets are created with ACLs disabled by default. Therefore, unless you explicitly set the AWS::S3::OwnershipControls property to enable ACLs, your resource will fail to deploy with any value other than Private. Use cases requiring ACLs are uncommon. The majority of access control configurations can be successfully and more easily achieved with bucket policies. For more information, see AWS::S3::BucketPolicy. For examples of common policy configurations, including S3 Server Access Logs buckets and more, see Bucket policy examples in the Amazon S3 User Guide.

analytics_configurations

• Type: List<AnalyticsConfiguration>
• Required: No

Specifies the configuration and any analyses for the analytics filter of an Amazon S3 bucket.

bucket_encryption

• Type: Struct(BucketEncryption)
• Required: No

Specifies default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or dual-layer server-side encryption with KMS-managed keys (DSSE-KMS). For information about the Amazon S3 default encryption feature, see Amazon S3 Default Encryption for S3 Buckets in the Amazon S3 User Guide.

bucket_name

• Type: String
• Required: No

A name for the bucket. If you don’t specify a name, AWS CloudFormation generates a unique ID and uses that ID for the bucket name. The bucket name must contain only lowercase letters, numbers, periods (.), and dashes (-) and must follow Amazon S3 bucket restrictions and limitations. For more information, see Rules for naming Amazon S3 buckets in the Amazon S3 User Guide. If you specify a name, you can’t perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you need to replace the resource, specify a new name.

cors_configuration

• Type: Struct(CorsConfiguration)
• Required: No

Describes the cross-origin access configuration for objects in an Amazon S3 bucket. For more information, see Enabling Cross-Origin Resource Sharing in the Amazon S3 User Guide.

intelligent_tiering_configurations

• Type: List<IntelligentTieringConfiguration>
• Required: No

Defines how Amazon S3 handles Intelligent-Tiering storage.

inventory_configurations

• Type: List<InventoryConfiguration>
• Required: No

Specifies the S3 Inventory configuration for an Amazon S3 bucket. For more information, see GET Bucket inventory in the Amazon S3 API Reference.

lifecycle_configuration

• Type: Struct(LifecycleConfiguration)
• Required: No

Specifies the lifecycle configuration for objects in an Amazon S3 bucket. For more information, see Object Lifecycle Management in the Amazon S3 User Guide.

logging_configuration

• Type: Struct(LoggingConfiguration)
• Required: No

Settings that define where logs are stored.

metadata_configuration

• Type: Struct(MetadataConfiguration)
• Required: No

The S3 Metadata configuration for a general purpose bucket.

metadata_table_configuration

• Type: Struct(MetadataTableConfiguration)
• Required: No

The metadata table configuration of an S3 general purpose bucket.

metrics_configurations

• Type: List<MetricsConfiguration>
• Required: No

Specifies a metrics configuration for the CloudWatch request metrics (specified by the metrics configuration ID) from an Amazon S3 bucket. If you’re updating an existing metrics configuration, note that this is a full replacement of the existing metrics configuration. If you don’t include the elements you want to keep, they are erased. For more information, see PutBucketMetricsConfiguration.

notification_configuration

• Type: Struct(NotificationConfiguration)
• Required: No

Configuration that defines how Amazon S3 handles bucket notifications.

object_lock_configuration

• Type: Struct(ObjectLockConfiguration)
• Required: No

This operation is not supported for directory buckets. Places an Object Lock configuration on the specified bucket. The rule specified in the Object Lock configuration will be applied by default to every new object placed in the specified bucket. For more information, see Locking Objects. + The DefaultRetention settings require both a mode and a period. + The DefaultRetention period can be either Days or Years but you must select one. You cannot specify Days and Years at the same time. + You can enable Object Lock for new or existing buckets. For more information, see Configuring Object Lock. You must URL encode any signed header values that contain spaces. For example, if your header value is my file.txt, containing two spaces after my, you must URL encode this value to my%20%20file.txt.

object_lock_enabled

• Type: Bool
• Required: No

Indicates whether this bucket has an Object Lock configuration enabled. Enable ObjectLockEnabled when you apply ObjectLockConfiguration to a bucket.

ownership_controls

• Type: Struct(OwnershipControls)
• Required: No

Configuration that defines how Amazon S3 handles Object Ownership rules.

public_access_block_configuration

• Type: Struct(PublicAccessBlockConfiguration)
• Required: No

Configuration that defines how Amazon S3 handles public access.

replication_configuration

• Type: Struct(ReplicationConfiguration)
• Required: No

Configuration for replicating objects in an S3 bucket. To enable replication, you must also enable versioning by using the VersioningConfiguration property. Amazon S3 can store replicated objects in a single destination bucket or multiple destination buckets. The destination bucket or buckets must already exist.

tags

• Type: Map
• Required: No

An arbitrary set of tags (key-value pairs) for this S3 bucket.

versioning_configuration

• Type: Struct(VersioningConfiguration)
• Required: No

Enables multiple versions of all objects in this bucket. You might enable versioning to prevent objects from being deleted or overwritten by mistake or to archive objects so that you can retrieve previous versions of them. When you enable versioning on a bucket for the first time, it might take a short amount of time for the change to be fully propagated. We recommend that you wait for 15 minutes after enabling versioning before issuing write operations (PUT or DELETE) on objects in the bucket.

website_configuration

• Type: Struct(WebsiteConfiguration)
• Required: No

Information used to configure the bucket as a static website. For more information, see Hosting Websites on Amazon S3.

Enum Values

abac_status (AbacStatus)

Shorthand formats: Enabled or AbacStatus.Enabled

acceleration_status (AccelerationStatus)

Shorthand formats: Enabled or AccelerationStatus.Enabled

access_control (AccessControl)

Shorthand formats: AuthenticatedRead or AccessControl.AuthenticatedRead

owner (Owner)

Shorthand formats: Destination or Owner.Destination

encryption_type (EncryptionType)

Shorthand formats: NONE or EncryptionType.NONE

allowed_methods (AllowedMethods)

Shorthand formats: GET or AllowedMethods.GET

output_schema_version (OutputSchemaVersion)

Shorthand formats: V_1 or OutputSchemaVersion.V_1

mode (Mode)

Shorthand formats: COMPLIANCE or Mode.COMPLIANCE

status (DeleteMarkerReplicationStatus)

Shorthand formats: Disabled or DeleteMarkerReplicationStatus.Disabled

format (Format)

Shorthand formats: CSV or Format.CSV

status (IntelligentTieringConfigurationStatus)

Shorthand formats: Disabled or IntelligentTieringConfigurationStatus.Disabled

included_object_versions (IncludedObjectVersions)

Shorthand formats: All or IncludedObjectVersions.All

optional_fields (OptionalFields)

Shorthand formats: Size or OptionalFields.Size

schedule_frequency (ScheduleFrequency)

Shorthand formats: Daily or ScheduleFrequency.Daily

configuration_state (ConfigurationState)

Shorthand formats: ENABLED or ConfigurationState.ENABLED

transition_default_minimum_object_size (TransitionDefaultMinimumObjectSize)

Shorthand formats: varies_by_storage_class or TransitionDefaultMinimumObjectSize.varies_by_storage_class

table_bucket_type (TableBucketType)

Shorthand formats: aws or TableBucketType.aws

sse_algorithm (MetadataTableEncryptionConfigurationSseAlgorithm)

Shorthand formats: aws:kms or MetadataTableEncryptionConfigurationSseAlgorithm.aws:kms

status (MetricsStatus)

Shorthand formats: Disabled or MetricsStatus.Disabled

storage_class (NoncurrentVersionTransitionStorageClass)

Shorthand formats: DEEP_ARCHIVE or NoncurrentVersionTransitionStorageClass.DEEP_ARCHIVE

object_lock_enabled (ObjectLockEnabled)

Shorthand formats: Enabled or ObjectLockEnabled.Enabled

object_ownership (ObjectOwnership)

Shorthand formats: ObjectWriter or ObjectOwnership.ObjectWriter

partition_date_source (PartitionDateSource)

Shorthand formats: EventTime or PartitionDateSource.EventTime

expiration (Expiration)

Shorthand formats: ENABLED or Expiration.ENABLED

protocol (Protocol)

Shorthand formats: http or Protocol.http

status (ReplicaModificationsStatus)

Shorthand formats: Enabled or ReplicaModificationsStatus.Enabled

storage_class (ReplicationDestinationStorageClass)

Shorthand formats: DEEP_ARCHIVE or ReplicationDestinationStorageClass.DEEP_ARCHIVE

status (ReplicationRuleStatus)

Shorthand formats: Disabled or ReplicationRuleStatus.Disabled

status (ReplicationTimeStatus)

Shorthand formats: Disabled or ReplicationTimeStatus.Disabled

status (RuleStatus)

Shorthand formats: Enabled or RuleStatus.Enabled

sse_algorithm (ServerSideEncryptionByDefaultSseAlgorithm)

Shorthand formats: aws:kms or ServerSideEncryptionByDefaultSseAlgorithm.aws:kms

status (SseKmsEncryptedObjectsStatus)

Shorthand formats: Disabled or SseKmsEncryptedObjectsStatus.Disabled

access_tier (AccessTier)

Shorthand formats: ARCHIVE_ACCESS or AccessTier.ARCHIVE_ACCESS

storage_class (TransitionStorageClass)

Shorthand formats: DEEP_ARCHIVE or TransitionStorageClass.DEEP_ARCHIVE

status (VersioningConfigurationStatus)

Shorthand formats: Enabled or VersioningConfigurationStatus.Enabled

Struct Definitions

AbortIncompleteMultipartUpload

AccelerateConfiguration

AccessControlTranslation

AnalyticsConfiguration

BlockedEncryptionTypes

BucketEncryption

CorsConfiguration

CorsRule

DataExport

DefaultRetention

DeleteMarkerReplication

Destination

EncryptionConfiguration

EventBridgeConfiguration

FilterRule

IntelligentTieringConfiguration

InventoryConfiguration

InventoryTableConfiguration

JournalTableConfiguration

LambdaConfiguration

LifecycleConfiguration

LoggingConfiguration

MetadataConfiguration

MetadataDestination

MetadataTableConfiguration

MetadataTableEncryptionConfiguration

Metrics

MetricsConfiguration

NoncurrentVersionExpiration

NoncurrentVersionTransition

NotificationConfiguration

NotificationFilter

ObjectLockConfiguration

ObjectLockRule

OwnershipControls

OwnershipControlsRule

PartitionedPrefix

PublicAccessBlockConfiguration

QueueConfiguration

RecordExpiration

RedirectAllRequestsTo

RedirectRule

ReplicaModifications

ReplicationConfiguration

ReplicationDestination

ReplicationRule

ReplicationRuleAndOperator

ReplicationRuleFilter

ReplicationTime

ReplicationTimeValue

RoutingRule

RoutingRuleCondition

Rule

S3KeyFilter

S3TablesDestination

ServerSideEncryptionByDefault

ServerSideEncryptionRule

SourceSelectionCriteria

SseKmsEncryptedObjects

StorageClassAnalysis

TargetObjectKeyFormat

Tiering

TopicConfiguration

Transition

VersioningConfiguration

WebsiteConfiguration

Attribute Reference

arn

• Type: Arn

domain_name

• Type: String

dual_stack_domain_name

• Type: String

regional_domain_name

• Type: String

website_url

• Type: String(uri)

AWS Provider

The aws provider manages AWS resources through native AWS SDK APIs (EC2, S3).

Configuration

provider aws {
  region = aws.Region.ap_northeast_1
}

Usage

Resources are defined using the aws.<resource_type> syntax:

let vpc = aws.ec2_vpc {
  name       = "my-vpc"
  cidr_block = "10.0.0.0/16"
  tags = {
    Environment = "production"
  }
}

Named resources (using let) can be referenced by other resources:

let subnet = aws.ec2_subnet {
  name              = "my-subnet"
  vpc_id            = vpc.vpc_id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "ap-northeast-1a"
}

Enum Values

Some attributes accept enum values. These can be specified in three formats:

• Bare value: instance_tenancy = default
• TypeName.value: instance_tenancy = InstanceTenancy.default
• Full namespace: instance_tenancy = aws.ec2_vpc.InstanceTenancy.default

aws.ec2.internet_gateway

CloudFormation Type: AWS::EC2::InternetGateway

Describes an internet gateway.

Example

let vpc = aws.ec2.vpc {
  cidr_block = "10.0.0.0/16"

  tags = {
    Environment = "example"
  }
}

let igw = aws.ec2.internet_gateway {
  vpc_id = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

Argument Reference

tags

• Type: Map
• Required: No

The tags for the resource.

Attribute Reference

internet_gateway_id

• Type: internet_gateway_id

aws.ec2.route_table

CloudFormation Type: AWS::EC2::RouteTable

Describes a route table.

Example

let vpc = aws.ec2.vpc {
  cidr_block = "10.0.0.0/16"

  tags = {
    Environment = "example"
  }
}

let rt = aws.ec2.route_table {
  vpc_id = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

Argument Reference

vpc_id

• Type: VpcId
• Required: Yes

The ID of the VPC.

tags

• Type: Map
• Required: No

The tags for the resource.

Attribute Reference

route_table_id

• Type: route_table_id

aws.ec2.route

CloudFormation Type: AWS::EC2::Route

Describes a route in a route table.

Example

let vpc = aws.ec2.vpc {
  cidr_block = "10.0.0.0/16"

  tags = {
    Environment = "example"
  }
}

let igw = aws.ec2.internet_gateway {
  vpc_id = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

let rt = aws.ec2.route_table {
  vpc_id = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

let route = aws.ec2.route {
  route_table_id         = rt.route_table_id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = igw.internet_gateway_id
}

Argument Reference

destination_cidr_block

• Type: Ipv4Cidr
• Required: No

The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18.

gateway_id

• Type: GatewayId
• Required: No

The ID of an internet gateway or virtual private gateway attached to your VPC.

nat_gateway_id

• Type: nat_gateway_id
• Required: No

[IPv4 traffic only] The ID of a NAT gateway.

route_table_id

• Type: route_table_id
• Required: Yes

The ID of the route table for the route.

aws.ec2.security_group_egress

CloudFormation Type: AWS::EC2::SecurityGroupEgress

Describes a security group rule.

Example

let vpc = aws.ec2.vpc {
  cidr_block = "10.0.0.0/16"

  tags = {
    Environment = "example"
  }
}

let sg = aws.ec2.security_group {
  group_name  = "carina-example-sg-egress"
  description = "SG for egress rule example"
  vpc_id      = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

let egress = aws.ec2.security_group_egress {
  group_id    = sg.group_id
  description = "Allow HTTPS outbound"
  ip_protocol = tcp
  from_port   = 443
  to_port     = 443
  cidr_ip     = "0.0.0.0/0"
}

Argument Reference

cidr_ip

• Type: Ipv4Cidr
• Required: No

Not supported. Use IP permissions instead.

cidr_ipv6

• Type: Ipv6Cidr
• Required: No

The IPv6 CIDR range.

description

• Type: String
• Required: No

The security group rule description.

destination_prefix_list_id

• Type: PrefixListId
• Required: No

The ID of the destination prefix list.

from_port

• Type: Int(-1..=65535)
• Required: No

Not supported. Use IP permissions instead.

group_id

• Type: SecurityGroupId
• Required: Yes

The ID of the security group.

ip_protocol

• Type: Enum (IpProtocol)
• Required: Yes

Not supported. Use IP permissions instead.

source_security_group_name

• Type: String
• Required: No

Not supported. Use IP permissions instead.

source_security_group_owner_id

• Type: AwsAccountId
• Required: No

Not supported. Use IP permissions instead.

to_port

• Type: Int(-1..=65535)
• Required: No

Not supported. Use IP permissions instead.

destination_security_group_id

• Type: SecurityGroupId
• Required: No

The ID of the destination security group.

Enum Values

ip_protocol (IpProtocol)

Shorthand formats: tcp or IpProtocol.tcp

Attribute Reference

security_group_rule_id

• Type: SecurityGroupRuleId

aws.ec2.security_group_ingress

CloudFormation Type: AWS::EC2::SecurityGroupIngress

Describes a security group rule.

Example

let vpc = aws.ec2.vpc {
  cidr_block = "10.0.0.0/16"

  tags = {
    Environment = "example"
  }
}

let sg = aws.ec2.security_group {
  group_name  = "carina-example-sg-ingress"
  description = "SG for ingress rule example"
  vpc_id      = vpc.vpc_id

  tags = {
    Environment = "example"
  }
}

let ingress = aws.ec2.security_group_ingress {
  group_id    = sg.group_id
  description = "Allow HTTPS from VPC"
  ip_protocol = tcp
  from_port   = 443
  to_port     = 443
  cidr_ip     = "10.0.0.0/16"
}

Argument Reference

cidr_ip

• Type: Ipv4Cidr
• Required: No

The IPv4 address range, in CIDR format. Amazon Web Services canonicalizes IPv4 and IPv6 CIDRs. For example, if you specify 100.68.0.18/18 for the CIDR block, Amazon Web Services canonicalizes the CIDR block to 100.68.0.0/18. Any subsequent DescribeSecurityGroups and DescribeSecurityGroupRules calls will return the canonicalized form of the CIDR block. Additionally, if you attempt to add another rule with the non-canonical form of the CIDR (such as 100.68.0.18/18) and there is already a rule for the canonicalized form of the CIDR block (such as 100.68.0.0/18), the API throws an duplicate rule error. To specify an IPv6 address range, use IP permissions instead. To specify multiple rules and descriptions for the rules, use IP permissions instead.

cidr_ipv6

• Type: Ipv6Cidr
• Required: No

The IPv6 CIDR range.

description

• Type: String
• Required: No

The security group rule description.

from_port

• Type: Int(-1..=65535)
• Required: No

If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP, this is the ICMP type or -1 (all ICMP types). To specify multiple rules and descriptions for the rules, use IP permissions instead.

group_id

• Type: SecurityGroupId
• Required: No

The ID of the security group.

group_name

• Type: String
• Required: No

[Default VPC] The name of the security group. For security groups for a default VPC you can specify either the ID or the name of the security group. For security groups for a nondefault VPC, you must specify the ID of the security group.

ip_protocol

• Type: Enum (IpProtocol)
• Required: Yes

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). To specify all protocols, use -1. To specify icmpv6, use IP permissions instead. If you specify a protocol other than one of the supported values, traffic is allowed on all ports, regardless of any ports that you specify. To specify multiple rules and descriptions for the rules, use IP permissions instead.

source_prefix_list_id

• Type: PrefixListId
• Required: No

The ID of the source prefix list.

source_security_group_name

• Type: String
• Required: No

[Default VPC] The name of the source security group. The rule grants full ICMP, UDP, and TCP access. To create a rule with a specific protocol and port range, specify a set of IP permissions instead.

source_security_group_owner_id

• Type: AwsAccountId
• Required: No

The Amazon Web Services account ID for the source security group, if the source security group is in a different account. The rule grants full ICMP, UDP, and TCP access. To create a rule with a specific protocol and port range, use IP permissions instead.

to_port

• Type: Int(-1..=65535)
• Required: No

If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes). To specify multiple rules and descriptions for the rules, use IP permissions instead.

source_security_group_id