A quick guide I put together for myself showing AWS Console parameters and how they map across to CloudFormation properties. This is useful if you’re moving away from using the AWS console and click-ops and starting to use CloudFormation.
Table Legend
Table text in bold – Recommended values to be set
Table text strikethrough – Backward compatibility only (do not use for new implementations)
AWS CloudFormation Documentation
CloudFormation can and does change so refer to the following CloudFormation User guide links for latest info on EC2 and RDS properties:
EC2 – https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html
RDS – https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_RDS.html
EC2 CLOUDFORMATION TEMPLATE
AWS::EC2::VPC
Specifies a VPC with the specified IPv4 CIDR block. The smallest VPC you can create uses a /28 netmask (16 IPv4 addresses), and the largest uses a /16 netmask (65,536 IPv4 addresses). For more information about how large to make your VPC, see Your VPC and Subnets in the Amazon Virtual Private Cloud User Guide.
AWS Console Parameters | Property | Property Type |
VPC name (this is a Tag) | Tags | List of Tag |
IPv4 CIDR block | CidrBlock | String |
Edit DNS Host Names (Actions menu dropdown) | EnableDnsHostnames | Boolean |
Edit DNS Resolution (Actions menu dropdown) | EnableDnsSupport | Boolean |
Tenancy[1] | InstanceTenancy | String |
Name tag – optional | Tags | List of Tag |
AWS::EC2::Subnet
Specifies a subnet for a VPC. When you create each subnet, you provide the VPC ID and IPv4 CIDR block for the subnet. After you create a subnet, you can’t change its CIDR block. The size of the subnet’s IPv4 CIDR block can be the same as a VPC’s IPv4 CIDR block, or a subset of a VPC’s IPv4 CIDR block. If you create more than one subnet in a VPC, the subnets’ CIDR blocks must not overlap. The smallest IPv4 subnet (and VPC) you can create uses a /28 netmask (16 IPv4 addresses), and the largest uses a /16 netmask (65,536 IPv4 addresses).
AWS Console Parameters | Property | Property Type |
Subnet name (this is a Tag) | Tags | List of Tag |
VPC ID | VpcId | String |
IPv4 CIDR block | CidrBlock | String |
IPv6 CIDR block | AssignIpv6AddressOnCreation | Boolean |
Availability Zone | AvailabilityZone | String |
Modify auto-assign IP settings (Actions menu dropdown) | MapPublicIpOnLaunch | Boolean |
Not available in AWS console | OutpostArn | String |
Name tag – optional | Tags | List of Tag |
AWS::EC2::RouteTable
Specifies a route table for a specified VPC. After you create a route table, you can add routes and associate the table with a subnet. For more information, see Route Tables in the Amazon Virtual Private Cloud User Guide.
AWS Console Parameters | Property | Property Type |
Name Tag | Tags | List of Tag |
VPC ID | VpcId | String |
AWS::EC2::SubnetRouteTableAssociation
Associates a subnet with a route table. The subnet and route table must be in the same VPC. This association causes traffic originating from the subnet to be routed according to the routes in the route table. A route table can be associated with multiple subnets.
AWS Console Parameters | Property | Property Type |
Route Table > Subnet Associations > Edit Subnet Associations | RouteTableId | String |
Select subnets as required from above console location | SubnetId | String |
AWS::EC2::InternetGateway
Allocates an internet gateway for use with a VPC. After creating the Internet gateway, you then attach it to a VPC.
AWS Console Parameters | Property | Property Type |
Name Tag (the name of the Internet Gateway) | Tags | List of Tag |
Name tag – optional | Tags | List of Tag |
AWS::EC2::VPCGatewayAttachment
Attaches an internet gateway, or a virtual private gateway to a VPC, enabling connectivity between the internet and the VPC.
AWS Console Parameters | Property | Property Type |
Internet Gateways > Attach to VPC | InternetGatewayId[2] | String |
VPC ID | VpcId | String |
Not available in AWS console | VpnGatewayId | String |
AWS::EC2::Route
Specifies a route in a route table within a VPC. You must specify either DestinationCidrBlock or DestinationIpv6CidrBlock, plus the ID of one of the target resources.
AWS Console Parameters | Property | Property Type |
Carrier Gateways | CarrierGatewayId | String |
Route Tables > Edit Routes > Destination | DestinationCidrBlock | String |
Route Tables > Edit Routes > Destination | DestinationIpv6CidrBlock | String |
Route Tables > Edit Routes > Target | EgressOnlyInternetGatewayId | String |
Route Tables > Edit Routes > Target | GatewayId | String |
Route Tables > Edit Routes > Target | InstanceId | String |
Route Tables > Edit Routes > Target | LocalGatewayId | String |
Route Tables > Edit Routes > Target | NatGatewayId | String |
Route Tables > Edit Routes > Target | NetworkInterfaceId | String |
Route Tables > Edit Routes (the route table being edited) | RouteTableId | String |
Route Tables > Edit Routes > Target | TransitGatewayId | String |
Route Tables > Edit Routes > Target | VpcEndpointId | String |
Route Tables > Edit Routes > Target | VpcPeeringConnectionId | String |
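The following template is an added example, not part of the original guide, that ties the EC2 tables above together: one VPC, one public subnet, a route table with its subnet association, an internet gateway with its attachment, and a default route. Resource names, CIDR ranges and tag values are assumed sample values; every property used is one listed in the tables above.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - VPC, subnet, route table, IGW and default route.

Resources:
  # AWS::EC2::VPC - console "IPv4 CIDR block", "Edit DNS Host Names",
  # "Edit DNS Resolution" and "Tenancy"; the VPC name is only a tag.
  DemoVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16          # assumed sample range (/16 is the largest allowed)
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: demo-vpc

  # AWS::EC2::Subnet - console "VPC ID", "IPv4 CIDR block", "Availability Zone"
  # and "Modify auto-assign IP settings".
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref DemoVpc
      CidrBlock: 10.0.1.0/24          # assumed; must lie inside the VPC CIDR
      AvailabilityZone: !Select [0, !GetAZs ""]   # first AZ of the deployment region
      MapPublicIpOnLaunch: false      # keep auto-assign off; give instances public IPs deliberately
      Tags:
        - Key: Name
          Value: demo-public-subnet

  # AWS::EC2::RouteTable - console "VPC ID" plus a Name tag.
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref DemoVpc
      Tags:
        - Key: Name
          Value: demo-public-rt

  # AWS::EC2::SubnetRouteTableAssociation - console "Edit Subnet Associations".
  PublicSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet

  # AWS::EC2::InternetGateway - only a Name tag is set in the console.
  DemoIgw:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: demo-igw

  # AWS::EC2::VPCGatewayAttachment - console "Internet Gateways > Attach to VPC".
  # Footnote [2]: InternetGatewayId or VpnGatewayId, never both.
  IgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref DemoVpc
      InternetGatewayId: !Ref DemoIgw

  # AWS::EC2::Route - console "Edit Routes > Destination / Target".
  # DependsOn matters: EC2 rejects a route whose gateway is not attached yet.
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: IgwAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref DemoIgw

Outputs:
  VpcId:
    Value: !Ref DemoVpc
  PublicSubnetId:
    Value: !Ref PublicSubnet
```

Deploy with `aws cloudformation deploy --template-file vpc.yaml --stack-name demo-vpc`. The one thing the console hides from you is ordering: clicking "Attach to VPC" before adding a route happens naturally by hand, whereas in a template the explicit DependsOn on the route is what prevents an intermittent "route table ... gateway not attached" failure.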
RDS CLOUDFORMATION TEMPLATE
Mapping of AWS RDS Console parameters to CloudFormation Resources – Property/Property Type. For users new to AWS, note that the VPC the DB instance resides in is not referenced directly; it is implied by the SubnetIds property of AWS::RDS::DBSubnetGroup.
AWS::RDS::DBSubnetGroup
The AWS::RDS::DBSubnetGroup resource creates a database subnet group. Subnet groups must contain at least two subnets in two different Availability Zones in the same region.
AWS Console Parameters | Property | Property Type |
Name | DBSubnetGroupName | String |
Description | DBSubnetGroupDescription | String |
Subnets | SubnetIds | String |
AWS::RDS::DBInstance
The AWS::RDS::DBInstance resource creates an Amazon RDS DB instance. Console rows with an empty Property column are toggles that have no property of their own.
AWS Console Parameters | Property | Property Type |
Engine type | Engine | String |
Engine version | EngineVersion | String |
Database instance identifier[3] | DBInstanceIdentifier | String |
Master username | MasterUsername | String |
Auto generate a password | | |
Master password | MasterUserPassword | String |
DB Instance class | DBInstanceClass | String |
Storage type[4] | StorageType | String |
Allocated Storage (in GiB)[5] | AllocatedStorage | String |
Provisioned IOPS | Iops | Integer |
Enable storage autoscaling | | |
Maximum storage threshold | MaxAllocatedStorage | Integer |
Multi-AZ deployment | MultiAZ | Boolean |
VPC | | |
DB Subnet group[6] | DBSubnetGroupName | String |
Backward compatibility only (strikethrough in the original)[7] | DBSecurityGroups | List of String |
Public access | PubliclyAccessible | Boolean |
VPC security group | VPCSecurityGroups | String |
Availability Zone | AvailabilityZone | String |
Database port | Port | String |
Initial database name[8] | DBName | String |
DB parameter group – default.mariadb10.4 | DBParameterGroupName | String |
Option group – default:mariadb-10-4 | OptionGroupName | String |
Backup – Enable automatic backups | | |
Backup retention period | BackupRetentionPeriod | Integer |
Backup window[9] | PreferredBackupWindow | String |
Copy tags to snapshots | CopyTagsToSnapshot | Boolean |
Enable encryption | StorageEncrypted | Boolean |
Encryption master key (default is aws/rds) | KmsKeyId | String |
Enable Performance Insights | | |
Performance Insights – Retention period | PerformanceInsightsRetentionPeriod | Integer |
Performance Insights – Master key | PerformanceInsightsKMSKeyId | String |
Enable Enhanced monitoring[10] | | |
Monitoring Granularity[11] | MonitoringInterval | Integer |
Monitoring Role | MonitoringRoleArn | String |
[1] The allowed tenancy of instances launched into the VPC. “default”: An instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch. “dedicated”: An instance launched into the VPC is a Dedicated Instance by default, unless you explicitly specify a tenancy of host during instance launch. You cannot specify a tenancy of default during instance launch. Allowed values: dedicated | default | host
[2] You must specify either InternetGatewayId or VpnGatewayId, but not both.
[3] Note – This is not the name of the database, but the name of the Database instance
[4] Valid values: standard | gp2 | io1. The standard value is also known as magnetic. If you specify io1, you must also include a value for the Iops parameter. Default: io1 if the Iops parameter is specified, otherwise standard
[5] Constraints to the amount of storage for each storage type are the following – General Purpose (SSD) storage (gp2): Must be an integer from 20 to 65536. Provisioned IOPS storage (io1): Must be an integer from 100 to 65536. Magnetic storage (standard): Must be an integer from 5 to 3072.
[6] A DB subnet group to associate with the DB instance. If you update this value, the new subnet group must be a subnet group in a new VPC. If there’s no DB subnet group, then the DB instance isn’t a VPC DB instance.
[7] The DBSecurityGroups property exists only for backwards compatibility with older regions and is no longer recommended for providing security information to an RDS DB instance. Instead, use VPCSecurityGroups.
[8] The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance.
[9] Must be in the format hh24:mi-hh24:mi. Must be in Universal Coordinated Time (UTC). Must not conflict with the preferred maintenance window. Must be at least 30 minutes.
[10] Enhanced Monitoring uses an agent on the RDS instance rather than reading from the hypervisor; the metrics are stored in CloudWatch Logs at $0.50/GB (us-east-1 pricing).
[11] If MonitoringRoleArn is specified, then you must also set MonitoringInterval to a value other than 0. Valid Values: 0, 1, 5, 10, 15, 30, 60.