AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.
Resource type identifiers always take the following form:
service-provider::service-name::data-type-name
You can find an updated list here
Pseudo Parameters

Pseudo Parameter | Description |
---|---|
AWS::AccountId | 12-digit AWS account |
AWS::NoValue | Use in conditionals |
AWS::Region | Deployment region |
AWS::StackId | ARN of the current stack |
AWS::StackName | Name of the current stack |

Common Intrinsic Fn

Function | Description |
---|---|
!FindInMap [ Map, TopLevelKey, SecondLevelKey ] | Returns values of keys in 2-level map declared in Mappings section |
!GetAtt a.Arn | Get Arn attribute of resource a in this stack |
!ImportValue a | Reference export a from another stack |
!Join [':',['a','b']] | Produces 'a:b' |
!Ref a | Get value of parameter or resource a in this stack |
!Select ['1',['a','b']] | Produces 'b' |
!Split [ ':', 'a:b' ] | Produces ['a', 'b'] |
!Sub 'a-${b}' | Inject the value of b into a string |

You can’t nest the shorthand YAML functions. You must write Fn::ImportValue: !Sub "${a}-b", not !ImportValue !Sub "${a}-b".

Resource Type | Ref | GetAtt |
---|---|---|
Alexa::ASK::Skill | Id | |
AWS::AmazonMQ::Broker | Id | AmqpEndpoints, Arn, ConfigurationId, ConfigurationRevision, IpAddresses, MqttEndpoints, OpenWireEndpoints, StompEndpoints, WssEndpoints |
AWS::AmazonMQ::Configuration | Id | Arn, Id, Revision |
AWS::AmazonMQ::ConfigurationAssociation | Id | |
AWS::Amplify::App | – | AppId, AppName, Arn, DefaultDomain |
AWS::Amplify::Branch | – | Arn, BranchName |
AWS::Amplify::Domain | – | Arn, CertificateRecord, DomainName, DomainStatus, StatusReason |
AWS::ApiGateway::Account | Id | |
AWS::ApiGateway::ApiKey | Id | |
AWS::ApiGateway::Authorizer | Id | |
AWS::ApiGateway::BasePathMapping | – | |
AWS::ApiGateway::ClientCertificate | Name | |
AWS::ApiGateway::Deployment | Id | |
AWS::ApiGateway::DocumentationPart | Id | |
AWS::ApiGateway::DocumentationVersion | – | |
AWS::ApiGateway::DomainName | DomainName | DistributionDomainName, DistributionHostedZoneId, RegionalDomainName, RegionalHostedZoneId |
AWS::ApiGateway::GatewayResponse | – | |
AWS::ApiGateway::Method | Id | |
AWS::ApiGateway::Model | Name | |
AWS::ApiGateway::RequestValidator | Id | |
AWS::ApiGateway::Resource | Id | |
AWS::ApiGateway::RestApi | Id | RootResourceId |
AWS::ApiGateway::Stage | Name | |
AWS::ApiGateway::UsagePlan | Id | |
AWS::ApiGateway::UsagePlanKey | – | |
AWS::ApiGateway::VpcLink | Id | |
AWS::ApiGatewayV2::Api | Id | |
AWS::ApiGatewayV2::ApiMapping | Id | |
AWS::ApiGatewayV2::Authorizer | Id | |
AWS::ApiGatewayV2::Deployment | Id | |
AWS::ApiGatewayV2::DomainName | DomainName | RegionalDomainName, RegionalHostedZoneId |
AWS::ApiGatewayV2::Integration | Id | |
AWS::ApiGatewayV2::IntegrationResponse | Id | |
AWS::ApiGatewayV2::Model | Id | |
AWS::ApiGatewayV2::Route | Id | |
AWS::ApiGatewayV2::RouteResponse | Id | |
AWS::ApiGatewayV2::Stage | Name | |
AWS::ApplicationAutoScaling::ScalableTarget | Id | |
AWS::ApplicationAutoScaling::ScalingPolicy | Arn | |
AWS::AppMesh::Mesh | Arn | Arn, MeshName, Uid |
AWS::AppMesh::Route | Arn | Arn, MeshName, Uid, VirtualRouterName |
AWS::AppMesh::VirtualNode | Arn | Arn, MeshName, Uid, VirtualNodeName |
AWS::AppMesh::VirtualRouter | Arn | Arn, MeshName, Uid, VirtualRouterName |
AWS::AppMesh::VirtualService | Arn | Arn, MeshName, Uid, VirtualServiceName |
AWS::AppSync::ApiKey | Arn | ApiKey, Arn |
AWS::AppSync::DataSource | Arn | DataSourceArn, Name |
AWS::AppSync::FunctionConfiguration | Arn | DataSourceName, FunctionArn, FunctionId, Name |
AWS::AppSync::GraphQLApi | Arn | ApiId, Arn, GraphQLUrl |
AWS::AppSync::GraphQLSchema | Id | |
AWS::AppSync::Resolver | Arn | FieldName, ResolverArn, TypeName |
AWS::Athena::NamedQuery | Name | |
AWS::AutoScaling::AutoScalingGroup | Name | |
AWS::AutoScaling::LaunchConfiguration | Name | |
AWS::AutoScaling::LifecycleHook | Name | |
AWS::AutoScaling::ScalingPolicy | Arn | |
AWS::AutoScaling::ScheduledAction | Name | |
AWS::AutoScalingPlans::ScalingPlan | Arn | |
AWS::Backup::BackupPlan | Id | BackupPlanArn, BackupPlanId, VersionId |
AWS::Backup::BackupSelection | Id | BackupPlanId, SelectionId |
AWS::Backup::BackupVault | Name | BackupVaultArn, BackupVaultName |
AWS::Batch::ComputeEnvironment | Arn | |
AWS::Batch::JobDefinition | Arn | |
AWS::Batch::JobQueue | Arn | |
AWS::Budgets::Budget | Name | |
AWS::CertificateManager::Certificate | Arn | |
AWS::CloudFormation::CustomResource | – | |
AWS::CloudFormation::Macro | Name | |
AWS::CloudFormation::Stack | Id | |
AWS::CloudFormation::WaitCondition | Name | Data |
AWS::CloudFormation::WaitConditionHandle | – | |
AWS::CloudFront::CloudFrontOriginAccessIdentity | OriginAccessIdentity | S3CanonicalUserId |
AWS::CloudFront::Distribution | Id | DomainName |
AWS::CloudFront::StreamingDistribution | Id | DomainName |
AWS::CloudTrail::Trail | Name | Arn, SnsTopicArn |
AWS::CloudWatch::Alarm | Name | Arn |
AWS::CloudWatch::AnomalyDetector | – | |
AWS::CloudWatch::Dashboard | Name | |
AWS::CodeBuild::Project | Name | Arn |
AWS::CodeCommit::Repository | Id | Arn, CloneUrlHttp, CloneUrlSsh, Name |
AWS::CodeDeploy::Application | Name | |
AWS::CodeDeploy::DeploymentConfig | Name | |
AWS::CodeDeploy::DeploymentGroup | Name | |
AWS::CodePipeline::CustomActionType | Name | |
AWS::CodePipeline::Pipeline | Name | Version |
AWS::CodePipeline::Webhook | Name | Url |
AWS::Cognito::IdentityPool | Id | Name |
AWS::Cognito::IdentityPoolRoleAttachment | Id | |
AWS::Cognito::UserPool | Id | Arn, ProviderName, ProviderURL |
AWS::Cognito::UserPoolClient | Id | |
AWS::Cognito::UserPoolGroup | Name | |
AWS::Cognito::UserPoolUser | Name | |
AWS::Cognito::UserPoolUserToGroupAttachment | Id | |
AWS::Config::AggregationAuthorization | Arn | |
AWS::Config::ConfigRule | Name | Arn, Compliance.Type, ConfigRuleId |
AWS::Config::ConfigurationAggregator | Name | |
AWS::Config::ConfigurationRecorder | Name | |
AWS::Config::DeliveryChannel | Name | |
AWS::Config::RemediationConfiguration | RemediationAction | |
AWS::DataPipeline::Pipeline | Id | |
AWS::DAX::Cluster | Name | Arn, ClusterDiscoveryEndpoint |
AWS::DAX::ParameterGroup | Name | |
AWS::DAX::SubnetGroup | Name | |
AWS::DLM::LifecyclePolicy | Id | Arn |
AWS::DMS::Certificate | Arn | |
AWS::DMS::Endpoint | Arn | ExternalId |
AWS::DMS::EventSubscription | Name | |
AWS::DMS::ReplicationInstance | Arn | ReplicationInstancePrivateIpAddresses, ReplicationInstancePublicIpAddresses |
AWS::DMS::ReplicationSubnetGroup | Name | |
AWS::DMS::ReplicationTask | Arn | |
AWS::DocDB::DBCluster | DBClusterIdentifier | ClusterResourceId, Endpoint, Port, ReadEndpoint |
AWS::DocDB::DBClusterParameterGroup | Name | |
AWS::DocDB::DBInstance | Name | Endpoint, Port |
AWS::DocDB::DBSubnetGroup | Name | |
AWS::DynamoDB::Table | Name | Arn, StreamArn |
AWS::EC2::CapacityReservation | Id | AvailabilityZone, AvailableInstanceCount, InstanceType, Tenancy, TotalInstanceCount |
AWS::EC2::ClientVpnAuthorizationRule | – | |
AWS::EC2::ClientVpnEndpoint | Id | |
AWS::EC2::ClientVpnRoute | – | |
AWS::EC2::ClientVpnTargetNetworkAssociation | Id | |
AWS::EC2::CustomerGateway | Id | |
AWS::EC2::DHCPOptions | Name | |
AWS::EC2::EC2Fleet | Id | |
AWS::EC2::EgressOnlyInternetGateway | Id | |
AWS::EC2::EIP | ElasticIpAddress | AllocationId |
AWS::EC2::EIPAssociation | Name | |
AWS::EC2::FlowLog | Id | |
AWS::EC2::Host | Id | |
AWS::EC2::Instance | Id | AvailabilityZone, PrivateDnsName, PrivateIp, PublicDnsName, PublicIp |
AWS::EC2::InternetGateway | Name | |
AWS::EC2::LaunchTemplate | Id | DefaultVersionNumber, LatestVersionNumber |
AWS::EC2::NatGateway | Name | |
AWS::EC2::NetworkAcl | Name | |
AWS::EC2::NetworkAclEntry | Name | |
AWS::EC2::NetworkInterface | Name | PrimaryPrivateIpAddress, SecondaryPrivateIpAddresses |
AWS::EC2::NetworkInterfaceAttachment | Name | |
AWS::EC2::NetworkInterfacePermission | Name | |
AWS::EC2::PlacementGroup | Name | |
AWS::EC2::Route | Id | |
AWS::EC2::RouteTable | Id | |
AWS::EC2::SecurityGroup | Name | GroupId, VpcId |
AWS::EC2::SecurityGroupEgress | RuleName | |
AWS::EC2::SecurityGroupIngress | – | |
AWS::EC2::SpotFleet | Id | |
AWS::EC2::Subnet | Id | AvailabilityZone, Ipv6CidrBlocks, NetworkAclAssociationId, VpcId |
AWS::EC2::SubnetCidrBlock | CidrBlock | |
AWS::EC2::SubnetNetworkAclAssociation | Id | AssociationId |
AWS::EC2::SubnetRouteTableAssociation | Id | |
AWS::EC2::TransitGateway | Id | |
AWS::EC2::TransitGatewayAttachment | Name | |
AWS::EC2::TransitGatewayRoute | Name | |
AWS::EC2::TransitGatewayRouteTable | Name | |
AWS::EC2::TransitGatewayRouteTableAssociation | Id | |
AWS::EC2::TransitGatewayRouteTablePropagation | RouteTableId | |
AWS::EC2::Volume | Name | |
AWS::EC2::VolumeAttachment | – | |
AWS::EC2::VPC | Id | CidrBlock, CidrBlockAssociations, DefaultNetworkAcl, DefaultSecurityGroup, Ipv6CidrBlocks |
AWS::EC2::VPCCidrBlock | CidrBlock | |
AWS::EC2::VPCDHCPOptionsAssociation | Id | |
AWS::EC2::VPCEndpoint | Id | CreationTimestamp, DnsEntries, NetworkInterfaceIds |
AWS::EC2::VPCEndpointConnectionNotification | Id | |
AWS::EC2::VPCEndpointService | Id | |
AWS::EC2::VPCEndpointServicePermissions | Id | |
AWS::EC2::VPCGatewayAttachment | Id | |
AWS::EC2::VPCPeeringConnection | Id | |
AWS::EC2::VPNConnection | Id | |
AWS::EC2::VPNConnectionRoute | Id | |
AWS::EC2::VPNGateway | Id | |
AWS::EC2::VPNGatewayRoutePropagation | VpnGatewayId | |
AWS::ECR::Repository | Name | Arn |
AWS::ECS::Cluster | Name | Arn |
AWS::ECS::Service | Arn | Name |
AWS::ECS::TaskDefinition | Arn | |
AWS::EFS::FileSystem | Id | |
AWS::EFS::MountTarget | Id | IpAddress |
AWS::EKS::Cluster | Name | Arn, CertificateAuthorityData, Endpoint |
AWS::ElastiCache::CacheCluster | Name | ConfigurationEndpoint.Address, ConfigurationEndpoint.Port, RedisEndpoint.Address, RedisEndpoint.Port |
AWS::ElastiCache::ParameterGroup | Name | |
AWS::ElastiCache::ReplicationGroup | Name | ConfigurationEndPoint.Address, ConfigurationEndPoint.Port, PrimaryEndPoint.Address, PrimaryEndPoint.Port, ReadEndPoint.Addresses, ReadEndPoint.Addresses.List, ReadEndPoint.Ports, ReadEndPoint.Ports.List |
AWS::ElastiCache::SecurityGroup | Name | |
AWS::ElastiCache::SecurityGroupIngress | Name | |
AWS::ElastiCache::SubnetGroup | Name | |
AWS::ElasticBeanstalk::Application | Name | |
AWS::ElasticBeanstalk::ApplicationVersion | Name | |
AWS::ElasticBeanstalk::ConfigurationTemplate | Name | |
AWS::ElasticBeanstalk::Environment | Name | EndpointURL |
AWS::ElasticLoadBalancing::LoadBalancer | Name | CanonicalHostedZoneName, CanonicalHostedZoneNameID, DNSName, SourceSecurityGroup.GroupName, SourceSecurityGroup.OwnerAlias |
AWS::ElasticLoadBalancingV2::Listener | Arn | |
AWS::ElasticLoadBalancingV2::ListenerCertificate | – | |
AWS::ElasticLoadBalancingV2::ListenerRule | Arn | |
AWS::ElasticLoadBalancingV2::LoadBalancer | Arn | CanonicalHostedZoneID, DNSName, LoadBalancerFullName, LoadBalancerName, SecurityGroups |
AWS::ElasticLoadBalancingV2::TargetGroup | Arn | LoadBalancerArns, TargetGroupFullName, TargetGroupName |
AWS::Elasticsearch::Domain | Name | Arn, DomainArn, DomainEndpoint |
AWS::EMR::Cluster | Id | MasterPublicDNS |
AWS::EMR::InstanceFleetConfig | InstanceFleetId | |
AWS::EMR::InstanceGroupConfig | InstanceGroupId | |
AWS::EMR::SecurityConfiguration | Name | |
AWS::EMR::Step | Id | |
AWS::Events::EventBus | Name | Arn, Name, Policy |
AWS::Events::EventBusPolicy | Id | |
AWS::Events::Rule | Id | Arn |
AWS::Glue::Classifier | Name | |
AWS::Glue::Connection | Name | |
AWS::Glue::Crawler | Name | |
AWS::Glue::Database | Name | |
AWS::Glue::DataCatalogEncryptionSettings | – | |
AWS::Glue::DevEndpoint | Name | |
AWS::Glue::Job | Name | |
AWS::Glue::Partition | Name | |
AWS::Glue::SecurityConfiguration | – | |
AWS::Glue::Table | Name | |
AWS::Glue::Trigger | Name | |
AWS::GuardDuty::Detector | Id | |
AWS::GuardDuty::Filter | Name | |
AWS::GuardDuty::IPSet | Id | |
AWS::GuardDuty::Master | AccountId | |
AWS::GuardDuty::Member | AccountId | |
AWS::GuardDuty::ThreatIntelSet | Id | |
AWS::IAM::AccessKey | AccessKeyId | SecretAccessKey |
AWS::IAM::Group | Name | Arn |
AWS::IAM::InstanceProfile | Name | Arn |
AWS::IAM::ManagedPolicy | Arn | |
AWS::IAM::Policy | Name | |
AWS::IAM::Role | Name | Arn, RoleId |
AWS::IAM::ServiceLinkedRole | – | |
AWS::IAM::User | UserName | Arn |
AWS::IAM::UserToGroupAddition | Name | |
AWS::Inspector::AssessmentTarget | – | Arn |
AWS::Inspector::AssessmentTemplate | – | Arn |
AWS::Inspector::ResourceGroup | – | Arn |
AWS::IoT::Certificate | Id | Arn |
AWS::IoT::Policy | Name | Arn |
AWS::IoT::PolicyPrincipalAttachment | – | |
AWS::IoT::Thing | Name | |
AWS::IoT::ThingPrincipalAttachment | – | |
AWS::IoT::TopicRule | Name | Arn |
AWS::IoT1Click::Device | Arn | Arn, DeviceId, Enabled |
AWS::IoT1Click::Placement | Id | PlacementName, ProjectName |
AWS::IoT1Click::Project | Arn | Arn, ProjectName |
AWS::IoTAnalytics::Channel | – | |
AWS::IoTAnalytics::Dataset | – | |
AWS::IoTAnalytics::Datastore | – | |
AWS::IoTAnalytics::Pipeline | – | |
AWS::IoTEvents::DetectorModel | Name | |
AWS::IoTEvents::Input | Name | |
AWS::IoTThingsGraph::FlowTemplate | Urn | |
AWS::Kinesis::Stream | Name | Arn |
AWS::Kinesis::StreamConsumer | ConsumerArn | ConsumerARN, ConsumerCreationTimestamp, ConsumerName, ConsumerStatus, StreamARN |
AWS::KinesisAnalytics::Application | – | |
AWS::KinesisAnalytics::ApplicationOutput | – | |
AWS::KinesisAnalytics::ApplicationReferenceDataSource | – | |
AWS::KinesisAnalyticsV2::Application | – | |
AWS::KinesisAnalyticsV2::ApplicationCloudWatchLoggingOption | – | |
AWS::KinesisAnalyticsV2::ApplicationOutput | – | |
AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource | – | |
AWS::KinesisFirehose::DeliveryStream | Name | Arn |
AWS::KMS::Alias | Name | |
AWS::KMS::Key | Id | Arn |
AWS::Lambda::Alias | Arn | |
AWS::Lambda::EventSourceMapping | Name | |
AWS::Lambda::Function | Name | Arn |
AWS::Lambda::LayerVersion | Arn | |
AWS::Lambda::LayerVersionPermission | Arn | |
AWS::Lambda::Permission | – | |
AWS::Lambda::Version | Arn | Version |
AWS::Logs::Destination | Name | Arn |
AWS::Logs::LogGroup | Name | Arn |
AWS::Logs::LogStream | Name | |
AWS::Logs::MetricFilter | – | |
AWS::Logs::SubscriptionFilter | Name | |
AWS::RDS::DBCluster | Name | Endpoint.Address, Endpoint.Port, ReadEndpoint.Address |
AWS::RDS::DBClusterParameterGroup | Name | |
AWS::RDS::DBInstance | Name | Endpoint.Address, Endpoint.Port |
AWS::RDS::DBParameterGroup | Name | |
AWS::RDS::DBSecurityGroup | Name | |
AWS::RDS::DBSecurityGroupIngress | DBSecurityGroup | |
AWS::RDS::DBSubnetGroup | Name | |
AWS::RDS::EventSubscription | Name | |
AWS::RDS::OptionGroup | Name | |
AWS::Route53::HealthCheck | HealthCheckId | |
AWS::Route53::HostedZone | HostedZoneId | NameServers |
AWS::Route53::RecordSet | DomainName | |
AWS::Route53::RecordSetGroup | Name | |
AWS::Route53Resolver::ResolverEndpoint | ResolverEndpoint | Arn, Direction, HostVPCId, IpAddressCount, Name, ResolverEndpointId |
AWS::Route53Resolver::ResolverRule | ResolverRule | Arn, DomainName, ResolverEndpointId, ResolverRuleId, TargetIps |
AWS::Route53Resolver::ResolverRuleAssociation | ResolverRuleAssociationId | Name, ResolverRuleAssociationId, ResolverRuleId, VPCId |
AWS::S3::Bucket | Name | Arn, DomainName, DualStackDomainName, RegionalDomainName, WebsiteURL |
AWS::SageMaker::CodeRepository | Arn | CodeRepositoryName |
AWS::SageMaker::Endpoint | Arn | EndpointName |
AWS::SageMaker::EndpointConfig | Arn | EndpointConfigName |
AWS::SageMaker::Model | Arn | ModelName |
AWS::SageMaker::NotebookInstance | Arn | NotebookInstanceName |
AWS::SageMaker::NotebookInstanceLifecycleConfig | Arn | NotebookInstanceLifecycleConfigName |
AWS::SecretsManager::ResourcePolicy | Arn | |
AWS::SecretsManager::RotationSchedule | Arn | |
AWS::SecretsManager::Secret | Arn | |
AWS::SecretsManager::SecretTargetAttachment | Arn | |
AWS::ServiceDiscovery::HttpNamespace | Id | Arn, Id |
AWS::ServiceDiscovery::Instance | Id | |
AWS::ServiceDiscovery::PrivateDnsNamespace | Id | Arn, Id |
AWS::ServiceDiscovery::PublicDnsNamespace | Id | Arn, Id |
AWS::ServiceDiscovery::Service | Id | Arn, Id, Name |
AWS::SES::ConfigurationSet | Name | |
AWS::SES::ConfigurationSetEventDestination | | |
AWS::SES::ReceiptFilter | | |
AWS::SES::ReceiptRule | Name | |
AWS::SES::ReceiptRuleSet | Name | |
AWS::SES::Template | | |
AWS::SNS::Topic | Arn | TopicName |
AWS::SQS::Queue | QueueURL | Arn, QueueName |
AWS::SSM::Association | | |
AWS::SSM::Document | Name | |
AWS::SSM::MaintenanceWindow | Id | |
AWS::SSM::MaintenanceWindowTarget | Id | |
AWS::SSM::MaintenanceWindowTask | Id | |
AWS::SSM::Parameter | Name | Type, Value |
AWS::SSM::PatchBaseline | Id | |
AWS::SSM::ResourceDataSync | Name | |
AWS::StepFunctions::Activity | Arn | Name |
AWS::StepFunctions::StateMachine | Arn | Name |
AWS::Transfer::Server | Id | Arn, ServerId |
AWS::Transfer::User | UserName | Arn, ServerId, UserName |
AWS::WAF::ByteMatchSet | Id | |
AWS::WAF::IPSet | Id | |
AWS::WAF::Rule | Id | |
AWS::WAF::SizeConstraintSet | Id | |
AWS::WAF::SqlInjectionMatchSet | Id | |
AWS::WAF::WebACL | Name | |
AWS::WAF::XssMatchSet | Id | |
AWS::WAFRegional::ByteMatchSet | Id | |
AWS::WAFRegional::GeoMatchSet | Id | |
AWS::WAFRegional::IPSet | Id | |
AWS::WAFRegional::RateBasedRule | Id | |
AWS::WAFRegional::RegexPatternSet | Id | |
AWS::WAFRegional::Rule | Id | |
AWS::WAFRegional::SizeConstraintSet | Id | |
AWS::WAFRegional::SqlInjectionMatchSet | Id | |
AWS::WAFRegional::WebACL | Name | |
AWS::WAFRegional::WebACLAssociation |