4. Resources Meta Descriptions - epam/aws-syndicate GitHub Wiki
For each supported resource type, this guide contains the command used to generate the meta, the JSON meta generated by the CLI command, and examples.
Keep in mind that some resources are co-dependent, so pay attention to PRECONDITIONS/LINKED RESOURCES sections below descriptions.
Useful links contain detailed instructions on resource management, so feel free to check them out.
syndicate generate lambda
- --name (string) [REQUIRED, MULTIPLE] - The lambda function name.
- --runtime (java|nodejs|python|dotnet) [REQUIRED] - Lambda's runtime. If multiple lambda names are specified, the runtime will be applied to all lambdas.
- --project_path (string) - Path to the project folder. Default value: the one from the current config if it exists. Otherwise, the current working directory.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
{
"version": "string",
"name": "string",
"lambda_path": "string",
"func_name": "string",
"resource_type": "string",
"iam_arn_role": "string",
"runtime": "nodejs"|"nodejs4.3"|"nodejs6.10"|"nodejs8.10"|"nodejs10.x"|"nodejs12.x"|"nodejs14.x"|"nodejs16.x"|"java8"|"java8.al2"|"java11"|"python2.7"|"python3.6"|"python3.7"|"python3.8"|"python3.9"|"dotnet8"|"nodejs4.3-edge"|"nodejs18.x"|"python3.10"|"java17"|"python3.11"|"nodejs20.x"|"python3.12"|"java21",
"memory": 123,
"timeout": 123,
"architectures": ["x86_64"|"arm64"],
"logs_expirations": 1|3|5|7|14|30|60|90|120|150|180|365|400|545|731|1827|3653,
"deployment_package": "string",
"max_concurrency": 123,
"provisioned_concurrency": {
"qualifier": "ALIAS"|"VERSION",
"value": 123
},
"dependencies": [
{
"resource_type": "string",
"resource_name": "string"
}
],
"event_sources": [
{
"resource_type": "s3_trigger",
"target_bucket": "string",
"s3_events": [
"s3:ReducedRedundancyLostObject"|"s3:ObjectCreated:*"|"s3:ObjectCreated:Put"|"s3:ObjectCreated:Post"|"s3:ObjectCreated:Copy"|"s3:ObjectCreated:CompleteMultipartUpload"|"s3:ObjectRemoved:*"|"s3:ObjectRemoved:Delete"|"s3:ObjectRemoved:DeleteMarkerCreated"
],
"filter_rules": [
{
"Name": "prefix"|"suffix",
"Value": "string"
}
]
},
{
"resource_type": "sqs_trigger",
"target_queue": "string",
"batch_size": 123,
"batch_window": 123,
"function_response_types": ["ReportBatchItemFailures"]
},
{
"resource_type": "dynamodb_trigger",
"target_table": "string",
"batch_size": 123,
"function_response_types": ["ReportBatchItemFailures"]
},
{
"resource_type": "cloudwatch_rule_trigger",
"target_rule": "string"
},
{
"resource_type": "sns_topic_trigger",
"target_topic": "string",
"region": "all"|["us-east-1"|"us-east-2"|"us-west-1"|"us-west-2"|"eu-west-1"|"eu-west-2"|"eu-west-3"|"eu-central-1"|"ca-central-1"|"ap-south-1"|"ap-southeast-1"|"ap-southeast-2"|"ap-northeast-1"|"ap-northeast-2"|"eu-north-1"]
},
{
"resource_type": "kinesis_trigger",
"target_stream": "string",
"batch_size": 123,
"starting_position": "LATEST"|"TRIM_HORIZON"|"AT_TIMESTAMP",
"function_response_types": ["ReportBatchItemFailures"]
}
],
"env_variables": {
"string": "string"|{
"resource_name": "string",
"resource_type": "string",
"parameter": "string"
}
},
"subnet_ids": ["string"],
"security_group_ids": ["string"],
"tracing_mode": "Active"|"PassThrough",
"publish_version": true|false,
"alias": "string",
"dl_resource_type": "sns"|"sqs",
"dl_resource_name": "string",
"layers": ["string"],
"url_config": {
"auth_type": "NONE"|"AWS_IAM",
"cors": {
"allow_credentials": true|false,
"allow_headers": ["string"],
"allow_methods": ["string"],
"allow_origins": ["string"],
"expose_headers": ["string"],
"max_age": 123
},
"principal": "string",
"source_arn": "string"
},
"ephemeral_storage": 123,
"max_retries": 123,
"platforms": ["string"],
"tags": {
"key": "value"
}
}
- version (string) - Lambda version. Used at artifact build. Required for Python runtime.
- name (string) - Name of the Lambda. Required for Python runtime.
- lambda_path (string) - The relative path to the Lambda handler within the Python project. Required for Python runtime.
- func_name (string) [REQUIRED] - Function handler name.
- resource_type (string) [REQUIRED] - Resource type.
- iam_arn_role (string) [REQUIRED] - Lambda execution role name.
- runtime (string) [REQUIRED] - Lambda execution environment.
- memory (int) [REQUIRED] - Lambda memory.
- timeout (int) [REQUIRED] - The function execution time at which Lambda should terminate the function.
- architectures (list) - The function processor architecture.
- logs_expirations (int) - Lambda logs retention in days. If this parameter is not specified, the CloudWatch log group will not be created automatically.
- deployment_package (string) - Name of the artifact. The parameter is required for Java. Example: component.jar
- max_concurrency (int) - Maximum number of simultaneous executions for Lambda function.
- provisioned_concurrency (dict) - Concurrency configuration applied to Lambda function.
  - qualifier (string) - Accepted values:
    - ALIAS - provisioned concurrency configuration will be set to the function alias. Target alias for the configuration will be obtained from field 'alias' of lambda meta.
    - VERSION - provisioned concurrency configuration will be applied to the function version. Target version is published one from the $LATEST.
  - value (string) - Value of provisioned concurrency executions that will be applied to the function.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- event_sources (list) - List of dicts that describe Lambda triggers.
  - resource_type (string) - Resource type of the trigger. Triggers by types:
    - DynamoDB trigger
      - resource_type (string) [REQUIRED] - Resource type - dynamodb_trigger.
      - target_table (string) [REQUIRED] - Name of the table to be triggered by.
      - batch_size (int) [REQUIRED] - Count of entities to process during one Lambda call.
      - function_response_types (list) - A list of current response type enums applied to the event source mapping.
    - CloudWatch Rule trigger
      - resource_type (string) [REQUIRED] - Resource type - cloudwatch_rule_trigger.
      - target_rule (string) [REQUIRED] - CloudWatch rule name.
    - S3 event trigger
      - resource_type (string) [REQUIRED] - Resource type - s3_trigger.
      - target_bucket (string) [REQUIRED] - Name of the S3 bucket.
      - s3_events (list) [REQUIRED] - List of the s3 events.
      - filter_rules (list) - List of the object key filters by prefix or suffix.
        - Name (string) - Type of the filter.
        - Value (string) - Value of the filter.
    - SNS topic trigger
      - resource_type (string) [REQUIRED] - Resource type - sns_topic_trigger.
      - target_topic (string) [REQUIRED] - The name of the SNS topic to which the Lambda is subscribed.
      - region (string) - The name of the region in which the topic is deployed.
    - Kinesis stream trigger
      - resource_type (string) [REQUIRED] - Resource type - kinesis_trigger.
      - target_stream (string) [REQUIRED] - Name of the Kinesis stream.
      - batch_size (int) [REQUIRED] - The quantity of the entries processed in one Lambda call.
      - starting_position (string) [REQUIRED] - The position at which the entry processing starts.
      - function_response_types (list) - A list of current response type enums applied to the event source mapping.
    - SQS trigger
      - resource_type (string) [REQUIRED] - Resource type - sqs_trigger.
      - target_queue (string) [REQUIRED] - Name of the SQS queue.
      - batch_size (int) [REQUIRED] - The quantity of entries processed during one Lambda call.
      - batch_window (int) - The maximum amount of time, in seconds, that Lambda spends gathering records before invoking the function. For streams and Amazon SQS event sources, when you set batch_size to a value greater than 10, batch_window must be set to at least 1.
      - function_response_types (list) - A list of current response type enums applied to the event source mapping.
- env_variables (dict) - Map of the environment variables. Value can be either of string or dict type:
  - <variable_name> (str) - Static environment variable format.
  - <variable_name> (dict) - Dynamic environment variable format to extract value from existing resource parameter.
    Note: Don't forget to include the resource you are getting the value from in the lambda dependencies (if needed).
    - resource_name (str) [REQUIRED] - Resource name
    - resource_type (str) [REQUIRED] - Resource type
    - parameter (str) [REQUIRED] - Resource parameter name

    Examples of dynamic environment variable definition:

    Cognito user pool ID as lambda environment variable value:
    "demo_cup_id": { "resource_name": "demo_cup", "resource_type": "cognito_idp", "parameter": "id" }

    Cognito user pool client ID as lambda environment variable value:
    "demo_cup_id": { "resource_name": "demo_cup", "resource_type": "cognito_idp", "parameter": "client_id" }

    RDS DB cluster endpoint as lambda environment variable value:
    "demo_db_endpoint": { "resource_name": "demo_cluster", "resource_type": "rds_db_cluster", "parameter": "endpoint|reader_endpoint" }

    RDS DB cluster master user secret name as lambda environment variable value:
    "demo_db_endpoint": { "resource_name": "demo_cluster", "resource_type": "rds_db_cluster", "parameter": "master_user_secret_name" }
- subnet_ids (list) - A list of VPC subnet IDs. Required parameter to connect lambda function to a VPC.
- security_group_ids (list) - A list of VPC security groups IDs. Required parameter to connect lambda function to a VPC.
- tracing_mode (string) - Set Mode to Active to sample and trace a subset of incoming requests with X-Ray.
- publish_version (boolean) - Publishes the first version of the function during creation if the parameter is set to true.
- alias (string) - Alias name that is a pointer to a function version.
- dl_resource_type (string) - Set Amazon SQS queue or Amazon SNS topic for a dead-letter queue. Must be specified with the dl_resource_name parameter.
- dl_resource_name (string) - SQS queue name or SNS topic name. Must be specified with the dl_resource_type parameter.
- layers (list) - A list of function layer names to add to the function's execution environment.
- url_config (dict) - Lambda URL configuration.
  - auth_type (string) - The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint with a function URL.
  - principal (string) - Required for AWS_IAM auth type. Principal which will be applied to lambda's resource-based-policy.
  - source_arn (string) - Required for AWS_IAM auth type. Source ARN which will be applied to lambda's resource-based-policy.
  - cors (list) - Contains information about CORS.
    - allow_credentials (boolean) - Whether to allow cookies or other credentials in requests to your function URL. The default is false.
    - allow_headers (list) - The HTTP headers that origins can include in requests to your function URL. For example: Date, Keep-Alive, X-Custom-Header.
    - allow_methods (list) - The HTTP methods that are allowed when calling your function URL. For example: GET, POST, DELETE, or the wildcard character (*).
    - allow_origins (list) - The origins that can access your function URL. You can list any number of specific origins, separated by a comma. For example: https://www.example.com, http://localhost:60905. Alternatively, you can grant access to all origins using the wildcard character (*).
    - expose_headers (list) - The HTTP headers in your function response that you want to expose to origins that call your function URL. For example: Date, Keep-Alive, X-Custom-Header.
    - max_age (int) - The maximum amount of time, in seconds, that web browsers can cache results of a preflight request. By default, this is set to 0, which means that the browser doesn’t cache results.
- ephemeral_storage (int) - The size of the function’s /tmp directory in MB. The default value is 512, but can be any whole number between 512 and 10240 MB.
- max_retries (int) - The maximum number of times to retry when the asynchronously configured function returns an error. Default value is 2.
- platforms (list) - Specific for python runtime - the platforms for which the lambda source code should be compiled. Example: manylinux2014_x86_64. If not specified, the sources will be compiled in accordance with the platform on which the command is executed. The possible platform options should be the same as those specified in the official Python documentation.
- tags (dict) - The resource tags.
syndicate generate lambda_layer
- --name (string) [REQUIRED] - Lambda layer name.
- --runtime (java|nodejs|python|dotnet) [REQUIRED] - Lambda layer runtime.
- --link_with_lambda (string) [REQUIRED, MULTIPLE] - Lambda function name to link the layer with.
- --project_path (string) - Path to the project folder. Default value: the one from the current config if it exists. Otherwise, the current working directory.
{
"name": "string",
"resource_type": "lambda_layer",
"runtimes": ["nodejs"|"nodejs4.3"|"nodejs6.10"|"nodejs8.10"|"nodejs10.x"|"nodejs12.x"|"nodejs14.x"|"nodejs16.x"|"java8"|"java8.al2"|"java11"|"python2.7"|"python3.6"|"python3.7"|"python3.8"|"python3.9"|"dotnet8"|"nodejs4.3-edge"|"nodejs18.x"|"python3.10"|"java17"|"python3.11"|"nodejs20.x"|"python3.12"|"java21"],
"architectures": ["x86_64"|"arm64"],
"deployment_package": "string",
"custom_packages": ["string"]
}
- name (string) [REQUIRED] - Name of the layer.
- resource_type (string) [REQUIRED] - Resource type - lambda_layer.
- runtimes (list) [REQUIRED] - A list of compatible function runtimes.
- architectures (list) - A list of compatible instruction set architectures.
- deployment_package (string) [REQUIRED] - Deployment package name of the layer. For example: lambda_layer.zip.
- custom_packages (string) [Applicable only for runtime dotnet] - A list of file names with the layer custom NuGet packages. Files with custom packages (.nupkg) have to be placed in the layer root directory.
syndicate generate meta dynamodb
- --resource_name (string) [REQUIRED] - DynamoDB table name.
- --hash_key_name (string) [REQUIRED] - DynamoDB table hash key.
- --hash_key_type (S|N|B) [REQUIRED] - DynamoDB hash key type.
- --sort_key_name (string) - DynamoDB sort key. If not specified, the table will have only a hash key.
- --sort_key_type (S|N|B) - DynamoDB sort key type. Required if sort key name is specified.
- --read_capacity (int) - The maximum number of strongly consistent reads that can be performed per second. If not specified, sets the default value to 1.
- --write_capacity (int) - The maximum number of writing processes consumed per second. If not specified, sets the default value to 1.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"name": {
"resource_type": "dynamodb_table",
"hash_key_name": "string",
"hash_key_type": "[S|N|B]",
"sort_key_name": "string",
"sort_key_type": "[S|N|B]",
"read_capacity": 123,
"write_capacity": 123,
"global_indexes": [
{}, {}
],
"autoscaling": [
{}, {}
],
"external": true,
"ttl_attribute_name": "string",
"stream_view_type": "[NEW_IMAGE|OLD_IMAGE|NEW_AND_OLD_IMAGES|KEYS_ONLY]",
"dependencies": [
{
"resource_type": "string",
"resource_name": "string"
}
],
"tags": {
"key": "value"
}
}
- resource_type (string) [REQUIRED] - Table name.
- hash_key_name (string) [REQUIRED] - Table hash key.
- hash_key_type (S|N|B) [REQUIRED] - Hash key type.
- sort_key_name (string) - Table sort key. If not specified, the table will have only a hash key.
- sort_key_type (S|N|B) - Table sort key type.
- read_capacity (int) - The maximum number of strongly consistent reads that can be performed per second. If not specified, sets the default value to 1.
- write_capacity (int) - The maximum number of writing processes consumed per second. If not specified, sets the default value to 1.
- global_indexes (list) - Table indexes. May contain several objects.
- autoscaling (list) - Table autoscaling configuration.
- external (bool) - Mark of an external AWS resource. Syndicate doesn't try to create external resources. Instead, it checks if such resources exist and their metadata match. To force syndicate to clean external resources, use the --clean_external flag.
- ttl_attribute_name (string) - The name of the TTL attribute used to store the expiration time for items in the table.
- stream_view_type (NEW_IMAGE|OLD_IMAGE|NEW_AND_OLD_IMAGES|KEYS_ONLY) - The settings for DynamoDB Streams on the table. When an item in the table is modified, stream_view_type determines what information is written to the table’s stream. Valid values are:
  - KEYS_ONLY - Only the key attributes of the modified item are written to the stream.
  - NEW_IMAGE - The entire item, as it appears after it was modified, is written to the stream.
  - OLD_IMAGE - The entire item, as it appeared before it was modified, is written to the stream.
  - NEW_AND_OLD_IMAGES - Both the new and the old item images of the item are written to the stream.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Resource type: DynamoDB Global Secondary Index (for previously generated DynamoDB Table)
syndicate generate meta dynamodb_global_index
- --table_name (string) [REQUIRED] - DynamoDB table name to add index to.
- --name (string) [REQUIRED] - Index name.
- --index_key_name (string) [REQUIRED] - Index hash key.
- --index_key_type (S|N|B) [REQUIRED] - Hash key index type.
- --index_sort_key_name (string) - Index sort key.
- --index_sort_key_type (S|N|B) - Sort key type.
"table_name": {
...
"global_indexes": [
{
"name": "string",
"index_key_name": "string",
"index_key_type": "[S|N|B]",
"index_sort_key_name": "string",
"index_sort_key_type": "[S|N|B]"
}
]
}
- name (string) [REQUIRED] - Index name.
- index_key_name (string) [REQUIRED] - Index hash key name.
- index_key_type (S|N|B) [REQUIRED] - Hash key index type.
- index_sort_key_name (string) - Index sort key name.
- index_sort_key_type (S|N|B) - Index sort key type.
Linked resources:
dynamodb_table: 4.2.1 Dynamo DB table
Resource type: DynamoDB Autoscaling (for previously generated DynamoDB Table)
syndicate generate meta dynamodb_autoscaling
- --table_name (string) [REQUIRED] - DynamoDB table name to add autoscaling to.
- --policy_name (string) [REQUIRED] - Autoscaling policy name.
- --min_capacity (int) - Minimum capacity level. If not specified, sets the default value to 1.
- --max_capacity (int) - Maximum capacity level. If not specified, sets the default value to 10.
- --target_utilization (int) - Target utilization in autoscaling. If not specified, sets the default value to 70%.
- --scale_in_cooldown (int) - Scale-in cooldown of the scaling policy, in seconds. If not specified, sets the default value to 60.
- --scale_out_cooldown (int) - Scale-out cooldown of the scaling policy, in seconds. If not specified, sets the default value to 60.
- --dimension (string) - Autoscaling dimension. If not specified, sets the default value to 'dynamodb:table:ReadCapacityUnits'.
- --role_name (string) - The name of the role, which performs autoscaling. If not specified, sets the value to default service linked role: 'AWSServiceRoleForApplicationAutoScaling_DynamoDBTable'.
"table_name": {
...
"autoscaling": [
{
"resource_name": "string",
"role_name": "string",
"min_capacity": 123,
"max_capacity": 123,
"config": {
"policy_name": "string",
"target_utilization": 123,
"scale_in_cooldown": 123,
"scale_out_cooldown": 123
},
"dimension": "string"
}
]
}
- resource_name (string) [REQUIRED] - The name of the resource that autoscaling works with.
- role_name (string) [REQUIRED] - The name of the role, which performs autoscaling.
- min_capacity (int) [REQUIRED] - Minimum capacity level.
- max_capacity (string) [REQUIRED] - Maximum capacity level.
- config (dict) [REQUIRED] - Autoscaling configuration.
  - policy_name (string) [REQUIRED] - Autoscaling policy name.
  - target_utilization (int) [REQUIRED] - Target utilization in autoscaling.
  - scale_in_cooldown (int) [REQUIRED] - Scale-in cooldown of the scaling policy, in seconds.
  - scale_out_cooldown (int) [REQUIRED] - Scale-out cooldown of the scaling policy, in seconds.
- dimension (string) [REQUIRED] - Autoscaling dimension.
Linked resources:
dynamodb_table: 4.2.1 DynamoDB table
iam_role: 4.10 IAM Role
Example:
NOTE: Here we have a DynamoDB table description. "sort_key_name" and "sort_key_type" are not required because a table can be created without a sort key definition.
"example_table": {
"resource_type": "dynamodb_table",
"hash_key_name": "n",
"hash_key_type": "S",
"read_capacity": 5,
"write_capacity": 1,
"global_indexes": [
{
"name": "example_index",
"index_key_name": "ex_idx",
"index_key_type": "S"
}
],
"autoscaling": [
{
"resource_name": "example_table",
"min_capacity": 1,
"max_capacity": 100,
"role_name": "example_dynamodb_table_role",
"config": {
"target_utilization": 75,
"policy_name": "rcu_ex_table_policy"
},
"dimension": "dynamodb:table:ReadCapacityUnits"
},
{
"resource_name": "example_table",
"min_capacity": 1,
"max_capacity": 100,
"role_name": "example_dynamodb_table_role",
"config": {
"policy_name": "wcu_ex_table_policy",
"target_utilization": 50.0,
"scale_out_cooldown": 10,
"scale_in_cooldown": 60
},
"dimension": "dynamodb:table:WriteCapacityUnits"
},
{
"resource_name": "example_index",
"min_capacity": 1,
"max_capacity": 100,
"role_name": "example_dynamodb_table_role",
"config": {
"target_utilization": 75,
"policy_name": "rcu_example_index_policy"
},
"dimension": "dynamodb:index:ReadCapacityUnits"
},
{
"resource_name": "example_index",
"min_capacity": 1,
"max_capacity": 100,
"role_name": "example_dynamodb_table_role",
"config": {
"policy_name": "wcu_example_index_policy",
"target_utilization": 50.0
},
"dimension": "dynamodb:index:WriteCapacityUnits"
}
],
"tags": {
"project": "demo"
}
}
Resource type: CloudWatch Event Rule
syndicate generate meta cloudwatch_event_rule
- --resource_name (string) [REQUIRED] - CloudWatch event rule name.
- --rule_type (schedule|ec2|api_call) [REQUIRED] - CloudWatch event rule type.
- --expression (string) - Rule expression (cron schedule). Used only if rule_type is 'schedule'.
- --aws_service (string) - The name of AWS service which the rule listens to. Required only if rule_type is 'api_call'.
- --region (ALL|us-east-1|...|af-south-1) - The region where the rule is deployed. Default value is the one from syndicate config.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"cloudwatch_event_rule_name": {
"resource_type": "cloudwatch_rule",
"rule_type": "[schedule|ec2|api_call]",
"region": "[ALL|us-east-1|...|af-south-1]",
"expression": "string",
"instance_ids": ["string"],
"instance_states": ["string"],
"aws_service": "string",
"operations": [list],
"dependencies": [
{
"resource_type": "string",
"resource_name": "string"
}
],
"tags": {
"key": "value"
}
}
- resource_type (string) [REQUIRED] - Resource type.
- rule_type (schedule|ec2|api_call) [REQUIRED] - Rule type.
- expression (string) - Rule expression (cron schedule). Used only if rule_type is 'schedule'.
- region (string|list) - The region where the rule is deployed. If not specified ["region_name1", ..] the default value is taken from syndicate configuration.
- instance_ids (list) - The list of EC2 instances, to which the rule is bound. If not specified, the default value is set to 'any'. Used only if rule_type is 'ec2'.
- instance_states (list) - EC2 instance states, which are monitored by the rule. If not specified, the default value is set to 'any'. Used only if rule_type is 'ec2'.
- aws_service (string) - The name of the AWS service, which the rule listens to. Used only if rule_type is 'api_call'.
- operations (list) - The actions monitored by rule. If not specified, the default value is set to 'any'. Used only if rule_type is 'api_call'.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Example:
"weekly_report_event": {
"rule_type": "schedule",
"expression": "cron(0 8 ? * MON *)",
"resource_type": "cloudwatch_rule"
}
Resource type: S3 Bucket
syndicate generate meta s3_bucket
- --resource_name (string) [REQUIRED] - S3 bucket name.
- --location (us-east-1|...|af-south-1) - The region where the bucket is created. The default value is the region set in syndicate config.
- --acl (private|public-read|public-read-write|authenticated-read) - The canned ACL to be applied to the bucket. If not specified, sets the default value to 'private'.
- --block_public_acls (boolean) - Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Default value is True.
- --ignore_public_acls (boolean) - Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Default value is True.
- --block_public_policy (boolean) - Specifies whether Amazon S3 should block public bucket policies for this bucket. Default value is True.
- --restrict_public_buckets (boolean) - Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Default value is True.
- --static_website_hosting (boolean) - Specifies whether the S3 bucket should be configured for static website hosting. Default value is False.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"s3_bucket_name": {
"resource_type": "s3_bucket",
"acl": "[private|public-read|public-read-write|authenticated-read]",
"location": "string",
"cors": ["string"],
"policy": {},
"public_access_block": {
"block_public_acls": true|false,
"ignore_public_acls": true|false,
"block_public_policy": true|false,
"restrict_public_buckets": true|false
},
"LifecycleConfiguration": {},
"website_hosting": {},
"dependencies": [
{
"resource_type": "string",
"resource_name": "string"
}
],
"tags": {
"key": "value"
}
}
- resource_type (string) [REQUIRED] - Resource type.
- location (string) - The region where the bucket is created. The default value is the region set in syndicate config.
- acl (private|public-read|public-read-write|authenticated-read) - The canned ACL to be applied to the bucket.
- policy (dict) - IAM policy to be attached to the bucket.
- LifecycleConfiguration (dict) - S3 Lifecycle configuration.
- website_hosting (dict) - S3 bucket static website hosting configuration.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Example:
"${ui_bucket}": {
"policy": {
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Action": "s3:GetObject",
"Principal": "*",
"Resource": "arn:aws:s3:::{bucket_name}/*",
"Effect": "Allow",
"Sid": "1"
}
]
},
"resource_type": "s3_bucket",
"acl": "public-read",
"LifecycleConfiguration": {
"Rules": [
{
"ID": "TestId",
"Status": "Enabled",
"Expiration": {
"Days": 1825
},
"Filter": {
"Prefix": "documents/"
},
"Transitions": [
{
"Days": 365,
"StorageClass": "GLACIER"
}
]
}
]
}
}
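The bucket in the example above is readable by anyone: its canned ACL is public-read and its policy allows s3:GetObject to Principal "*". The following added example, not part of syndicate or of the original page, audits s3_bucket entries of a deployment resources dict for that kind of exposure and downgrades a finding when the matching public_access_block flag neutralises it; function names and severity labels are assumptions, and the sample input reproduces the page's example without its lifecycle rules.

```python
# Added example: audit syndicate s3_bucket meta for public exposure.
# Function names and severity labels are hypothetical, not syndicate's API.
PUBLIC_ACLS = {"public-read", "public-read-write",
               "authenticated-read"}  # last one: any authenticated AWS user
PAB_FLAGS = ("block_public_acls", "ignore_public_acls",
             "block_public_policy", "restrict_public_buckets")


def is_wildcard_principal(principal):
    """True for "*", {"AWS": "*"} and {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def audit_s3_bucket(name, meta):
    """Return (severity, message) findings for one s3_bucket meta entry."""
    findings = []
    pab = meta.get("public_access_block") or {}
    for flag in PAB_FLAGS:
        if pab.get(flag) is False:
            findings.append(("MEDIUM", f"{name}: public_access_block.{flag} is false"))

    acl = meta.get("acl")
    if acl in PUBLIC_ACLS:
        # ignore_public_acls makes S3 disregard public ACLs on the bucket.
        sev = "INFO" if pab.get("ignore_public_acls") is True else "HIGH"
        findings.append((sev, f"{name}: acl {acl} grants access beyond the bucket owner"))

    statements = (meta.get("policy") or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            sev = "REVIEW"  # the condition may or may not narrow access
        elif pab.get("restrict_public_buckets") is True:
            sev = "INFO"
        else:
            sev = "HIGH"
        findings.append((sev, f"{name}: statement {stmt.get('Sid', '?')} allows "
                              f"{stmt.get('Action')} to any principal"))
    return findings


def audit_resources(resources):
    """Audit every s3_bucket entry of a deployment resources dict."""
    findings = []
    for name, meta in resources.items():
        if meta.get("resource_type") == "s3_bucket":
            findings += audit_s3_bucket(name, meta)
    return findings


# The page's example bucket, lifecycle configuration omitted.
PAGE_EXAMPLE = {
    "${ui_bucket}": {
        "policy": {
            "Version": "2012-10-17",
            "Id": "PolicyForCloudFrontPrivateContent",
            "Statement": [{
                "Action": "s3:GetObject",
                "Principal": "*",
                "Resource": "arn:aws:s3:::{bucket_name}/*",
                "Effect": "Allow",
                "Sid": "1",
            }],
        },
        "resource_type": "s3_bucket",
        "acl": "public-read",
    }
}

if __name__ == "__main__":
    for severity, message in audit_resources(PAGE_EXAMPLE):
        print(severity, message)
```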
Resource type: API Gateway
syndicate generate meta api_gateway
- --resource_name (string) [REQUIRED] - API gateway name.
- --deploy_stage (string) [REQUIRED] - The stage to deploy the API.
- --minimum_compression_size (int) - Compression size for API gateway. If not specified, compression will be disabled.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"api_gateway_name": {
"resource_type": "api_gateway",
"deploy_stage": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"authorizers": [],
"resources": {},
"minimum_compression_size": int,
"cluster_cache_configuration": {
"policy_statement_singleton": true|false,
"cache_enabled": true|false,
"cache_size": float,
"cache_ttl_sec": int,
"encrypt_cache_data": true|false
},
"cluster_throttling_configuration": {
"throttling_enabled": true|false,
"throttling_rate_limit": float,
"throttling_burst_limit": int
},
"logging_configuration": {
"logging_enabled": true|false,
"log_level": "INFO|ERROR",
"data_tracing": true|false,
"detailed_metrics": true|false
},
"tags": {
"key": "value"
}
}
- resource_type (string) [REQUIRED] - Resource type.
- deploy_stage (string) [REQUIRED] - The stage of the deployed API.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- resources (dict) [REQUIRED] - API Gateway resources configuration.
- cluster_throttling_configuration (dict) - The stage throttling configuration.
- cluster_cache_configuration (dict) - The stage cache configuration.
- logging_configuration (dict) - The stage logging configuration.
  - logging_enabled (boolean) - Determines whether logging to CloudWatch is enabled.
  - log_level (INFO|ERROR) - Logging level.
  - data_tracing (boolean) - Determines whether data trace logging is enabled.
  - detailed_metrics (boolean) - Determines whether detailed metrics generation is enabled.
- tags (dict) - The resource tags.
Linked resources:
api_gateway_resource: 4.5.2 API Gateway Resource
Resource type: API Gateway Custom Authorizer
syndicate generate meta api_gateway_authorizer
- --api_name (string) [REQUIRED] - API gateway name to add authorizer to.
- --name (string) [REQUIRED] - Authorizer name.
- --type (COGNITO_USER_POOLS|TOKEN|REQUEST) [REQUIRED] - Authorizer type. 'TOKEN' for a Lambda function using a single authorization token submitted in a custom header, 'REQUEST' for a Lambda function using incoming request parameters, and 'COGNITO_USER_POOLS' for using an Amazon Cognito user pool.
- --provider_name (string) [REQUIRED] - Identity provider name.
"authorizers": {
"authorizer_name": {
"type": "[COGNITO_USER_POOLS|TOKEN|REQUEST]",
"identity_source": "string",
"ttl": int,
"user_pools": [],
"lambda_name": "string",
"lambda_alias": "string"
}
}
- authorizer_name (string) [REQUIRED] - Authorizer name.
- type (COGNITO_USER_POOLS|TOKEN|REQUEST) [REQUIRED] - Authorizer type. 'TOKEN' for a Lambda function using a single authorization token submitted in a custom header, 'REQUEST' for a Lambda function using incoming request parameters, and 'COGNITO_USER_POOLS' for using an Amazon Cognito user pool.
- identity_source (string) [REQUIRED] - The identity source for which authorization is requested.
- ttl (int) - The TTL in seconds of cached authorizer results. If it equals 0, authorization caching is disabled.
- user_pools (list) - List of Cognito User Pools names. Applicable if 'type' is 'COGNITO_USER_POOLS'.
- lambda_name (string) - The name of the lambda authorizer. Applicable if 'type' is 'TOKEN' or 'REQUEST'.
- lambda_alias (string) - The name of the lambda authorizer alias. Applicable if 'type' is 'TOKEN' or 'REQUEST'.
Precondition: API Gateway and Cognito User Pool resources should be previously specified.
Linked resources: api_gateway: 4.5.1 API Gateway, cognito_idp: 4.14.1 Cognito User Pools
Resource type: API Gateway Resource (path)
syndicate generate meta api_gateway_resource
- --api_name (string) [REQUIRED] - API gateway name to add resource to.
- --path (string) [REQUIRED] - Resource path to create.
- --enable_cors (boolean) - Enables CORS on the resource method. If not specified, sets the default value to False.
"resources": {
"path": {
"enable_cors": true|false
}
}
-
path (string) - The name of the path.
-
enable_cors (boolean) - Enables CORS on the resource methods.
Resource type: API Gateway Resource Method
syndicate generate meta api_gateway_resource_method
-
--api_name
(string) [REQUIRED] - API gateway name to add method to. -
--path
(string) [REQUIRED] - Resource path to add the method to. -
--method
(POST|GET|DELETE|PUT|HEAD|PATCH|ANY) [REQUIRED] - Resource method to add. -
--integration_type
(string) - The resource which the method is connected to: [lambda|service|http|mock]. If not specified, sets the default value to 'mock'. -
--lambda_name
(string) Lambda name. Required if integration type is lambda. -
--lambda_region
(us-east-1|...|af-south-1) - The region where the lambda is located. If not specified, sets the default value from syndicate config. -
--authorization_type
(NONE|AWS_IAM|CUSTOM) The method's authorization type. If not specified, sets the default value to 'NONE'. -
--authorizer_name
(string) - The method's authorizer name. Can be used only with '--authorization_type' 'CUSTOM'. -
--api_key_required
(boolean) - Specifies whether the method requires a valid API key. If not specified, the default value is set to False.
"POST|GET|DELETE|PUT|HEAD|PATCH|ANY": {
"authorization_type": "[NONE|AWS_IAM|CUSTOM]",
"integration_type": "string",
"api_key_required": true|false,
"method_request_parameters": {},
"integration_request_body_template": {},
"responses": [],
"integration_responses": [],
"default_error_pattern": true|false,
"method_request_models": {},
"request_validator": {},
"uri": "string",
"lambda_name": "string",
"lambda_region": "string",
"enable_proxy": true|false,
"cache_configuration": {
"cache_ttl_sec": int,
"encrypt_cache_data": true|false
},
"throttling_configuration": {
"throttling_enabled": true|false,
"throttling_rate_limit": float,
"throttling_burst_limit": int
},
"logging_configuration": {
"logging_enabled": true|false,
"log_level": "INFO|ERROR",
"data_tracing": true|false,
"detailed_metrics": true|false
},
"binary_media_types": []
}
-
authorization_type (NONE|AWS_IAM|CUSTOM) - The method's authorization type (default value is 'NONE').
-
integration_type (string) - The resource to which the method is connected [lambda|service|http|mock].
-
api_key_required (boolean) - Specifies whether the method requires a valid ApiKey (the default value is set to 'false').
-
method_request_parameters (dict) - A key-value map defining required or optional method request parameters that can be accepted by API Gateway. A key defines a method request parameter name matching the pattern method.request.{location}.{name}, where location is query string, path, or header and name is a valid and unique parameter name. The value associated with the key is a Boolean flag indicating whether the parameter is required (true) or optional (false). Not required (is not set).
-
integration_request_body_template (map) - Represents a map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client (is not set).
-
responses (list) - Method responses (sets default response with '200' status code).
-
integration_responses (list) - Integration method responses (sets the default response with '200' status code and without Lambda regex).
-
default_error_pattern (boolean) - Not required (if you did not specify integration_responses and responses, you can choose default).
-
method_request_models (map) - Specifies the Model resources used for the request's content type - not required (is not set).
-
request_validator (map) - A key-value map for creating a request validator. If no name is specified, standard names are used.
-
uri (string) - Uniform Resource Identifier (URI) of the integration endpoint. Required if integration type is service.
-
lambda_name (string) - Lambda name. Required if integration type is lambda.
-
lambda_region (string) - The region where the lambda is created. The default value is the region set in syndicate config.
-
enable_proxy (boolean) - If enabled API Gateway directly passes the incoming request from the client as an event object to the Lambda function. Applicable only if integration_type is Lambda.
-
cache_configuration (map) - The method cache configuration.
-
throttling_configuration (map) - The method throttling configuration
-
logging_configuration (map) - The stage logging configuration
-
logging_enabled (boolean) - Determines whether logging to CloudWatch is enabled
-
log_level (INFO|ERROR) - Logging level
-
data_tracing (boolean) - Determines whether data trace logging is enabled
-
detailed_metrics (boolean) - Determines whether detailed metrics generation is enabled
-
-
binary_media_types (list) - Used to specify a list of MIME types that are treated as binary types by the API Gateway.
Precondition: The API Gateway resources and methods should be specified for the API Gateway deployment
Linked resources:
api_gateway_resource: 4.5.2 API Gateway Resource
api_gateway_resource_method: 4.5.3 API Gateway Resource method
"api_name": {
"deploy_stage": "dev",
"resource_type": "api_gateway,
"cluster_cache_configuration": {
"policy_statement_singleton": true|false,
"cache_enabled": true|false,
"cache_size": float,
"cache_ttl_sec": int,
"encrypt_cache_data": true|false
},
"cluster_throttling_configuration": {
"throttling_enabled": true|false,
"throttling_rate_limit": float,
"throttling_burst_limit": int
},
"logging_configuration": {
"logging_enabled": true|false,
"log_level": "INFO|ERROR",
"data_tracing": true|false,
"detailed_metrics": true|false
},
"dependencies": [
{
"resource_name": "lambda_name",
"resource_type": "lambda"
}
...
],
"resources": {
"/path": {
"enable_cors": true,
"POST|GET|DELETE|PUT|HEAD|PATCH|ANY":{
"authorization_type":" AWS_IAM|CUSTOM|COGNITO_USER_POOLS",
"api_key_required": true|false,
"method_request_parameters": {
"method.request.querystring.param_name": true|false
},
"method_request_models":{
"string": "string"
...
},
"cache_configuration": {
"cache_ttl_sec": int,
"encrypt_cache_data": true|false
},
"throttling_configuration": {
"throttling_enabled": true|false,
"throttling_rate_limit": float,
"throttling_burst_limit": int
},
"logging_configuration": {
"logging_enabled": true|false,
"log_level": "INFO|ERROR",
"data_tracing": true|false,
"detailed_metrics": true|false
},
"request_validator": {
"name": "string",
"validate_request_body": true|false,
"validate_request_parameters": true|false
},
"integration_type": "lambda|service|mock|http",
"uri": "region:subdomain.service|service:path|action/service_api",
"lambda_name": "name",
"enable_proxy": true|false,
"integration_request_body_template": {
"application/json": ".."
},
"integration_request_parameters": {
"integration.request.path|querystring.name": "method.request.path|querystring.param_name",
"integration.request.header.name": "..."
},
"integration_passthrough_behavior": "WHEN_NO_MATCH|WHEN_NO_TEMPLATES|NEVER",
"lambda_region": "one_of_the_aws_region",
"responses": [
{
"status_code": "status_code",
"response_parameters": {
"string": "string",
...
},
"response_models": {
"string": "string"
...
}
},
...
],
"integration_responses": [
{
"status_code": "status_code",
"lambda_error_regex": "..",
"response_parameters": {
"string": "string",
...
},
"response_templates": {
"string": "string",
...
}
},
...
]
}
}
},
"tags": {
"key": "value"
}
}
NOTE: Here we have an API Gateway description. This resource can be described in different deployment_resources.json files: one part of the API can be in one file and another part in another file. The 'resources' field can include an unlimited number of resource paths.
Example:
"syndicate-demo-api": {
"resource_type": "api_gateway",
"deploy_stage": "dev",
"cluster_cache_configuration": {
"policy_statement_singleton": true,
"cache_enabled": true,
"cache_size": 0.5,
"cache_ttl_sec": 300,
"encrypt_cache_data": true
},
"cluster_throttling_configuration": {
"throttling_enabled": true,
"throttling_rate_limit": 10000,
"throttling_burst_limit": 5000
},
"dependencies": [
{
"resource_name": "put_dynamodb_item",
"resource_type": "lambda"
}
],
"resources": {
"/notifications": {
"enable_cors": true,
"POST": {
"integration_request_body_template": {},
"authorization_type": "AWS_IAM",
"integration_type": "lambda",
"method_request_parameters": {},
"cache_configuration": {
"cache_ttl_sec": 100,
"encrypt_cache_data": true
},
"throttling_configuration": {
"throttling_enabled": false,
"throttling_rate_limit": 10002,
"throttling_burst_limit": 5002
},
"default_error_pattern": true,
"integration_passthrough_behavior": "WHEN_NO_TEMPLATES",
"lambda_name": "put_dynamodb_item"
}
}
}
}
Example of Cognito UserPool usage as an authorizer:
"syndicate-demo-api": {
"resource_type": "api_gateway",
"deploy_stage": "dev",
"authorizers": {
"authorizer": {
"type": "COGNITO_USER_POOLS",
"identity_source": "method.request.header.Authorization",
"user_pools": [
"cognito_userpool_name"
],
"ttl": 300
}
},
"resources": {
"/notifications": {
"enable_cors": false,
"GET": {
"enable_proxy": true,
"authorization_type": "authorizer",
"integration_type": "lambda",
"lambda_name": "lambda_name",
"api_key_required": false,
"method_request_parameters": {},
"integration_request_body_template": {},
"responses": [],
"integration_responses": [],
"default_error_pattern": true
}
}
}
}
Example of Lambda function usage as an authorizer:
"syndicate-demo-api": {
"resource_type": "api_gateway",
"deploy_stage": "dev",
"dependencies": [],
"authorizers": {
"authorizer": {
"type": "REQUEST",
"identity_source": "method.request.querystring.principal_id, method.request.querystring.authorization_token, context.httpMethod, context.resourcePath",
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": "lambda_authorizer_name",
"ttl": 300
}
},
"resources": {
"/notifications": {
"enable_cors": true,
"GET": {
"integration_type": "lambda",
"lambda_alias": "${lambdas_alias_name}",
"authorization_type": "authorizer",
"integration_request_body_template": {
"application/json": "#set($allParams = $input.params()){\"method\": \"$context.httpMethod\", \"path\": \"$context.resourcePath\",\"params\": {#foreach($type in $allParams.querystring.keySet())\"$type\": \"$util.escapeJavaScript($allParams.querystring.get($type))\" #if($foreach.hasNext),#end #end}, \"body_json\": $input.json('$')}"
},
"lambda_name": "booking-api"
}
}
}
}
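An added example, not part of the Syndicate project: a small audit over a deployment_resources.json structure that flags API Gateway methods left on the default 'NONE' authorization, authorization_type values that name no entry under 'authorizers', authorizers missing the fields their type needs, method caches without encrypt_cache_data, and data trace logging. The sample input is constructed; treating any authorization_type outside the listed values as an authorizer name, and a missing encrypt_cache_data as unencrypted, are assumptions drawn from the examples above.

```python
import json

# Values the page lists for authorization_type. Any other value is treated as
# the name of an entry under "authorizers" (assumption based on the examples).
BUILTIN_AUTH_TYPES = {"NONE", "AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}
HTTP_METHODS = {"POST", "GET", "DELETE", "PUT", "HEAD", "PATCH", "ANY"}

# Constructed sample in the deployment_resources.json format described above.
SAMPLE = json.loads("""
{
  "demo-api": {
    "resource_type": "api_gateway",
    "deploy_stage": "dev",
    "authorizers": {
      "authorizer": {
        "type": "COGNITO_USER_POOLS",
        "identity_source": "method.request.header.Authorization",
        "user_pools": ["cognito_userpool_name"],
        "ttl": 300
      },
      "broken": {"type": "REQUEST",
                 "identity_source": "method.request.header.Auth"}
    },
    "resources": {
      "/notifications": {
        "enable_cors": true,
        "GET": {"authorization_type": "authorizer",
                "integration_type": "lambda", "lambda_name": "lambda_name"},
        "POST": {"integration_type": "lambda", "lambda_name": "lambda_name"}
      },
      "/admin": {
        "DELETE": {"authorization_type": "admin_authorizer",
                   "integration_type": "mock"},
        "PUT": {"authorization_type": "AWS_IAM", "integration_type": "mock",
                "cache_configuration": {"cache_ttl_sec": 100,
                                        "encrypt_cache_data": false},
                "logging_configuration": {"logging_enabled": true,
                                          "data_tracing": true}}
      }
    }
  },
  "audit_stream": {"resource_type": "kinesis_stream", "shard_count": 1}
}
""")


def audit_authorizers(api_name, authorizers):
    """Check each authorizer for the fields its type depends on."""
    findings = []
    for name, cfg in authorizers.items():
        where = f"{api_name} authorizer {name}"
        if not cfg.get("identity_source"):
            findings.append((where, "MISSING_IDENTITY_SOURCE"))
        if cfg.get("type") in ("TOKEN", "REQUEST") and not cfg.get("lambda_name"):
            findings.append((where, "MISSING_LAMBDA"))
        if cfg.get("type") == "COGNITO_USER_POOLS" and not cfg.get("user_pools"):
            findings.append((where, "MISSING_USER_POOLS"))
    return findings


def audit_method(where, cfg, authorizers):
    """Check one method entry (the value under POST, GET, ...)."""
    findings = []
    auth = cfg.get("authorization_type", "NONE")  # documented default: 'NONE'
    if auth == "NONE":
        findings.append((where, "NO_AUTHORIZATION"))
    elif auth not in BUILTIN_AUTH_TYPES and auth not in authorizers:
        findings.append((where, "UNDEFINED_AUTHORIZER"))
    cache = cfg.get("cache_configuration")
    if cache and not cache.get("encrypt_cache_data", False):
        findings.append((where, "CACHE_NOT_ENCRYPTED"))
    log_cfg = cfg.get("logging_configuration", {})
    # Data trace logging writes full request and response data to CloudWatch.
    if log_cfg.get("logging_enabled") and log_cfg.get("data_tracing"):
        findings.append((where, "DATA_TRACE_ENABLED"))
    return findings


def audit_deployment_resources(resources):
    """Return (location, finding_code) pairs for every api_gateway resource."""
    findings = []
    for api_name, meta in resources.items():
        if meta.get("resource_type") != "api_gateway":
            continue
        authorizers = meta.get("authorizers", {})
        findings += audit_authorizers(api_name, authorizers)
        for path, resource in meta.get("resources", {}).items():
            for method, cfg in resource.items():
                if method in HTTP_METHODS:  # skips keys such as enable_cors
                    where = f"{api_name} {method} {path}"
                    findings += audit_method(where, cfg, authorizers)
    return findings


if __name__ == "__main__":
    for where, code in audit_deployment_resources(SAMPLE):
        print(f"{code:24} {where}")
```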
Ways to deploy API Gateway to AWS Account with Syndicate
Operation | Syndicate | OAS |
---|---|---|
CREATE | Create using Syndicate DSL (deployment resources) | Create using OAS v3 file (composed manually or via OASv3 Builders). PLEASE NOTE: API Gateway extensions for OpenAPI are required in order to configure AWS-specific authentication and integration via OAS |
UPDATE | WARNING: API Gateway can't be updated via Syndicate. The API will be deleted and created from scratch. This may break integrations with the API. To redeploy the API: update API Gateway meta in Syndicate Deployment Resources; syndicate clean; syndicate build; syndicate deploy | syndicate export (once only); update API Gateway meta in OAS file; syndicate build; syndicate update. PLEASE NOTE: The API will be updated with no recreation. |
CLEAN | syndicate clean | syndicate clean |
Recommended way: We recommend deploying API Gateway via Syndicate to simplify all integrations with Lambdas and Authorizers. Then, export the OAS file using the syndicate export command in order to provide rolling updates for your API Gateway.
API IMPORT DOC
API IMPORT IMPORTANT NOTES
INITIAL API DEFINING IN A PROJECT & TRANSITION TO OPEN API SPECIFICATION v3
Prerequisites: project is created, syndicate config is generated.
1. Generate Syndicate DSL of API Gateway
syndicate generate meta --resource_type api_gateway
syndicate generate meta --resource_type api_gateway_authorizer
syndicate generate meta --resource_type api_gateway_resource
syndicate generate meta --resource_type api_gateway_resource_method
2. Build Deployment Bundle
syndicate build
3. Deploy Bundle to AWS
syndicate deploy
4. Export OpenApi Specification
syndicate export --resource_type api_gateway --dsl oas_v3
NOTE: AWS API Gateway specific extensions are used to define the API in OAS v3, starting with "x-amazon"
5. Update Syndicate's Deployment Resources:
5.1. Remove the resource of type "api_gateway" from the project deployment_resources.json file
5.2. Add the resource of type "api_gateway_oas_v3" by placing the specification file inside the project directory. The name of the file must end with oas_v3.json
5. Update the OAS File according to the project needs
6. Build Bundle with Updates
syndicate build
7. Update Environment including API via OAS
syndicate update
Congrats, you have migrated the API definition to OAS v3!
DEPLOYING NEW ENVIRONMENT CONTAINING API DEFINITION OASv3
1. Update the OASv3 file:
1.1 In case you have Cognito - API Gateway integration in your software the following security schema must be defined in your OAS document:
{
"securitySchemes": {
"authorizer": {
"type": "apiKey",
"name": "Authorization",
"in": "header",
"x-amazon-apigateway-authtype": "cognito_user_pools",
"x-amazon-apigateway-authorizer": {
"providerARNs": [
"arn:aws:cognito-idp:$region:$account_id:userpool/$user_pool_id"
],
"type": "cognito_user_pools"
}
}
}
}
Please take a look at the 'x-amazon-apigateway-authorizer' object and its 'providerARNs' property - it contains the ARN of the target Cognito UserPool.
As you are provisioning a new environment, we assume the Cognito UserPool does not exist yet, so the actual ARN is not known. The identifier of the User Pool is the combination of the deployment region and a unique ID of the pool. That is why the ARN can't be generated before the pool is created.
In case the Cognito UserPool is also defined in the Syndicate's deployment resources file, we recommend replacing the 'providerARNs' property with the following one:
"x-syndicate-cognito-userpool-names": ["cognito_userpool_name"]
Here, we're setting up the security rules for the API Gateway when we deploy it from scratch, using an OAS file that Syndicate exported from another environment:
{
"securitySchemes": {
"authorizer": {
"type": "apiKey",
"name": "Authorization",
"in": "header",
"x-amazon-apigateway-authtype": "cognito_user_pools",
"x-amazon-apigateway-authorizer": {
"x-syndicate-cognito-userpool-names": [
"cognito_userpool_name"
],
"type": "cognito_user_pools"
}
}
}
}
During the 'syndicate deploy' command execution, Syndicate will create resources in the configured AWS Account according to defined priorities: the Cognito UserPool will be created before the API Gateway. This allows Syndicate to create the Cognito UserPool, obtain its ARN and replace the 'x-syndicate-cognito-userpool-names' property with the expected 'providerARNs' and the actual ARN of the UserPool referenced in the value.
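The 'providerARNs' replacement described above, as an added example that is not Syndicate's own code: it rewrites the Cognito authorizers of an exported OAS document to reference user pools by their Syndicate resource name and fails if a pool has no known name. The sample document and ARN are constructed, the function names and the pool-ID-to-name mapping are hypothetical, and the schemes are assumed to sit under the standard OAS 3 location components.securitySchemes.

```python
import copy
import re

# Format shown above: arn:aws:cognito-idp:$region:$account_id:userpool/$user_pool_id
USERPOOL_ARN = re.compile(
    r"^arn:aws[\w-]*:cognito-idp:[^:]+:[^:]+:userpool/(?P<pool_id>[^/]+)$")

# Constructed sample: the relevant part of an exported OAS v3 document.
# The ARN is a made-up value in the documented format.
EXPORTED_OAS = {
    "openapi": "3.0.1",
    "components": {"securitySchemes": {"authorizer": {
        "type": "apiKey",
        "name": "Authorization",
        "in": "header",
        "x-amazon-apigateway-authtype": "cognito_user_pools",
        "x-amazon-apigateway-authorizer": {
            "providerARNs": [
                "arn:aws:cognito-idp:eu-west-1:111111111111:"
                "userpool/eu-west-1_EXAMPLE01"
            ],
            "type": "cognito_user_pools",
        },
    }}},
}


def make_portable(oas, pool_names):
    """Return (copy_of_oas, changed_scheme_names).

    pool_names maps a user pool ID from the source environment to the name of
    the Cognito UserPool resource in the Syndicate deployment resources.
    """
    result = copy.deepcopy(oas)  # never modify the exported file in place
    changed = []
    schemes = result.get("components", {}).get("securitySchemes", {})
    for scheme_name, scheme in schemes.items():
        authorizer = scheme.get("x-amazon-apigateway-authorizer", {})
        if authorizer.get("type") != "cognito_user_pools":
            continue
        arns = authorizer.get("providerARNs")
        if arns is None:
            continue  # already portable or not ARN-based
        names = []
        for arn in arns:
            match = USERPOOL_ARN.match(arn)
            if not match or match["pool_id"] not in pool_names:
                # Refuse to guess: an unmapped pool would leave the new API
                # bound to the source environment's user pool.
                raise ValueError(f"{scheme_name}: no pool name for {arn!r}")
            names.append(pool_names[match["pool_id"]])
        del authorizer["providerARNs"]
        authorizer["x-syndicate-cognito-userpool-names"] = names
        changed.append(scheme_name)
    return result, changed


def remaining_userpool_arns(node):
    """Recursively collect Cognito user pool ARNs still present in a document."""
    if isinstance(node, dict):
        return [a for v in node.values() for a in remaining_userpool_arns(v)]
    if isinstance(node, list):
        return [a for v in node for a in remaining_userpool_arns(v)]
    if isinstance(node, str) and USERPOOL_ARN.match(node):
        return [node]
    return []


if __name__ == "__main__":
    portable, changed = make_portable(
        EXPORTED_OAS, {"eu-west-1_EXAMPLE01": "cognito_userpool_name"})
    print("rewritten schemes:", changed)
    print("user pool ARNs left:", remaining_userpool_arns(portable))
```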
1.2 If you have tags, you can specify them in your OAS document by including them as top-level key-value pairs:
{
"openapi": "3.0.1",
// ...
"x-syndicate-openapi-tags": {
"key1": "value1",
"key2": "value2"
}
}
NOTE: Syndicate API Gateway specific extensions are used to define the API in OAS v3, starting with "x-syndicate..."
NOTE: The export command:
syndicate export --resource_type api_gateway --dsl oas_v3
supports "x-syndicate-openapi-tags"
1.3 Build the bundle
syndicate build
1.4 Deploy the app
syndicate deploy
Resource type: SNS Topic
syndicate generate meta sns_topic
-
--resource_name
(string) [REQUIRED] - SNS topic name. -
--region
(ALL|us-east-1|...|af-south-1) [REQUIRED] - The region where the topic should be deployed. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"topic_name": {
"resource_type": "sns_topic",
"region": "string",
"event_sources": [],
"dependencies": [
{
"resource_type": "string",
"resource_name": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
region (string) - The region where the rule is deployed. If not specified ["region_name1", ..] the default value is taken from syndicate config.
-
event_sources (list) - List of event source configurations.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
"stackAuditTopic": {
"region": "all",
"resource_type": "sns_topic",
"event_sources": [
{
"target_rule": "rule_name",
"resource_type": "cloudwatch_rule_trigger"
}
]
}
Resource type: CloudWatch Alarms
syndicate generate meta cloudwatch_alarm
-
--resource_name
(string) [REQUIRED] - Cloudwatch alarm name. -
--metric_name
(string) [REQUIRED] - The metric's name. -
--namespace
(string) [REQUIRED] - The namespace for the metric associated with the alarm. -
--description
(string) - The description for the alarm. -
--period
(int) - The period in seconds over which the specified statistic is applied. Valid values are 10, 30, and any multiple of 60. Default value is 1200. -
--evaluation_periods
(int) - The number of periods over which data is compared to the specified threshold. Default value is 1. -
--threshold
(float) - The value to compare with the specified statistic. Default value is 1.0. -
--comparison_operator
( GreaterThanOrEqualToThreshold|GreaterThanThreshold|LessThanThreshold|LessThanOrEqualToThreshold|LessThanLowerOrGreaterThanUpperThreshold|LessThanLowerThreshold|GreaterThanUpperThreshold) - An arithmetic operator to use when comparing the specified statistic and threshold. The specified statistic value is used as the first operand. Default value is 'GreaterThanOrEqualToThreshold'. -
--statistic
(SampleCount|Average|Sum|Minimum|Maximum) - The statistic for the metric associated with the alarm, other than percentile. For percentile statistic, use 'ExtendedStatistic'. Default value is 'SampleCount'. -
--sns_topics
(string) [MULTIPLE] - The SNS topics to execute when the alarm goes to an ALARM state from any other state. -
--lambdas
(string) [MULTIPLE] - The lambdas to execute when the alarm goes to an ALARM state from any other state. Use : after lambda name to specify alias or version. -
--ssm_response_plan
(string) [MULTIPLE] - The response plan name to execute when the alarm goes to an ALARM state from any other state. -
--evaluate_low_sample_count_percentile
(evaluate|ignore) - Only for percentiles-based alarms. Use 'ignore' and the alarm state remains unchanged during periods with insufficient data points for statistical significance. If 'evaluate' is specified (or parameter is omitted), the alarm is always assessed and may change state regardless of data point availability. -
--datapoints
(int) - The number of datapoints that must be breaching to trigger the alarm. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"alarm_name": {
"metric_name": "string",
"resource_type": "cloudwatch_alarm",
"namespace": "string"
"period": int,
"evaluation_periods": int,
"threshold": float,
"comparison_operator": "[GreaterThanOrEqualToThreshold|GreaterThanThreshold|LessThanThreshold|LessThanOrEqualToThreshold|LessThanLowerOrGreaterThanUpperThreshold|LessThanLowerThreshold|GreaterThanUpperThreshold]",
"statistic": "[SampleCount|Average|Sum|Minimum|Maximum]",
"sns_topics": [],
"lambdas": [],
"ssm_response_plan": [],
"description": "string",
"evaluate_low_sample_count_percentile": "[evaluate|ignore]",
"datapoints": int,
"dimensions": [],
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
metric_name (string) [REQUIRED] - The metric name.
-
resource_type (string) [REQUIRED] - Resource type.
-
namespace (string) [REQUIRED] - The namespace for the metric associated with the alarm.
-
period (int) [REQUIRED] - The period, in seconds, over which the specified statistic is applied. Valid values are 10, 30, and any multiple of 60.
-
evaluation_periods (int) [REQUIRED] - A number of periods over which data is compared to the specified threshold.
-
threshold (float) [REQUIRED] - The value to compare with the specified statistic.
-
comparison_operator (GreaterThanOrEqualToThreshold|GreaterThanThreshold|LessThanThreshold|LessThanOrEqualToThreshold|LessThanLowerOrGreaterThanUpperThreshold|LessThanLowerThreshold|GreaterThanUpperThreshold) [REQUIRED] - An arithmetic operation to use when comparing the specified statistic and threshold. The specified statistic value is used as the first operand.
-
statistic (SampleCount|Average|Sum|Minimum|Maximum) [REQUIRED] - The statistic for the metric associated with the alarm, other than percentile. For percentile statistics, use ExtendedStatistic.
-
sns_topics (list) - The actions to execute when this alarm transitions to an ALARM state from any other state. Each action is specified as a name of SNS topics.
-
lambdas (list) - The actions to execute when this alarm transitions to an ALARM state from any other state. Each action is specified as a name of lambda. Use : after lambda name to specify alias or version.
-
ssm_response_plan (list) - The actions to execute when this alarm transitions to an ALARM state from any other state. Each action is specified as a name of response plan.
-
description (string) - The description for the alarm.
-
evaluate_low_sample_count_percentile (evaluate|ignore) - Only for percentiles-based alarms. Use 'ignore' and the alarm state remains unchanged during periods with insufficient data points for statistical significance. If 'evaluate' is specified (or parameter is omitted), the alarm is always assessed and may change state regardless of data point availability.
-
datapoints (int) - The number of datapoints that must be breaching to trigger the alarm. Must be lower than or equal to evaluation_periods.
-
dimensions (list) - A list of name/value pairs that determine the uniqueness of the metric in metric_name. The limit on the number of parameters is 30. Expected format is: { "dimensions": [ { "Name": "InstanceId", "Value": "i-000111aaabbb222cc" } ] }
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
"alarm_name": {
"metric_name": "db_alarm",
"resource_type": "cloudwatch_alarm"
"namespace": "db",
"period": 1200,
"evaluation_periods": 1
"threshold": 1.0,
"comparison_operator": "GreaterThanOrEqualToThreshold",
"statistic": "SampleCount",
"sns_topics": [
"audit_topic"
],
"dimensions": [
{
"Name": "MyDimension",
"Value": "test"
}
]
}
Resource type: Kinesis Stream
syndicate generate meta kinesis_stream
-
--resource_name
(string) [REQUIRED] - Kinesis stream name. -
--shard_count
(int) [REQUIRED] - Number of shards that the stream uses. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"stream_name": {
"resource_type": "kinesis_stream",
"shard_count": 2,
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
shard_count (int) [REQUIRED] - Number of shards that the stream uses.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
"audit_stream": {
"resource_type": "kinesis_stream",
"shard_count": 1
}
Resource type: IAM Policy
syndicate generate meta iam_policy
-
--resource_name
(string) [REQUIRED] - IAM policy name. -
--policy_content
(string) - The path to JSON file with IAM policy content. If not specified, template value will be set. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"policy_name": {
"resource_type": "iam_policy",
"policy_content": {},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
policy_content (dict) [REQUIRED] - IAM policy content.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Precondition:
file policy.json should be previously created and put into the current directory. Example of file content:
{
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
Example:
"AutoscalingDynamoRead": {
"resource_type": "iam_policy",
"policy_content": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:DescribeTable",
"cloudwatch:GetMetricStatistics",
"cloudwatch:DescribeAlarms"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
}
Resource type: Iam Role
syndicate generate meta iam_role
-
--resource_name
(string) [REQUIRED] - IAM role name. -
--principal_service
(string) [REQUIRED] - The service which will use the role. -
--predefined_policies
(string) [MULTIPLE] - Managed IAM policies list. -
--custom_policies
(string) [MULTIPLE] - Customer AWS policies names. -
--allowed_accounts
(string) [MULTIPLE] - The list of accounts, which can assume the role. -
--external_id
(string) - External ID in role. -
--instance_profile
(boolean) - If true, instance profile with role name is created. -
--permissions_boundary
(string) - The name or the ARN of permissions boundary policy to attach to this role. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"role_name": {
"resource_type": "iam_role",
"predefined_policies": [],
"principal_service": "string",
"custom_policies": [],
"allowed_accounts": [],
"external_id": "string",
"instance_profile": true|false,
"trusted_relationships": {},
"permissions_boundary": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
predefined_policies (list) - Managed IAM policies list.
-
principal_service (string) - Service which uses the role.
-
custom_policies (list) - Customer AWS policies names.
-
allowed_accounts (list) - The list of accounts, which can assume the role.
-
external_id (string) - The role external ID.
-
instance_profile (boolean) - If true, instance profile with role name is created.
-
trusted_relationships (map) - The .json-file of the trusted relationships to be attached.
-
permissions_boundary (string) - The name or the ARN of permissions boundary policy to attach to this role.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Linked resources:
custom_policies : 4.9 IAM Policy
Example:
"lr_run_terraform_template": {
"predefined_policies": [
"AmazonSQSFullAccess"
],
"principal_service": "lambda",
"custom_policies": [
"LambdaBasicExecution",
"S3Read",
"SNSWrite",
"CloudFormationResourceCreationPolicyWrite"
],
"resource_type": "iam_role",
"allowed_accounts": [
"${account_id}"
]
}
Resource type: Step Function Activity
syndicate generate meta step_function_activity
-
--resource_name
(string) [REQUIRED] - Step function activity name. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"activity_name": {
"resource_type": "state_activity",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
"approval_activity": {
"resource_type": "state_activity"
}
Resource type: SQS Queue
syndicate generate meta sqs_queue
-
--resource_name
(string) [REQUIRED] - SQS queue name. -
--region
(us-east-1|...|af-south-1) - The region where the queue is deployed. Default value is the one from syndicate config. -
--fifo_queue
(boolean) - If True, the queue is FIFO. Default value is False. -
--visibility_timeout
(int) - The visibility timeout for the queue. Default value is 30. -
--delay_seconds
(int) - The length of time in seconds for which the delivery of all the messages in the queue is delayed. Default value is 0. -
--maximum_message_size
(int) - The limit of how many bytes a message can contain before Amazon SQS rejects it. Default value is 1024. -
--message_retention_period
(int) - The length of time in seconds for which Amazon SQS retains a message. Default value is 60. -
--receive_message_wait_time_seconds
(int) - The length of time in seconds for which a 'ReceiveMessage' action waits for a message to arrive. -
--dead_letter_target_arn
(string) - ARN of a dead-letter queue Amazon SQS moves messages to after the value of maxReceiveCount is exceeded. -
--max_receive_count
(int) - The number of times a message is delivered to the source queue before being moved to the dead-letter queue. Required if 'dead_letter_target_arn' is specified. -
--kms_master_key_id
(string) - The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. -
--kms_data_key_reuse_period_seconds
(int) - The length of time in seconds for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. -
--content_based_deduplication
(boolean) - Enables content-based deduplication. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"sqs_queue": {
"resource_type": "sqs_queue",
"region": "string",
"fifo_queue": boolean,
"visibility_timeout": int,
"delay_seconds": int,
"maximum_message_size": int,
"message_retention_period": int,
"policy": {},
"receive_message_wait_time_seconds": int,
"redrive_policy": {
"deadLetterTargetArn": "string",
"maxReceiveCount": int
},
"kms_master_key_id": "string",
"kms_data_key_reuse_period_seconds": int,
"content_based_deduplication": boolean,
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
region (string) - The region, where the queue is deployed (the default value is the region from syndicate config).
-
fifo_queue (boolean) - If true, the queue is FIFO (the default value is false).
-
visibility_timeout (int) - The visibility timeout for the queue.
-
delay_seconds (int) - The length of time, in seconds, for which the delivery of all messages in the queue is delayed.
-
maximum_message_size (int) - The limit of how many bytes a message can contain before Amazon SQS rejects it.
-
message_retention_period (int) - The length of time, in seconds, for which Amazon SQS retains a message.
-
policy (dict) - The queue's policy. A valid AWS policy.
-
receive_message_wait_time_seconds (string) - The length of time, in seconds, for which a "ReceiveMessage" action waits for a message to arrive.
-
redrive_policy (dict)
-
deadLetterTargetArn (string) [REQUIRED] - The Amazon Resource Name (ARN) of the dead-letter queue to which Amazon SQS moves messages after the value of maxReceiveCount is exceeded.
-
maxReceiveCount (int) [REQUIRED] - The number of times a message is delivered to the source queue before being moved to the dead-letter queue.
-
-
kms_master_key_id (string) - The ID of an AWS-managed customer master key (CMK) for Amazon SQS (for example, "alias/aws/sqs") or a custom CMK.
-
kms_data_key_reuse_period_seconds (int) - The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again.
-
content_based_deduplication (boolean) - Enables content-based deduplication.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
"${terraform-queue-name}": {
"region": "eu-west-1",
"fifo_queue": true,
"visibility_timeout": 300,
"resource_type": "sqs_queue"
}
Resource type: Step Functions (State machine)
syndicate generate meta step_function
-
--resource_name
(string) [REQUIRED] - Step function name. -
--iam_role
(string) [REQUIRED] - IAM role to use for this state machine. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"state_machine_collect_reports": {
"resource_type": "step_functions",
"definition": {},
"iam_role": "string",
"event_sources": [],
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
definition (dict) [REQUIRED] - The Amazon States Language definition of the state machine.
-
iam_role (string) [REQUIRED] - IAM role to use for this state machine.
-
event_sources (list) - List of event source configurations.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Linked resources:
iam_role: 4.10 IAM Role
Useful links: Follow this guide to create an IAM role for your state machine
Example:
"state_machine_collect_nessus_reports": {
"definition": {
"States": {
"GoogleMatchState": {
"InputPath": "$.lambdaPayload",
"End": true,
"Type": "Task",
"Lambda": "lambda_collect_google_nessus_reports"
},
"ChoiceState": {
"Default": "DefaultState",
"Type": "Choice",
"Choices": [
{
"Variable": "$.cloud",
"StringEquals": "AWS",
"Next": "AwsMatchState"
},
{
"Variable": "$.cloud",
"StringEquals": "Google",
"Next": "GoogleMatchState"
}
]
},
"AwsMatchState": {
"InputPath": "$.lambdaPayload",
"End": true,
"Type": "Task",
"Lambda": "lambda_collect_aws_nessus_reports"
},
"DefaultState": {
"Cause": "No Matches!",
"Type": "Fail"
},
"WaitState": {
"SecondsPath": "$.timeToWaitInSeconds",
"Type": "Wait",
"Next": "ChoiceState"
}
},
"StartAt": "WaitState"
},
"dependencies": [
{
"resource_name": "lambda_collect_aws_nessus_reports",
"resource_type": "lambda"
},
{
"resource_name": "lambda_collect_google_nessus_reports",
"resource_type": "lambda"
}
],
"iam_role": "state_machine_role",
"resource_type": "step_functions"
}
NOTE: If the field 'Lambda' is present, the Lambda function is attached to the state (the Activity field can be represented in the same way).
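The check below is an added example, not part of syndicate or of this wiki: it validates a `step_functions` meta entry before deployment by confirming that `StartAt` and every transition point at a defined state, that no state is unreachable, and that each Lambda attached to a state is listed in `dependencies`. The function names and the dependency rule are assumptions of this example; the rule is a convention taken from the example above, not a documented syndicate requirement.

```python
# Constructed sample: the page's example, reduced to the fields this check reads.
SAMPLE = {
    "state_machine_collect_nessus_reports": {
        "resource_type": "step_functions",
        "iam_role": "state_machine_role",
        "definition": {
            "StartAt": "WaitState",
            "States": {
                "WaitState": {"Type": "Wait", "Next": "ChoiceState"},
                "ChoiceState": {
                    "Type": "Choice",
                    "Default": "DefaultState",
                    "Choices": [
                        {"Variable": "$.cloud", "StringEquals": "AWS", "Next": "AwsMatchState"},
                        {"Variable": "$.cloud", "StringEquals": "Google", "Next": "GoogleMatchState"},
                    ],
                },
                "AwsMatchState": {"Type": "Task", "End": True,
                                  "Lambda": "lambda_collect_aws_nessus_reports"},
                "GoogleMatchState": {"Type": "Task", "End": True,
                                     "Lambda": "lambda_collect_google_nessus_reports"},
                "DefaultState": {"Type": "Fail", "Cause": "No Matches!"},
            },
        },
        "dependencies": [
            {"resource_name": "lambda_collect_aws_nessus_reports", "resource_type": "lambda"},
            {"resource_name": "lambda_collect_google_nessus_reports", "resource_type": "lambda"},
        ],
    }
}


def transitions(state):
    """Names of every state this state can hand control to."""
    targets = [state.get("Next"), state.get("Default")]
    targets += [choice.get("Next") for choice in state.get("Choices", [])]
    return [t for t in targets if t is not None]


def check_state_machine(name, meta):
    """Return a list of findings for one step_functions resource."""
    findings = []
    definition = meta.get("definition") or {}
    states = definition.get("States") or {}
    start = definition.get("StartAt")

    if not meta.get("iam_role"):
        findings.append(f"{name}: iam_role is [REQUIRED] but missing")
    if start not in states:
        findings.append(f"{name}: StartAt {start!r} is not a defined state")

    for state_name, state in states.items():
        for target in transitions(state):
            if target not in states:
                findings.append(f"{name}.{state_name}: transition to undefined state {target!r}")

    # Depth-first walk from StartAt to find states that nothing leads to.
    reachable = set()
    stack = [start] if start in states else []
    while stack:
        current = stack.pop()
        if current not in reachable:
            reachable.add(current)
            stack.extend(t for t in transitions(states[current]) if t in states)
    if start in states:
        for state_name in sorted(set(states) - reachable):
            findings.append(f"{name}.{state_name}: unreachable from StartAt")

    # Assumed convention (from the page's example): a Lambda attached to a state
    # is also listed in dependencies so it is deployed before the state machine.
    declared = {d.get("resource_name") for d in meta.get("dependencies", [])
                if d.get("resource_type") == "lambda"}
    for state_name, state in states.items():
        fn = state.get("Lambda")
        if fn and fn not in declared:
            findings.append(f"{name}.{state_name}: Lambda {fn!r} is not in dependencies")
    return findings


def audit(resources):
    """Check every step_functions resource in a meta dict keyed by resource name."""
    return [finding
            for name, meta in resources.items()
            if meta.get("resource_type") == "step_functions"
            for finding in check_state_machine(name, meta)]


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no findings"]:
        print(line)
```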
Resource type: Cognito User Pools
syndicate generate meta cognito_user_pool
-
--resource_name
(string) [REQUIRED] - Cognito user pool name. -
--auto_verified_attributes
(phone_number|email) - The attributes to be auto-verified. Default value is email. -
--sns_caller_arn
(string) - The ARN of the IAM role in your account which Cognito will use to send SMS messages. Required if 'phone_number' in 'auto_verified_attributes' is specified. -
--username_attributes
(phone_number|email) - Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up. Default value is email. -
--custom_attributes
(string string) - A list of custom attributes: (name type). -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"user_pool_name": {
"resource_type": "cognito_idp",
"password_policy": {
"minimum_length": 123,
"require_uppercase": true|false,
"require_symbols": true|false,
"require_lowercase": true|false,
"require_numbers": true|false
},
"auto_verified_attributes": [],
"sms_configuration": {
"sns_caller_arn": "string"
},
"username_attributes": [],
"custom_attributes": [
{
"name": "string",
"type": "string"
},
{
"name": "string",
"type": "string"
}
],
"client": {
"client_name": "string",
"generate_secret": true|false,
"explicit_auth_flows": []
},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
password_policy (dict) - The Cognito User Pool password policy.
-
auto_verified_attributes (list) - The attributes to be auto-verified.
-
sms_configuration (dict) - SMS caller configuration.
- sns_caller_arn (string) - The ARN of the sms caller.
-
username_attributes (list) - Specifies attributes that can be defined as usernames when a user signs up.
-
custom_attributes (list) - A list of custom attributes.
-
name (string) - The attribute name.
-
type (string) - The attribute type.
-
-
client (dict) - The Cognito User Pool configuration.
-
client_name (string) - The name of the client application.
-
generate_secret (boolean) - Determines whether to generate a secret for the user pool client being created.
-
explicit_auth_flows (list) - The authentication flows that the client can support.
-
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
"demo-user-pool": {
"resource_type": "cognito_idp",
"password_policy": {
"minimum_length": 8,
"require_uppercase": true,
"require_symbols": true,
"require_lowercase": true,
"require_numbers": true
},
"auto_verified_attributes": [
"email",
"phone_number"
],
"sms_configuration": {
"sns_caller_arn": "arn:aws:iam::123412341234:role/CognitoSMSRole"
},
"username_attributes": [
"email",
"phone_number"
],
"custom_attributes": [
{
"name": "fullname",
"type": "String"
},
{
"name": "birthday",
"type": "DateTime"
}
],
"client": {
"client_name": "client-app",
"generate_secret": false,
"explicit_auth_flows": [
"ALLOW_ADMIN_USER_PASSWORD_AUTH",
"ALLOW_CUSTOM_AUTH",
"ALLOW_USER_SRP_AUTH",
"ALLOW_REFRESH_TOKEN_AUTH"
]
}
}
Preconditions:
- CognitoSMSRole should be set in the account.
iam_role: 4.10 IAM Role
Useful links:
- Follow this guide to prepare an IAM role that Amazon Cognito can use to send SMS messages with Amazon SNS
Resource type: Amazon Cognito Identity pools
syndicate generate meta cognito_federated_pool
-
--resource_name
(string) [REQUIRED] - Cognito federated pool name. -
--auth_role
(string) - IAM role for authorized users. -
--unauth_role
(string) - IAM role for unauthorized users. -
--open_id_providers
(string) [MULTIPLE] - A list of OpenID Connect providers. -
--provider_name
(string) - Developer provider name. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - Resource tags key-value pairs string delimited by comma.
"cognito_federated_pool_name": {
"resource_type": "cognito_federated_pool",
"auth_role": "string",
"unauth_role": "string",
"open_id_providers": [
"string"
],
"provider_name": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
auth_role (string) - IAM role for authorized users.
-
unauth_role (string) - IAM role for unauthorized users.
-
open_id_providers (list) - A list of OpenID Connect providers.
-
provider_name (string) - Developer provider name.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Preconditions:
- OpenID Connect provider 'accounts.google.com' should be previously defined in account.
iam_role: 4.10 IAM Role
Useful links:
- Follow this guide to create and manage IAM OIDC identity providers.
Example:
"maestro3_epam_opensource": {
"auth_role": "cognito_auth",
"open_id_providers": [
"accounts.google.com"
],
"provider_name": "login.m3.com",
"resource_type": "cognito_federated_pool"
}
Resource type: SNS Application
syndicate generate meta sns_application
-
--resource_name
(string) [REQUIRED] - The name of the SNS application. -
--platform
(GCM|ADM|APNS|APNS_SANDBOX) [REQUIRED] - SNS application platform. -
--region
(us-east-1|...|af-south-1) - The region where the application is deployed. Default value is the one from syndicate config. -
--attributes
(string string) - SNS application attributes.
"sns_application_name": {
"resource_type": "sns_application",
"platform": "string",
"region": "string",
"attributes": {
"attr_name": "attr_value"
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
platform (GCM|ADM|APNS|APNS_SANDBOX) [REQUIRED] - SNS application platform.
-
region (string) - Region name or list of regions where the application is deployed (if not stated, the application is deployed only in the region from the syndicate config).
-
attributes (string) - SNS application attributes.
Preconditions:
- GCM (FCM) API key for PlatformCredential should be previously obtained from Google and specified in the syndicate_aliases.yml file as the google_api_key property
Example:
"mobile-app": {
"platform": "GCM",
"region": "eu-central-1",
"resource_type": "sns_application",
"attributes": {
"PlatformCredential": "${google_api_key}"
}
}
Resource type: Beanstalk Application
"beanstalk_app_name": {
"resource_type": "beanstalk_app",
"deployment_package": "string",
"env_name": "string",
"notification_topic": "string",
"ec2_key_pair": "string",
"ec2_role": "string",
"ebs_service_role": "string",
"tier": {
"Name": "string",
"Type": "string"
},
"stack": "string",
"env_settings": [
{
"OptionName": "string",
"ResourceName": "string",
"Namespace": "string",
"Value": "string"
}
],
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
]
}
-
resource_type (string) [REQUIRED] - Resource type.
-
deployment_package (string) [REQUIRED] - Application artifact name.
-
env_name (string) - EBS environment name.
-
notification_topic (string) - SNS topic name to configure notifications (for example, "ebs_notification").
-
ec2_key_pair (string) [REQUIRED] - EC2 key to run an instance.
-
ec2_role (string) [REQUIRED] - EC2 instance role.
-
ebs_service_role (string) [REQUIRED] - EBS service role.
-
tier (string) [REQUIRED] - EBS tier.
-
stack (string) [REQUIRED] - EBS stack.
-
env_settings (string) - If specified, AWS Elastic Beanstalk sets the specified configuration options to the requested value in the configuration set for the new environment.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
Example:
{
"aws_csv_billing": {
"resource_type": "beanstalk_app",
"deployment_package": "m3-server-1.0.0.war",
"env_name": "m3-billing-env",
"notification_topic": "ebs_notification",
"ec2_key_pair": "m3_deployment",
"ec2_role": "ebs_instance_role",
"ebs_service_role": "ebs_service_role",
"tier": {
"Name": "WebServer",
"Type": "Standard"
},
"stack": "64bit Amazon Linux 2017.03 v2.6.3 running Tomcat 8 Java 8",
"env_settings": [
{
"OptionName": "Availability Zones",
"ResourceName": "AWSEBAutoScalingGroup",
"Namespace": "aws:autoscaling:asg",
"Value": "Any"
},
{
"OptionName": "Cooldown",
"ResourceName": "AWSEBAutoScalingGroup",
"Namespace": "aws:autoscaling:asg",
"Value": "360"
},
{
"OptionName": "MaxSize",
"ResourceName": "AWSEBAutoScalingGroup",
"Namespace": "aws:autoscaling:asg",
"Value": "1"
},
{
"OptionName": "MinSize",
"ResourceName": "AWSEBAutoScalingGroup",
"Namespace": "aws:autoscaling:asg",
"Value": "1"
},
{
"OptionName": "ImageId",
"ResourceName": "AWSEBAutoScalingLaunchConfiguration",
"Namespace": "aws:autoscaling:launchconfiguration",
"Value": "ami-ebd02392"
},
{
"OptionName": "InstanceType",
"Namespace": "aws:autoscaling:launchconfiguration",
"Value": "t2.micro"
},
{
"OptionName": "MonitoringInterval",
"ResourceName": "AWSEBAutoScalingLaunchConfiguration",
"Namespace": "aws:autoscaling:launchconfiguration",
"Value": "5 minute"
},
{
"OptionName": "RollingUpdateEnabled",
"ResourceName": "AWSEBAutoScalingGroup",
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"Value": "false"
},
{
"OptionName": "RollingUpdateType",
"ResourceName": "AWSEBAutoScalingGroup",
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"Value": "Time"
},
{
"OptionName": "HooksPkgUrl",
"Namespace": "aws:cloudformation:template:parameter",
"Value": "https://s3-eu-west-1.amazonaws.com/elasticbeanstalk-envresources-eu-west-1/stalks/eb_tomcat_4.0.1.148.17/lib/hooks.tar.gz"
},
{
"OptionName": "InstancePort",
"Namespace": "aws:cloudformation:template:parameter",
"Value": "80"
},
{
"OptionName": "JVMOptions",
"Namespace": "aws:cloudformation:template:parameter",
"Value": "XX:MaxPermSize=64m,Xmx=256m,JVM Options=,Xms=256m"
},
{
"OptionName": "Application Healthcheck URL",
"Namespace": "aws:elasticbeanstalk:application",
"Value": ""
},
{
"OptionName": "DeleteOnTerminate",
"Namespace": "aws:elasticbeanstalk:cloudwatch:logs",
"Value": "false"
},
{
"OptionName": "RetentionInDays",
"Namespace": "aws:elasticbeanstalk:cloudwatch:logs",
"Value": "7"
},
{
"OptionName": "StreamLogs",
"Namespace": "aws:elasticbeanstalk:cloudwatch:logs",
"Value": "false"
},
{
"OptionName": "BatchSize",
"Namespace": "aws:elasticbeanstalk:command",
"Value": "100"
},
{
"OptionName": "BatchSizeType",
"Namespace": "aws:elasticbeanstalk:command",
"Value": "Percentage"
},
{
"OptionName": "IgnoreHealthCheck",
"Namespace": "aws:elasticbeanstalk:command",
"Value": "false"
},
{
"OptionName": "Timeout",
"Namespace": "aws:elasticbeanstalk:command",
"Value": "600"
},
{
"OptionName": "JVM Options",
"Namespace": "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"Value": ""
},
{
"OptionName": "XX:MaxPermSize",
"Namespace": "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"Value": "64m"
},
{
"OptionName": "Xms",
"Namespace": "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"Value": "256m"
},
{
"OptionName": "Xmx",
"Namespace": "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"Value": "256m"
},
{
"OptionName": "DefaultSSHPort",
"Namespace": "aws:elasticbeanstalk:control",
"Value": "22"
},
{
"OptionName": "LaunchTimeout",
"Namespace": "aws:elasticbeanstalk:control",
"Value": "0"
},
{
"OptionName": "LaunchType",
"Namespace": "aws:elasticbeanstalk:control",
"Value": "Migration"
},
{
"OptionName": "RollbackLaunchOnFailure",
"Namespace": "aws:elasticbeanstalk:control",
"Value": "false"
},
{
"OptionName": "EnvironmentType",
"Namespace": "aws:elasticbeanstalk:environment",
"Value": "SingleInstance"
},
{
"OptionName": "GzipCompression",
"Namespace": "aws:elasticbeanstalk:environment:proxy",
"Value": "true"
},
{
"OptionName": "ProxyServer",
"Namespace": "aws:elasticbeanstalk:environment:proxy",
"Value": "apache"
},
{
"OptionName": "HealthCheckSuccessThreshold",
"Namespace": "aws:elasticbeanstalk:healthreporting:system",
"Value": "Ok"
},
{
"OptionName": "SystemType",
"Namespace": "aws:elasticbeanstalk:healthreporting:system",
"Value": "enhanced"
},
{
"OptionName": "LogPublicationControl",
"Namespace": "aws:elasticbeanstalk:hostmanager",
"Value": "false"
},
{
"OptionName": "ManagedActionsEnabled",
"Namespace": "aws:elasticbeanstalk:managedactions",
"Value": "false"
},
{
"OptionName": "InstanceRefreshEnabled",
"Namespace": "aws:elasticbeanstalk:managedactions:platformupdate",
"Value": "false"
},
{
"OptionName": "Automatically Terminate Unhealthy Instances",
"Namespace": "aws:elasticbeanstalk:monitoring",
"Value": "true"
},
{
"OptionName": "Notification Protocol",
"Namespace": "aws:elasticbeanstalk:sns:topics",
"Value": "email"
},
{
"OptionName": "XRayEnabled",
"Namespace": "aws:elasticbeanstalk:xray",
"Value": "false"
},
{
"OptionName": "EnvironmentVariables",
"Namespace": "aws:cloudformation:template:parameter",
"Value": "HOME_REGION="
},
{
"OptionName": "HOME_REGION",
"Namespace": "aws:elasticbeanstalk:application:environment",
"Value": "${billing_home_region}"
},
{
"OptionName": "EnvironmentVariables",
"Namespace": "aws:cloudformation:template:parameter",
"Value": "HOME_ACCOUNT_ID="
},
{
"OptionName": "HOME_ACCOUNT_ID",
"Namespace": "aws:elasticbeanstalk:application:environment",
"Value": "${billing_home_account_id}"
}
]
}
}
Resource type: EC2 Instance
syndicate generate meta ec2_instance
-
--resource_name
(string) [REQUIRED] - The name of the EC2 instance. -
--key_name
(string) [REQUIRED] - The name of the SSH key to access the instance. -
--image_id
(string) [REQUIRED] - AMI ID to create the instance from. -
--instance_type
(string) - Type of the virtual machine. Default value is t2.micro. -
--disable_api_termination
(boolean) - API termination protection. Enabled by default. -
--security_group_ids
(string) [MULTIPLE] - Security group IDs. -
--security_group_names
(string) [MULTIPLE] - Security group names. If not specified, the default security group will be used. -
--availability_zone
(string) - Instance Availability Zone. If not specified, will be automatically chosen based on the load balancing criteria for the region. -
--subnet_id
(string) - Subnet ID to launch the instance into. Required if Availability Zone is set. -
--userdata_file
(string) - Path to the user data file. Filepath should be a relative path from the directory that is set in the environment variable "SDCT_CONF". -
--iam_role
(string) - The name of the instance IAM role. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - The resource tags.
{
"demo-instance": {
"resource_type": "ec2_instance",
"key_name": "string",
"image_id": "string",
"instance_type": "string",
"disableApiTermination": false,
"security_group_names": [
"string"
],
"security_group_ids": [
"string"
],
"availability_zone": "string",
"subnet_id": "string",
"userdata_file": "string",
"iam_role": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"attr_name": "attr_value"
}
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
key_name (string) [REQUIRED] - SSH key name to access the instance.
-
image_id (string) [REQUIRED] - AMI ID to create the instance from.
-
instance_type (string) - Type of the virtual machine. Default value is t2.micro.
-
disableApiTermination (boolean) - API termination protection. Enabled by default.
-
security_group_ids (list) - Security group IDs.
-
security_group_names (list) - Security group names. If not specified, the default security group will be used.
-
availability_zone (string) - Instance Availability Zone. If not specified, will be chosen automatically.
-
subnet_id (string) - Subnet ID to launch the instance into. Required if Availability Zone is set.
-
userdata_file (string) - Path to the user data file. Filepath should be a relative path from the directory that is set in the environment variable "SDCT_CONF".
-
iam_role (string) - The name of the instance IAM role.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The EC2 tags.
Preconditions:
- SSH key should be previously set in account;
- specified availability zone should be enabled;
- security_group_ids should refer to existing group;
- image_id should refer to an existing image;
- the userdata file should be previously created.
Example of userdata file content:
#!/bin/bash
yum update -y
service httpd start
chkconfig httpd on
iam_role: 4.10 IAM Role
Useful links:
Example:
{
"instance": {
"resource_type": "ec2_instance",
"key_name": "demo-key",
"image_id": "ami-03cceb19496c25679",
"instance_type": "t2.micro",
"availability_zone": "eu-central-1a",
"subnet_id": "subnet-0ab65ee0e036f0daa",
"userdata_file": "demo-scrypt.sh",
"iam_role": "DemoEC2Role",
"security_group_ids": [
"sg-0aea18793dd1fa3d9"
],
"disableApiTermination": true
}
}
Resource type: EC2 Launch Template
syndicate generate meta ec2_launch_template
-
--resource_name
(string) [REQUIRED] - The name of the EC2 launch template. -
--image_id
(string) [REQUIRED] - The ID of the AMI. -
--key_name
(string) - The name of the key pair. -
--instance_type
(string) - Instance type. -
--security_group_ids
(string) [MULTIPLE] - IDs of the security groups. -
--security_group_names
(string) [MULTIPLE] - Names of the security groups. -
--userdata_file
(string) - Path to the user data file. Filepath should be a relative path from the directory that is set in the environment variable "SDCT_CONF". -
--iam_role
(string) - Instance IAM role. -
--imds_version
(v1.0|v2.0) - The version of the IMDS. -
--version_description
(string) - A description for the version of the launch template. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - The EC2 launch template tags. -
--resource_tags
(MAIN_KEY1;SUB_KEY1:VALUE1,SUB_KEY2:VALUE2) - Tags for resources created by EC2 Instance Template. Tags can be specified for the following resources: 'instance', 'volume', 'elastic-gpu', 'network-interface', 'spot-instances-request'. It is possible to tag a resource after its creation.
{
"demo-launch_template": {
"resource_type": "ec2_launch_template",
"version_description": "string",
"launch_template_data": {
"image_id": "string",
"key_name": "string",
"instance_type": "string",
"security_group_ids": [
"string"
],
"security_group_names": [
"string"
],
"userdata_file": "string",
"iam_role": "string",
"imds_support": "v1.0|v2.0",
"resource_tags": {
"instance|volume|...|spot-instances-request": {
"attr_name": "attr_value"
}
}
},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"attr_name": "attr_value"
}
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
version_description (string) - A description for the version of the launch template.
-
launch_template_data (dict) - Core information of the launch template configuration.
-
image_id (string) [REQUIRED] - The ID of the AMI.
-
key_name (string) - The name of the SSH key pair.
-
instance_type (string) - Instance type.
-
security_group_ids (list) - IDs of the security groups.
-
security_group_names (list) - Names of the security groups.
-
userdata_file (string) - Path to the user data file. Filepath should be a relative path from the directory that is set in the environment variable "SDCT_CONF".
-
iam_role (string) - Instance IAM role.
-
imds_version (v1.0|v2.0) - The version of the IMDS.
- resource_tags (MAIN_KEY1;SUB_KEY1:VALUE1,SUB_KEY2:VALUE2) - Tags for resources created by EC2 Instance Template. Tags can be specified for the following resources: 'instance', 'volume', 'elastic-gpu', 'network-interface', 'spot-instances-request'. It is possible to tag a resource after its creation.
-
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (KEY1:VALUE1,KEY2:VALUE2) - The EC2 launch template tags.
Preconditions:
- SSH key should be previously set in account;
- security_group_ids should refer to existing group;
- image_id should refer to an existing image;
- the file 'demo-scrypt.sh' should be previously created.
Example of 'demo-scrypt.sh' file content:
#!/bin/bash
yum update -y
service httpd start
chkconfig httpd on
Linked resources:
iam_role: 4.10 IAM Role
Useful links:
Example:
{
"demo-launch_template": {
"resource_type": "ec2_launch_template",
"version_description": "Version 1 for demo",
"launch_template_data": {
"key_name": "demo-key",
"image_id": "ami-03cceb19496c25679",
"instance_type": "t2.micro",
"security_group_ids": [
"sg-0aea18793dd1fa3d9"
],
"userdata_file": "demo-scrypt.sh",
"iam_role": "DemoEC2Role",
"imds_support": "v2.0",
"resource_tags": {
"instance": {
"Name": "WebServer01",
"Environment": "DEV"
},
"volume": {
"Name": "DBStorage01",
"Environment": "DEV"
}
}
},
"tags": {
"Name": "EC2LaunchTemplate",
"Environment": "DEV"
}
}
}
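The lint below is an added example, not part of syndicate: it reads the security-relevant fields this page documents for `sqs_queue`, `cognito_idp`, `cognito_federated_pool`, `ec2_instance` and `ec2_launch_template` entries and reports settings worth reviewing before deployment. The rule names, the `MIN_PASSWORD_LENGTH` threshold and the function names are assumptions of this example, and the sample input is constructed from the examples on this page.

```python
# Assumed policy for this example; these thresholds are not syndicate defaults.
MIN_PASSWORD_LENGTH = 12
PASSWORD_FLAGS = ("require_uppercase", "require_lowercase",
                  "require_numbers", "require_symbols")

# Constructed sample assembled from the examples on this page (trimmed).
SAMPLE = {
    "demo-queue": {"resource_type": "sqs_queue", "region": "eu-west-1",
                   "fifo_queue": True, "visibility_timeout": 300},
    "demo-user-pool": {
        "resource_type": "cognito_idp",
        "password_policy": {"minimum_length": 8, "require_uppercase": True,
                            "require_symbols": True, "require_lowercase": True,
                            "require_numbers": True},
    },
    "maestro3_epam_opensource": {"resource_type": "cognito_federated_pool",
                                 "auth_role": "cognito_auth",
                                 "open_id_providers": ["accounts.google.com"]},
    "instance": {"resource_type": "ec2_instance", "key_name": "demo-key",
                 "image_id": "ami-03cceb19496c25679",
                 "security_group_ids": ["sg-0aea18793dd1fa3d9"]},
    "demo-launch_template": {
        "resource_type": "ec2_launch_template",
        "launch_template_data": {"image_id": "ami-03cceb19496c25679",
                                 "imds_support": "v2.0"},
    },
}


def lint_resource(name, meta):
    """Return (resource, rule, detail) tuples for one resource's meta."""
    findings = []
    rtype = meta.get("resource_type")

    def flag(rule, detail):
        findings.append((name, rule, detail))

    if rtype == "sqs_queue":
        # No KMS key is configured for the queue in the meta.
        if not meta.get("kms_master_key_id"):
            flag("sqs-no-kms-key", "kms_master_key_id is not set")
    elif rtype == "cognito_idp":
        policy = meta.get("password_policy") or {}
        if policy.get("minimum_length", 0) < MIN_PASSWORD_LENGTH:
            flag("cognito-short-password",
                 f"minimum_length is below {MIN_PASSWORD_LENGTH}")
        for key in PASSWORD_FLAGS:
            if not policy.get(key):
                flag("cognito-weak-password", f"{key} is not enabled")
    elif rtype == "cognito_federated_pool":
        # unauth_role is the IAM role handed to users who have not signed in.
        if meta.get("unauth_role"):
            flag("identity-pool-unauth-role",
                 "unauth_role is set; review the permissions it grants")
    elif rtype == "ec2_instance":
        # Per this page, omitting both fields falls back to the default group.
        if not (meta.get("security_group_ids") or meta.get("security_group_names")):
            flag("ec2-default-sg",
                 "no security group given, the default security group will be used")
    elif rtype == "ec2_launch_template":
        data = meta.get("launch_template_data") or {}
        # The page spells this key both imds_support (JSON) and imds_version (field list).
        imds = data.get("imds_support", data.get("imds_version"))
        if imds != "v2.0":
            flag("imds-not-v2", f"IMDS version is {imds!r}, not 'v2.0'")
    return findings


def lint(resources):
    """Lint every resource in a meta dict keyed by resource name."""
    return [f for name, meta in resources.items() for f in lint_resource(name, meta)]


if __name__ == "__main__":
    for resource, rule, detail in lint(SAMPLE):
        print(f"{resource}: [{rule}] {detail}")
```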
Resource type: AWS Batch Compute environments
syndicate generate meta batch_compenv
-
--resource_name
(string) [REQUIRED] - The name of the Batch compute environment. -
--security_group_ids
(string) [REQUIRED, MULTIPLE] - The Amazon EC2 security groups associated with instances launched in the compute environment. -
--subnets
(string) [REQUIRED, MULTIPLE] - The VPC subnets into which the compute resources are launched. -
--compute_environment_type
(MANAGED|UNMANAGED) - The type of compute environment. Default value is MANAGED. -
--allocation_strategy
(BEST_FIT|BEST_FIT_PROGRESSIVE|SPOT_CAPACITY_OPTIMIZED) - The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated. -
--state
(ENABLED|DISABLED) - The state of compute environment. Default value is ENABLED. -
--service_role
(string) - The full Amazon Resource Name (ARN) of the IAM role that allows AWS Batch to make calls to other AWS services on your behalf. If not specified, the AWSBatchServiceRole role will be used if it exists; otherwise, it will be created. -
--minv_cpus
(int) - The minimum number of Amazon EC2 vCPUs that a compute environment should maintain. Default value is 0. -
--type
(EC2|SPOT|FARGATE|FARGATE_SPOT) - The type of compute environment. Default value is EC2. -
--maxv_cpus
(int) - The maximum number of Amazon EC2 vCPUs that a compute environment can reach. Default value is 8. -
--desiredv_cpus
(int) - The desired number of Amazon EC2 vCPUs in the compute environment. Default value is 1. -
--instance_types
(string) [MULTIPLE] - The instance types that can be launched. Default value is optimal. -
--instance_role
(string) - The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - The resource tags.
Sample for EC2 type:
syndicate generate meta batch_compenv \
  --resource_name demo-batch-compute-env \
  --compute_environment_type MANAGED \
  --state ENABLED \
  --service_role AWSBatchServiceRole \
  --type EC2 \
  --minv_cpus 0 \
  --maxv_cpus 2 \
  --desiredv_cpus 1 \
  --instance_types m3.medium \
  --security_group_ids sg-0aea18793dd1fa3d9 \
  --subnets subnet-0ab65ee0e036f0daa \
  --subnets subnet-0189d0206149b0c36 \
  --instance_role InstanceRole
Sample for Fargate type:
syndicate generate meta batch_compenv \
  --resource_name demo-batch-compute-env \
  --compute_environment_type MANAGED \
  --state ENABLED \
  --type FARGATE \
  --maxv_cpus 2 \
  --security_group_ids sg-0aea18793dd1fa3d9 \
  --subnets subnet-0ab65ee0e036f0daa
{
"demo-batch-compute-env": {
"resource_type": "batch_compenv",
"compute_environment_type": "string",
"state": "string",
"service_role": "string",
"compute_resources": {
"type": "string",
"security_group_ids": [
"string"
],
"subnets": [
"string"
],
"allocation_strategy" : "string",
"minv_cpus": 123,
"maxv_cpus": 123,
"desiredv_cpus": 123,
"instance_types": [
"string"
],
"instance_role": "string"
},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
compute_environment_type (string) - The type of compute environment. Default value is MANAGED.
-
state (string) - The state of compute environment. Default value is ENABLED.
-
service_role (string) - The full Amazon Resource Name (ARN) of the IAM role that allows AWS Batch to make calls to other AWS services on your behalf. If not specified, the AWSBatchServiceRole role will be used if it exists; otherwise, it will be created.
-
compute_resources (dict) [REQUIRED] if compute_environment_type is set to MANAGED - Details about the compute resources managed by the compute environment. Should be described as a dict of the following format:
{
  "type": "EC2" | "SPOT" | "FARGATE" | "FARGATE_SPOT",
  "allocation_strategy": "BEST_FIT" | "BEST_FIT_PROGRESSIVE" | "SPOT_CAPACITY_OPTIMIZED",
  "minv_cpus": 123,
  "maxv_cpus": 123,
  "desiredv_cpus": 123,
  "instance_types": [
    "string"
  ],
  "image_id": "string",
  "subnets": [
    "string"
  ],
  "security_group_ids": [
    "string"
  ],
  "ec2_key_pair": "string",
  "instance_role": "string",
  "tags": {
    "string": "string"
  },
  "placement_group": "string",
  "bid_percentage": 123,
  "spot_iam_fleet_role": "string",
  "launch_template": {
    "launch_template_id": "string",
    "launch_template_name": "string",
    "version": "string"
  },
  "ec2_configuration": [
    {
      "image_type": "string",
      "image_id_override": "string"
    }
  ]
}
-
type (string) [REQUIRED] - The type of compute environment. Default value is EC2.
-
security_group_ids (list) [REQUIRED] - The Amazon EC2 security groups associated with instances launched in the compute environment.
-
subnets (list) [REQUIRED] - The VPC subnets into which the compute resources are launched.
-
allocation_strategy (string) - The allocation strategy to use for the compute resource if not enough instances of the best fitting instance type can be allocated.
-
minv_cpus (int) - The minimum number of Amazon EC2 vCPUs that a compute environment should maintain. Default value is 0.
-
maxv_cpus (int) - The maximum number of Amazon EC2 vCPUs that a compute environment can reach. Default value is 8.
-
desiredv_cpus (int) - The desired number of Amazon EC2 vCPUs in the compute environment. Default value is 1.
-
instance_types (list) - The instance types that can be launched. Default value is optimal.
-
instance_role (string) - The Amazon ECS instance profile applied to Amazon EC2 instances in a compute environment.
-
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Linked resources:
iam_role: 4.10 IAM Role
Example:
{
"some_best_compenv": {
"resource_type": "batch_compenv",
"compute_environment_type": "MANAGED",
"state": "ENABLED",
"service_role": "AWSServiceRoleForBatch",
"compute_resources": {
"type": "EC2",
"minv_cpus": 1,
"maxv_cpus": 2,
"instance_types": [
"p3"
],
"security_group_ids": [
"sg-3f7da44f"
],
"subnets": [
"subnet-2ec5b544",
"subnet-00f35d7c",
"subnet-31bc017d"
],
"instance_role": "AmazonEC2ContainerServiceforEC2Role",
"tags": {
"name": "my_compenv_related_resource"
}
},
"tags": {
"name": "my_compenv"
}
}
}
Resource type: Batch Job Queue
syndicate generate meta batch_jobqueue
-
--resource_name
(string) [REQUIRED] - The name of the Batch job queue. -
--state
(ENABLED|DISABLED) - The state of the job queue. Default value is 'ENABLED'. -
--priority
(int) - The priority of the job queue. Default value is 1. -
--compute_environment_order
(integer string) [MULTIPLE] - The set of compute environments mapped to a job queue and their order relative to each other. Example: --compute_environment_order 'order1 compute_env1', --compute_environment_order 'order2 compute_env2'. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - The resource tags.
{
"demo-batch-job-queue": {
"resource_type": "batch_jobqueue",
"state": "string",
"priority": 123,
"compute_environment_order": [
{
"order": 123,
"compute_environment": "string"
}
],
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
job_queue_name (string) [REQUIRED] - The name of the job queue. Up to 128 letters (uppercase and lowercase), numbers, and underscores are allowed.
-
state (string) - Should be one of available values: "ENABLED", "DISABLED". The default value is ENABLED.
-
priority (int) [REQUIRED] - The priority of the job queue. Job queues with a higher priority (or a higher integer value for the priority parameter) are evaluated first when associated with the same compute environment. Priority is determined in descending order.
-
compute_environment_order (list) - The set of compute environments mapped to a job queue and their order relative to each other. Should be described as a list of dicts with the following format:
[ { "order": 123, "compute_environment": "string" }, { "order": 124, "compute_environment": "string" } ]
- order (int) [REQUIRED] - The order of the compute environment. Compute environments are tried in ascending order.
- compute_environment (string) [REQUIRED] - Name of the compute environment.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - Key-value pair tags to be applied to the job queue to help you categorize and organize your resources.
Example:
{
"bestJobQueueEver": {
"resource_type": "batch_jobqueue",
"state": "ENABLED",
"priority": 100,
"compute_environment_order": [
{
"order": 110,
"compute_environment": "some_best_compenv"
},
{
"order": 150,
"compute_environment": "some_not_the_best_compenv"
}
],
"tags": {
"name": "my_job_queue"
}
}
}
Resource type: AWS Batch Job definition
syndicate generate meta batch_jobdef
- --resource_name (string) [REQUIRED] - The name of the Batch job definition. It can be up to 128 letters long. It can contain uppercase and lowercase letters, numbers, hyphens (-), and underscores (_).
- --job_definition_type (container|multinode) [REQUIRED] - The type of job definition.
- --image (string) - The image used to start a container. Default value is 'alpine'.
- --job_role_arn (string) - The ARN of the IAM role that the container can assume for AWS permissions.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - The resource tags.
{
"demo-batch-job": {
"resource_type": "batch_jobdef",
"job_definition_type": "string",
"container_properties": {
"image": "string",
"vcpus": 123,
"memory": 123,
"readonly_root_filesystem": true|false,
"command": [
"string"
],
"job_role_arn": "string"
},
"node_properties": {},
"retry_strategy": {},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"key": "value"
}
}
}
- resource_type (string) [REQUIRED] - Resource type.
- job_definition_type (string) [REQUIRED] - Should be one of available values: "container", "multinode".
- container_properties (dict) - An object with various properties specific to single-node container-based jobs. If the job definition's type parameter is 'container', then you must specify either 'container_properties' or 'node_properties'. Should be described as a dict of the following format:
{ "image": "string", "vcpus": 123, "memory": 123, "command": [ "string", ], "job_role_arn": "string", "execution_role_arn": "string", "volumes": [ { "host": {"source_path": "string"}, "name": "string" }, ], "environment": [ { "name": "string", "value": "string" }, ], "mount_points": [ { "container_path": "string", "read_only": true|false, "source_volume": "string" }, ], "readonly_root_filesystem": true|false, "privileged": true|false, "ulimits": [ { "hard_limit": 123, "name": "string", "soft_limit": 123 }, ], "user": "string", "instance_type": "string", "resource_requirements": [ { "value": "string", "type": "GPU"|"VCPU"|"MEMORY" }, ], "linux_parameters": { "devices": [ { "host_path": "string", "container_path": "string", "permissions": [ "READ"|"WRITE"|"MKNOD", ] }, ], "init_process_enabled": true|false, "shared_memory_size": 123, "tmpfs": [ { "container_path": "string", "size": 123, "mount_options": [ "string", ] }, ], "max_swap": 123, "swappiness": 123 }, "log_configuration": { "log_driver": "json-file"|"syslog"|"journald"|"gelf"|"fluentd"|"awslogs"|"splunk", "options": { "string": "string" }, "secret_options": [ { "name": "string", "value_from": "string" }, ] }, "secrets": [ { "name": "string", "value_from": "string" }, ], "network_configuration": { "assign_public_ip": "ENABLED"|"DISABLED" }, "fargate_platform_configuration": { "platform_version": "string" } }
  - image (string) - The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with repository-url/image:tag.
    - Images in Amazon ECR repositories use the full registry and repository URI (for example, 012345678910.dkr.ecr..amazonaws.com/<repository-name>);
    - Images in official repositories on Docker Hub use a single name (for example, ubuntu or mongo);
    - Images in other repositories on Docker Hub are qualified with an organization name (for example, amazon/amazon-ecs-agent);
    - Images in other online repositories are qualified further by a domain name (for example, quay.io/assemblyline/ubuntu).
  - vcpus (int) - The number of vCPUs reserved for the job. Each vCPU is equivalent to 1,024 CPU shares.
  - memory (int) - This parameter indicates the memory hard limit (in MiB) for a container. If your container attempts to exceed the specified number, it is terminated. You must specify at least 4 MiB of memory for a job using this parameter.
  - command (list) - The command that's passed to the container. This parameter maps to Cmd in the Create a container section of the Docker Remote API and the COMMAND parameter to docker run.
  - job_role_arn (string) - The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS permissions.
  - execution_role_arn (string) - The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For jobs that run on Fargate resources, you must provide an execution role.
  - volumes (list) - A list of data volumes used in a job. Should be described as a list of dicts with the following format:
    { "volumes": [ { "host": { "source_path": "string" }, "name": "string" } ] }
    - host (dict) [REQUIRED] - The contents of the host parameter determine whether your data volume persists on the host container instance and where it is stored.
      - source_path (string) - The path on the host container instance that's presented to the container.
    - name (string) [REQUIRED] - The name of the volume.
  - environment (list) - The environment variables to pass to a container. Should be described as a list of dicts with the following format:
    { "environment": [ { "name": "string", "value": "string" } ] }
    - name (string) [REQUIRED] - The name of the environment variable.
    - value (string) [REQUIRED] - The value of the environment variable.
  - mount_points (list) - The mount points for data volumes in your container. Should be described as a list of dicts with the following format:
    { "mount_points": [ { "container_path": "string", "read_only": true | false, "source_volume": "string" } ] }
    - container_path (string) - The path on the container where the host volume is mounted.
    - read_only (bool) - If this value is true, the container has read-only access to the volume.
    - source_volume (string) - The name of the volume to mount.
  - readonly_root_filesystem (bool) - When this parameter is true, the container is given read-only access to its root file system.
  - privileged (bool) - When this parameter is true, the container is given elevated permissions on the host container instance (similar to the root user).
  - ulimits (list) - A list of ulimits to set in the container. Should be described as a list of dicts with the following format:
    { "ulimits": [ { "hard_limit": 123, "name": "string", "soft_limit": 123 } ] }
    - hard_limit (int) [REQUIRED] - The hard limit for the ulimit type.
    - name (string) [REQUIRED] - The type of the ulimit.
    - soft_limit (int) [REQUIRED] - The soft limit for the ulimit type.
  - user (string) - The username to use inside the container.
  - instance_type (string) - The instance type to use for a multi-node parallel job. All node groups in a multi-node parallel job must use the same instance type. This parameter isn't applicable to single-node container jobs or for jobs that run on Fargate resources and shouldn't be provided.
  - resource_requirements (list) - The type and amount of resources to assign to a container. Should be described as a list of dicts with the following format:
    { "resource_requirements": [ { "value": "string", "type": "GPU" | "VCPU" | "MEMORY" } ] }
    - value (string) [REQUIRED] - The quantity of the specified resource to reserve for the container. The values vary based on the type specified.
    - type (GPU|VCPU|MEMORY) [REQUIRED] - The type of resource to assign to a container. The supported resources include GPU, MEMORY, and VCPU.
  - linux_parameters (dict) - Linux-specific modifications that are applied to the container, such as details for device mappings. Should be described as a dict of the following format:
    { "linux_parameters": { "devices": [ { "host_path": "string", "container_path": "string", "permissions": ["READ" | "WRITE" | "MKNOD"] } ], "init_process_enabled": true | false, "shared_memory_size": 123, "tmpfs": [ { "container_path": "string", "size": 123, "mount_options": ["string"] } ], "max_swap": 123, "swappiness": 123 } }
    - devices (list) - Any host devices to expose to the container. Should be described as a list of dicts.
      - host_path (string) [REQUIRED] - The path for the device on the host container instance.
      - container_path (string) - The path inside the container used to expose the host device. By default, the host_path value is used.
      - permissions (READ|WRITE|MKNOD) - The explicit permissions to provide to the container for the device. By default, the container has permissions for read, write, and mknod for the device.
    - init_process_enabled (bool) - If true, run an init process inside the container that forwards signals and reaps processes.
    - shared_memory_size (int) - The value for the size (in MiB) of the /dev/shm volume.
    - tmpfs (list) - The container path, mount options, and size (in MiB) of the tmpfs mount. This parameter isn't applicable to jobs running on Fargate resources and should not be provided. Should be described as a list of dicts.
      - container_path (string) [REQUIRED] - The absolute file path in the container where the tmpfs volume is mounted.
      - size (int) [REQUIRED] - The size (in MiB) of the tmpfs volume.
      - mount_options (list) - The list of tmpfs volume mount options: defaults, ro, rw, suid, nosuid, dev, nodev, exec, noexec, sync, async, dirsync, remount, mand, nomand, atime, noatime, diratime, nodiratime, bind, rbind, unbindable, runbindable, private, rprivate, shared, rshared, slave, rslave, relatime, norelatime, strictatime, nostrictatime, mode, uid, gid, nr_inodes, nr_blocks, mpol.
    - max_swap (int) - The total amount of swap memory (in MiB) a container can use.
    - swappiness (int) - This allows you to tune a container's memory swappiness behavior. A swappiness value of 0 causes swapping not to happen unless absolutely necessary. A swappiness value of 100 causes pages to be swapped very aggressively. Accepted values are whole numbers between 0 and 100. If the swappiness parameter isn't specified, a default value of 60 is used.
  - log_configuration (dict) - The log configuration specification for the container.
    - log_driver (string) [REQUIRED] - The log driver to use for the container. The valid values listed for this parameter are log drivers that the Amazon ECS container agent can communicate with by default. The supported log drivers are awslogs, fluentd, gelf, json-file, journald, logentries, syslog, and splunk.
    - options (dict) - The configuration options to send to the log driver.
    - secret_options (list) - The secrets to pass to the log configuration. Should be described as a list of dicts.
      - name (string) [REQUIRED] - The name of the secret.
      - value_from (string) [REQUIRED] - The secret to expose to the container. The supported values are either the full ARN of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.
  - secrets (list) - The secrets for the container. Should be described as a list of dicts.
    - name (string) [REQUIRED] - The name of the secret.
    - value_from (string) [REQUIRED] - The secret to expose to the container. The supported values are either the full ARN of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.
  - network_configuration (dict) - The network configuration for jobs running on Fargate resources. Jobs running on EC2 resources must not specify this parameter.
    - assign_public_ip (ENABLED|DISABLED) [REQUIRED] - Indicates whether the job should have a public IP address.
  - fargate_platform_configuration (dict) - The platform configuration for jobs running on Fargate resources. Jobs running on EC2 resources must not specify this parameter.
    - platform_version (string) [REQUIRED] - The AWS Fargate platform version where the jobs are running.
- node_properties (dict) - An object with various properties specific to multi-node parallel jobs. If you specify node properties for a job, it becomes a multi-node parallel job. Should be described as a dict of the following format:
  { "num_nodes": 123, "main_node": 123, "node_range_properties": [ { ... }, ] }
  - num_nodes (int) [REQUIRED] - The number of nodes associated with a multi-node parallel job.
  - main_node (int) [REQUIRED] - Specifies the node index for the main node of a multi-node parallel job. This node index value must be fewer than the number of nodes.
  - node_range_properties (list) [REQUIRED] - A list of node ranges and their properties associated with a multi-node parallel job. Should be described as a dict of the following format:
    { "target_nodes": "string", "container": { ... } }
    - target_nodes (string) [REQUIRED] - The range of nodes, using node index values. A range of 0:3 indicates nodes with index values of 0 through 3. If the starting range value is omitted (:n), then 0 is used to start the range. If the ending range value is omitted (n:), then the highest possible node index is used to end the range. Your accumulative node ranges must account for all nodes (0:n). You can nest node ranges, for example 0:10 and 4:5, in which case the 4:5 range properties override the 0:10 properties.
    - container (dict) [REQUIRED] - The container details for the node range. Described identically to the container_properties parameter of the job definition.
- parameters (dict) - Default parameter substitution placeholders to set in the job definition. Parameters are specified as a key-value pair mapping. Parameters in a SubmitJob request override any corresponding parameter defaults from the job definition. Should be described as a dict of the following format:
  { "string": "string", "string": "string" }
- retryStrategy (dict) - The retry strategy to use for failed jobs that are submitted with this job definition. Any retry strategy that's specified during a SubmitJob operation overrides the retry strategy defined here. If a job is terminated due to a timeout, it isn't retried. Should be described as a dict of the following format:
  { "attempts": 123, "evaluateOnExit": [ { "onStatusReason": "string", "onReason": "string", "onExitCode": "string", "action": "RETRY" | "EXIT" } ] }
  - attempts (int) - The number of times to move a job to the RUNNABLE status. You can specify between 1 and 10 attempts.
  - evaluateOnExit (list) - Array of up to 5 objects that specify conditions under which the job should be retried or failed. If this parameter is specified, then the attempts parameter must also be specified. Should be described as a list of dicts with the following keys:
    - on_status_reason (string) - Contains a glob pattern to match against the StatusReason returned for a job.
    - on_reason (string) - Contains a glob pattern to match against the Reason returned for a job.
    - on_exit_code (string) - Contains a glob pattern to match against the decimal representation of the ExitCode returned for a job.
    - action (string) [REQUIRED] - Specifies the action to take if all the specified conditions (onStatusReason, onReason, and onExitCode) are met.
- propagate_tags (bool) - Specifies whether to propagate the tags from the job or job definition to the corresponding Amazon ECS task. If no value is specified, the tags are not propagated.
- timeout (dict) - The timeout configuration for jobs that are submitted with this job definition, after which AWS Batch terminates your jobs if they have not finished. Should be described as a dict of the following format:
  { "attempt_duration_seconds": 123 }
  - attempt_duration_seconds (int) - The time duration in seconds (measured from the job attempt's startedAt timestamp) after which AWS Batch terminates your jobs if they have not finished. The minimum value for the timeout is 60 seconds.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The tags that you apply to the job definition to help you categorize and organize your resources.
- platform_capabilities (list) - The platform capabilities required by the job definition. If no value is specified, it defaults to EC2. To run the job on Fargate resources, specify FARGATE. Should be described as a list of strings.
Linked resources:
iam_role: 4.10 IAM Role
Useful links:
Follow this guide to create the execution IAM role.
Example:
{
"job_definition_to_echo_things": {
"resource_type": "batch_jobdef",
"job_definition_type": "container",
"container_properties": {
"image": "ubuntu",
"vcpus": 1,
"memory": 128,
"command": [
"echo 1"
],
"readonly_root_filesystem": false
},
"tags": {
"name": "my_job_definition"
}
}
}
Resource type: DocumentDB Cluster
syndicate generate meta documentdb_cluster
- --resource_name (string) [REQUIRED] - The name of the DocumentDB cluster.
- --master_username (string) [REQUIRED] - DocumentDB login ID for the master user.
- --master_password (string) [REQUIRED] - The password for the master user.
- --port (int) - The port number on which the instances in the cluster accept connections. Default value is 27017.
- --vpc_security_group_ids (string) [MULTIPLE] - A list of EC2 VPC security groups to associate with this cluster. If not specified, the default security group is used.
- --availability_zones (string) [MULTIPLE] - A list of Amazon EC2 Availability Zones that instances in the cluster can be created in. If not specified, the default is used.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs divided by comma (key1:value1,key2:value2).
{
"cluster_name": {
"resource_type": "documentdb_cluster",
"master_password": "string",
"master_username": "string",
"availability_zones": [
"string"
],
"vpc_security_group_ids": [
"string"
],
"port": 123,
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"string": "string"
}
}
}
- resource_type (string) [REQUIRED] - Resource type.
- cluster_name (string) [REQUIRED] - Name of the cluster.
- master_password (string) [REQUIRED] - The password for the master database user.
- master_username (string) [REQUIRED] - The name of the master user for the cluster.
- availability_zones (list) - A list of Availability Zones that instances in the cluster can be created in.
- vpc_security_group_ids (list) - A list of VPC security groups to associate with the DocumentDB cluster.
- port (int) - The port number on which the instances in the cluster accept connections.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Example:
{
"Users": {
"resource_type": "documentdb_cluster",
"availability_zones": [
"us-east-1a",
"eu-central-1a",
"eu-central-1b"
],
"vpc_security_group_ids": [
"sg-0aea18793dd1fa3d9"
],
"port": 27017,
"master_password": "SECURE_password34_#",
"master_username": "root",
"tags": {
"my_tag": "my_cluster"
}
}
}
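A pre-deploy review of the `container_properties` options documented for `batch_jobdef` and of the `documentdb_cluster` example above, as an added example that is not part of aws-syndicate: it reads meta in the documented shape and reports settings a reviewer would question. The finding names, the sample meta, the `hardened_job` entry and the assumption that a `${...}` value in `master_password` is substituted at deploy time are constructed for this illustration.

```python
import json
import re

SECRET_NAME = re.compile(r"pass(word)?|secret|token|api_?key|credential", re.I)
# Assumption: a "${...}" value is substituted at deploy time, not stored literally.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample: the page's two examples plus risky fields and a hardened job.
SAMPLE_META = json.loads("""
{
  "job_definition_to_echo_things": {
    "resource_type": "batch_jobdef", "job_definition_type": "container",
    "container_properties": {
      "image": "ubuntu", "vcpus": 1, "memory": 128, "command": ["echo 1"],
      "readonly_root_filesystem": false, "privileged": true,
      "environment": [{"name": "DB_PASSWORD", "value": "example-only"}],
      "volumes": [{"host": {"source_path": "/var/run"}, "name": "run"}],
      "mount_points": [{"container_path": "/host-run", "read_only": false, "source_volume": "run"}]
    }
  },
  "hardened_job": {
    "resource_type": "batch_jobdef", "job_definition_type": "container",
    "container_properties": {
      "image": "012345678910.dkr.ecr.eu-central-1.amazonaws.com/jobs:1.4.2",
      "user": "batch", "readonly_root_filesystem": true, "privileged": false,
      "secrets": [{"name": "DB_PASSWORD", "value_from":
                   "arn:aws:ssm:eu-central-1:012345678910:parameter/db"}]
    }
  },
  "Users": {"resource_type": "documentdb_cluster", "port": 27017,
            "master_username": "root", "master_password": "SECURE_password34_#"}
}
""")


def image_is_versioned(image):
    """True for a digest or a tag other than 'latest' (a tag is still mutable)."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # skip a registry host:port prefix
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def audit_container(props):
    """Return findings for one container_properties dict (field names as documented)."""
    out = []
    if props.get("privileged") is True:
        out.append("privileged")
    if props.get("readonly_root_filesystem") is not True:
        out.append("writable-rootfs")
    if props.get("user") in (None, "", "root", "0"):
        out.append("root-or-default-user")
    if not image_is_versioned(props.get("image", "")):
        out.append("unversioned-image")
    for var in props.get("environment", []):
        if SECRET_NAME.search(var.get("name", "")):
            out.append("secret-in-environment:" + var["name"])
    host_volumes = {v.get("name") for v in props.get("volumes", [])
                    if v.get("host", {}).get("source_path")}
    for mp in props.get("mount_points", []):
        if mp.get("source_volume") in host_volumes and mp.get("read_only") is not True:
            out.append("writable-host-mount:" + mp.get("container_path", "?"))
    for dev in props.get("linux_parameters", {}).get("devices", []):
        if not dev.get("permissions"):  # documented default: read, write, mknod
            out.append("device-default-permissions:" + dev.get("host_path", "?"))
    if props.get("network_configuration", {}).get("assign_public_ip") == "ENABLED":
        out.append("public-ip")
    return out


def audit_meta(meta):
    """Map resource name -> findings for batch_jobdef and documentdb_cluster."""
    report = {}
    for name, res in meta.items():
        rtype = res.get("resource_type")
        findings = []
        if rtype == "batch_jobdef":
            if "container_properties" in res:
                findings += audit_container(res["container_properties"])
            # Multi-node jobs carry the same dict per node range under "container".
            for rng in (res.get("node_properties") or {}).get("node_range_properties", []):
                label = "nodes[%s] " % rng.get("target_nodes")
                findings += [label + f for f in audit_container(rng.get("container", {}))]
        elif rtype == "documentdb_cluster":
            password = res.get("master_password")
            if password and not PLACEHOLDER.match(password):
                findings.append("literal-master-password")
            if not res.get("vpc_security_group_ids"):  # default group is used
                findings.append("default-security-group")
        else:
            continue
        report[name] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(audit_meta(SAMPLE_META), indent=2))
```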
Resource type: DocumentDB Instance
syndicate generate meta documentdb_instance
- --resource_name (string) [REQUIRED] - The name of the DocumentDB instance.
- --cluster_identifier (string) [REQUIRED] - The identifier of the cluster that the instance will belong to.
- --instance_class (string) - The compute and memory capacity of the instance. Default value is db.r5.large.
- --availability_zone (string) - The Amazon EC2 Availability Zone that the instance is created in. If not specified, a random zone in the endpoint's region is set.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs divided by comma (key1:value1,key2:value2).
{
"instance_name": {
"resource_type": "documentdb_instance",
"cluster_identifier": "string",
"instance_class": "string",
"availability_zone": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"string": "string"
}
}
}
- resource_type (string) [REQUIRED] - Resource type.
- cluster_identifier (string) [REQUIRED] - The cluster identifier that the instance will belong to.
- instance_class (string) [REQUIRED] - The compute and memory capacity of the instance (for example db.r5.large, db.r6g.4xlarge, db.t4g.medium etc.).
- availability_zone (string) - The Amazon EC2 Availability Zone that the instance is created in.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Example:
{
"new_instance": {
"resource_type": "documentdb_instance",
"cluster_identifier": "Users",
"instance_class": "db.r4.xlarge",
"availability_zone": "eu-central-1a",
"tags": {
"my_tag": "my_instance"
}
}
}
Resource type: Firehose
syndicate generate meta firehose
- --resource_name (string) [REQUIRED] - The name of the Kinesis Data Firehose delivery stream.
- --stream_type (DirectPut|KinesisStreamAsSource) - The delivery stream type. Default value is DirectPut.
- --kinesis_stream_arn (string) [Required if stream_type is 'KinesisStreamAsSource'] - The ARN of the source Kinesis data stream.
- --kinesis_stream_role (string) [Required if stream_type is 'KinesisStreamAsSource'] - The role name that provides access to the Kinesis data stream source.
- --destination_role (string) [REQUIRED] - The role name that provides access to the Kinesis data stream destination S3 bucket.
- --destination_bucket (string) [REQUIRED] - The Kinesis data stream destination S3 bucket name.
- --compression_format (UNCOMPRESSED|GZIP|ZIP|Snappy|HADOOP_SNAPPY) - The compression format.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs divided by comma (key1:value1,key2:value2).
{
"stream_name": {
"resource_type": "firehose",
"stream_type": "DirectPut"|"KinesisStreamAsSource",
"kinesis_stream_source_configuration": {
"kinesis_stream_arn": "string",
"role": "string"
},
"s3_destination_configuration": {
"role": "string",
"bucket": "string",
"prefix": "string",
"error_output_prefix": "string",
"buffering_hints": {
"size_in_mbs": 123,
"interval_in_seconds": 123
},
"compression_format": "UNCOMPRESSED"|"GZIP"|"ZIP"|"Snappy"|"HADOOP_SNAPPY"
},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"string": "string"
}
}
}
- resource_type (string) [REQUIRED] - Resource type.
- stream_type (DirectPut|KinesisStreamAsSource) - Delivery stream type. Default value is DirectPut.
- kinesis_stream_source_configuration (dict) - If the source for the delivery stream is a Kinesis data stream, this parameter must contain the Kinesis data stream ARN and the role ARN for the source stream.
  - kinesis_stream_arn (string) [REQUIRED] - The ARN of the source Kinesis data stream.
  - role (string) [REQUIRED] - The role name that grants access to the originating Kinesis data stream.
- s3_destination_configuration (dict) - The destination in Amazon S3.
  - role (string) [REQUIRED] - The role name that grants access to the S3 bucket.
  - bucket (string) [REQUIRED] - The S3 bucket name.
  - prefix (string) - The prefix "YYYY/MM/DD/HH" for the time format is automatically applied to files delivered to Amazon S3.
  - error_output_prefix (string) - A prefix that Firehose evaluates and adds to failed records before writing them to S3. This prefix appears immediately following the bucket name.
  - buffering_hints (dict) - The buffering option. If no value is specified, default values will be used.
    - size_in_mbs (int) - Buffer incoming data up to the specified size in MiBs before delivering it to the destination, with a default of 5. This optional parameter requires a corresponding value for interval_in_seconds, and vice versa.
    - interval_in_seconds (int) - Buffer incoming data for a designated period, in seconds, before delivery to the destination, with a default of 300 seconds. This optional parameter must be set alongside a corresponding value for size_in_mbs, and vice versa.
  - compression_format (UNCOMPRESSED|GZIP|ZIP|Snappy|HADOOP_SNAPPY) - The compression format. Default value is UNCOMPRESSED.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Example:
{
"stream_type": {
"resource_type": "firehose",
"stream_type": "DirectPut",
"kinesis_stream_source_configuration": {
"kinesis_stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream",
"role": "kinesis_role"
},
"s3_destination_configuration": {
"role": "bucket_role",
"bucket": "mybucket",
"prefix": "2025/01/01/13",
"error_output_prefix": "error_prefix",
"buffering_hints": {
"size_in_mbs": 123,
"interval_in_seconds": 123
},
"compression_format": "ZIP"
}
}
}
Currently only "AWS" and "AWS_PROXY" lambda integration types are supported.
Resource type: Web socket API Gateway
syndicate generate meta web_socket_api_gateway
- --resource_name (string) [REQUIRED] - The name of the API Gateway.
- --deploy_stage (string) [REQUIRED] - The stage to deploy the API.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs divided by comma (key1:value1,key2:value2).
{
"demo-api": {
"resource_type": "web_socket_api_gateway",
"deploy_stage": "api",
"route_selection_expression": "request.body.action",
"resources": {
"$connect": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": ""
},
"$disconnect": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": ""
},
"$default": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": ""
},
"example": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": ""
}
},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
]
}
}
- resource_type (string) [REQUIRED] - Resource type.
- deploy_stage (string) [REQUIRED] - API deploy stage name.
- route_selection_expression (string) [REQUIRED] - JSON path to the attribute which is used as a key to select the route.
- resources (dict) [REQUIRED] - An object where the key is a route (including alpha routes: $connect, $disconnect, $default) and the value is an object with integration_type (string), enable_proxy (bool), lambda_alias (str), lambda_name (str), lambda_version (str).
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
Linked resources:
api_gateway_resource: 4.5.2 API Gateway Resource
lambda: 4.1 LAMBDA
Example:
{
"demo-api": {
"resource_type": "web_socket_api_gateway",
"deploy_stage": "api",
"route_selection_expression": "request.body.action",
"resources": {
"$connect": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": "connection_lambda"
},
"$disconnect": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": "connection_lambda"
},
"$default": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": "main_lambda"
},
"example": {
"integration_type": "lambda",
"enable_proxy": true,
"lambda_alias": "${lambdas_alias_name}",
"lambda_name": "main_lambda"
}
}
}
}
Resource type: EventBridge Rule
syndicate generate meta eventbridge_rule
- --resource_name (string) [REQUIRED] - EventBridge rule name.
- --rule_type (schedule|ec2|api_call) [REQUIRED] - EventBridge rule type.
- --expression (string) - Rule expression (cron schedule). Applicable only if rule_type is schedule.
- --aws_service (string) - The name of the AWS service which the rule listens to. Required only if rule_type is api_call.
- --region (ALL|us-east-1|...|af-south-1) - The region where the rule is deployed. Default value is the one from syndicate config.
- --tags (KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs divided by comma (key1:value1,key2:value2).
{
"demo-eventbridge-rule": {
"resource_type": "eventbridge_rule",
"rule_type": "string",
"region": "string",
"expression": "string",
"aws_service": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"string": "string"
}
}
}
- resource_type (string) [REQUIRED] - Resource type.
- rule_type (string) [REQUIRED] - EventBridge rule type.
- region (string) [REQUIRED] - The region where the rule is deployed.
- expression (string) - Rule expression (cron schedule). Required only if rule_type is schedule.
- aws_service (string) - The name of the AWS service which the rule listens to. Applicable only if rule_type is api_call.
- dependencies (list) - List of the resources that should be deployed/updated before the current resource.
  - resource_name (string) - The name of the resource.
  - resource_type (string) - The resource type.
- tags (dict) - The resource tags.
Example:
{
"demo-eventbridge-rule": {
"resource_type": "eventbridge_rule",
"rule_type": "schedule",
"region": "eu-central-1",
"expression": "rate(1 minute)", // if "rule_type" == "schedule"
"aws_service": "lambda", // if "rule_type" == "api_call"
"tags": {
"my_tag": "my_eb_rule"
}
}
}
Resource type: EventBridge Schedule
syndicate generate meta eventbridge_schedule
-
--resource_name
(string) [REQUIRED] - EventBridge schedule name. -
--schedule_expression
(string) [REQUIRED] - The expression that defines when the schedule runs. The following formats are supported: at(yyyy-mm-ddThh:mm:ss); rate(value unit); cron(fields). -
--target_arn
(string) [REQUIRED] - The complete service ARN, including the API operation. Example: arn:aws:scheduler:::aws-sdk:sqs:sendMessage. -
--role_arn
(string) [REQUIRED] - The execution role ARN you want to use for the target. This role must have the permissions to call the API operation you want your schedule to target. -
--mode
(OFF|FLEXIBLE) - Determines whether the schedule is invoked within a flexible time window. Default value isOFF
. -
--maximum_window_in_minutes
(int) - The maximum time window during which a schedule can be invoked. Required if--mode
isFLEXIBLE
. -
--description
(string) - Schedule description. -
--schedule_expression_timezone
(string) - The timezone in which the scheduling expression is evaluated. -
--group_name
(string) - The name of the schedule group to associate with this schedule. By default, the default schedule group is used. -
--kms_key_arn
(string) - ARN for the customer managed KMS key that scheduler will use to encrypt and decrypt data. -
--state
(ENABLED|DISABLED) - Specifies whether the schedule is enabled or disabled. -
--start_date
(string) - A date in ISO 8601 or UTC, after which the schedule can begin invoking its target. -
--end_date
(string) - A date in ISO 8601 or UTC, before which the schedule can invoke its target. -
--dead_letter_arn
(string) - SQS queue ARN that will be used as the destination for the dead-letter queue. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs separated by commas (key1:value1,key2:value2).
{
"schedule_name": {
"resource_type": "eventbridge_schedule",
"schedule_content": {
"client_token": "string",
"description": "string",
"flexible_time_window": {
"maximum_window_in_minutes": 123,
"mode": "OFF"|"FLEXIBLE"
},
"group_name": "string",
"kms_key_arn": "string",
"schedule_expression": "string",
"schedule_expression_timezone": "string",
"start_date": "string",
"end_date": "string",
"state": "ENABLED"|"DISABLED",
"target": {
"arn": "string",
"role_arn": "string",
"dead_letter_config": {
"arn": "string"
},
"event_bridge_parameters": {
"detail_type": "string",
"source": "string"
},
"input": "string",
"kinesis_parameters": {
"partition_key": "string"
},
"retry_policy": {
"maximum_event_age_in_seconds": 123,
"maximum_retry_attempts": 123
},
"sage_maker_pipeline_parameters": {
"pipeline_parameter_list": [
{
"name": "string",
"value": "string"
}
]
},
"sqs_parameters": {
"message_group_id": "string"
}
}
},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"string": "string"
}
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
schedule_content (dict) [REQUIRED] - EventBridge schedule configuration.
-
client_token (string) - Unique, case-sensitive identifier you provide to ensure the idempotency of the request. If you do not specify a client token, EventBridge Scheduler uses a randomly generated token for the request to ensure idempotency. This field is autopopulated if not provided.
-
description (string) - The description you specify for the schedule.
-
flexible_time_window (dict) [REQUIRED] - A time window during which EventBridge Scheduler invokes the schedule.
-
maximum_window_in_minutes (integer) - The maximum time window during which a schedule can be invoked.
-
mode (string) [REQUIRED] - Determines whether the schedule is invoked within a flexible time window. Available options are OFF and FLEXIBLE. Default value is OFF.
-
-
group_name (string) - The name of the schedule group to associate with this schedule. If you omit this, the default schedule group is used.
-
kms_key_arn (string) - The Amazon Resource Name (ARN) for the customer managed KMS key that EventBridge Scheduler will use to encrypt and decrypt your data.
-
schedule_expression (string) [REQUIRED] - The expression that defines when the schedule runs. The following formats are supported:
-
at
expression - at(yyyy-mm-ddThh:mm:ss); -
rate
expression - rate(value unit); -
cron
expression - cron(fields);
You can use at expressions to create one-time schedules that invoke a target once, at the time and in the time zone that you specify. You can use rate and cron expressions to create recurring schedules. Rate-based schedules are useful when you want to invoke a target at regular intervals, such as every 15 minutes or every five days. Cron-based schedules are useful when you want to invoke a target periodically at a specific time, such as at 8:00 am (UTC+0) every 1st day of the month.
A cron expression consists of six fields separated by white spaces: (minutes hours day_of_month month day_of_week year).
A rate expression consists of a value as a positive integer, and a unit with the following options: minute | minutes | hour | hours | day | days
For more information and examples, see Schedule types on EventBridge Scheduler in the EventBridge Scheduler User Guide.
-
-
schedule_expression_timezone (string) - The timezone in which the scheduling expression is evaluated.
-
start_date (datetime) - A date in ISO 8601 or UTC, after which the schedule can begin invoking its target. Depending on the schedule’s recurrence expression, invocations might occur on, or after, the start_date you specify. EventBridge Scheduler ignores start_date for one-time schedules. -
end_date (datetime) - A date in ISO 8601 or UTC, before which the schedule can invoke its target. Depending on the schedule’s recurrence expression, invocations might stop on, or before, the end_date you specify. EventBridge Scheduler ignores end_date for one-time schedules. -
state (string) - Specifies whether the schedule is enabled or disabled. Valid values are ENABLED and DISABLED. -
target (dict) [REQUIRED] - The target arn subfield can take universal targets: a customizable set of parameters that allows you to invoke a wider set of API operations for many AWS services. To configure a universal target for your schedule using Syndicate, you need to specify the following information:
-
arn (string) [REQUIRED] - The complete service ARN, including the API operation you want to target, in the following format: arn:aws:scheduler:::aws-sdk:service:apiAction. For example, for Amazon SQS, the service name you specify is arn:aws:scheduler:::aws-sdk:sqs:sendMessage. For a complete list of task state resources, see Supported services. -
role_arn (string) [REQUIRED] - The ARN for the execution role you want to use for the target. The execution role you specify must have the permissions to call the API operation you want your schedule to target.
-
dead_letter_config (dict) - Information about an Amazon SQS queue that EventBridge Scheduler uses as a dead-letter queue. If specified, EventBridge Scheduler delivers events that could not be successfully delivered to a target to this queue.
- arn (string) [REQUIRED] - The complete ARN of SQS queue specified as the destination for the dead-letter queue.
-
event_bridge_parameters (dict) - The templated target type for the EventBridge PutEvents API operation.
-
detail_type (string) [REQUIRED] - A string used to decide what fields to expect in the event detail. Maximum length is 128 characters.
-
source (string) [REQUIRED] - The source of the event.
-
-
input (string) - A well-formed JSON you specify with the request parameters that EventBridge Scheduler sends to the target API. The parameters and shape of the JSON you set in Input are determined by the service API your schedule invokes. To find this information, see the API reference for the service you want to target. -
kinesis_parameters (dict) - The templated target type for the Amazon Kinesis PutRecord API operation.
- partition_key (string) [REQUIRED] - Specifies the shard to which EventBridge Scheduler sends the event.
-
retry_policy (dict) - A RetryPolicy object that includes information about the retry policy settings, including the maximum age of an event, and the maximum number of times EventBridge Scheduler will try to deliver the event to a target.
-
maximum_event_age_in_seconds (integer) - The maximum amount of seconds to continue to make retry attempts.
-
maximum_retry_attempts (integer) - The maximum number of retry attempts to make before the request fails. Retry attempts with exponential backoff continue until either the maximum number of attempts is made or until the duration of the MaximumEventAgeInSeconds is reached.
-
-
sage_maker_pipeline_parameters (dict) - The templated target type for the Amazon SageMaker StartPipelineExecution API operation.
-
pipeline_parameter_list (list) [REQUIRED] - List of parameter names and values to use when executing the SageMaker Model Building Pipeline.
-
name (string) [REQUIRED] - Parameter name to start execution of a SageMaker Model Building Pipeline.
-
value (string) [REQUIRED] - Parameter value to start execution of a SageMaker Model Building Pipeline.
-
-
-
sqs_parameters (dict) - The target type template for the Amazon SQS SendMessage API operation includes the message group ID needed for a FIFO queue target. When specifying an Amazon SQS FIFO queue as a target, ensure it has content-based deduplication enabled.
- message_group_id (string) - The FIFO message group ID.
For more information see: Using universal targets.
-
-
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The resource tags.
Example:
{
"schedule_name": {
"resource_type": "eventbridge_schedule",
"schedule_content": {
"client_token": "string",
"description": "The description you specify for the schedule",
"end_date": "2023-11-21T12:00:00+00:00",
"flexible_time_window": {
"maximum_window_in_minutes": 123,
"mode": "FLEXIBLE"
},
"group_name": "<your_existing_group>",
"kms_key_arn": "arn:aws:kms:eu-central-1:123456789012:key/12345abcd-12ab-345cd-123456ab",
"schedule_expression": "rate(24 hour)",
"schedule_expression_timezone": "UTC",
"start_date": "2023-11-20T12:00:00+00:00",
"state": "ENABLED",
"target": {
"Arn": "arn:aws:lambda:eu-central-1:123456789012:function:my_lambda",
"Input": "{\"action\": \"start\", \"instance_ids\": [\"i-05f8afc694738f138\"]}",
"RoleArn": "arn:aws:iam::123456789012:role/my_role"
}
}
}
}
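The field rules above, gathered into a pre-deployment check. This is an added example, not part of aws-syndicate: the function names and the two sample entries are constructed here. Because the field reference uses arn/role_arn while the example above uses Arn/RoleArn, the check accepts both spellings.

```python
import re
from datetime import datetime

RATE_UNITS = ("minute", "minutes", "hour", "hours", "day", "days")
EXPRESSION = re.compile(r"(at|rate|cron)\((.*)\)")


def check_expression(expr):
    """Return (kind, problems) for a schedule_expression string."""
    match = EXPRESSION.fullmatch(expr) if isinstance(expr, str) else None
    if match is None:
        return None, ["schedule_expression must be at(...), rate(...) or cron(...)"]
    kind, body = match.groups()
    if kind == "at":
        try:
            datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            return kind, ["at() expects yyyy-mm-ddThh:mm:ss"]
    elif kind == "rate":
        parts = body.split()
        valid = (len(parts) == 2
                 and re.fullmatch(r"[0-9]+", parts[0]) is not None
                 and int(parts[0]) > 0
                 and parts[1] in RATE_UNITS)
        if not valid:
            return kind, ["rate() expects a positive integer and one of: "
                          + ", ".join(RATE_UNITS)]
    elif len(body.split()) != 6:
        return kind, ["cron() expects six whitespace-separated fields"]
    return kind, []


def validate_schedule(resource):
    """Return a list of problems found in one eventbridge_schedule entry."""
    problems = []
    if resource.get("resource_type") != "eventbridge_schedule":
        problems.append("resource_type must be eventbridge_schedule")
    content = resource.get("schedule_content")
    if not isinstance(content, dict):
        return problems + ["schedule_content is required"]

    kind, found = check_expression(content.get("schedule_expression"))
    problems += found
    if kind == "at":
        # The scheduler ignores both dates for one-time schedules.
        for key in ("start_date", "end_date"):
            if key in content:
                problems.append(f"{key} is ignored for one-time at() schedules")

    window = content.get("flexible_time_window")
    mode = window.get("mode") if isinstance(window, dict) else None
    if mode not in ("OFF", "FLEXIBLE"):
        problems.append("flexible_time_window.mode must be OFF or FLEXIBLE")
    elif mode == "FLEXIBLE" and not isinstance(
            window.get("maximum_window_in_minutes"), int):
        problems.append("maximum_window_in_minutes is required when mode is FLEXIBLE")

    if content.get("state", "ENABLED") not in ("ENABLED", "DISABLED"):
        problems.append("state must be ENABLED or DISABLED")

    target = content.get("target")
    if not isinstance(target, dict):
        return problems + ["target is required"]
    for snake, camel in (("arn", "Arn"), ("role_arn", "RoleArn")):
        if not (target.get(snake) or target.get(camel)):
            problems.append(f"target.{snake} is required")
    dlq = target.get("dead_letter_config")
    if dlq is not None and not (isinstance(dlq, dict) and dlq.get("arn")):
        problems.append("dead_letter_config.arn is required when dead_letter_config is set")
    return problems


def validate_meta(meta):
    """Map each resource name to the problems found in its definition."""
    return {name: validate_schedule(res) for name, res in meta.items()}


# Constructed sample entries: the first is valid, the second breaks four rules.
SAMPLE_META = {
    "nightly-cleanup": {
        "resource_type": "eventbridge_schedule",
        "schedule_content": {
            "schedule_expression": "rate(24 hours)",
            "flexible_time_window": {"mode": "OFF"},
            "target": {"arn": "arn:aws:scheduler:::aws-sdk:sqs:sendMessage",
                       "role_arn": "arn:aws:iam::123456789012:role/my_role"},
        },
    },
    "one-off-report": {
        "resource_type": "eventbridge_schedule",
        "schedule_content": {
            "schedule_expression": "at(2023-11-20 12:00)",
            "start_date": "2023-11-20T12:00:00+00:00",
            "flexible_time_window": {"mode": "FLEXIBLE"},
            "target": {"arn": "arn:aws:scheduler:::aws-sdk:sqs:sendMessage"},
        },
    },
}

if __name__ == "__main__":
    for name, problems in validate_meta(SAMPLE_META).items():
        print(name, "OK" if not problems else problems)
```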
Resource type: DAX Cluster
syndicate generate meta dax_cluster
-
--resource_name
(string) [REQUIRED] - DAX cluster name. -
--node_type
(string) [REQUIRED] - The node type for the nodes in the cluster. -
--iam_role_name
(string) [REQUIRED] - Role name to access DynamoDB tables. -
--subnet_group_name
(string) [REQUIRED] - The name of the subnet group to be used for the replication group. -
--subnet_ids
(string) [MULTIPLE] - Subnet IDs to create a subnet group from. Not needed when using an existing subnet group. -
--cluster_endpoint_encryption_type
(NONE|TLS) - The encryption type of the cluster's endpoint. The default value is TLS. -
--parameter_group_name
(string) - The parameter group to be associated with the DAX cluster. -
--tags
(KEY1:VALUE1,KEY2:VALUE2) - String of the resource tags key-value pairs separated by commas (key1:value1,key2:value2).
{
"dax_cluster_name": {
"resource_type": "dax_cluster",
"node_type": "string",
"iam_role_name": "string",
"replication_factor": 123,
"security_group_ids": [],
"availability_zones": [],
"cluster_endpoint_encryption_type": "TLS",
"subnet_group_name": "string",
"subnet_ids": [],
"parameter_group_name": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
],
"tags": {
"string": "string"
}
}
}
-
resource_type (string) [REQUIRED] - Resource type.
-
node_type (string) [REQUIRED] - The node type for the nodes in the cluster.
-
iam_role_name (string) [REQUIRED] - Role name to access DynamoDB tables.
-
replication_factor (string) [REQUIRED] - The number of nodes in the DAX cluster. A replication factor of 1 will create a single-node cluster, without any read replicas. For additional fault tolerance, you can create a multiple node cluster with one or more read replicas. Default value is 3. -
security_group_ids (list) - A list of security group IDs to be assigned to each node in the DAX cluster.
-
availability_zones (list) - The AZs in which the cluster nodes will reside after the cluster has been created or updated. If provided, the length of this list must equal the replication_factor parameter. -
cluster_endpoint_encryption_type (string) - The encryption type of the cluster's endpoint. The default value is TLS. -
subnet_group_name (string) - The name of the subnet group to be used for the replication group.
-
subnet_ids (list) - Subnet IDs to create a subnet group from. Not needed when using an existing subnet group.
-
parameter_group_name (string) - The parameter group to be associated with the DAX cluster.
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
-
tags (dict) - The DAX cluster tags.
Example:
{
"DemoDAXCluster": {
"resource_type": "dax_cluster",
"node_type": "dax.t2.small",
"iam_role_name": "DAXServiceRoleForDynamoDBAccess",
"replication_factor": 3,
"cluster_endpoint_encryption_type": "TLS",
"subnet_group_name": "demo-dax-cluster-subnet-group",
"tags": {
"demo_dax": "my_dax"
}
}
}
Linked resources:
iam_role: 4.10 IAM Role
Useful links: Follow this guide to create an IAM service role for DAX to access DynamoDB. Follow this guide to create a subnet group for your Amazon DynamoDB Accelerator (DAX).
Resource type: swagger_ui
syndicate generate swagger_ui
-
--name
(string) [REQUIRED] - Swagger UI name. -
--path_to_spec
(string) [REQUIRED] - Path to the OpenAPI specification file. A path that is relative to the project path can be specified. -
--target_bucket
(string) [REQUIRED] - S3 bucket name for Swagger UI deployment. -
--project_path
(string) - Path to the project folder. Default value: the one from the current config if it exists. Otherwise, it defaults to the current working directory.
{
"demo_swagger_ui_name": {
"resource_type": "swagger_ui",
"path_to_spec": "string",
"target_bucket": "string",
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
]
}
}
-
path_to_spec (string) [REQUIRED] - Path to OpenAPI specification file of the API gateway for which Swagger UI will be deployed (.json)
-
target_bucket (string) [REQUIRED] - S3 bucket with static website hosting preconfigured. To configure static website hosting with aws-syndicate, you can generate meta for the S3 bucket using the option --static_website_hosting True of the generate meta s3_bucket command. -
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
In case you have to delete your old API Gateway and redeploy it, its ID will be changed. If you want to dynamically update the server URL in your OAS document, add the following schema to the OAS document:
{
// ...
"x-syndicate-server": {
"resource_type": "api_gateway",
"resource_name": "$API_GATEWAY_NAME",
"parameter_type": "stage_name",
"parameter_name": "$STAGE_NAME"
},
// ...
}
resource_name should be the same as the API Gateway name, and parameter_name should match the stage name.
If the specified API Gateway is not found, a corresponding warning will be issued in the terminal and log file.
Linked resources: s3_bucket: 4.4 S3 Bucket, api_gateway: 4.5.1 API Gateway
Resource type: appsync
syndicate generate appsync api
-
--name
(string) [REQUIRED] - The AppSync API name. -
--project_path
(string) - Path to the project folder. Default value: the one from the current config if it exists. Otherwise - the current working directory. -
--tags
(string) - String of the resource tags key-value pairs separated by commas (key1:value1,key2:value2).
{
"name": "string",
"resource_type": "appsync",
"primary_auth_type": "API_KEY|AWS_IAM|AWS_LAMBDA|AMAZON_COGNITO_USER_POOLS",
"lambda_authorizer_config": {
"authorizer_result_ttl_in_seconds": 123,
"resource_name": "string",
"aws_region": "string"
},
"user_pool_config": {
"resource_name": "string",
"aws_region": "string"
},
"api_key_expiration_days": 123,
"schema_path": "string",
"data_sources": [
{
"name": "string",
"type": "AMAZON_DYNAMODB|AWS_LAMBDA|NONE",
"service_role_name": "string",
"dynamodb_config": {
"table_name": "string",
"aws_region": "string"
},
"lambda_config": {
"lambda_name": "string",
"aws_region": "string"
}
}
],
"resolvers": [
{
"kind": "UNIT|PIPELINE",
"type_name": "string",
"field_name": "string",
"pipeline_config": {
"functions": [
"string"
]
},
"data_source_name": "string",
"runtime": "VTL|JS",
"request_mapping_template_path": "string",
"response_mapping_template_path": "string",
"code_path": "string"
}
],
"functions": [
{
"name": "string",
"description": "string",
"data_source_name": "string",
"runtime": "VTL|JS",
"function_version": "string",
"request_mapping_template_path": "string",
"response_mapping_template_path": "string",
"code_path": "string"
}
],
"log_config": {
"logging_enabled": true|false,
"field_log_level": "NONE|ERROR|ALL",
"cloud_watch_logs_role_name": "string",
"exclude_verbose_content": true|false
},
"tags": {
"string": "string"
},
"extra_auth_types": [
{
"authentication_type": "API_KEY|AWS_IAM|AWS_LAMBDA|AMAZON_COGNITO_USER_POOLS",
"lambda_authorizer_config": {
"authorizer_result_ttl_in_seconds": 123,
"resource_name": "string",
"aws_region": "string"
},
"user_pool_config": {
"resource_name": "string",
"aws_region": "string"
}
}
],
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
]
}
-
name (string) - AppSync API name
-
resource_type (string) - The type of the resource
-
primary_auth_type (API_KEY|AWS_IAM|AWS_LAMBDA|AMAZON_COGNITO_USER_POOLS) - The primary authorization type
-
lambda_authorizer_config (dict) - Configuration for Lambda function authorization
-
authorizer_result_ttl_in_seconds (int) - The number of seconds a response should be cached for
-
resource_name (string) - The name of the lambda function
-
aws_region (string) - The name of the AWS region where the lambda function is located
-
-
user_pool_config (dict) - Configuration for the Cognito user pool authorization
-
resource_name (string) - The name of the Cognito User Pool
-
aws_region (string) - The name of the AWS region where the Cognito User Pool is located
-
-
api_key_expiration_days (int) - The number of days after which the API key expires. Takes effect only if the auth type is API_KEY.
-
schema_path (string) - Path to schema
-
data_sources (list) - List of the AppSync data sources configurations
-
name (string) - The name of the data source
-
type (AWS_LAMBDA|AMAZON_DYNAMODB|NONE) - Data source type
-
service_role_name (string) - The name of the IAM role to work with the data source resource
-
dynamodb_config (dict) - The data source configuration if the type is AMAZON_DYNAMODB
-
table_name (string) - The name of the DynamoDB table
-
aws_region (string) - The name of the AWS region where the DynamoDB table is located
-
-
lambda_config (dict) - The data source configuration if the type is AWS_LAMBDA
-
lambda_name (string) - The name of the lambda function
-
aws_region (string) - The name of the AWS region where the lambda function is located
-
-
-
resolvers (list) - List of the AppSync resolvers configurations
-
kind (UNIT|PIPELINE) - The kind of the resolver
-
type_name (string) - The name of a type defined in the schema
-
field_name (string) - The name of the field defined in the API schema to attach the resolver to
-
pipeline_config (dict) - A pipeline configuration in case of PIPELINE resolver's kind
-
functions (list) - A list of the resolver's functions names
-
data_source_name (string) - The name of the data source to associate the resolver with
-
runtime (JS|VTL) - The resolver's runtime
-
request_mapping_template_path (string) - A path to the file with the resolver's VTL request mapping template, if runtime is VTL
-
response_mapping_template_path (string) - A path to the file with the resolver's VTL response mapping template, if runtime is VTL
-
code_path (string) - A path to the file with the resolver's JavaScript code, if runtime is JS
-
-
functions (list) - List of the AppSync functions configurations
-
name (string) - The name of the function
-
description (string) - The function's description
-
field_name (string) - The name of the field defined in the API schema to attach the resolver to
-
pipeline_config (dict) - A pipeline configuration in case of PIPELINE resolver's kind
- functions (list) - A list of the resolver's functions names
-
data_source_name (string) - The name of the data source to associate the resolver with
-
runtime (JS|VTL) - The resolver's runtime
-
request_mapping_template_path (string) - A path to the file with the resolver's VTL request mapping template, if runtime is VTL
-
response_mapping_template_path (string) - A path to the file with the resolver's VTL response mapping template, if runtime is VTL
-
code_path (string) - A path to the file with the resolver's JavaScript code, if runtime is JS
-
-
log_config (dict) - The Amazon CloudWatch Logs configuration
-
logging_enabled (string) - Defines if logging to CloudWatch is enabled
-
field_log_level (string) - The field logging level
-
cloud_watch_logs_role_name (string) - The name of the IAM role to work with the CloudWatch logs
-
exclude_verbose_content (string) - Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level
-
-
tags (dict) - The AppSync tags key-value pairs
-
extra_auth_types (list) - The list of the AppSync extra authorization's configurations
-
authentication_type (API_KEY|AWS_IAM|AWS_LAMBDA|AMAZON_COGNITO_USER_POOLS) - The authorization type
-
lambda_authorizer_config (dict) - Configuration for Lambda function authorization
-
authorizer_result_ttl_in_seconds (int) - The number of seconds a response should be cached for
-
resource_name (string) - The name of the lambda function
-
aws_region (string) - The name of the AWS region where the lambda function is located
-
-
user_pool_config (dict) - Configuration for the Cognito user pool authorization
-
resource_name (string) - The name of the Cognito User Pool
-
aws_region (string) - The name of the AWS region where the Cognito User Pool is located
-
-
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
syndicate generate appsync data_source
-
--api_name
(string) [REQUIRED] - AppSync API name to add the data source to. -
--name
(string) [REQUIRED] - Data source name. -
--description
(string) - Data source description. -
--type
(AWS_LAMBDA|AMAZON_DYNAMODB|NONE) - Data source type. -
--resource_name
(string) [REQUIRED if --type is AWS_LAMBDA or AMAZON_DYNAMODB] - Data source resource name. -
--region
(string) - The region where the resource is located. If not specified, the default value from the syndicate config will be set. -
--service_role_name
(string) [REQUIRED if --type is AWS_LAMBDA or AMAZON_DYNAMODB] - The name of the role to access the data source resource.
syndicate generate appsync function
-
--api_name
(string) [REQUIRED] - AppSync API name to add the function to. -
--name
(string) [REQUIRED] - Function name. -
--description
(string) - Function description. -
--data_source_name
(string) [REQUIRED] - The name of the data source to associate the function with. -
--runtime
(JS|VTL) [REQUIRED] - Function runtime.
syndicate generate appsync resolver
-
--api_name
(string) [REQUIRED] - AppSync API name to add resolver to. -
--kind
(UNIT|PIPELINE) [REQUIRED] - The kind of resolver. -
--type_name
(string) [REQUIRED] - The name of the type defined in the API schema. -
--field_name
(string) [REQUIRED] - The name of the field defined in the API schema to attach the resolver to. -
--data_source_name
(string) [REQUIRED if --kind is UNIT] - The name of the data source to associate the resolver with. -
--function_name
(string) [MULTIPLE] - The name of the function to add to the resolver. -
--runtime
(JS|VTL) [REQUIRED] - Resolver runtime.
syndicate generate appsync authorization
-
--api_name
(string) [REQUIRED] - AppSync API name to add authorization to. -
--type
(primary|extra) [REQUIRED] - The authorization type. -
--auth_type
(API_KEY|AWS_IAM|AWS_LAMBDA|AMAZON_COGNITO_USER_POOLS) [REQUIRED] - The authentication type. -
--resource_name
(string) [REQUIRED if auth_type is AWS_LAMBDA or AMAZON_COGNITO_USER_POOLS] - Authentication provider resource name. -
--region
(string) - The region where the authentication provider resource is located. If not specified, the default value from the syndicate config will be set.
Example:
{
"name": "demo_appsync_api",
"resource_type": "appsync",
"primary_auth_type": "API_KEY",
"api_key_expiration_days": 7,
"schema_path": "schema.graphql",
"data_sources": [
{
"name": "dynamodb",
"type": "AMAZON_DYNAMODB",
"service_role_name": "appsync_role",
"dynamodb_config": {
"table_name": "appsync_dynamo_db",
"aws_region": "eu-central-1"
}
}
],
"resolvers": [
{
"kind": "UNIT",
"type_name": "Mutation",
"field_name": "createItem",
"data_source_name": "dynamodb",
"runtime": "JS",
"code_path": "resolvers/mutation/createitem/code.js"
}
],
"functions": [
{
"name": "func1",
"description": "",
"data_source_name": "dynamodb",
"runtime": "VTL",
"function_version": "2018-05-29",
"request_mapping_template_path": "functions/func1/req_mapping_template.vtl",
"response_mapping_template_path": "functions/func1/resp_mapping_template.vtl"
}
],
"log_config": {
"logging_enabled": false,
"field_log_level": "ERROR",
"cloud_watch_logs_role_name": "",
"exclude_verbose_content": false
},
"tags": {},
"extra_auth_types": [
{
"authentication_type": "AWS_IAM"
}
]
}
Linked resources: dynamodb_table: 4.2 Dynamo DB table
Resource type: rds_db_cluster
syndicate generate meta rds_db_cluster
-
--resource_name
(string) [REQUIRED] - The RDS DB cluster name. -
--engine
(aurora-postgresql|aurora-mysql) [REQUIRED] - Engine type. -
--engine_version
(string) - Engine version. -
--master_username
(string) [REQUIRED] - DB login ID for the master user. -
--master_password
(string) - The password for master user. Can't be specified if manage_master_password is turned on. -
--database_name
(string) [REQUIRED] - Database name. -
--port
(integer) - The port number on which the instances in the cluster accept connections. Default value is 3306 for MySQL and 5432 for PostgreSQL. -
--manage_master_password
(boolean) - Indicates whether to manage the master user password with AWS Secrets Manager. More details about password management with Amazon Aurora and AWS Secrets Manager -
--iam_db_auth
(boolean) - Indicates whether to enable IAM Database Authentication. -
--vpc_security_group_ids
(string) - A list of EC2 VPC security groups to associate with this cluster. If not specified, default security group is used. -
--db_subnet_group
(string) - A DB subnet group to associate with the DB cluster. -
--availability_zones
(string) - A list of Amazon EC2 Availability Zones that instances in the cluster can be created in. If not specified, the default is used. -
--tags
(string) - String of the resource tags key-value pairs separated by commas (key1:value1,key2:value2).
{
"resource_type": "rds_db_cluster",
"engine": "aurora-postgresql|aurora-mysql",
"engine_version": "string",
"master_username": "string",
"master_user_password": "string",
"database_name": "string",
"port": 123,
"manage_master_user_password": true|false,
"iam_db_auth": true|false,
"vpc_security_group_ids": ["string"],
"db_subnet_group_name": "string",
"availability_zones": ["string"],
"tags": {},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
]
}
-
resource_type (string) - The type of the resource
-
engine (aurora-postgresql|aurora-mysql) - The name of the database engine to be used for this DB cluster.
-
engine_version (string) - The version number of the database engine to use
-
master_username (string) - The name of the master user for the DB cluster
-
master_user_password (string) - The password for the master database user.
-
database_name (string) - The name for your database of up to 64 alphanumeric characters.
-
port (int) - The port number on which the instances in the DB cluster accept connections.
-
manage_master_user_password (boolean) - A value that indicates whether to manage the master user password with AWS Secrets Manager. More details about password management with Amazon Aurora and AWS Secrets Manager
-
iam_db_auth (boolean) - A value that indicates whether to enable mapping of IAM accounts to database accounts.
-
vpc_security_group_ids (list) - A list of EC2 VPC security groups to associate with this DB cluster.
-
db_subnet_group_name (string) - A DB subnet group to associate with this DB cluster.
-
availability_zones (list) - A list of Availability Zones (AZs) where DB instances in the DB cluster can be created.
-
tags (dict) - The cluster tags key-value pairs
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
Resource type: rds_db_instance
syndicate generate meta rds_db_instance
-
--resource_name
(string) [REQUIRED] - The RDS DB instance name. -
--instance_class
(string) [REQUIRED] - DB instance class. -
--cluster_name
(string) - RDS DB cluster name to link the instance with. -
--engine
(string) - Engine type. Not applicable when the instance is part of a cluster. -
--engine_version
(string) - Engine version. Not applicable when the instance is part of a cluster. -
--master_username
(string) - DB login ID for the master user. Not applicable when the instance is part of a cluster. -
--master_password
(string) - The password for master user. Not applicable when the instance is part of a cluster. -
--database_name
(string) - Database name. Not applicable when the instance is part of a cluster. -
--port
(integer) - The port number on which the instances in the cluster accept connections. Default value is 3306 for MySQL and 5432 for PostgreSQL. Not applicable when the instance is part of a cluster. -
--publicly_accessible
(boolean) - Specifies the accessibility options for the DB instance. -
--vpc_security_group_ids
(string) - A list of EC2 VPC security groups to associate with this cluster. If not specified, default security group is used. Not applicable when the instance is part of a cluster. -
--availability_zones
(string) - A list of Amazon EC2 Availability Zones that instances in the cluster can be created in. If not specified, the default is used. Not applicable when the instance is part of a cluster. -
--tags
(string) - String of the resource tags key-value pairs separated by commas (key1:value1,key2:value2).
{
"resource_type": "rds_db_instance",
"instance_class": "string",
"cluster_name": "string",
"engine": "string",
"engine_version": "string",
"master_username": "string",
"master_user_password": "string",
"database_name": "string",
"port": 123,
"publicly_accessible": true|false,
"iam_db_auth": true|false,
"vpc_security_group_ids": ["string"],
"db_subnet_group_name": "string",
"availability_zones": ["string"],
"tags": {},
"dependencies": [
{
"resource_name": "string",
"resource_type": "string"
}
]
}
-
resource_type (string) - The type of the resource
-
instance_class (string) - The compute and memory capacity of the DB instance, for example db.t3.medium.
-
cluster_name (string) - The identifier of the DB cluster that the instance will belong to.
-
engine (string) - The name of the database engine to be used for this instance.
-
engine_version (string) - The version number of the database engine to use.
-
master_username (string) - The name for the master user.
-
master_user_password (string) - The password for the master database user.
-
database_name (string) - The name for your database of up to 64 alphanumeric characters.
-
port (int) - The port number on which the instances in the DB cluster accept connections.
-
iam_db_auth (boolean) - A value that indicates whether to enable mapping of IAM accounts to database accounts.
-
publicly_accessible (boolean) - A value that indicates whether the DB instance is publicly accessible.
-
vpc_security_group_ids (list) - A list of EC2 VPC security groups to associate with this DB instance.
-
db_subnet_group_name (string) - A DB subnet group to associate with this DB instance.
-
availability_zones (list) - A list of Availability Zones (AZs) where DB instances can be created.
-
tags (dict) - The instance tags key-value pairs
-
dependencies (list) - List of the resources that should be deployed/updated before the current resource.
-
resource_name (string) - The name of the resource.
-
resource_type (string) - The resource type.
-
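The constraints stated for rds_db_cluster and rds_db_instance can be checked before deployment. The lint below is an added example, not aws-syndicate code: the function names, severity labels and sample entries are constructed here, and it assumes the meta is a mapping of resource name to definition, as in the other examples on this page.

```python
# Meta fields the options above mark as not applicable once the instance
# is linked to a cluster through cluster_name.
NOT_APPLICABLE_IN_CLUSTER = (
    "engine", "engine_version", "master_username", "master_user_password",
    "database_name", "port", "vpc_security_group_ids", "availability_zones",
)


def lint_rds_resource(resource):
    """Return (severity, message) findings for one RDS meta entry."""
    findings = []
    rtype = resource.get("resource_type")
    if rtype not in ("rds_db_cluster", "rds_db_instance"):
        return findings
    has_password = bool(resource.get("master_user_password"))

    if rtype == "rds_db_cluster":
        if has_password and resource.get("manage_master_user_password"):
            findings.append(("error", "master_user_password cannot be set when "
                                      "manage_master_user_password is true"))
        elif has_password:
            findings.append(("warn", "master_user_password is a literal in the "
                                     "meta file; consider manage_master_user_password"))
        if not resource.get("vpc_security_group_ids"):
            findings.append(("info", "no vpc_security_group_ids: the default "
                                     "security group is used"))
        return findings

    if resource.get("cluster_name"):
        extra = [f for f in NOT_APPLICABLE_IN_CLUSTER if f in resource]
        if extra:
            findings.append(("error", "not applicable when the instance is part "
                                      "of a cluster: " + ", ".join(extra)))
    elif has_password:
        findings.append(("warn", "master_user_password is a literal in the meta file"))
    if resource.get("publicly_accessible"):
        findings.append(("warn", "publicly_accessible is true"))
    return findings


def lint_meta(meta):
    """Map each resource name to its findings."""
    return {name: lint_rds_resource(res) for name, res in meta.items()}


# Constructed sample entries; the password value is a placeholder.
SAMPLE_META = {
    "orders-cluster": {
        "resource_type": "rds_db_cluster",
        "engine": "aurora-postgresql",
        "master_username": "admin_user",
        "master_user_password": "example-only",
        "manage_master_user_password": True,
        "database_name": "orders",
        "vpc_security_group_ids": ["sg-0123456789abcdef0"],
    },
    "orders-writer": {
        "resource_type": "rds_db_instance",
        "instance_class": "db.t3.medium",
        "cluster_name": "orders-cluster",
        "engine": "aurora-postgresql",
        "publicly_accessible": True,
    },
    "reports-cluster": {
        "resource_type": "rds_db_cluster",
        "engine": "aurora-mysql",
        "master_username": "admin_user",
        "manage_master_user_password": True,
        "database_name": "reports",
    },
}

if __name__ == "__main__":
    for name, findings in lint_meta(SAMPLE_META).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```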