What are the challenges associated with configuring backup retention and scheduling for AWS RDS instances, and how can these be mitigated?

Configuring backup retention and scheduling for AWS RDS instances involves ensuring data availability while balancing storage costs and performance impacts. Challenges include determining the optimal retention period to meet data recovery requirements, scheduling backup windows to avoid interference with peak usage times, and handling potential data inconsistencies during backup operations. These challenges can be mitigated by careful analysis of usage patterns, aligning backup schedules with low-traffic periods, and implementing alerts and monitoring to ensure successful backup completion .

What are the key attributes that are exported when using the AWS DB Cluster Snapshot and why are they important for database management?

The key attributes exported by the AWS DB Cluster Snapshot include allocated_storage, availability_zones, db_cluster_identifier, db_cluster_snapshot_arn, engine_version, engine, id, kms_key_id, license_model, port, snapshot_create_time, source_db_cluster_snapshot_identifier, status, storage_encrypted, and vpc_id. These attributes are crucial because they provide important metadata about the snapshot, such as its location, security properties, and database engine version, all of which are essential for managing database backups, ensuring data integrity, and performing restorations accurately .

Explain the method and advantage of using Terraform for importing existing AWS resources like DB Security Groups or API Gateway Configurations.

Terraform allows importing existing AWS resources such as DB Security Groups or API Gateway Configurations by using their unique names as identifiers. The advantage of importing these resources is that it facilitates infrastructure management by enabling the tracking and management of infrastructure state within Terraform configurations, allowing for improved change management, consistency in deployments, and automated configuration management .

Analyze the implications of choosing to encrypt an AWS DB Cluster snapshot. What are the benefits and potential drawbacks?

Encrypting an AWS DB Cluster snapshot enhances security by ensuring data is protected at rest, which is vital for compliance with data protection regulations. It helps prevent unauthorized data access, but it also requires additional considerations such as managing KMS keys and potential performance overhead associated with encryption operations. Moreover, encrypted snapshots can only be restored to clusters with encryption enabled, which may increase management complexity and limit flexibility .

In the context of AWS API Gateway Integration, what are the roles of 'request_templates' and 'request_parameters', and how do they contribute to the integration process?

In AWS API Gateway Integration, 'request_templates' are used to transform the request payload format before it is sent to the backend, ensuring the data aligns with the backend service's expectations. 'Request_parameters', on the other hand, specify the mapping of incoming request parameters to the backend parameters. Together, these components facilitate the seamless communication and integration of AWS API Gateway with backend services by transforming and mapping data appropriately as per backend requirements .

Describe how AWS Subnet Resources utilize tags and filters to manage and select resources within a VPC and the benefits of this approach.

AWS Subnet Resources utilize tags and filters to manage resources by allowing users to label subnets with key-value pairs that describe attributes associated with each subnet, which can then be used with filters to identify and select subnets based on these metadata criteria. This approach simplifies the management of resources across complex network environments by enabling easy grouping, automation, and querying of subnet resources based on application or environmental needs, contributing to operational efficiency and streamlined network management .

How do 'aws_api_gateway_integration' types impact AWS API performance, and what considerations should be made when selecting an integration type?

The 'aws_api_gateway_integration' types, such as HTTP, AWS, MOCK, and AWS_PROXY, impact API performance by defining how requests are handled and routed to backend services. Choosing the correct integration type depends on factors like expected request/response latency, backend service architecture, and scalability needs. For instance, AWS_PROXY type can directly connect API Gateway with AWS Lambda, reducing overhead and improving performance. Each choice should align with the application’s architecture and performance requirements, optimizing for latency, scalability, and cost-effectiveness .

How does AWS Config utilize IAM roles for security and what are the implications of this on auditing and compliance?

AWS Config utilizes IAM roles to perform read and write operations to collect configuration data across resources and to describe AWS resources within the account. The role's permissions must align with the security policies to ensure compliance with best practices and regulatory standards. The use of IAM roles implies a robust auditing framework, as it enables granular tracking of resource access and actions taken by AWS Config, thereby supporting detailed compliance and security audits .

Evaluate the significance of using VPC Endpoint Services in AWS and its impact on security and efficiency of network traffic.

VPC Endpoint Services in AWS provide a secure and efficient method to connect VPCs to AWS services without crossing the public internet, this reduces the potential attack vectors thereby enhancing security. Endpoint services facilitate efficient network traffic management by routing traffic directly within the AWS network, minimizing latency and improving service performance, which is crucial for mission-critical applications that require high availability and performance .

Examine how AWS Config's recording of configuration changes supports continuous compliance and governance in cloud environments.

AWS Config supports continuous compliance and governance by continuously monitoring and recording configuration changes across AWS resources, providing a detailed configuration history and enabling automated compliance checks against desired configurations. This ongoing surveillance helps identify configuration drifts and non-compliance in real-time, facilitating immediate corrective actions. Utilizing AWS Config’s rules and aggregators paints a cohesive picture of cloud resource states, fostering robust governance and streamlined adherence to security and compliance frameworks .

Open navigation menu

Upload

100% found this document useful (3 votes)

2K views1,531 pages

AWS Provider Configuration Guide

The document describes how to configure the AWS provider in Terraform to authenticate with AWS and access AWS resources. It covers using static credentials, environment variables, shared credentials files, EC2 roles, and assuming roles to provide credentials.

Uploaded by

Tilted Mowa

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (3 votes)

2K views1,531 pages

AWS Provider Configuration Guide

Uploaded by

Tilted Mowa

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

AWS Provider

The Amazon Web Services (AWS) provider is used to interact with the many resources supported by AWS. The provider
needs to be con gured with the proper credentials before it can be used.

Use the navigation to the left to read about the available resources.

Example Usage

provider "aws" {
version = "~> 2.0"
region = "us-east-1"
}

resource "aws_vpc" "example" {

cidr_block = "10.0.0.0/16"
}

Authentication
The AWS provider o ers a exible means of providing credentials for authentication. The following methods are supported,
in this order, and explained below:

Static credentials

Environment variables

Shared credentials le

EC2 Role

Static credentials

Warning: Hard-coding credentials into any Terraform con guration is not recommended, and risks secret leakage
should this le ever be committed to a public version control system.

Static credentials can be provided by adding an access_key and secret_key in-line in the AWS provider block:

Usage:
provider "aws" {
region = "us-west-2"
access_key = "my-access-key"
secret_key = "my-secret-key"
}

Environment variables
You can provide your credentials via the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY , environment variables,
representing your AWS Access Key and AWS Secret Key, respectively. Note that setting your AWS credentials using either
these (or legacy) environment variables will override the use of AWS_SHARED_CREDENTIALS_FILE and AWS_PROFILE . The
AWS_DEFAULT_REGION and AWS_SESSION_TOKEN environment variables are also used, if applicable:

provider "aws" {}

Usage:

$ export AWS_ACCESS_KEY_ID=
= "anaccesskey"
$ export AWS_SECRET_ACCESS_KEY=
= "asecretkey"
$ export AWS_DEFAULT_REGION=
= "us-west-2"
$ terraform plan

Shared Credentials le
You can use an AWS credentials le to specify your credentials. The default location is $HOME/.aws/credentials on Linux
and OS X, or "%USERPROFILE%\.aws\credentials" for Windows users. If we fail to detect credentials inline, or in the
environment, Terraform will check this location. You can optionally specify a di erent location in the con guration by
providing the shared_credentials_file attribute, or in the environment with the AWS_SHARED_CREDENTIALS_FILE
variable. This method also supports a profile con guration and matching AWS_PROFILE environment variable:

Usage:

provider "aws" {
region = "us-west-2"
shared_credentials_file = "/Users/tf_user/.aws/creds"
profile = "customprofile"
}

If specifying the pro le through the AWS_PROFILE environment variable, you may also need to set AWS_SDK_LOAD_CONFIG
to a truthy value (e.g. AWS_SDK_LOAD_CONFIG=1 ) for advanced AWS client con gurations, such as pro les that use the
source_profile or role_arn con gurations.

ECS and CodeBuild Task Roles

If you're running Terraform on ECS or CodeBuild and you have con gured an IAM Task Role
(http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html), Terraform will use the container's
Task Role. Terraform looks for the presence of the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable that
AWS injects when a Task Role is con gured. If you have not de ned a Task Role for your container or CodeBuild job,
Terraform will continue to use the EC2 Role.

EC2 Role
If you're running Terraform from an EC2 instance with IAM Instance Pro le using IAM Role, Terraform will just ask the
metadata API (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-
security-credentials) endpoint for credentials.

This is a preferred approach over any other when running in EC2 as you can avoid hard coding credentials. Instead these are
leased on-the- y by Terraform which reduces the chance of leakage.

You can provide the custom metadata API endpoint via the AWS_METADATA_URL variable which expects the endpoint URL,
including the version, and defaults to http://169.254.169.254:80/latest .

The default deadline for the EC2 metadata API endpoint is 100 milliseconds, which can be overidden by setting the
AWS_METADATA_TIMEOUT environment variable. The variable expects a positive golang Time.Duration string, which is a
sequence of decimal numbers and a unit su x; valid su xes are ns (nanoseconds), us (microseconds), ms (milliseconds),
s (seconds), m (minutes), and h (hours). Examples of valid inputs: 100ms , 250ms , 1s , 2.5s , 2.5m , 1m30s .

Assume role
If provided with a role ARN, Terraform will attempt to assume this role using the supplied credentials.

Usage:

provider "aws" {
assume_role {
role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
session_name = "SESSION_NAME"
external_id = "EXTERNAL_ID"
}
}

Argument Reference
In addition to generic provider arguments (https://www.terraform.io/docs/con guration/providers.html) (e.g. alias and
version ), the following arguments are supported in the AWS provider block:

access_key - (Optional) This is the AWS access key. It must be provided, but it can also be sourced from the
AWS_ACCESS_KEY_ID environment variable, or via a shared credentials le if profile is speci ed.

secret_key - (Optional) This is the AWS secret key. It must be provided, but it can also be sourced from the
AWS_SECRET_ACCESS_KEY environment variable, or via a shared credentials le if profile is speci ed.
region - (Required) This is the AWS region. It must be provided, but it can also be sourced from the
AWS_DEFAULT_REGION environment variables, or via a shared credentials le if profile is speci ed.

profile - (Optional) This is the AWS pro le name as set in the shared credentials le.

assume_role - (Optional) An assume_role block (documented below). Only one assume_role block may be in the
con guration.

endpoints - (Optional) Con guration block for customizing service endpoints. See the Custom Service Endpoints
Guide (/docs/providers/aws/guides/custom-service-endpoints.html) for more information about connecting to
alternate AWS endpoints or AWS compatible solutions.

shared_credentials_file = (Optional) This is the path to the shared credentials le. If this is not set and a pro le is
speci ed, ~/.aws/credentials will be used.

token - (Optional) Session token for validating temporary credentials. Typically provided after successful identity
federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterwards,
not the 6 digit MFA code used to get temporary credentials. It can also be sourced from the AWS_SESSION_TOKEN
environment variable.

max_retries - (Optional) This is the maximum number of times an API call is retried, in the case where requests are
being throttled or experiencing transient failures. The delay between the subsequent API calls increases exponentially.

allowed_account_ids - (Optional) List of allowed, white listed, AWS account IDs to prevent you from mistakenly
using an incorrect one (and potentially end up destroying a live environment). Con icts with
forbidden_account_ids .

forbidden_account_ids - (Optional) List of forbidden, blacklisted, AWS account IDs to prevent you mistakenly using
a wrong one (and potentially end up destroying a live environment). Con icts with allowed_account_ids .

insecure - (Optional) Explicitly allow the provider to perform "insecure" SSL requests. If omitted, default value is
false .

skip_credentials_validation - (Optional) Skip the credentials validation via the STS API. Useful for AWS API
implementations that do not have STS available or implemented.

skip_get_ec2_platforms - (Optional) Skip getting the supported EC2 platforms. Used by users that don't have
ec2:DescribeAccountAttributes permissions.

skip_region_validation - (Optional) Skip validation of provided region name. Useful for AWS-like implementations
that use their own region names or to bypass the validation for regions that aren't publicly available yet.

skip_requesting_account_id - (Optional) Skip requesting the account ID. Useful for AWS API implementations that
do not have the IAM, STS API, or metadata API. When set to true and not determined previously, returns an empty
account ID when manually constructing ARN attributes with the following:

aws_api_gateway_deployment resource (/docs/providers/aws/r/api_gateway_deployment.html)

aws_api_gateway_rest_api resource (/docs/providers/aws/r/api_gateway_rest_api.html)

aws_api_gateway_stage resource (/docs/providers/aws/r/api_gateway_stage.html)

aws_budgets_budget resource (/docs/providers/aws/r/budgets_budget.html)

aws_cognito_identity_pool resource (/docs/providers/aws/r/cognito_identity_pool.html)

aws_cognito_user_pool resource (/docs/providers/aws/r/cognito_user_pool.html)

aws_cognito_user_pools data source (/docs/providers/aws/d/cognito_user_pools.html)

aws_dms_replication_subnet_group resource (/docs/providers/aws/r/dms_replication_subnet_group.html)

aws_dx_connection resource (/docs/providers/aws/r/dx_connection.html)

aws_dx_hosted_private_virtual_interface_accepter resource
(/docs/providers/aws/r/dx_hosted_private_virtual_interface_accepter.html)

aws_dx_hosted_private_virtual_interface resource
(/docs/providers/aws/r/dx_hosted_private_virtual_interface.html)

aws_dx_hosted_public_virtual_interface_accepter resource
(/docs/providers/aws/r/dx_hosted_public_virtual_interface_accepter.html)

aws_dx_hosted_public_virtual_interface resource
(/docs/providers/aws/r/dx_hosted_public_virtual_interface.html)

aws_dx_lag resource (/docs/providers/aws/r/dx_lag.html)

aws_dx_private_virtual_interface resource (/docs/providers/aws/r/dx_private_virtual_interface.html)

aws_dx_public_virtual_interface resource (/docs/providers/aws/r/dx_public_virtual_interface.html)

aws_ebs_volume data source (/docs/providers/aws/d/ebs_volume.html)

aws_ecs_cluster resource (import) (/docs/providers/aws/r/ecs_cluster.html)

aws_ecs_service resource (import) (/docs/providers/aws/r/ecs_service.html)

aws_efs_file_system data source (/docs/providers/aws/d/efs_ le_system.html)

aws_efs_file_system resource (/docs/providers/aws/r/efs_ le_system.html)

aws_efs_mount_target data source (/docs/providers/aws/d/efs_mount_target.html)

aws_efs_mount_target resource (/docs/providers/aws/r/efs_mount_target.html)

aws_elasticache_cluster data source (/docs/providers/aws/d/elasticache_cluster.html)

aws_elasticache_cluster resource (/docs/providers/aws/r/elasticache_cluster.html)

aws_elb resource (/docs/providers/aws/r/elb.html)

aws_glue_crawler resource (/docs/providers/aws/r/glue_crawler.html)

aws_instance data source (/docs/providers/aws/d/instance.html)

aws_instance resource (/docs/providers/aws/r/instance.html)

aws_launch_template resource (/docs/providers/aws/r/launch_template.html)

aws_redshift_cluster resource (/docs/providers/aws/r/redshift_cluster.html)

aws_redshift_subnet_group resource (/docs/providers/aws/r/redshift_subnet_group.html)

aws_s3_account_public_access_block resource
(/docs/providers/aws/r/s3_account_public_access_block.html)
aws_ses_domain_identity_verification resource
(/docs/providers/aws/r/ses_domain_identity_veri cation.html)

aws_ses_domain_identity resource (/docs/providers/aws/r/ses_domain_identity.html)

aws_ssm_document resource (/docs/providers/aws/r/ssm_document.html)

aws_ssm_parameter resource (/docs/providers/aws/r/ssm_parameter.html)

aws_vpc data source (/docs/providers/aws/d/vpc.html)

aws_vpc resource (/docs/providers/aws/r/vpc.html)

aws_waf_ipset resource (/docs/providers/aws/r/waf_ipset.html)

aws_wafregional_ipset resource (/docs/providers/aws/r/wafregional_ipset.html)

skip_metadata_api_check - (Optional) Skip the AWS Metadata API check. Useful for AWS API implementations that
do not have a metadata API endpoint. Setting to true prevents Terraform from authenticating via the Metadata API.
You may need to use other authentication methods like static credentials, con guration variables, or environment
variables.

s3_force_path_style - (Optional) Set this to true to force the request to use path-style addressing, i.e.,
http://s3.amazonaws.com/BUCKET/KEY . By default, the S3 client will use virtual hosted bucket addressing,
http://BUCKET.s3.amazonaws.com/KEY , when possible. Speci c to the Amazon S3 service.

The nested assume_role block supports the following:

role_arn - (Required) The ARN of the role to assume.

session_name - (Optional) The session name to use when making the AssumeRole call.

external_id - (Optional) The external ID to use when making the AssumeRole call.

policy - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further
restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant
permissions that are in excess of those allowed by the access policy of the role that is being assumed.

Getting the Account ID

If you use either allowed_account_ids or forbidden_account_ids , Terraform uses several approaches to get the actual
account ID in order to compare it with allowed or forbidden IDs.

Approaches di er per authentication providers:

EC2 instance w/ IAM Instance Pro le - Metadata API (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-

instance-metadata.html) is always used. Introduced in Terraform 0.6.16 .

All other providers (environment variable, shared credentials le, ...) will try three approaches in the following order
iam:GetUser - Typically useful for IAM Users. It also means that each user needs to be privileged to call
iam:GetUser for themselves.

sts:GetCallerIdentity - Should work for both IAM Users and federated IAM Roles, introduced in Terraform
0.6.16 .
iam:ListRoles - This is speci cally useful for IdP-federated pro les which cannot use iam:GetUser . It also
means that each federated user need to be assuming an IAM role which allows iam:ListRoles . Used in
Terraform 0.6.16+ . There used to be no better way to get account ID out of the API when using federated
account until sts:GetCallerIdentity was introduced.
Data Source: aws_acm_certi cate
Use this data source to get the ARN of a certi cate in AWS Certi cate Manager (ACM), you can reference it by domain
without having to hard code the ARNs as input.

Example Usage

data "aws_acm_certificate" "example" {

domain = "tf.example.com"
statuses = ["ISSUED"]
}

data "aws_acm_certificate" "example" {

domain = "tf.example.com"
types = ["AMAZON_ISSUED"]
most_recent = true
}

data "aws_acm_certificate" "example" {

domain = "tf.example.com"
key_types = ["RSA_4096"]
}

Argument Reference
domain - (Required) The domain of the certi cate to look up. If no certi cate is found with this name, an error will be
returned.

key_types - (Optional) A list of key algorithms to lter certi cates. By default, ACM does not return all certi cate
types when searching. Valid values are RSA_1024 , RSA_2048 , RSA_4096 , EC_prime256v1 , EC_secp384r1 , and
EC_secp521r1 .

statuses - (Optional) A list of statuses on which to lter the returned list. Valid values are PENDING_VALIDATION ,
ISSUED , INACTIVE , EXPIRED , VALIDATION_TIMED_OUT , REVOKED and FAILED . If no value is speci ed, only
certi cates in the ISSUED state are returned.

types - (Optional) A list of types on which to lter the returned list. Valid values are AMAZON_ISSUED and IMPORTED .

most_recent - (Optional) If set to true, it sorts the certi cates matched by previous criteria by the NotBefore eld,
returning only the most recent one. If set to false, it returns an error if more than one certi cate is found. Defaults to
false.

Attributes Reference
arn - Set to the ARN of the found certi cate, suitable for referencing in other resources that support ACM certi cates.
Data Source: aws_acmpca_certi cate_authority
Get information on a AWS Certi cate Manager Private Certi cate Authority (ACM PCA Certi cate Authority).

Example Usage

data "aws_acmpca_certificate_authority" "example" {

arn = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-12345678901
2"
}

Argument Reference
The following arguments are supported:

arn - (Required) Amazon Resource Name (ARN) of the certi cate authority.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - Amazon Resource Name (ARN) of the certi cate authority.

certificate - Base64-encoded certi cate authority (CA) certi cate. Only available after the certi cate authority
certi cate has been imported.

certificate_chain - Base64-encoded certi cate chain that includes any intermediate certi cates and chains up to
root on-premises certi cate that you used to sign your private CA certi cate. The chain does not include your private
CA certi cate. Only available after the certi cate authority certi cate has been imported.

certificate_signing_request - The base64 PEM-encoded certi cate signing request (CSR) for your private CA
certi cate.

not_after - Date and time after which the certi cate authority is not valid. Only available after the certi cate
authority certi cate has been imported.

not_before - Date and time before which the certi cate authority is not valid. Only available after the certi cate
authority certi cate has been imported.

revocation_configuration - Nested attribute containing revocation con guration.

revocation_configuration.0.crl_configuration - Nested attribute containing con guration of the
certi cate revocation list (CRL), if any, maintained by the certi cate authority.

revocation_configuration.0.crl_configuration.0.custom_cname - Name inserted into the certi cate CRL

Distribution Points extension that enables the use of an alias for the CRL distribution point.

revocation_configuration.0.crl_configuration.0.enabled - Boolean value that speci es whether

certi cate revocation lists (CRLs) are enabled.

revocation_configuration.0.crl_configuration.0.expiration_in_days - Number of days until a

certi cate expires.

revocation_configuration.0.crl_configuration.0.s3_bucket_name - Name of the S3 bucket that

contains the CRL.

serial - Serial number of the certi cate authority. Only available after the certi cate authority certi cate has been
imported.

status - Status of the certi cate authority.

tags - Speci es a key-value map of user-de ned tags that are attached to the certi cate authority.

type - The type of the certi cate authority.

Data Source: aws_ami
Use this data source to get the ID of a registered AMI for use in other resources.

Example Usage

data "aws_ami" "example" {

executable_users = ["self"]
most_recent = true
name_regex = "^myami-\\d{3}"
owners = ["self"]

filter {
name = "name"
values = ["myami-*"]
}

filter {
name = "root-device-type"
values = ["ebs"]
}

filter {
name = "virtualization-type"
values = ["hvm"]
}
}

Argument Reference
owners - (Required) List of AMI owners to limit search. At least 1 value must be speci ed. Valid values: an AWS account
ID, self (the current account), or an AWS owner alias (e.g. amazon , aws-marketplace , microsoft ).

most_recent - (Optional) If more than one result is returned, use the most recent AMI.

executable_users - (Optional) Limit search to users with explicit launch permission on the image. Valid items are the
numeric account ID or self .

filter - (Optional) One or more name/value pairs to lter o of. There are several valid keys, for a full reference,
check out describe-images in the AWS CLI reference (http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-
images.html).

name_regex - (Optional) A regex string to apply to the AMI list returned by AWS. This allows more advanced ltering
not supported from the AWS API. This ltering is done locally on what AWS returns, and could have a performance
impact if the result is large. It is recommended to combine this with other options to narrow down the list AWS
returns.
NOTE: If more or less than a single match is returned by the search, Terraform will fail. Ensure that your search is
speci c enough to return a single AMI ID only, or use most_recent to choose the most recent one. If you want to
match multiple AMIs, use the aws_ami_ids data source instead.

Attributes Reference
id is set to the ID of the found AMI. In addition, the following attributes are exported:

NOTE: Some values are not always set and may not be available for interpolation.

architecture - The OS architecture of the AMI (ie: i386 or x86_64 ).

block_device_mappings - The block device mappings of the AMI.

block_device_mappings.#.device_name - The physical name of the device.

block_device_mappings.#.ebs.delete_on_termination - true if the EBS volume will be deleted on

termination.

block_device_mappings.#.ebs.encrypted - true if the EBS volume is encrypted.

block_device_mappings.#.ebs.iops - 0 if the EBS volume is not a provisioned IOPS image, otherwise the
supported IOPS count.

block_device_mappings.#.ebs.snapshot_id - The ID of the snapshot.

block_device_mappings.#.ebs.volume_size - The size of the volume, in GiB.

block_device_mappings.#.ebs.volume_type - The volume type.

block_device_mappings.#.no_device - Suppresses the speci ed device included in the block device mapping
of the AMI.

block_device_mappings.#.virtual_name - The virtual device name (for instance stores).

creation_date - The date and time the image was created.

description - The description of the AMI that was provided during image creation.

hypervisor - The hypervisor type of the image.

image_id - The ID of the AMI. Should be the same as the resource id .

image_location - The location of the AMI.

image_owner_alias - The AWS account alias (for example, amazon , self ) or the AWS account ID of the AMI owner.

image_type - The type of image.

kernel_id - The kernel associated with the image, if any. Only applicable for machine images.

name - The name of the AMI that was provided during image creation.

owner_id - The AWS account ID of the image owner.

platform - The value is Windows for Windows AMIs; otherwise blank.

product_codes - Any product codes associated with the AMI.

product_codes.#.product_code_id - The product code.

product_codes.#.product_code_type - The type of product code.

public - true if the image has public launch permissions.

ramdisk_id - The RAM disk associated with the image, if any. Only applicable for machine images.

root_device_name - The device name of the root device.

root_device_type - The type of root device (ie: ebs or instance-store ).

root_snapshot_id - The snapshot id associated with the root device, if any (only applies to ebs root devices).

sriov_net_support - Speci es whether enhanced networking is enabled.

state - The current state of the AMI. If the state is available , the image is successfully registered and can be used
to launch an instance.

state_reason - Describes a state change. Fields are UNSET if not available.

state_reason.code - The reason code for the state change.

state_reason.message - The message for the state change.

tags - Any tags assigned to the image.

tags.#.key - The key name of the tag.

tags.#.value - The value of the tag.

virtualization_type - The type of virtualization of the AMI (ie: hvm or paravirtual ).

Data Source: aws_ami_ids
Use this data source to get a list of AMI IDs matching the speci ed criteria.

Example Usage

data "aws_ami_ids" "ubuntu" {

owners = ["099720109477"]

filter {
name = "name"
values = ["ubuntu/images/ubuntu-*-*-amd64-server-*"]
}
}

executable_users - (Optional) Limit search to users with explicit launch permission on the image. Valid items are the
numeric account ID or self .

sort_ascending - (Defaults to false ) Used to sort AMIs by creation time.

Attributes Reference
ids is set to the list of AMI IDs, sorted by creation time according to sort_ascending .
Data Source: aws_api_gateway_api_key
Use this data source to get the name and value of a pre-existing API Key, for example to supply credentials for a dependency
microservice.

Example Usage

data "aws_api_gateway_api_key" "my_api_key" {

id = "ru3mpjgse6"
}

Argument Reference
id - (Required) The ID of the API Key to look up.

Attributes Reference
id - Set to the ID of the API Key.

name - Set to the name of the API Key.

value - Set to the value of the API Key.

Data Source: aws_api_gateway_resource
Use this data source to get the id of a Resource in API Gateway. To fetch the Resource, you must provide the REST API id as
well as the full path.

Example Usage

data "aws_api_gateway_rest_api" "my_rest_api" {

name = "my-rest-api"
}

data "aws_api_gateway_resource" "my_resource" {

rest_api_id = "${data.aws_api_gateway_rest_api.my_rest_api.id}"
path = "/endpoint/path"
}

Argument Reference
rest_api_id - (Required) The REST API id that owns the resource. If no REST API is found, an error will be returned.

path - (Required) The full path of the resource. If no path is found, an error will be returned.

Attributes Reference
id - Set to the ID of the found Resource.

parent_id - Set to the ID of the parent Resource.

path_part - Set to the path relative to the parent Resource.

Data Source: aws_api_gateway_rest_api
Use this data source to get the id and root_resource_id of a REST API in API Gateway. To fetch the REST API you must provide
a name to match against. As there is no unique name constraint on REST APIs this data source will error if there is more
than one match.

Example Usage

data "aws_api_gateway_rest_api" "my_rest_api" {

name = "my-rest-api"
}

Argument Reference
name - (Required) The name of the REST API to look up. If no REST API is found with this name, an error will be
returned. If multiple REST APIs are found with this name, an error will be returned.

Attributes Reference
id - Set to the ID of the found REST API.

root_resource_id - Set to the ID of the API Gateway Resource on the found REST API where the route matches '/'.
Data Source: aws_api_gateway_vpc_link
Use this data source to get the id of a VPC Link in API Gateway. To fetch the VPC Link you must provide a name to match
against. As there is no unique name constraint on API Gateway VPC Links this data source will error if there is more than one
match.

Example Usage

data "aws_api_gateway_vpc_link" "my_api_gateway_vpc_link" {

name = "my-vpc-link"
}

Argument Reference
name - (Required) The name of the API Gateway VPC Link to look up. If no API Gateway VPC Link is found with this
name, an error will be returned. If multiple API Gateway VPC Links are found with this name, an error will be returned.

Attributes Reference
id - Set to the ID of the found API Gateway VPC Link.
Data Source: aws_arn
Parses an Amazon Resource Name (ARN) into its constituent parts.

Example Usage

data "aws_arn" "db_instance" {

arn = "arn:aws:rds:eu-west-1:123456789012:db:mysql-db"
}

Argument Reference
The following arguments are supported:

arn - (Required) The ARN to parse.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

partition - The partition that the resource is in.

service - The service namespace (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-

namespaces.html#genref-aws-service-namespaces) that identi es the AWS product.

region - The region the resource resides in. Note that the ARNs for some resources do not require a region, so this
component might be omitted.

account - The ID (https://docs.aws.amazon.com/general/latest/gr/acct-identi ers.html) of the AWS account that owns

the resource, without the hyphens.

resource - The content of this part of the ARN varies by service. It often includes an indicator of the type of resource
—for example, an IAM user or Amazon RDS database —followed by a slash (/) or a colon (:), followed by the resource
name itself.
Data Source: aws_autoscaling_group
Use this data source to get information on an existing autoscaling group.

Example Usage

data "aws_autoscaling_group" "foo" {

name = "foo"
}

Argument Reference
name - Specify the exact name of the desired autoscaling group.

Attributes Reference

NOTE: Some values are not always set and may not be available for interpolation.

arn - The Amazon Resource Name (ARN) of the Auto Scaling group.

name - The name of the Auto Scaling group.

availability_zones - One or more Availability Zones for the group.

default_cool_down - The amount of time, in seconds, after a scaling activity completes before another scaling
activity can start.

desired_capacity - The desired size of the group.

health_check_grace_period - The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking
the health status of an EC2 instance that has come into service.

health_check_type - The service to use for the health checks. The valid values are EC2 and ELB.

launch_configuration - The name of the associated launch con guration.

load_balancers - One or more load balancers associated with the group.

max_size - The maximum size of the group.

min_size - The minimum size of the group.

placement_group - The name of the placement group into which to launch your instances, if any. For more
information, see Placement Groups (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html)) in the Amazon Elastic Compute
Cloud User Guide.
service_linked_role_arn - The Amazon Resource Name (ARN) of the service-linked role that the Auto Scaling
group uses to call other AWS services on your behalf.

status - The current state of the group when DeleteAutoScalingGroup is in progress.

target_group_arns - The Amazon Resource Names (ARN) of the target groups for your load balancer.

termination_policies - The termination policies for the group.

vpc_zone_identifier - VPC ID for the group.

Data Source: aws_autoscaling_groups
The Autoscaling Groups data source allows access to the list of AWS ASGs within a speci c region. This will allow you to pass
a list of AutoScaling Groups to other resources.

Example Usage

data "aws_autoscaling_groups" "groups" {

filter {
name = "key"
values = ["Team"]
}

filter {
name = "value"
values = ["Pets"]
}
}

resource "aws_autoscaling_notification" "slack_notifications" {

group_names = ["${data.aws_autoscaling_groups.groups.names}"]

notifications = [
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
]

topic_arn = "TOPIC ARN"

}

Argument Reference
filter - (Optional) A lter used to scope the list e.g. by tags. See related docs
(http://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_Filter.html).
name - (Required) The name of the lter. The valid values are: auto-scaling-group , key , value , and
propagate-at-launch .

values - (Required) The value of the lter.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

names - A list of the Autoscaling Groups in the current region.

arns - A list of the Autoscaling Groups Arns in the current region.

Data Source: aws_availability_zone
aws_availability_zone provides details about a speci c availability zone (AZ) in the current region.

This can be used both to validate an availability zone given in a variable and to split the AZ name into its component parts of
an AWS region and an AZ identi er letter. The latter may be useful e.g. for implementing a consistent subnet numbering
scheme across several regions by mapping both the region and the subnet letter to network numbers.

This is di erent from the aws_availability_zones (plural) data source, which provides a list of the available zones.

Example Usage
The following example shows how this data source might be used to derive VPC and subnet CIDR pre xes systematically for
an availability zone.
variable "region_number" {

default = {
us-
- east-
-1 = 1
us-
- west-
-1 = 2
us-
- west-
-2 = 3
eu-
- central-
-1 = 4
ap-
- northeast-
-1 = 5
}
}

variable "az_number" {

default = {
a = 1
b = 2
c = 3
d = 4
e = 5
f = 6
}
}

data "aws_availability_zone" "example" {

name = "eu-central-1a"
}

resource "aws_vpc" "example" {

cidr_block = "${cidrsubnet("10.0.
. 0.0/
/ 8", 4, var.region_number[data.aws_availability_zone.example.region
])}"
}

resource "aws_subnet" "example" {

vpc_id = "${aws_vpc.example.id}"
cidr_block = "${cidrsubnet(aws_vpc.example.cidr_block, 4, var.az_number[data.aws_availability_zone.exam
ple.name_suffix])}"
}

Argument Reference
The arguments of this data source act as lters for querying the available availability zones. The given lters must match
exactly one availability zone whose data will be exported as attributes.

name - (Optional) The full name of the availability zone to select.

state - (Optional) A speci c availability zone state to require. May be any of "available" , "information" or
"impaired" .

zone_id - (Optional) The zone ID of the availability zone to select.

All reasonable uses of this data source will specify name , since state alone would match a single AZ only in a region that
itself has only one AZ.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

name - The name of the selected availability zone.

region - The region where the selected availability zone resides. This is always the region selected on the provider,
since this data source searches only within that region.

name_suffix - The part of the AZ name that appears after the region name, uniquely identifying the AZ within its
region.

state - The current state of the AZ.

zone_id - (Optional) The zone ID of the selected availability zone.

Data Source: aws_availability_zones
The Availability Zones data source allows access to the list of AWS Availability Zones which can be accessed by an AWS
account within the region con gured in the provider.

This is di erent from the aws_availability_zone (singular) data source, which provides some details about a speci c
availability zone.

Example Usage

data "aws_availability_zones" "available" {

state = "available"
}

resource "aws_subnet" "primary" {

availability_zone = "${data.aws_availability_zones.available.names[0]}"

resource "aws_subnet" "secondary" {

availability_zone = "${data.aws_availability_zones.available.names[1]}"

Argument Reference
The following arguments are supported:

blacklisted_names - (Optional) List of blacklisted Availability Zone names.

blacklisted_zone_ids - (Optional) List of blacklisted Availability Zone IDs.

state - (Optional) Allows to lter list of Availability Zones based on their current state. Can be either "available" ,
"information" , "impaired" or "unavailable" . By default the list includes a complete set of Availability Zones to
which the underlying AWS account has access, regardless of their state.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

names - A list of the Availability Zone names available to the account.

zone_ids - A list of the Availability Zone IDs available to the account.

Note that the indexes of Availability Zone names and IDs correspond.
Data Source: aws_batch_compute_environment
The Batch Compute Environment data source allows access to details of a speci c compute environment within AWS Batch.

Example Usage

data "aws_batch_compute_environment" "batch-mongo" {

compute_environment_name = "batch-mongo-production"
}

Argument Reference
The following arguments are supported:

compute_environment_name - (Required) The name of the Batch Compute Environment

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN of the compute environment.

ecs_cluster_arn - The ARN of the underlying Amazon ECS cluster used by the compute environment.

service_role - The ARN of the IAM role that allows AWS Batch to make calls to other AWS services on your behalf.

type - The type of the compute environment (for example, MANAGED or UNMANAGED ).

status - The current status of the compute environment (for example, CREATING or VALID ).

status_reason - A short, human-readable string to provide additional details about the current status of the
compute environment.

state - The state of the compute environment (for example, ENABLED or DISABLED ). If the state is ENABLED , then
the compute environment accepts jobs from a queue and can scale out automatically based on queues.
Data Source: aws_batch_job_queue
The Batch Job Queue data source allows access to details of a speci c job queue within AWS Batch.

Example Usage

data "aws_batch_job_queue" "test-queue" {

name = "tf-test-batch-job-queue"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the job queue.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN of the job queue.

status - The current status of the job queue (for example, CREATING or VALID ).

status_reason - A short, human-readable string to provide additional details about the current status of the job
queue.

state - Describes the ability of the queue to accept new jobs (for example, ENABLED or DISABLED ).

priority - The priority of the job queue. Job queues with a higher priority are evaluated rst when associated with
the same compute environment.

compute_environment_order - The compute environments that are attached to the job queue and the order in
which job placement is preferred. Compute environments are selected for job placement in ascending order.
compute_environment_order.#.order - The order of the compute environment.

compute_environment_order.#.compute_environment - The ARN of the compute environment.

Data Source: aws_billing_service_account
Use this data source to get the Account ID of the AWS Billing and Cost Management Service Account
(http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-getting-started.html#step-2) for the purpose of
whitelisting in S3 bucket policy.

Example Usage

data "aws_billing_service_account" "main" {}

resource "aws_s3_bucket" "billing_logs" {

bucket = "my-billing-tf-test-bucket"
acl = "private"

policy = <<POLICY
<<
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketAcl", "s3:GetBucketPolicy"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-billing-tf-test-bucket",
"Principal": {
"AWS": [
"${data.aws_billing_service_account.main.arn}"
]
}
},
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-billing-tf-test-bucket/*",
"Principal": {
"AWS": [
"${data.aws_billing_service_account.main.arn}"
]
}
}
]
}
POLICY
}

Attributes Reference
id - The ID of the AWS billing service account.
arn - The ARN of the AWS billing service account.
Data Source: aws_caller_identity
Use this data source to get the access to the e ective Account ID, User ID, and ARN in which Terraform is authorized.

Example Usage

data "aws_caller_identity" "current" {}

output "account_id" {
value = "${data.aws_caller_identity.current.account_id}"
}

output "caller_arn" {
value = "${data.aws_caller_identity.current.arn}"
}

output "caller_user" {
value = "${data.aws_caller_identity.current.user_id}"
}

Argument Reference
There are no arguments available for this data source.

Attributes Reference
account_id - The AWS Account ID number of the account that owns or contains the calling entity.

arn - The AWS ARN associated with the calling entity.

user_id - The unique identi er of the calling entity.

Data Source: aws_canonical_user_id
The Canonical User ID data source allows access to the canonical user ID
(http://docs.aws.amazon.com/general/latest/gr/acct-identi ers.html) for the e ective account in which Terraform is working.

Example Usage

data "aws_canonical_user_id" "current" {}

output "canonical_user_id" {
value = "${data.aws_canonical_user_id.current.id}"
}

Argument Reference
There are no arguments available for this data source.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The canonical user ID associated with the AWS account.

display_name - The human-friendly name linked to the canonical user ID. The bucket owner's display name. NOTE:
This value (https://docs.aws.amazon.com/AmazonS3/latest/API/RESTServiceGET.html) is only included in the response
in the US East (N. Virginia), US West (N. California), US West (Oregon), Asia Paci c (Singapore), Asia Paci c (Sydney), Asia
Paci c (Tokyo), EU (Ireland), and South America (São Paulo) regions.
Data Source: aws_cloudformation_export
The CloudFormation Export data source allows access to stack exports speci ed in the Output
(http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html) section of the
Cloudformation Template using the optional Export Property.

Note: If you are trying to use a value from a Cloudformation Stack in the same Terraform run please use normal
interpolation or Cloudformation Outputs.

Example Usage

data "aws_cloudformation_export" "subnet_id" {

name = "mySubnetIdExportName"
}

resource "aws_instance" "web" {

ami = "ami-abb07bcb"
instance_type = "t1.micro"
subnet_id = "${data.aws_cloudformation_export.subnet_id.value}"
}

Argument Reference
name - (Required) The name of the export as it appears in the console or from list-exports
(http://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-exports.html)

Attributes Reference
In addition to all arguments above, the following attributes are exported:

value - The value from Cloudformation export identi ed by the export name found from list-exports
(http://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-exports.html)

exporting_stack_id - The exporting_stack_id (AWS ARNs) equivalent ExportingStackId from list-exports

(http://docs.aws.amazon.com/cli/latest/reference/cloudformation/list-exports.html)
Data Source: aws_cloudformation_stack
The CloudFormation Stack data source allows access to stack outputs and other useful data including the template body.

Example Usage

data "aws_cloudformation_stack" "network" {

name = "my-network-stack"
}

resource "aws_instance" "web" {

ami = "ami-abb07bcb"
instance_type = "t1.micro"
subnet_id = "${data.aws_cloudformation_stack.network.outputs["SubnetId"]}"

tags = {
Name = "HelloWorld"
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the stack

Attributes Reference
In addition to all arguments above, the following attributes are exported:

capabilities - A list of capabilities

description - Description of the stack

disable_rollback - Whether the rollback of the stack is disabled when stack creation fails

notification_arns - A list of SNS topic ARNs to publish stack related events

outputs - A map of outputs from the stack.

parameters - A map of parameters that specify input parameters for the stack.

tags - A map of tags associated with this stack.

template_body - Structure containing the template body.

iam_role_arn - The ARN of the IAM role used to create the stack.

timeout_in_minutes - The amount of time that can pass before the stack status becomes CREATE_FAILED
Data Source: aws_cloudhsm_v2_cluster
Use this data source to get information about a CloudHSM v2 cluster

Example Usage

data "aws_cloudhsm_v2_cluster" "cluster" {

cluster_id = "cluster-testclusterid"
}

Argument Reference
The following arguments are supported:

cluster_id - (Required) The id of Cloud HSM v2 cluster.

cluster_state - (Optional) The state of the cluster to be found.

Attributes Reference
The following attributes are exported:

vpc_id - The id of the VPC that the CloudHSM cluster resides in.

security_group_id - The ID of the security group associated with the CloudHSM cluster.

subnet_ids - The IDs of subnets in which cluster operates.

cluster_certificates - The list of cluster certi cates.

cluster_certificates.0.cluster_certificate - The cluster certi cate issued (signed) by the issuing
certi cate authority (CA) of the cluster's owner.

cluster_certificates.0.cluster_csr - The certi cate signing request (CSR). Available only in UNINITIALIZED
state.

cluster_certificates.0.aws_hardware_certificate - The HSM hardware certi cate issued (signed) by AWS

CloudHSM.

cluster_certificates.0.hsm_certificate - The HSM certi cate issued (signed) by the HSM hardware.

cluster_certificates.0.manufacturer_hardware_certificate - The HSM hardware certi cate issued

(signed) by the hardware manufacturer. The number of available cluster certi cates may vary depending on
state of the cluster.
Data Source: aws_cloudtrail_service_account
Use this data source to get the Account ID of the AWS CloudTrail Service Account
(http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html) in a given region for the
purpose of allowing CloudTrail to store trail data in S3.

Example Usage

data "aws_cloudtrail_service_account" "main" {}

resource "aws_s3_bucket" "bucket" {

bucket = "tf-cloudtrail-logging-test-bucket"
force_destroy = true

policy = <<EOF
<<
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Put bucket policy needed for trails",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_cloudtrail_service_account.main.arn}"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket/*"
},
{
"Sid": "Get bucket policy needed for trails",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_cloudtrail_service_account.main.arn}"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket"
}
]
}
EOF
}

Argument Reference
region - (Optional) Name of the region whose AWS CloudTrail account ID is desired. Defaults to the region from the
AWS provider con guration.

Attributes Reference
id - The ID of the AWS CloudTrail service account in the selected region.

arn - The ARN of the AWS CloudTrail service account in the selected region.
Data Source: aws_cloudwatch_log_group
Use this data source to get information about an AWS Cloudwatch Log Group

Example Usage

data "aws_cloudwatch_log_group" "example" {

name = "MyImportantLogs"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the Cloudwatch log group

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN of the Cloudwatch log group

creation_time - The creation time of the log group, expressed as the number of milliseconds after Jan 1, 1970
00:00:00 UTC.
Data Source: aws_codecommit_repository
The CodeCommit Repository data source allows the ARN, Repository ID, Repository URL for HTTP and Repository URL for
SSH to be retrieved for an CodeCommit repository.

Example Usage

data "aws_codecommit_repository" "test" {

repository_name = "MyTestRepository"
}

Argument Reference
The following arguments are supported:

repository_name - (Required) The name for the repository. This needs to be less than 100 characters.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

repository_id - The ID of the repository

arn - The ARN of the repository

clone_url_http - The URL to use for cloning the repository over HTTPS.

clone_url_ssh - The URL to use for cloning the repository over SSH.
Data Source: aws_cognito_user_pools
Use this data source to get a list of cognito user pools.

Example Usage

data "aws_api_gateway_rest_api" "selected" {

name = "${var.api_gateway_name}"
}

data "aws_cognito_user_pools" "selected" {

name = "${var.cognito_user_pool_name}"
}

resource "aws_api_gateway_authorizer" "cognito" {

name = "cognito"
type = "COGNITO_USER_POOLS"
rest_api_id = "${data.aws_api_gateway_rest_api.selected.id}"
provider_arns = ["${data.aws_cognito_user_pools.selected.arns}"]
}

Argument Reference
name - (required) Name of the cognito user pools. Name is not a unique attribute for cognito user pool, so multiple
pools might be returned with given name.

Attributes Reference
ids - The list of cognito user pool ids.
Data Source: aws_cur_report_de nition
Use this data source to get information on an AWS Cost and Usage Report De nition.

NOTE: The AWS Cost and Usage Report service is only available in us-east-1 currently.

NOTE: If AWS Organizations is enabled, only the master account can use this resource.

Example Usage

data "aws_cur_report_definition" "report_definition" {

report_name = "example"
}

Argument Reference
The following arguments are supported:

report_name - (Required) The name of the report de nition to match.

Attributes Reference
time_unit - The frequency on which report data are measured and displayed.

format - Preferred compression format for report.

compression - Preferred format for report.

additional_schema_elements - A list of schema elements.

s3_bucket - Name of customer S3 bucket.

s3_prefix - Preferred report path pre x.

s3_region - Region of customer S3 bucket.

additional_artifacts - A list of additional artifacts.

Data Source: aws_customer_gateway
Get an existing AWS Customer Gateway.

Example Usage

data "aws_customer_gateway" "foo" {

filter {
name = "tag:Name"
values = ["foo-prod"]
}
}

resource "aws_vpn_gateway" "main" {

vpc_id = "${aws_vpc.main.id}"
amazon_side_asn = 7224
}

resource "aws_vpn_connection" "transit" {

vpn_gateway_id = "${aws_vpn_gateway.main.id}"
customer_gateway_id = "${data.aws_customer_gateway.foo.id}"
type = "${data.aws_customer_gateway.foo.type}"
static_routes_only = false
}

Argument Reference
The following arguments are supported:

id - (Optional) The ID of the gateway.

filter - (Optional) One or more name-value pairs

(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCustomerGateways.html) to lter by.

Attribute Reference
In addition to the arguments above, the following attributes are exported:

bgp_asn - (Optional) The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).

ip_address - (Optional) The IP address of the gateway's Internet-routable external interface.

tags - Map of key-value pairs assigned to the gateway.

type - (Optional) The type of customer gateway. The only type AWS supports at this time is "ipsec.1".
Data Source: aws_db_cluster_snapshot
Use this data source to get information about a DB Cluster Snapshot for use when provisioning DB clusters.

NOTE: This data source does not apply to snapshots created on DB Instances. See the aws_db_snapshot data source
(/docs/providers/aws/d/db_snapshot.html) for DB Instance snapshots.

Example Usage

data "aws_db_cluster_snapshot" "development_final_snapshot" {

db_cluster_identifier = "development_cluster"
most_recent = true
}

resource "aws_rds_cluster" "aurora" {

cluster_identifier = "development_cluster"
snapshot_identifier = "${data.aws_db_cluster_snapshot.development_final_snapshot.id}"
db_subnet_group_name = "my_db_subnet_group"

lifecycle {
ignore_changes = ["snapshot_identifier"]
}
}

resource "aws_rds_cluster_instance" "aurora" {

cluster_identifier = "${aws_rds_cluster.aurora.id}"
instance_class = "db.t2.small"
db_subnet_group_name = "my_db_subnet_group"
}

Argument Reference
The following arguments are supported:

most_recent - (Optional) If more than one result is returned, use the most recent Snapshot.

db_cluster_identifier - (Optional) Returns the list of snapshots created by the speci c db_cluster

db_cluster_snapshot_identifier - (Optional) Returns information on a speci c snapshot_id.

snapshot_type - (Optional) The type of snapshots to be returned. If you don't specify a SnapshotType value, then
both automated and manual DB cluster snapshots are returned. Shared and public DB Cluster Snapshots are not
included in the returned results by default. Possible values are, automated , manual , shared and public .

include_shared - (Optional) Set this value to true to include shared manual DB Cluster Snapshots from other AWS
accounts that this AWS account has been given permission to copy or restore, otherwise set this value to false. The
default is false .
include_public - (Optional) Set this value to true to include manual DB Cluster Snapshots that are public and can be
copied or restored by any AWS account, otherwise set this value to false. The default is false .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

allocated_storage - Speci es the allocated storage size in gigabytes (GB).

availability_zones - List of EC2 Availability Zones that instances in the DB cluster snapshot can be restored in.

db_cluster_identifier - Speci es the DB cluster identi er of the DB cluster that this DB cluster snapshot was
created from.

db_cluster_snapshot_arn - The Amazon Resource Name (ARN) for the DB Cluster Snapshot.

engine_version - Version of the database engine for this DB cluster snapshot.

engine - Speci es the name of the database engine.

id - The snapshot ID.

kms_key_id - If storage_encrypted is true, the AWS KMS key identi er for the encrypted DB cluster snapshot.

license_model - License model information for the restored DB cluster.

port - Port that the DB cluster was listening on at the time of the snapshot.

snapshot_create_time - Time when the snapshot was taken, in Universal Coordinated Time (UTC).

source_db_cluster_snapshot_identifier - The DB Cluster Snapshot Arn that the DB Cluster Snapshot was copied
from. It only has value in case of cross customer or cross region copy.

status - The status of this DB Cluster Snapshot.

storage_encrypted - Speci es whether the DB cluster snapshot is encrypted.

vpc_id - The VPC ID associated with the DB cluster snapshot.

Data Source: aws_db_event_categories

Example Usage
List the event categories of all the RDS resources.

data "aws_db_event_categories" "example" {}

output "example" {
value = "${data.aws_db_event_categories.example.event_categories}"
}

List the event categories speci c to the RDS resource db-snapshot .

data "aws_db_event_categories" "example" {

source_type = "db-snapshot"
}

output "example" {
value = "${data.aws_db_event_categories.example.event_categories}"
}

Argument Reference
The following arguments are supported:

source_type - (Optional) The type of source that will be generating the events. Valid options are db-instance, db-
security-group, db-parameter-group, db-snapshot, db-cluster or db-cluster-snapshot.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

event_categories - A list of the event categories.

Data Source: aws_db_instance
Use this data source to get information about an RDS instance

Example Usage

data "aws_db_instance" "database" {

db_instance_identifier = "my-test-database"
}

Argument Reference
The following arguments are supported:

db_instance_identifier - (Required) The name of the RDS instance

Attributes Reference
In addition to all arguments above, the following attributes are exported:

address - The hostname of the RDS instance. See also endpoint and port .

allocated_storage - Speci es the allocated storage size speci ed in gigabytes.

auto_minor_version_upgrade - Indicates that minor version patches are applied automatically.

availability_zone - Speci es the name of the Availability Zone the DB instance is located in.

backup_retention_period - Speci es the number of days for which automatic DB snapshots are retained.

db_cluster_identifier - If the DB instance is a member of a DB cluster, contains the name of the DB cluster that
the DB instance is a member of.

db_instance_arn - The Amazon Resource Name (ARN) for the DB instance.

db_instance_class - Contains the name of the compute and memory capacity class of the DB instance.

db_name - Contains the name of the initial database of this instance that was provided at create time, if one was
speci ed when the DB instance was created. This same name is returned for the life of the DB instance.

db_parameter_groups - Provides the list of DB parameter groups applied to this DB instance.

db_security_groups - Provides List of DB security groups associated to this DB instance.

db_subnet_group - Speci es the name of the subnet group associated with the DB instance.

db_instance_port - Speci es the port that the DB instance listens on.

enabled_cloudwatch_logs_exports - List of log types to export to cloudwatch.

endpoint - The connection endpoint in address:port format.

engine - Provides the name of the database engine to be used for this DB instance.

engine_version - Indicates the database engine version.

hosted_zone_id - The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record).

iops - Speci es the Provisioned IOPS (I/O operations per second) value.

kms_key_id - If StorageEncrypted is true, the KMS key identi er for the encrypted DB instance.

license_model - License model information for this DB instance.

master_username - Contains the master username for the DB instance.

monitoring_interval - The interval, in seconds, between points when Enhanced Monitoring metrics are collected
for the DB instance.

monitoring_role_arn - The ARN for the IAM role that permits RDS to send Enhanced Monitoring metrics to
CloudWatch Logs.

multi_az - Speci es if the DB instance is a Multi-AZ deployment.

option_group_memberships - Provides the list of option group memberships for this DB instance.

port - The database port.

preferred_backup_window - Speci es the daily time range during which automated backups are created.

preferred_maintenance_window - Speci es the weekly time range during which system maintenance can occur in
UTC.

publicly_accessible - Speci es the accessibility options for the DB instance.

resource_id - The RDS Resource ID of this instance.

storage_encrypted - Speci es whether the DB instance is encrypted.

storage_type - Speci es the storage type associated with DB instance.

timezone - The time zone of the DB instance.

vpc_security_groups - Provides a list of VPC security group elements that the DB instance belongs to.

replicate_source_db - The identi er of the source DB that this is a replica of.

ca_cert_identifier - Speci es the identi er of the CA certi cate for the DB instance.
Data Source: aws_db_snapshot
Use this data source to get information about a DB Snapshot for use when provisioning DB instances

NOTE: This data source does not apply to snapshots created on Aurora DB clusters. See the
aws_db_cluster_snapshot data source (/docs/providers/aws/d/db_cluster_snapshot.html) for DB Cluster snapshots.

Example Usage

resource "aws_db_instance" "prod" {

allocated_storage = 10
engine = "mysql"
engine_version = "5.6.17"
instance_class = "db.t2.micro"
name = "mydb"
username = "foo"
password = "bar"
db_subnet_group_name = "my_database_subnet_group"
parameter_group_name = "default.mysql5.6"
}

data "aws_db_snapshot" "latest_prod_snapshot" {

db_instance_identifier = "${aws_db_instance.prod.id}"
most_recent = true
}

resource "aws_db_instance" "dev" {

instance_class = "db.t2.micro"
name = "mydbdev"
snapshot_identifier = "${data.aws_db_snapshot.latest_prod_snapshot.id}"

lifecycle {
ignore_changes = ["snapshot_identifier"]
}
}

Argument Reference

NOTE: One of either db_instance_identifier or db_snapshot_identifier is required.

The following arguments are supported:

most_recent - (Optional) If more than one result is returned, use the most recent Snapshot.

db_instance_identifier - (Optional) Returns the list of snapshots created by the speci c db_instance

db_snapshot_identifier - (Optional) Returns information on a speci c snapshot_id.

snapshot_type - (Optional) The type of snapshots to be returned. If you don't specify a SnapshotType value, then
both automated and manual snapshots are returned. Shared and public DB snapshots are not included in the
returned results by default. Possible values are, automated , manual , shared and public .

include_shared - (Optional) Set this value to true to include shared manual DB snapshots from other AWS accounts
that this AWS account has been given permission to copy or restore, otherwise set this value to false. The default is
false .

include_public - (Optional) Set this value to true to include manual DB snapshots that are public and can be copied
or restored by any AWS account, otherwise set this value to false. The default is false .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The snapshot ID.

allocated_storage - Speci es the allocated storage size in gigabytes (GB).

availability_zone - Speci es the name of the Availability Zone the DB instance was located in at the time of the DB
snapshot.

db_snapshot_arn - The Amazon Resource Name (ARN) for the DB snapshot.

encrypted - Speci es whether the DB snapshot is encrypted.

engine - Speci es the name of the database engine.

engine_version - Speci es the version of the database engine.

iops - Speci es the Provisioned IOPS (I/O operations per second) value of the DB instance at the time of the
snapshot.

kms_key_id - The ARN for the KMS encryption key.

license_model - License model information for the restored DB instance.

option_group_name - Provides the option group name for the DB snapshot.

source_db_snapshot_identifier - The DB snapshot Arn that the DB snapshot was copied from. It only has value in
case of cross customer or cross region copy.

source_region - The region that the DB snapshot was created in or copied from.

status - Speci es the status of this DB snapshot.

storage_type - Speci es the storage type associated with DB snapshot.

vpc_id - Speci es the ID of the VPC associated with the DB snapshot.

snapshot_create_time - Provides the time when the snapshot was taken, in Universal Coordinated Time (UTC).
Data Source: aws_dx_gateway
Retrieve information about a Direct Connect Gateway.

Example Usage

data "aws_dx_gateway" "example" {

name = "example"
}

Argument Reference
name - (Required) The name of the gateway to retrieve.

Attributes Reference
amazon_side_asn - The ASN on the Amazon side of the connection.

id - The ID of the gateway.

owner_account_id - AWS Account ID of the gateway.

Data Source: aws_dynamodb_table
Provides information about a DynamoDB table.

Example Usage

data "aws_dynamodb_table" "tableName" {

name = "tableName"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the DynamoDB table.

Attributes Reference
See the DynamoDB Table Resource (/docs/providers/aws/r/dynamodb_table.html) for details on the returned attributes -
they are identical.
Data Source: aws_ebs_default_kms_key
Use this data source to get the default EBS encryption KMS key in the current region.

Example Usage

data "aws_ebs_default_kms_key" "current" { }

resource "aws_ebs_volume" "example" {

availability_zone = "us-west-2a"

encrypted = true
kms_key_id = "${data.aws_ebs_default_kms_key.current.key_id}"

Attributes Reference
The following attributes are exported: * key_arn - Amazon Resource Name (ARN) of the default KMS key uses to encrypt
an EBS volume in this region when no key is speci ed in an API call that creates the volume and encryption by default is
enabled.
Data Source: aws_ebs_encryption_by_default
Provides a way to check whether default EBS encryption is enabled for your AWS account in the current AWS region.

Example Usage

data "aws_ebs_encryption_by_default" "current" { }

Attributes Reference
The following attributes are exported:

enabled - Whether or not default EBS encryption is enabled. Returns as true or false .
Data Source: aws_ebs_snapshot
Use this data source to get information about an EBS Snapshot for use when provisioning EBS Volumes

Example Usage

data "aws_ebs_snapshot" "ebs_volume" {

most_recent = true
owners = ["self"]

filter {
name = "volume-size"
values = ["40"]
}

filter {
name = "tag:Name"
values = ["Example"]
}
}

Argument Reference
The following arguments are supported:

most_recent - (Optional) If more than one result is returned, use the most recent snapshot.

owners - (Optional) Returns the snapshots owned by the speci ed owner id. Multiple owners can be speci ed.

snapshot_ids - (Optional) Returns information on a speci c snapshot_id.

restorable_by_user_ids - (Optional) One or more AWS accounts IDs that can create volumes from the snapshot.

filter - (Optional) One or more name/value pairs to lter o of. There are several valid keys, for a full reference,
check out describe-snapshots in the AWS CLI reference
(http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html).

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The snapshot ID (e.g. snap-59fcb34e).

snapshot_id - The snapshot ID (e.g. snap-59fcb34e).

description - A description for the snapshot

owner_id - The AWS account ID of the EBS snapshot owner.

owner_alias - Value from an Amazon-maintained list ( amazon , aws-marketplace , microsoft ) of snapshot
owners.

volume_id - The volume ID (e.g. vol-59fcb34e).

encrypted - Whether the snapshot is encrypted.

volume_size - The size of the drive in GiBs.

kms_key_id - The ARN for the KMS encryption key.

data_encryption_key_id - The data encryption key identi er for the snapshot.

state - The snapshot state.

tags - A mapping of tags for the resource.

Data Source: aws_ebs_snapshot_ids
Use this data source to get a list of EBS Snapshot IDs matching the speci ed criteria.

Example Usage

data "aws_ebs_snapshot_ids" "ebs_volumes" {

owners = ["self"]

filter {
name = "volume-size"
values = ["40"]
}

filter {
name = "tag:Name"
values = ["Example"]
}
}

Argument Reference
The following arguments are supported:

owners - (Optional) Returns the snapshots owned by the speci ed owner id. Multiple owners can be speci ed.

restorable_by_user_ids - (Optional) One or more AWS accounts IDs that can create volumes from the snapshot.

filter - (Optional) One or more name/value pairs to lter o of. There are several valid keys, for a full reference,
check out describe-volumes in the AWS CLI reference (http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-
snapshots.html).

Attributes Reference
ids is set to the list of EBS snapshot IDs, sorted by creation time in descending order.
Data Source: aws_ebs_volume
Use this data source to get information about an EBS volume for use in other resources.

Example Usage

data "aws_ebs_volume" "ebs_volume" {

most_recent = true

filter {
name = "volume-type"
values = ["gp2"]
}

filter {
name = "tag:Name"
values = ["Example"]
}
}

Argument Reference
The following arguments are supported:

most_recent - (Optional) If more than one result is returned, use the most recent Volume.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The volume ID (e.g. vol-59fcb34e).

volume_id - The volume ID (e.g. vol-59fcb34e).

arn - The volume ARN (e.g. arn:aws:ec2:us-east-1:0123456789012:volume/vol-59fcb34e).

availability_zone - The AZ where the EBS volume exists.

encrypted - Whether the disk is encrypted.

iops - The amount of IOPS for the disk.

size - The size of the drive in GiBs.

snapshot_id - The snapshot_id the EBS volume is based o .

volume_type - The type of EBS volume.

kms_key_id - The ARN for the KMS encryption key.

tags - A mapping of tags for the resource.

Data Source:
aws_ec2_transit_gateway_dx_gateway_attachment
Get information on an EC2 Transit Gateway's attachment to a Direct Connect Gateway.

Example Usage

By Transit Gateway and Direct Connect Gateway Identi ers

data "aws_ec2_transit_gateway_dx_gateway_attachment" "example" {

transit_gateway_id = "${aws_ec2_transit_gateway.example.id}"
dx_gateway_id = "${aws_dx_gateway.example.id}"
}

Argument Reference
The following arguments are supported:

transit_gateway_id - (Required) Identi er of the EC2 Transit Gateway.

dx_gateway_id - (Required) Identi er of the Direct Connect Gateway.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - EC2 Transit Gateway Attachment identi er

tags - Key-value tags for the EC2 Transit Gateway Attachment

Data Source: aws_ec2_transit_gateway
Get information on an EC2 Transit Gateway.

Example Usage

By Filter

data "aws_ec2_transit_gateway" "example" {

filter {
name = "options.amazon-side-asn"
values = ["64512"]
}
}

By Identi er

data "aws_ec2_transit_gateway" "example" {

id = "tgw-12345678"
}

Argument Reference
The following arguments are supported:

filter - (Optional) One or more con guration blocks containing name-values lters. Detailed below.

id - (Optional) Identi er of the EC2 Transit Gateway.

lter Argument Reference

name - (Required) Name of the lter.

values - (Required) List of one or more values for the lter.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

amazon_side_asn - Private Autonomous System Number (ASN) for the Amazon side of a BGP session

arn - EC2 Transit Gateway Amazon Resource Name (ARN)

association_default_route_table_id - Identi er of the default association route table

auto_accept_shared_attachments - Whether resource attachment requests are automatically accepted.

default_route_table_association - Whether resource attachments are automatically associated with the default
association route table.

default_route_table_propagation - Whether resource attachments automatically propagate routes to the default

propagation route table.

description - Description of the EC2 Transit Gateway

dns_support - Whether DNS support is enabled.

id - EC2 Transit Gateway identi er

owner_id - Identi er of the AWS account that owns the EC2 Transit Gateway

propagation_default_route_table_id - Identi er of the default propagation route table.

tags - Key-value tags for the EC2 Transit Gateway

vpn_ecmp_support - Whether VPN Equal Cost Multipath Protocol support is enabled.

Data Source: aws_ec2_transit_gateway_route_table
Get information on an EC2 Transit Gateway Route Table.

Example Usage

By Filter

data "aws_ec2_transit_gateway_route_table" "example" {

filter {
name = "default-association-route-table"
values = ["true"]
}

filter {
name = "transit-gateway-id"
values = ["tgw-12345678"]
}
}

By Identi er

data "aws_ec2_transit_gateway_route_table" "example" {

id = "tgw-rtb-12345678"
}

Argument Reference
The following arguments are supported:

filter - (Optional) One or more con guration blocks containing name-values lters. Detailed below.

id - (Optional) Identi er of the EC2 Transit Gateway Route Table.

lter Argument Reference

name - (Required) Name of the lter.

values - (Required) List of one or more values for the lter.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

default_association_route_table - Boolean whether this is the default association route table for the EC2 Transit
Gateway

default_propagation_route_table - Boolean whether this is the default propagation route table for the EC2
Transit Gateway

id - EC2 Transit Gateway Route Table identi er

transit_gateway_id - EC2 Transit Gateway identi er

tags - Key-value tags for the EC2 Transit Gateway Route Table
Data Source: aws_ec2_transit_gateway_vpc_attachment
Get information on an EC2 Transit Gateway VPC Attachment.

Example Usage

By Filter

data "aws_ec2_transit_gateway_vpc_attachment" "example" {

filter {
name = "vpc-id"
values = ["vpc-12345678"]
}
}

By Identi er

data "aws_ec2_transit_gateway_vpc_attachment" "example" {

id = "tgw-attach-12345678"
}

Argument Reference
The following arguments are supported:

filter - (Optional) One or more con guration blocks containing name-values lters. Detailed below.

id - (Optional) Identi er of the EC2 Transit Gateway VPC Attachment.

lter Argument Reference

name - (Required) Name of the lter.

values - (Required) List of one or more values for the lter.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

dns_support - Whether DNS support is enabled.

id - EC2 Transit Gateway VPC Attachment identi er

ipv6_support - Whether IPv6 support is enabled.

subnet_ids - Identi ers of EC2 Subnets.

transit_gateway_id - EC2 Transit Gateway identi er

tags - Key-value tags for the EC2 Transit Gateway VPC Attachment

vpc_id - Identi er of EC2 VPC.

vpc_owner_id - Identi er of the AWS account that owns the EC2 VPC.
Data Source: aws_ec2_transit_gateway_vpn_attachment
Get information on an EC2 Transit Gateway VPN Attachment.

Example Usage

By Transit Gateway and VPN Connection Identi ers

data "aws_ec2_transit_gateway_vpn_attachment" "example" {

transit_gateway_id = "${aws_ec2_transit_gateway.example.id}"
vpn_connection_id = "${aws_vpn_connection.example.id}"
}

Argument Reference
The following arguments are supported:

transit_gateway_id - (Required) Identi er of the EC2 Transit Gateway.

vpn_connection_id - (Required) Identi er of the EC2 VPN Connection.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - EC2 Transit Gateway VPN Attachment identi er

tags - Key-value tags for the EC2 Transit Gateway VPN Attachment
Data Source: aws_ecr_image
The ECR Image data source allows the details of an image with a particular tag or digest to be retrieved.

Example Usage

data "aws_ecr_image" "service_image" {

repository_name = "my/service"
image_tag = "latest"
}

Argument Reference
The following arguments are supported:

registry_id - (Optional) The ID of the Registry where the repository resides.

repository_name - (Required) The name of the ECR Repository.

image_digest - (Optional) The sha256 digest of the image manifest. At least one of image_digest or image_tag
must be speci ed.

image_tag - (Optional) The tag associated with this image. At least one of image_digest or image_tag must be
speci ed.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

image_pushed_at - The date and time, expressed as a unix timestamp, at which the current image was pushed to the
repository.

image_size_in_bytes - The size, in bytes, of the image in the repository.

image_tags - The list of tags associated with this image.

Data Source: aws_ecr_repository
The ECR Repository data source allows the ARN, Repository URI and Registry ID to be retrieved for an ECR repository.

Example Usage

data "aws_ecr_repository" "service" {

name = "ecr-repository"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the ECR Repository.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - Full ARN of the repository.

registry_id - The registry ID where the repository was created.

repository_url - The URL of the repository (in the form

aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName ).

tags - A mapping of tags assigned to the resource.

Data Source: aws_ecs_cluster
The ECS Cluster data source allows access to details of a speci c cluster within an AWS ECS service.

Example Usage

data "aws_ecs_cluster" "ecs-mongo" {

cluster_name = "ecs-mongo-production"
}

Argument Reference
The following arguments are supported:

cluster_name - (Required) The name of the ECS Cluster

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN of the ECS Cluster

status - The status of the ECS Cluster

pending_tasks_count - The number of pending tasks for the ECS Cluster

running_tasks_count - The number of running tasks for the ECS Cluster

registered_container_instances_count - The number of registered container instances for the ECS Cluster

setting - The settings associated with the ECS Cluster.

Data Source: aws_ecs_container_de nition
The ECS container de nition data source allows access to details of a speci c container within an AWS ECS service.

Example Usage

data "aws_ecs_container_definition" "ecs-mongo" {

task_definition = "${aws_ecs_task_definition.mongo.id}"
container_name = "mongodb"
}

Argument Reference
The following arguments are supported:

task_definition - (Required) The ARN of the task de nition which contains the container

container_name - (Required) The name of the container de nition

Attributes Reference
In addition to all arguments above, the following attributes are exported:

image - The docker image in use, including the digest

image_digest - The digest of the docker image in use

cpu - The CPU limit for this container de nition

memory - The memory limit for this container de nition

memory_reservation - The soft limit (in MiB) of memory to reserve for the container. When system memory is under
contention, Docker attempts to keep the container memory to this soft limit

environment - The environment in use

disable_networking - Indicator if networking is disabled

docker_labels - Set docker labels

Data Source: aws_ecs_service
The ECS Service data source allows access to details of a speci c Service within a AWS ECS Cluster.

Example Usage

data "aws_ecs_service" "example" {

service_name = "example"
cluster_arn = "${data.aws_ecs_cluster.example.arn}"
}

Argument Reference
The following arguments are supported:

service_name - (Required) The name of the ECS Service

cluster_arn - (Required) The arn of the ECS Cluster

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN of the ECS Service

desired_count - The number of tasks for the ECS Service

launch_type - The launch type for the ECS Service

scheduling_strategy - The scheduling strategy for the ECS Service

task_definition - The family for the latest ACTIVE revision

Data Source: aws_ecs_task_de nition
The ECS task de nition data source allows access to details of a speci c AWS ECS task de nition.

Example Usage

data "aws_ecs_task_definition" "mongo" {

task_definition = "${aws_ecs_task_definition.mongo.family}"
}

resource "aws_ecs_cluster" "foo" {

name = "foo"
}

resource "aws_ecs_task_definition" "mongo" {

family = "mongodb"

container_definitions = <<DEFINITION
<<
[
{
"cpu": 128,
"environment": [{
"name": "SECRET",
"value": "KEY"
}],
"essential": true,
"image": "mongo:latest",
"memory": 128,
"memoryReservation": 64,
"name": "mongodb"
}
]
DEFINITION
}

resource "aws_ecs_service" "mongo" {

name = "mongo"
cluster = "${aws_ecs_cluster.foo.id}"
desired_count = 2

task_definition = "${aws_ecs_task_definition.mongo.family}:${max("${aws_ecs_task_definition.mongo
mongo.revis
revis
ion}",
ion "${data.aws_ecs_task_definition
aws_ecs_task_definition.mongo
mongo.revision
revision}")}"
}

Argument Reference
The following arguments are supported:

task_definition - (Required) The family for the latest ACTIVE revision, family and revision (family:revision) for a
speci c revision in the family, the ARN of the task de nition to access to.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

family - The family of this task de nition

network_mode - The Docker networking mode to use for the containers in this task.

revision - The revision of this task de nition

status - The status of this task de nition

task_role_arn - The ARN of the IAM role that containers in this task can assume
Data Source: aws_efs_ le_system
Provides information about an Elastic File System (EFS).

Example Usage

variable "file_system_id" {
type = "string"
default = ""
}

data "aws_efs_file_system" "by_id" {

file_system_id = "${var.file_system_id}"
}

Argument Reference
The following arguments are supported:

file_system_id - (Optional) The ID that identi es the le system (e.g. fs-ccfc0d65).

creation_token - (Optional) Restricts the list to the le system with this creation token.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - Amazon Resource Name of the le system.

performance_mode - The PerformanceMode of the le system.

tags - The list of tags assigned to the le system.

encrypted - Whether EFS is encrypted.

kms_key_id - The ARN for the KMS encryption key.

dns_name - The DNS name for the lesystem per documented convention
(http://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html).
Data Source: aws_efs_mount_target
Provides information about an Elastic File System Mount Target (EFS).

Example Usage

variable "mount_target_id" {
type = "string"
default = ""
}

data "aws_efs_mount_target" "by_id" {

mount_target_id = "${var.mount_target_id}"
}

Argument Reference
The following arguments are supported:

mount_target_id - (Required) ID of the mount target that you want to have described

Attributes Reference
In addition to all arguments above, the following attributes are exported:

file_system_arn - Amazon Resource Name of the le system for which the mount target is intended.

file_system_id - ID of the le system for which the mount target is intended.

subnet_id - ID of the mount target's subnet.

ip_address - Address at which the le system may be mounted via the mount target.

security_groups - List of VPC security group IDs attached to the mount target.

dns_name - The DNS name for the given subnet/AZ per documented convention
(http://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html).

network_interface_id - The ID of the network interface that Amazon EFS created when it created the mount target.
Data Source: aws_eip
aws_eip provides details about a speci c Elastic IP.

Example Usage

Search By Allocation ID (VPC only)

data "aws_eip" "by_allocation_id" {

id = "eipalloc-12345678"
}

Search By Filters (EC2-Classic or VPC)

data "aws_eip" "by_filter" {

filter {
name = "tag:Name"
values = ["exampleNameTagValue"]
}
}

Search By Public IP (EC2-Classic or VPC)

data "aws_eip" "by_public_ip" {

public_ip = "1.2.3.4"
}

Search By Tags (EC2-Classic or VPC)

data "aws_eip" "by_tags" {

tags = {
Name = "exampleNameTagValue"
}
}

Argument Reference
The arguments of this data source act as lters for querying the available Elastic IPs in the current region. The given lters
must match exactly one Elastic IP whose data will be exported as attributes.
filter - (Optional) One or more name/value pairs to use as lters. There are several valid keys, for a full reference,
check out the EC2 API Reference
(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html).

id - (Optional) The allocation id of the speci c VPC EIP to retrieve. If a classic EIP is required, do NOT set id , only set
public_ip

public_ip - (Optional) The public IP of the speci c EIP to retrieve.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired Elastic IP

Attributes Reference
In addition to all arguments above, the following attributes are exported:

association_id - The ID representing the association of the address with an instance in a VPC.

domain - Indicates whether the address is for use in EC2-Classic (standard) or in a VPC (vpc).

id - If VPC Elastic IP, the allocation identi er. If EC2-Classic Elastic IP, the public IP address.

instance_id - The ID of the instance that the address is associated with (if any).

network_interface_id - The ID of the network interface.

network_interface_owner_id - The ID of the AWS account that owns the network interface.

private_ip - The private IP address associated with the Elastic IP address.

private_dns - The Private DNS associated with the Elastic IP address.

public_ip - Public IP address of Elastic IP.

public_dns - Public DNS associated with the Elastic IP address.

public_ipv4_pool - The ID of an address pool.

tags - Key-value map of tags associated with Elastic IP.

Note: The data source computes the public_dns and private_dns attributes according to the VPC DNS Guide
(https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-hostnames) as they are not available with
the EC2 API.
Data Source: aws_eks_cluster_auth
Get an authentication token to communicate with an EKS cluster.

Uses IAM credentials from the AWS provider to generate a temporary token that is compatible with AWS IAM Authenticator
(https://github.com/kubernetes-sigs/aws-iam-authenticator) authentication. This can be used to authenticate to an EKS
cluster or to a cluster that has the AWS IAM Authenticator server con gured.

Example Usage

data "aws_eks_cluster" "example" {

name = "example"
}

data "aws_eks_cluster_auth" "example" {

name = "example"
}

provider "kubernetes" {
host = "${data.aws_eks_cluster.example.endpoint}"
cluster_ca_certificate = "${base64decode(data.aws_eks_cluster.example.certificate_authority.0.data)}"
token = "${data.aws_eks_cluster_auth.example.token}"
load_config_file = false
}

Argument Reference
name - (Required) The name of the cluster

Attributes Reference
token - The token to use to authenticate with the cluster.
Data Source: aws_eks_cluster
Retrieve information about an EKS Cluster.

Example Usage

data "aws_eks_cluster" "example" {

name = "example"
}

output "endpoint" {
value = "${data.aws_eks_cluster.example.endpoint}"
}

output "kubeconfig-certificate-authority-data" {
value = "${data.aws_eks_cluster.example.certificate_authority.0.data}"
}

output "identity-oidc-issuer" {
value = "${data.aws_eks_cluster.example.identity.0.oidc.0.issuer}"
}

Argument Reference
name - (Required) The name of the cluster

Attributes Reference
id - The name of the cluster

arn - The Amazon Resource Name (ARN) of the cluster.

certificate_authority - Nested attribute containing certificate-authority-data for your cluster.

data - The base64 encoded certi cate data required to communicate with your cluster. Add this to the
certificate-authority-data section of the kubeconfig le for your cluster.

created_at - The Unix epoch time stamp in seconds for when the cluster was created.

enabled_cluster_log_types - The enabled control plane logs.

endpoint - The endpoint for your Kubernetes API server.

identity - Nested attribute containing identity provider information for your cluster. Only available on Kubernetes
version 1.13 and 1.14 clusters created or upgraded on or after September 3, 2019. For an example using this
information to enable IAM Roles for Service Accounts, see the aws_eks_cluster resource documentation
(/docs/providers/aws/r/eks_cluster.html).
oidc - Nested attribute containing OpenID Connect (https://openid.net/connect/) identity provider information
for the cluster.

issuer - Issuer URL for the OpenID Connect identity provider.

platform_version - The platform version for the cluster.

role_arn - The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control
plane to make calls to AWS API operations on your behalf.

status - The status of the EKS cluster. One of CREATING , ACTIVE , DELETING , FAILED .

tags - Key-value mapping of resource tags.

version - The Kubernetes server version for the cluster.

vpc_config - Nested attribute containing VPC con guration for the cluster.
endpoint_private_access - Indicates whether or not the Amazon EKS private API server endpoint is enabled.

endpoint_public_access - Indicates whether or not the Amazon EKS public API server endpoint is enabled.

security_group_ids – List of security group IDs

subnet_ids – List of subnet IDs

vpc_id – The VPC associated with your cluster.

Data Source: aws_elasticache_cluster
Use this data source to get information about an Elasticache Cluster

Example Usage

data "aws_elasticache_cluster" "my_cluster" {

cluster_id = "my-cluster-id"
}

Argument Reference
The following arguments are supported:

cluster_id – (Required) Group identi er.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

node_type – The cluster node type.

num_cache_nodes – The number of cache nodes that the cache cluster has.

engine – Name of the cache engine.

engine_version – Version number of the cache engine.

subnet_group_name – Name of the subnet group associated to the cache cluster.

security_group_names – List of security group names associated with this cache cluster.

security_group_ids – List VPC security groups associated with the cache cluster.

parameter_group_name – Name of the parameter group associated with this cache cluster.

replication_group_id - The replication group to which this cache cluster belongs.

maintenance_window – Speci es the weekly time range for when maintenance on the cache cluster is performed.

snapshot_window - The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of the
cache cluster.

snapshot_retention_limit - The number of days for which ElastiCache will retain automatic cache cluster
snapshots before deleting them.

availability_zone - The Availability Zone for the cache cluster.

notification_topic_arn – An Amazon Resource Name (ARN) of an SNS topic that ElastiCache noti cations get sent
to.
port – The port number on which each of the cache nodes will accept connections.

configuration_endpoint - (Memcached only) The con guration endpoint to allow host discovery.

cluster_address - (Memcached only) The DNS name of the cache cluster without the port appended.

cache_nodes - List of node objects including id , address , port and availability_zone . Referenceable e.g. as
${data.aws_elasticache_cluster.bar.cache_nodes.0.address}

tags - The tags assigned to the resource

Data Source: aws_elasticache_replication_group
Use this data source to get information about an Elasticache Replication Group.

Example Usage

data "aws_elasticache_replication_group" "bar" {

replication_group_id = "example"
}

Argument Reference
The following arguments are supported:

replication_group_id – (Required) The identi er for the replication group.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

replication_group_id - The identi er for the replication group.

replication_group_description - The description of the replication group.

auth_token_enabled - A ag that enables using an AuthToken (password) when issuing Redis commands.

automatic_failover_enabled - A ag whether a read-only replica will be automatically promoted to read/write

primary if the existing primary fails.

node_type – The cluster node type.

number_cache_clusters – The number of cache clusters that the replication group has.

member_clusters - The identi ers of all the nodes that are part of this replication group.

snapshot_window - The daily time range (in UTC) during which ElastiCache begins taking a daily snapshot of your
node group (shard).

snapshot_retention_limit - The number of days for which ElastiCache retains automatic cache cluster snapshots
before deleting them.

port – The port number on which the con guration endpoint will accept connections.

configuration_endpoint_address - The con guration endpoint address to allow host discovery.

primary_endpoint_address - The endpoint of the primary node in this node group (shard).
Data Source: aws_elastic_beanstalk_application
Retrieve information about an Elastic Beanstalk Application.

Example Usage

data "aws_elastic_beanstalk_application" "example" {

name = "example"
}

output "arn" {
value = "${data.aws_elastic_beanstalk_application.example.arn}"
}

output "description" {
value = "${data.aws_elastic_beanstalk_application.example.description}"
}

Argument Reference
name - (Required) The name of the application

Attributes Reference
id - The name of the application

arn - The Amazon Resource Name (ARN) of the application.

description - Short description of the application

Application version lifecycle ( appversion_lifecycle ) supports the nested attribute containing.

service_role - The ARN of an IAM service role under which the application version is deleted. Elastic Beanstalk must
have permission to assume this role.

max_count - The maximum number of application versions to retain.

max_age_in_days - The number of days to retain an application version.

delete_source_from_s3 - Speci es whether delete a version's source bundle from S3 when the application version
is deleted.
Data Source: aws_elastic_beanstalk_hosted_zone
Use this data source to get the ID of an elastic beanstalk hosted zone
(http://docs.aws.amazon.com/general/latest/gr/rande.html#elasticbeanstalk_region).

Example Usage

data "aws_elastic_beanstalk_hosted_zone" "current" {}

Argument Reference
region - (Optional) The region you'd like the zone for. By default, fetches the current region.

Attributes Reference
id - The ID of the hosted zone.

region - The region of the hosted zone.

Data Source: aws_elastic_beanstalk_solution_stack
Use this data source to get the name of a elastic beanstalk solution stack.

Example Usage

data "aws_elastic_beanstalk_solution_stack" "multi_docker" {

most_recent = true

name_regex = "^64bit Amazon Linux (.) Multi-container Docker (.)$"

}

Argument Reference
most_recent - (Optional) If more than one result is returned, use the most recent solution stack.

name_regex - A regex string to apply to the solution stack list returned by AWS. See Elastic Beanstalk Supported
Platforms (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.platforms.html) from AWS documentation
for reference solution stack names.

NOTE: If more or less than a single match is returned by the search, Terraform will fail. Ensure that your search is
speci c enough to return a single solution stack, or use most_recent to choose the most recent one.

Attributes Reference
name - The name of the solution stack.
Data Source: aws_elasticsearch_domain
Use this data source to get information about an Elasticsearch Domain

Example Usage

data "aws_elasticsearch_domain" "my_domain" {

domain_name = "my-domain-name"
}

Argument Reference
The following arguments are supported:

domain_name – (Required) Name of the domain.

Attributes Reference
The following attributes are exported:

access_policies – The policy document attached to the domain.

advanced_options - Key-value string pairs to specify advanced con guration options.

arn – The Amazon Resource Name (ARN) of the domain.

cluster_config - Cluster con guration of the domain.

instance_type - Instance type of data nodes in the cluster.

instance_count - Number of instances in the cluster.

dedicated_master_enabled - Indicates whether dedicated master nodes are enabled for the cluster.

dedicated_master_type - Instance type of the dedicated master nodes in the cluster.

dedicated_master_count - Number of dedicated master nodes in the cluster.

zone_awareness_enabled - Indicates whether zone awareness is enabled.

zone_awareness_config - Con guration block containing zone awareness settings.

availability_zone_count - Number of availability zones used.

cognito_options - Domain Amazon Cognito Authentication options for Kibana.

enabled - Whether Amazon Cognito Authentication is enabled.

user_pool_id - The Cognito User pool used by the domain.

identity_pool_id - The Cognito Identity pool used by the domain.

role_arn - The IAM Role with the AmazonESCognitoAccess policy attached.

created – Status of the creation of the domain.

deleted – Status of the deletion of the domain.

domain_id – Unique identi er for the domain.

ebs_options - EBS Options for the instances in the domain.

ebs_enabled - Whether EBS volumes are attached to data nodes in the domain.

volume_type - The type of EBS volumes attached to data nodes.

volume_size - The size of EBS volumes attached to data nodes (in GB).

iops - The baseline input/output (I/O) performance of EBS volumes attached to data nodes.

elasticsearch_version – ElasticSearch version for the domain.

encryption_at_rest - Domain encryption at rest related options.

enabled - Whether encryption at rest is enabled in the domain.

kms_key_id - The KMS key id used to encrypt data at rest.

endpoint – Domain-speci c endpoint used to submit index, search, and data upload requests.

kibana_endpoint - Domain-speci c endpoint used to access the Kibana application.

log_publishing_options - Domain log publishing related options.

log_type - The type of Elasticsearch log being published.

cloudwatch_log_group_arn - The CloudWatch Log Group where the logs are published.

enabled - Whether log publishing is enabled.

node_to_node_encryption - Domain in transit encryption related options.

enabled - Whether node to node encryption is enabled.

processing – Status of a con guration change in the domain.

snapshot_options – Domain snapshot related options.

automated_snapshot_start_hour - Hour during which the service takes an automated daily snapshot of the
indices in the domain.

tags - The tags assigned to the domain.

vpc_options - VPC Options for private Elasticsearch domains.

availability_zones - The availability zones used by the domain.

security_group_ids - The security groups used by the domain.

subnet_ids - The subnets used by the domain.

vpc_id - The VPC used by the domain.

Data Source: aws_elb_hosted_zone_id
Use this data source to get the HostedZoneId of the AWS Elastic Load Balancing HostedZoneId in a given region for the
purpose of using in an AWS Route53 Alias.

Example Usage

data "aws_elb_hosted_zone_id" "main" {}

resource "aws_route53_record" "www" {

zone_id = "${aws_route53_zone.primary.zone_id}"
name = "example.com"
type = "A"

alias {
name = "${aws_elb.main.dns_name}"
zone_id = "${data.aws_elb_hosted_zone_id.main.id}"
evaluate_target_health = true
}
}

Argument Reference
region - (Optional) Name of the region whose AWS ELB HostedZoneId is desired. Defaults to the region from the
AWS provider con guration.

Attributes Reference
id - The ID of the AWS ELB HostedZoneId in the selected region.
aws_elb
Provides information about a "classic" Elastic Load Balancer (ELB). See LB Data Source (/docs/providers/aws/d/lb.html) if you
are looking for "v2" Application Load Balancer (ALB) or Network Load Balancer (NLB).

This data source can prove useful when a module accepts an LB as an input variable and needs to, for example, determine
the security groups associated with it, etc.

Example Usage

variable "lb_name" {
type = "string"
default = ""
}

data "aws_elb" "test" {

name = "${var.lb_name}"
}

Argument Reference
The following arguments are supported:

name - (Required) The unique name of the load balancer.

Attributes Reference
See the ELB Resource (/docs/providers/aws/r/elb.html) for details on the returned attributes - they are identical.
Data Source: aws_elb_service_account
Use this data source to get the Account ID of the AWS Elastic Load Balancing Service Account
(http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy) in a given
region for the purpose of whitelisting in S3 bucket policy.

Example Usage

data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "elb_logs" {

bucket = "my-elb-tf-test-bucket"
acl = "private"

policy = <<POLICY
<<
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-elb-tf-test-bucket/AWSLogs/*",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
}
}
]
}
POLICY
}

resource "aws_elb" "bar" {

name = "my-foobar-terraform-elb"
availability_zones = ["us-west-2a"]

access_logs {
bucket = "${aws_s3_bucket.elb_logs.bucket}"
interval = 5
}

listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
}
Argument Reference
region - (Optional) Name of the region whose AWS ELB account ID is desired. Defaults to the region from the AWS
provider con guration.

Attributes Reference
id - The ID of the AWS ELB service account in the selected region.

arn - The ARN of the AWS ELB service account in the selected region.
Data Source: aws_glue_script
Use this data source to generate a Glue script from a Directed Acyclic Graph (DAG).

Example Usage

Generate Python Script

data "aws_glue_script" "example" {

language = "PYTHON"

dag_edge {
source = "datasource0"
target = "applymapping1"
}

dag_edge {
source = "applymapping1"
target = "selectfields2"
}

dag_edge {
source = "selectfields2"
target = "resolvechoice3"
}

dag_edge {
source = "resolvechoice3"
target = "datasink4"
}

dag_node {
id = "datasource0"
node_type = "DataSource"

args {
name = "database"
value = "\"${aws_glue_catalog_database.source.name}\""
}

args {
name = "table_name"
value = "\"${aws_glue_catalog_table.source.name}\""
}
}

dag_node {
id = "applymapping1"
node_type = "ApplyMapping"

args {
name = "mapping"
value = "[(\"column1\", \"string\", \"column1\", \"string\")]"
}
}

dag_node {
id = "selectfields2"
node_type = "SelectFields"

args {
name = "paths"
value = "[\"column1\"]"
}
}

dag_node {
id = "resolvechoice3"
node_type = "ResolveChoice"

args {
name = "choice"
value = "\"MATCH_CATALOG\""
}

args {
name = "database"
value = "\"${aws_glue_catalog_database.destination.name}\""
}

args {
name = "table_name"
value = "\"${aws_glue_catalog_table.destination.name}\""
}
}

dag_node {
id = "datasink4"
node_type = "DataSink"

args {
name = "database"
value = "\"${aws_glue_catalog_database.destination.name}\""
}

args {
name = "table_name"
value = "\"${aws_glue_catalog_table.destination.name}\""
}
}
}

output "python_script" {
value = "${data.aws_glue_script.example.python_script}"
}

Generate Scala Code

data "aws_glue_script" "example" {

language = "SCALA"

dag_edge {
source = "datasource0"
target = "applymapping1"
}

dag_edge {
source = "applymapping1"
target = "selectfields2"
}

dag_edge {
source = "selectfields2"
target = "resolvechoice3"
}

dag_edge {
source = "resolvechoice3"
target = "datasink4"
}

dag_node {
id = "datasource0"
node_type = "DataSource"

args {
name = "database"
value = "\"${aws_glue_catalog_database.source.name}\""
}

args {
name = "table_name"
value = "\"${aws_glue_catalog_table.source.name}\""
}
}

dag_node {
id = "applymapping1"
node_type = "ApplyMapping"

args {
name = "mappings"
value = "[(\"column1\", \"string\", \"column1\", \"string\")]"
}
}

dag_node {
id = "selectfields2"
node_type = "SelectFields"

args {
name = "paths"
value = "[\"column1\"]"
}
}

dag_node {
id = "resolvechoice3"
node_type = "ResolveChoice"
node_type = "ResolveChoice"

args {
name = "choice"
value = "\"MATCH_CATALOG\""
}

args {
name = "database"
value = "\"${aws_glue_catalog_database.destination.name}\""
}

args {
name = "table_name"
value = "\"${aws_glue_catalog_table.destination.name}\""
}
}

dag_node {
id = "datasink4"
node_type = "DataSink"

args {
name = "database"
value = "\"${aws_glue_catalog_database.destination.name}\""
}

args {
name = "table_name"
value = "\"${aws_glue_catalog_table.destination.name}\""
}
}
}

output "scala_code" {
value = "${data.aws_glue_script.example.scala_code}"
}

Argument Reference
dag_edge - (Required) A list of the edges in the DAG. De ned below.

dag_node - (Required) A list of the nodes in the DAG. De ned below.

language - (Optional) The programming language of the resulting code from the DAG. Defaults to PYTHON . Valid
values are PYTHON and SCALA .

dag_edge Argument Reference

source - (Required) The ID of the node at which the edge starts.

target - (Required) The ID of the node at which the edge ends.

target_parameter - (Optional) The target of the edge.

dag_node Argument Reference
args - (Required) Nested con guration an argument or property of a node. De ned below.

id - (Required) A node identi er that is unique within the node's graph.

node_type - (Required) The type of node this is.

line_number - (Optional) The line number of the node.

args Argument Reference

name - (Required) The name of the argument or property.

value - (Required) The value of the argument or property.

param - (Optional) Boolean if the value is used as a parameter. Defaults to false .

Attributes Reference
python_script - The Python script generated from the DAG when the language argument is set to PYTHON .

scala_code - The Scala code generated from the DAG when the language argument is set to SCALA .
Data Source: aws_iam_account_alias
The IAM Account Alias data source allows access to the account alias for the e ective account in which Terraform is working.

Example Usage

data "aws_iam_account_alias" "current" {}

output "account_id" {
value = "${data.aws_iam_account_alias.current.account_alias}"
}

Argument Reference
There are no arguments available for this data source.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

account_alias - The alias associated with the AWS account.

Data Source: aws_iam_group
This data source can be used to fetch information about a speci c IAM group. By using this data source, you can reference
IAM group properties without having to hard code ARNs as input.

Example Usage

data "aws_iam_group" "example" {

group_name = "an_example_group_name"
}

Argument Reference
group_name - (Required) The friendly IAM group name to match.

Attributes Reference
arn - The Amazon Resource Name (ARN) specifying the group.

path - The path to the group.

group_id - The stable and unique string identifying the group.

Data Source: aws_iam_instance_pro le
This data source can be used to fetch information about a speci c IAM instance pro le. By using this data source, you can
reference IAM instance pro le properties without having to hard code ARNs as input.

Example Usage

data "aws_iam_instance_profile" "example" {

name = "an_example_instance_profile_name"
}

Argument Reference
name - (Required) The friendly IAM instance pro le name to match.

Attributes Reference
arn - The Amazon Resource Name (ARN) specifying the instance pro le.

create_date - The string representation of the date the instance pro le was created.

path - The path to the instance pro le.

role_arn - The role arn associated with this instance pro le.

role_id - The role id associated with this instance pro le.

role_name - The role name associated with this instance pro le.
Data Source: aws_iam_policy_document
Generates an IAM policy document in JSON format.

This is a data source which can be used to construct a JSON representation of an IAM policy document, for use with
resources which expect policy documents, such as the aws_iam_policy resource.

For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document
Guide (/docs/providers/aws/guides/iam-policy-documents.html).
data "aws_iam_policy_document" "example" {
statement {
sid = "1"

actions = [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
]

resources = [
"arn:aws:s3:::*",
]
}

statement {
actions = [
"s3:ListBucket",
]

resources = [
"arn:aws:s3:::${var.s3_bucket_name}",
]

condition {
test = "StringLike"
variable = "s3:prefix"

values = [
"",
"home/",
"home/&{aws:username}/",
]
}
}

statement {
actions = [
"s3:*",
]

resources = [
"arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
"arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
]
}
}

resource "aws_iam_policy" "example" {

name = "example_policy"
path = "/"
policy = "${data.aws_iam_policy_document.example.json}"
}

Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings within your
con guration, or to use the file interpolation function to read a raw JSON policy document from a le.
Argument Reference
The following arguments are supported:

policy_id (Optional) - An ID for the policy document.

source_json (Optional) - An IAM policy document to import as a base for the current policy document. Statements
with non-blank sid s in the current policy document will overwrite statements with the same sid in the source json.
Statements without an sid cannot be overwritten.

override_json (Optional) - An IAM policy document to import and override the current policy document. Statements
with non-blank sid s in the override document will overwrite statements with the same sid in the current document.
Statements without an sid cannot be overwritten.

statement (Optional) - A nested con guration block (described below) con guring one statement to be included in
the policy document.

version (Optional) - IAM policy document version. Valid values: 2008-10-17 , 2012-10-17 . Defaults to 2012-10-
17 . For more information, see the AWS IAM User Guide
(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html).

Each document con guration may have one or more statement blocks, which each accept the following arguments:

sid (Optional) - An ID for the policy statement.

effect (Optional) - Either "Allow" or "Deny", to specify whether this statement allows or denies the given actions. The
default is "Allow".

actions (Optional) - A list of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"] .

not_actions (Optional) - A list of actions that this statement does not apply to. Used to apply a policy statement to all
actions except those listed.

resources (Optional) - A list of resource ARNs that this statement applies to. This is required by AWS if used for an
IAM policy.

not_resources (Optional) - A list of resource ARNs that this statement does not apply to. Used to apply a policy
statement to all resources except those listed.

principals (Optional) - A nested con guration block (described below) specifying a resource (or resource pattern) to
which this statement applies.

not_principals (Optional) - Like principals except gives resources that the statement does not apply to.

condition (Optional) - A nested con guration block (described below) that de nes a further, possibly-service-speci c
condition that constrains whether this statement applies.

Each policy may have either zero or more principals blocks or zero or more not_principals blocks, both of which each
accept the following arguments:

type (Required) The type of principal. For AWS ARNs this is "AWS". For AWS services (e.g. Lambda), this is "Service".

identifiers (Required) List of identi ers for principals. When type is "AWS", these are IAM user or role ARNs. When
type is "Service", these are AWS Service roles e.g. lambda.amazonaws.com .
Each policy statement may have zero or more condition blocks, which each accept the following arguments:

test (Required) The name of the IAM condition operator

(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to
evaluate.

variable (Required) The name of a Context Variable

(http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) to apply the
condition to. Context variables may either be standard AWS variables starting with aws: , or service-speci c variables
pre xed with the service name.

values (Required) The values to evaluate the condition against. If multiple values are provided, the condition matches
if at least one of them applies. (That is, the tests are combined with the "OR" boolean operation.)

When multiple condition blocks are provided, they must all evaluate to true for the policy statement to apply. (In other
words, the conditions are combined with the "AND" boolean operation.)

Context Variable Interpolation

The IAM policy document format allows context variables to be interpolated into various strings within a statement. The
native IAM policy document format uses ${...} -style syntax that is in con ict with Terraform's interpolation syntax, so this
data source instead uses &{...} syntax for interpolations that should be processed by AWS rather than by Terraform.

Wildcard Principal
In order to de ne wildcard principal (a.k.a. anonymous user) use type = "*" and identifiers = ["*"] . In that case the
rendered json will contain "Principal": "*" . Note, that even though the IAM Documentation
(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) states that "Principal":
"*" and "Principal": {"AWS": "*"} are equivalent, those principals have di erent behavior for IAM Role Trust Policy.
Therefore Terraform will normalize the principal eld only in above-mentioned case and principals like type = "AWS" and
identifiers = ["*"] will be rendered as "Principal": {"AWS": "*"} .

Attributes Reference
The following attribute is exported:

json - The above arguments serialized as a standard JSON policy document.

Example with Multiple Principals

Showing how you can use this as an assume role policy as well as showing how you can specify multiple principal blocks with
di erent types.
data "aws_iam_policy_document" "event_stream_bucket_role_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "Service"
identifiers = ["firehose.amazonaws.com"]
}

principals {
type = "AWS"
identifiers = ["${var.trusted_role_arn}"]
}
}
}

Example with Source and Override

Showing how you can use source_json and override_json
data "aws_iam_policy_document" "source" {
statement {
actions = ["ec2:*"]
resources = ["*"]
}

statement {
sid = "SidToOverwrite"

actions = ["s3:*"]
resources = ["*"]
}
}

data "aws_iam_policy_document" "source_json_example" {

source_json = "${data.aws_iam_policy_document.source.json}"

statement {
sid = "SidToOverwrite"

actions = ["s3:*"]

resources = [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
]
}
}

data "aws_iam_policy_document" "override" {

statement {
sid = "SidToOverwrite"

actions = ["s3:*"]
resources = ["*"]
}
}

data "aws_iam_policy_document" "override_json_example" {

override_json = "${data.aws_iam_policy_document.override.json}"

statement {
actions = ["ec2:*"]
resources = ["*"]
}

statement {
sid = "SidToOverwrite"

actions = ["s3:*"]

resources = [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
]
}
}
data.aws_iam_policy_document.source_json_example.json will evaluate to:

{
"Version":
"Version" "2012-10-17",
"Statement":
"Statement" [
{
"Sid":
"Sid" "",
"Effect":
"Effect" "Allow",
"Action":
"Action" "ec2:*",
"Resource":
"Resource" "*"
},
{
"Sid":
"Sid" "SidToOverwrite",
"Effect":
"Effect" "Allow",
"Action":
"Action" "s3:*",
"Resource":
"Resource" [
"arn:aws:s3:::somebucket/*",
"arn:aws:s3:::somebucket"
]
}
]
}

data.aws_iam_policy_document.override_json_example.json will evaluate to:

You can also combine source_json and override_json in the same document.

Example without Statement

Use without a statement :
data "aws_iam_policy_document" "source" {
statement {
sid = "OverridePlaceholder"
actions = ["ec2:DescribeAccountAttributes"]
resources = ["*"]
}
}

data "aws_iam_policy_document" "override" {

statement {
sid = "OverridePlaceholder"
actions = ["s3:GetObject"]
resources = ["*"]
}
}

data "aws_iam_policy_document" "politik" {

source_json = "${data.aws_iam_policy_document.source.json}"
override_json = "${data.aws_iam_policy_document.override.json}"
}

data.aws_iam_policy_document.politik.json will evaluate to:

{
"Version":
"Version" "2012-10-17",
"Statement":
"Statement" [
{
"Sid":
"Sid" "OverridePlaceholder",
"Effect":
"Effect" "Allow",
"Action":
"Action" "s3:GetObject",
"Resource":
"Resource" "*"
}
]
}
aws_iam_policy
This data source can be used to fetch information about a speci c IAM policy.

Example Usage

data "aws_iam_policy" "example" {

arn = "arn:aws:iam::123456789012:policy/UsersManageOwnCredentials"
}

Argument Reference
arn - (Required) ARN of the IAM policy.

Attributes Reference
name - The name of the IAM policy.

arn - The Amazon Resource Name (ARN) specifying the policy.

path - The path to the policy.

description - The description of the policy.

policy - The policy document of the policy.

Data Source: aws_iam_role
This data source can be used to fetch information about a speci c IAM role. By using this data source, you can reference IAM
role properties without having to hard code ARNs as input.

Example Usage

data "aws_iam_role" "example" {

name = "an_example_role_name"
}

Argument Reference
name - (Required) The friendly IAM role name to match.

Attributes Reference
id - The friendly IAM role name to match.

arn - The Amazon Resource Name (ARN) specifying the role.

assume_role_policy - The policy document associated with the role.

create_date - Creation date of the role in RFC 3339 format.

description - Description for the role.

max_session_duration - Maximum session duration.

path - The path to the role.

permissions_boundary - The ARN of the policy that is used to set the permissions boundary for the role.

unique_id - The stable and unique string identifying the role.

Data Source: aws_iam_server_certi cate
Use this data source to lookup information about IAM Server Certi cates.

Example Usage

data "aws_iam_server_certificate" "my-domain" {

name_prefix = "my-domain.org"
latest = true
}

resource "aws_elb" "elb" {

name = "my-domain-elb"

listener {
instance_port = 8000
instance_protocol = "https"
lb_port = 443
lb_protocol = "https"
ssl_certificate_id = "${data.aws_iam_server_certificate.my-domain.arn}"
}
}

Argument Reference
name_prefix - pre x of cert to lter by

path_prefix - pre x of path to lter by

name - exact name of the cert to lookup

latest - sort results by expiration date. returns the certi cate with expiration date in furthest in the future.

Attributes Reference
arn is set to the ARN of the IAM Server Certi cate

path is set to the path of the IAM Server Certi cate

expiration_date is set to the expiration date of the IAM Server Certi cate

upload_date is the date when the server certi cate was uploaded

certificate_body is the public key certi cate (PEM-encoded). This is useful when con guring back-end instance
authentication (http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-
balancer.html) policy for load balancer

certificate_chain is the public key certi cate chain (PEM-encoded) if exists, empty otherwise
Import
The terraform import function will read in certi cate body, certi cate chain (if it exists), id, name, path, and arn. It will not
retrieve the private key which is not available through the AWS API.
Data Source: aws_iam_user
This data source can be used to fetch information about a speci c IAM user. By using this data source, you can reference
IAM user properties without having to hard code ARNs or unique IDs as input.

Example Usage

data "aws_iam_user" "example" {

user_name = "an_example_user_name"
}

Argument Reference
user_name - (Required) The friendly IAM user name to match.

Attributes Reference
arn - The Amazon Resource Name (ARN) assigned by AWS for this user.

path - Path in which this user was created.

permissions_boundary - The ARN of the policy that is used to set the permissions boundary for the user.

user_id - The unique ID assigned by AWS for this user.

user_name - The name associated to this User

Data Source: aws_inspector_rules_packages
The AWS Inspector Rules Packages data source allows access to the list of AWS Inspector Rules Packages which can be used
by AWS Inspector within the region con gured in the provider.

Example Usage

data "aws_inspector_rules_packages" "rules" {}

resource "aws_inspector_resource_group" "group" {

tags = {
test = "test"
}
}

resource "aws_inspector_assessment_target" "assessment" {

name = "test"
resource_group_arn = "${aws_inspector_resource_group.group.arn}"
}

resource "aws_inspector_assessment_template" "assessment" {

name = "Test"
target_arn = "${aws_inspector_assessment_target.assessment.arn}"
duration = "60"

rules_package_arns = ["${data.aws_inspector_rules_packages.rules.arns}"]
}

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arns - A list of the AWS Inspector Rules Packages arns available in the AWS region.
Data Source: aws_instance
Use this data source to get the ID of an Amazon EC2 Instance for use in other resources.

Example Usage

data "aws_instance" "foo" {

instance_id = "i-instanceid"

filter {
name = "image-id"
values = ["ami-xxxxxxxx"]
}

filter {
name = "tag:Name"
values = ["instance-name-tag"]
}
}

Argument Reference
instance_id - (Optional) Specify the exact Instance ID with which to populate the data source.

instance_tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired Instance.

filter - (Optional) One or more name/value pairs to use as lters. There are several valid keys, for a full reference,
check out describe-instances in the AWS CLI reference (http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-
instances.html).

get_password_data - (Optional) If true, wait for password data to become available and retrieve it. Useful for getting
the administrator password for instances running Microsoft Windows. The password data is exported to the
password_data attribute. See GetPasswordData
(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html) for more information.

get_user_data - (Optional) Retrieve Base64 encoded User Data contents into the user_data_base64 attribute. A
SHA-1 hash of the User Data contents will always be present in the user_data attribute. Defaults to false .

NOTE: At least one of filter , instance_tags , or instance_id must be speci ed.

NOTE: If anything other than a single match is returned by the search, Terraform will fail. Ensure that your search is
speci c enough to return a single Instance ID only.

Attributes Reference
id is set to the ID of the found Instance. In addition, the following attributes are exported:

NOTE: Some values are not always set and may not be available for interpolation.

ami - The ID of the AMI used to launch the instance.

arn - The ARN of the instance.

associate_public_ip_address - Whether or not the Instance is associated with a public IP address or not (Boolean).

availability_zone - The availability zone of the Instance.

ebs_block_device - The EBS block device mappings of the Instance.

delete_on_termination - If the EBS volume will be deleted on termination.

device_name - The physical name of the device.

encrypted - If the EBS volume is encrypted.

iops - 0 If the EBS volume is not a provisioned IOPS image, otherwise the supported IOPS count.

kms_key_arn - Amazon Resource Name (ARN) of KMS Key, if EBS volume is encrypted.

snapshot_id - The ID of the snapshot.

volume_size - The size of the volume, in GiB.

volume_type - The volume type.

ebs_optimized - Whether the Instance is EBS optimized or not (Boolean).

ephemeral_block_device - The ephemeral block device mappings of the Instance.

device_name - The physical name of the device.

no_device - Whether the speci ed device included in the device mapping was suppressed or not (Boolean).

virtual_name - The virtual device name.

iam_instance_profile - The name of the instance pro le associated with the Instance.

ipv6_addresses - The IPv6 addresses associated to the Instance, if applicable. NOTE: Unlike the IPv4 address, this
doesn't change if you attach an EIP to the instance.

instance_state - The state of the instance. One of: pending , running , shutting-down , terminated ,
stopping , stopped . See Instance Lifecycle (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-
lifecycle.html) for more information.

instance_type - The type of the Instance.

key_name - The key name of the Instance.

monitoring - Whether detailed monitoring is enabled or disabled for the Instance (Boolean).

network_interface_id - The ID of the network interface that was created with the Instance.

password_data - Base-64 encoded encrypted password data for the instance. Useful for getting the administrator
password for instances running Microsoft Windows. This attribute is only exported if get_password_data is true. See
GetPasswordData (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html) for more
information.

placement_group - The placement group of the Instance.

private_dns - The private DNS name assigned to the Instance. Can only be used inside the Amazon EC2, and only
available if you've enabled DNS hostnames for your VPC.

private_ip - The private IP address assigned to the Instance.

public_dns - The public DNS name assigned to the Instance. For EC2-VPC, this is only available if you've enabled DNS
hostnames for your VPC.

public_ip - The public IP address assigned to the Instance, if applicable. NOTE: If you are using an aws_eip
(/docs/providers/aws/r/eip.html) with your instance, you should refer to the EIP's address directly and not use
public_ip , as this eld will change after the EIP is attached.

root_block_device - The root block device mappings of the Instance

delete_on_termination - If the root block device will be deleted on termination.

encrypted - If the EBS volume is encrypted.

iops - 0 If the volume is not a provisioned IOPS image, otherwise the supported IOPS count.

kms_key_arn - Amazon Resource Name (ARN) of KMS Key, if EBS volume is encrypted.

volume_size - The size of the volume, in GiB.

volume_type - The type of the volume.

security_groups - The associated security groups.

source_dest_check - Whether the network interface performs source/destination checking (Boolean).

subnet_id - The VPC subnet ID.

user_data - SHA-1 hash of User Data supplied to the Instance.

user_data_base64 - Base64 encoded contents of User Data supplied to the Instance. Valid UTF-8 contents can be
decoded with the base64decode function (/docs/con guration/functions/base64decode.html). This attribute is only
exported if get_user_data is true.

tags - A mapping of tags assigned to the Instance.

tenancy - The tenancy of the instance: dedicated , default , host .

host_id - The Id of the dedicated host the instance will be assigned to.

vpc_security_group_ids - The associated security groups in a non-default VPC.

credit_specification - The credit speci cation of the Instance.

Data Source: aws_instances
Use this data source to get IDs or IPs of Amazon EC2 instances to be referenced elsewhere, e.g. to allow easier migration
from another management solution or to make it easier for an operator to connect through bastion host(s).

Note: It's a best practice to expose instance details via outputs

(https://www.terraform.io/docs/con guration/outputs.html) and remote state
(https://www.terraform.io/docs/state/remote.html) and use terraform_remote_state
(https://www.terraform.io/docs/providers/terraform/d/remote_state.html) data source instead if you manage
referenced instances via Terraform.

Note: It's strongly discouraged to use this data source for querying ephemeral instances (e.g. managed via autoscaling
group), as the output may change at any time and you'd need to re-run apply every time an instance comes up or dies.

Example Usage

data "aws_instances" "test" {

instance_tags = {
Role = "HardWorker"
}

filter {
name = "instance.group-id"
values = ["sg-12345678"]
}

instance_state_names = ["running", "stopped"]

}

resource "aws_eip" "test" {

count = "${length(data.aws_instances.test.ids)}"
instance = "${data.aws_instances.test.ids[count.index]}"
}

Argument Reference
instance_tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on desired instances.

instance_state_names - (Optional) A list of instance states that should be applicable to the desired instances. The
permitted values are: pending, running, shutting-down, stopped, stopping, terminated . The default value is
running .

private_ips - Private IP addresses of instances found through the lter

public_ips - Public IP addresses of instances found through the lter

Data Source: aws_internet_gateway
aws_internet_gateway provides details about a speci c Internet Gateway.

Example Usage

variable "vpc_id" {}

data "aws_internet_gateway" "default" {

filter {
name = "attachment.vpc-id"
values = ["${var.vpc_id}"]
}
}

Argument Reference
The arguments of this data source act as lters for querying the available Internet Gateway in the current region. The given
lters must match exactly one Internet Gateway whose data will be exported as attributes.

internet_gateway_id - (Optional) The id of the speci c Internet Gateway to retrieve.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired Internet Gateway.

filter - (Optional) Custom lter block as described below.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. An Internet Gateway will be selected if any one
of the given values matches.

Attributes Reference
All of the argument attributes except filter block are also exported as result attributes. This data source will complete the
data by populating any elds that are not included in the con guration with the data for the selected Internet Gateway.

attachments are also exported with the following attributes, when there are relevants: Each attachement supports the
following:

owner_id - The ID of the AWS account that owns the internet gateway.

state - The current state of the attachment between the gateway and the VPC. Present only if a VPC is attached

vpc_id - The ID of an attached VPC.

Data Source: aws_iot_endpoint
Returns a unique endpoint speci c to the AWS account making the call.

Example Usage

data "aws_iot_endpoint" "example" {}

resource "kubernetes_pod" "agent" {

metadata {
name = "my-device"
}

spec {
container {
image = "gcr.io/my-project/image-name"
name = "image-name"

env = [
{
name = "IOT_ENDPOINT"
value = "${data.aws_iot_endpoint.example.endpoint_address}"
},
]
}
}
}

Argument Reference
endpoint_type - (Optional) Endpoint type. Valid values: iot:CredentialProvider , iot:Data , iot:Data-ATS ,
iot:Job .

Attributes Reference
endpoint_address - The endpoint based on endpoint_type :
No endpoint_type : Either iot:Data or iot:Data-ATS depending on region
(https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/)

iot:CredentialsProvider : IDENTIFIER.credentials.iot.REGION.amazonaws.com

iot:Data : IDENTIFIER.iot.REGION.amazonaws.com

iot:Data-ATS : IDENTIFIER-ats.iot.REGION.amazonaws.com

iot:Job : IDENTIFIER.jobs.iot.REGION.amazonaws.com
Data Source: aws_ip_ranges
Use this data source to get the IP ranges of various AWS products and services. For more information about the contents of
this data source and required JSON syntax if referencing a custom URL, see the AWS IP Address Ranges documention
(https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html).

Example Usage

data "aws_ip_ranges" "european_ec2" {

regions = ["eu-west-1", "eu-central-1"]
services = ["ec2"]
}

resource "aws_security_group" "from_europe" {

name = "from_europe"

ingress {
from_port = "443"
to_port = "443"
protocol = "tcp"
cidr_blocks = ["${data.aws_ip_ranges.european_ec2.cidr_blocks}"]
ipv6_cidr_blocks = ["${data.aws_ip_ranges.european_ec2.ipv6_cidr_blocks}"]
}

tags = {
CreateDate = "${data.aws_ip_ranges.european_ec2.create_date}"
SyncToken = "${data.aws_ip_ranges.european_ec2.sync_token}"
}
}

Argument Reference
regions - (Optional) Filter IP ranges by regions (or include all regions, if omitted). Valid items are global (for
cloudfront ) as well as all AWS regions (e.g. eu-central-1 )

services - (Required) Filter IP ranges by services. Valid items are amazon (for amazon.com), cloudfront ,
codebuild , ec2 , route53 , route53_healthchecks and S3 .

NOTE: If the speci ed combination of regions and services does not yield any CIDR blocks, Terraform will fail.

url - (Optional) Custom URL for source JSON le. Syntax must match AWS IP Address Ranges documention
(https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html). Defaults to https://ip-
ranges.amazonaws.com/ip-ranges.json .

Attributes Reference
cidr_blocks - The lexically ordered list of CIDR blocks.

ipv6_cidr_blocks - The lexically ordered list of IPv6 CIDR blocks.

create_date - The publication time of the IP ranges (e.g. 2016-08-03-23-46-05 ).

sync_token - The publication time of the IP ranges, in Unix epoch time format (e.g. 1470267965 ).
Data Source: aws_kinesis_stream
Use this data source to get information about a Kinesis Stream for use in other resources.

For more details, see the Amazon Kinesis Documentation (https://aws.amazon.com/documentation/kinesis/).

Example Usage

data "aws_kinesis_stream" "stream" {

name = "stream-name"
}

Argument Reference
name - (Required) The name of the Kinesis Stream.

Attributes Reference
id is set to the Amazon Resource Name (ARN) of the Kinesis Stream. In addition, the following attributes are exported:

arn - The Amazon Resource Name (ARN) of the Kinesis Stream (same as id).

name - The name of the Kinesis Stream.

creation_timestamp - The approximate UNIX timestamp that the stream was created.

status - The current status of the stream. The stream status is one of CREATING, DELETING, ACTIVE, or UPDATING.

retention_period - Length of time (in hours) data records are accessible after they are added to the stream.

open_shards - The list of shard ids in the OPEN state. See Shard State
(https://docs.aws.amazon.com/streams/latest/dev/kinesis-using-sdk-java-after-resharding.html#kinesis-using-sdk-
java-resharding-data-routing) for more.

closed_shards - The list of shard ids in the CLOSED state. See Shard State
(https://docs.aws.amazon.com/streams/latest/dev/kinesis-using-sdk-java-after-resharding.html#kinesis-using-sdk-
java-resharding-data-routing) for more.

shard_level_metrics - A list of shard-level CloudWatch metrics which are enabled for the stream. See Monitoring
with CloudWatch (https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-cloudwatch.html) for more.

tags - A mapping of tags to assigned to the stream.

Data Source: aws_kms_alias
Use this data source to get the ARN of a KMS key alias. By using this data source, you can reference key alias without having
to hard code the ARN as input.

Example Usage

data "aws_kms_alias" "s3" {

name = "alias/aws/s3"
}

Argument Reference
name - (Required) The display name of the alias. The name must start with the word "alias" followed by a forward
slash (alias/)

Attributes Reference
arn - The Amazon Resource Name(ARN) of the key alias.

target_key_id - Key identi er pointed to by the alias.

target_key_arn - ARN pointed to by the alias.

Data Source: aws_kms_ciphertext
The KMS ciphertext data source allows you to encrypt plaintext into ciphertext by using an AWS KMS customer master key.
The value returned by this data source changes every apply. For a stable ciphertext value, see the aws_kms_ciphertext
resource (/docs/providers/aws/r/kms_ciphertext.html).

Note: All arguments including the plaintext be stored in the raw state as plain-text. Read more about sensitive data in
state (/docs/state/sensitive-data.html).

Example Usage

resource "aws_kms_key" "oauth_config" {

description = "oauth config"
is_enabled = true
}

data "aws_kms_ciphertext" "oauth" {

key_id = "${aws_kms_key.oauth_config.key_id}"

plaintext = <<EOF
<<
{
"client_id": "e587dbae22222f55da22",
"client_secret": "8289575d00000ace55e1815ec13673955721b8a5"
}
EOF
}

Argument Reference
The following arguments are supported:

plaintext - (Required) Data to be encrypted. Note that this may show up in logs, and it will be stored in the state le.

key_id - (Required) Globally unique key ID for the customer master key.

context - (Optional) An optional mapping that makes up the encryption context.

Attributes Reference
All of the argument attributes are also exported as result attributes.

ciphertext_blob - Base64 encoded ciphertext

aws_kms_key
Use this data source to get detailed information about the speci ed KMS Key with exible key id input. This can be useful to
reference key alias without having to hard code the ARN as input.

Example Usage

data "aws_kms_key" "foo" {

key_id = "alias/my-key"
}

data "aws_kms_key" "foo" {

key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
}

data "aws_kms_key" "foo" {

key_id = "arn:aws:kms:us-east-1:111122223333:alias/my-key"
}

data "aws_kms_key" "foo" {

key_id = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

Argument Reference
key_id - (Required) Key identi er which can be one of the following format:
Key ID. E.g: 1234abcd-12ab-34cd-56ef-1234567890ab

Key ARN. E.g.: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

Alias name. E.g.: alias/my-key

Alias ARN: E.g.: arn:aws:kms:us-east-1:111122223333:alias/my-key

grant_tokens - (Optional) List of grant tokens

Attributes Reference
id : The globally unique identi er for the key

arn : The Amazon Resource Name (ARN) of the key

aws_account_id : The twelve-digit account ID of the AWS account that owns the key

creation_date : The date and time when the key was created

deletion_date : The date and time after which AWS KMS deletes the key. This value is present only when key_state
is PendingDeletion , otherwise this value is 0
description : The description of the key.

enabled : Speci es whether the key is enabled. When key_state is Enabled this value is true, otherwise it is false

expiration_model : Speci es whether the Key's key material expires. This value is present only when origin is
EXTERNAL , otherwise this value is empty

key_manager : The key's manager

key_state : The state of the key

key_usage : Currently the only allowed value is ENCRYPT_DECRYPT

origin : When this value is AWS_KMS , AWS KMS created the key material. When this value is EXTERNAL , the key
material was imported from your existing key management infrastructure or the CMK lacks key material

valid_to : The time at which the imported key material expires. This value is present only when origin is
EXTERNAL and whose expiration_model is KEY_MATERIAL_EXPIRES , otherwise this value is 0
Data Source: aws_kms_secret

WARNING: This data source was removed in version 2.0.0 of the Terraform AWS Provider. You can migrate existing
con gurations to the aws_kms_secrets data source (/docs/providers/aws/d/kms_secrets.html) following instructions
available in the Version 2 Upgrade Guide (/docs/providers/aws/guides/version-2-upgrade.html#data-source-
aws_kms_secret).
Data Source: aws_kms_secrets
Decrypt multiple secrets from data encrypted with the AWS KMS service.

NOTE: Using this data provider will allow you to conceal secret data within your resource de nitions but does not take
care of protecting that data in all Terraform logging and state output. Please take care to secure your secret data
beyond just the Terraform con guration.

Example Usage
If you do not already have a CiphertextBlob from encrypting a KMS secret, you can use the below commands to obtain
one using the AWS CLI kms encrypt (https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html) command. This
requires you to have your AWS CLI setup correctly and replace the --key-id with your own. Alternatively you can use --
plaintext 'password' instead of reading from a le.

If you have a newline character at the end of your le, it will be decrypted with this newline character intact. For most
use cases this is undesirable and leads to incorrect passwords or invalid values, as well as possible changes in the plan.
Be sure to use echo -n if necessary.

$ echo -n 'master-password' > plaintext-password

$ aws kms encrypt --key-id ab123456-c012-4567-890a-deadbeef123 --plaintext fileb://plaintext-password --e
ncryption-context foo=
= bar --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJY
IZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
==

That encrypted output can now be inserted into Terraform con gurations without exposing the plaintext secret directly.
data "aws_kms_secrets" "example" {
secret {

name = "master_password"
payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhk
iG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="

context = {
foo = "bar"
}
}

secret {

name = "master_username"
payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhk
iG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="
}
}

resource "aws_rds_cluster" "example" {

master_password = "${data.aws_kms_secrets.example.plaintext["master_password"]}"
master_username = "${data.aws_kms_secrets.example.plaintext["master_username"]}"
}

Argument Reference
The following arguments are supported:

secret - (Required) One or more encrypted payload de nitions from the KMS service. See the Secret De nitions
below.

Secret De nitions
Each secret supports the following arguments:

name - (Required) The name to export this secret under in the attributes.

payload - (Required) Base64 encoded payload, as returned from a KMS encrypt operation.

context - (Optional) An optional mapping that makes up the Encryption Context for the secret.

grant_tokens (Optional) An optional list of Grant Tokens for the secret.

For more information on context and grant_tokens see the KMS Concepts
(https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)

Attributes Reference
In addition to all arguments above, the following attributes are exported:
plaintext - Map containing each secret name as the key with its decrypted plaintext value
aws_lambda_function
Provides information about a Lambda Function.

Example Usage

variable "function_name" {
type = "string"
}

data "aws_lambda_function" "existing" {

function_name = "${var.function_name}"
}

Argument Reference
The following arguments are supported:

function_name - (Required) Name of the lambda function.

qualifier - (Optional) Alias name or version number of the lambda function. e.g. $LATEST , my-alias , or 1

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - Unquali ed (no :QUALIFIER or :VERSION su x) Amazon Resource Name (ARN) identifying your Lambda
Function. See also qualified_arn .

dead_letter_config - Con gure the function's dead letter queue.

description - Description of what your Lambda Function does.

environment - The Lambda environment's con guration settings.

handler - The function entrypoint in your code.

invoke_arn - The ARN to be used for invoking Lambda Function from API Gateway.

kms_key_arn - The ARN for the KMS encryption key.

last_modified - The date this resource was last modi ed.

layers - A list of Lambda Layer ARNs attached to your Lambda Function.

memory_size - Amount of memory in MB your Lambda Function can use at runtime.

qualified_arn - Quali ed ( :QUALIFIER or :VERSION su x) Amazon Resource Name (ARN) identifying your
Lambda Function. See also arn .
reserved_concurrent_executions - The amount of reserved concurrent executions for this lambda function or -1
if unreserved.

role - IAM role attached to the Lambda Function.

runtime - The runtime environment for the Lambda function..

source_code_hash - Base64-encoded representation of raw SHA-256 sum of the zip le.

source_code_size - The size in bytes of the function .zip le.

timeout - The function execution time at which Lambda should terminate the function.

tracing_config - Tracing settings of the function.

version - The version of the Lambda function.

vpc_config - VPC con guration associated with your Lambda function.

Data Source: aws_lambda_invocation
Use this data source to invoke custom lambda functions as data source. The lambda function is invoked with
RequestResponse (https://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html#API_Invoke_RequestSyntax) invocation
type.

Example Usage

data "aws_lambda_invocation" "example" {

function_name = "${aws_lambda_function.lambda_function_test.function_name}"

input = <<JSON
<<
{
"key1": "value1",
"key2": "value2"
}
JSON
}

output "result" {
description = "String result of Lambda execution"
value = "${data.aws_lambda_invocation.example.result}"
}

output "result_entry_tf011" {
value = "${data.aws_lambda_invocation.example.result_map["key1"]}"
}

output "result_entry_tf012" {
value = jsondecode(data.aws_lambda_invocation
aws_lambda_invocation.example
example.result
result)["key1"]
}

Argument Reference
function_name - (Required) The name of the lambda function.

input - (Required) A string in JSON format that is passed as payload to the lambda function.

qualifier - (Optional) The quali er (a.k.a version) of the lambda function. Defaults to $LATEST .

Attributes Reference
result - String result of the lambda function invocation.

result_map - This eld is set only if result is a map of primitive types, where the map is string keys and string values.
In Terraform 0.12 and later, use the jsondecode() function (/docs/con guration/functions/jsondecode.html) with the
result attribute instead to convert the result to all supported native Terraform types.
aws_lambda_layer_version
Provides information about a Lambda Layer Version.

Example Usage

variable "layer_name" {
type = "string"
}

data "aws_lambda_layer_version" "existing" {

layer_name = "${var.layer_name}"
}

Argument Reference
The following arguments are supported:

layer_name - (Required) Name of the lambda layer.

version - (Optional) Speci c layer version. Con icts with compatible_runtime . If omitted, the latest available layer
version will be used.

compatible_runtime (Optional) Speci c runtime the layer version must support. Con icts with version . If
speci ed, the latest available layer version supporting the provided runtime will be used.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

description - Description of the speci c Lambda Layer version.

license_info - License info associated with the speci c Lambda Layer version.

compatible_runtimes - A list of Runtimes

(https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersion.html#SSS-GetLayerVersion-response-
CompatibleRuntimes) the speci c Lambda Layer version is compatible with.

arn - The Amazon Resource Name (ARN) of the Lambda Layer with version.

layer_arn - The Amazon Resource Name (ARN) of the Lambda Layer without version.

created_date - The date this resource was created.

source_code_hash - Base64-encoded representation of raw SHA-256 sum of the zip le.

source_code_size - The size in bytes of the function .zip le.

version - This Lamba Layer version.

Data Source: aws_launch_con guration
Provides information about a Launch Con guration.

Example Usage

data "aws_launch_configuration" "ubuntu" {

name = "test-launch-config"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the launch con guration.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the launch con guration.

name - The Name of the launch con guration.

image_id - The EC2 Image ID of the instance.

instance_type - The Instance Type of the instance to launch.

iam_instance_profile - The IAM Instance Pro le to associate with launched instances.

key_name - The Key Name that should be used for the instance.

security_groups - A list of associated Security Group IDS.

associate_public_ip_address - Whether a Public IP address is associated with the instance.

vpc_classic_link_id - The ID of a ClassicLink-enabled VPC.

vpc_classic_link_security_groups - The IDs of one or more Security Groups for the speci ed ClassicLink-enabled
VPC.

user_data - The User Data of the instance.

enable_monitoring - Whether Detailed Monitoring is Enabled.

ebs_optimized - Whether the launched EC2 instance will be EBS-optimized.

root_block_device - The Root Block Device of the instance.

ebs_block_device - The EBS Block Devices attached to the instance.

ephemeral_block_device - The Ephemeral volumes on the instance.

spot_price - The Price to use for reserving Spot instances.

placement_tenancy - The Tenancy of the instance.

root_block_device is exported with the following attributes:

delete_on_termination - Whether the EBS Volume will be deleted on instance termination.

encrypted - Whether the volume is Encrypted.

iops - The provisioned IOPs of the volume.

volume_size - The Size of the volume.

volume_type - The Type of the volume.

ebs_block_device is exported with the following attributes:

delete_on_termination - Whether the EBS Volume will be deleted on instance termination.

device_name - The Name of the device.

iops - The provisioned IOPs of the volume.

snapshot_id - The Snapshot ID of the mount.

volume_size - The Size of the volume.

volume_type - The Type of the volume.

encrypted - Whether the volume is Encrypted.

ephemeral_block_device is exported with the following attributes:

device_name - The Name of the device.

virtual_name - The Virtual Name of the device.

Data Source: aws_launch_template
Provides information about a Launch Template.

Example Usage

data "aws_launch_template" "default" {

name = "my-launch-template"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the launch template.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - Amazon Resource Name (ARN) of the launch template.

id - The ID of the launch template.

default_version - The default version of the launch template.

latest_version - The latest version of the launch template.

description - Description of the launch template.

block_device_mappings - Specify volumes to attach to the instance besides the volumes speci ed by the AMI.

credit_specification - Customize the credit speci cation of the instance. See Credit Speci cation below for more
details.

disable_api_termination - If true , enables EC2 Instance Termination Protection

(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-
instances.html#Using_ChangingDisableAPITermination)

ebs_optimized - If true , the launched EC2 instance will be EBS-optimized.

elastic_gpu_specifications - The elastic GPU to attach to the instance. See Elastic GPU below for more details.

iam_instance_profile - The IAM Instance Pro le to launch the instance with. See Instance Pro le below for more
details.

image_id - The AMI from which to launch the instance.

instance_initiated_shutdown_behavior - Shutdown behavior for the instance. Can be stop or terminate .

(Default: stop ).

instance_market_options - The market (purchasing) option for the instance. below for details.

instance_type - The type of the instance.

kernel_id - The kernel ID.

key_name - The key name to use for the instance.

monitoring - The monitoring option for the instance.

network_interfaces - Customize network interfaces to be attached at instance boot time. See Network Interfaces
below for more details.

placement - The placement of the instance.

ram_disk_id - The ID of the RAM disk.

security_group_names - A list of security group names to associate with. If you are creating Instances in a VPC, use
vpc_security_group_ids instead.

vpc_security_group_ids - A list of security group IDs to associate with.

tag_specifications - The tags to apply to the resources during launch.

tags - (Optional) A mapping of tags to assign to the launch template.

user_data - The Base64-encoded user data to provide when launching the instance.
Data Source: aws_lb

Note: aws_alb is known as aws_lb . The functionality is identical.

Provides information about a Load Balancer.

This data source can prove useful when a module accepts an LB as an input variable and needs to, for example, determine
the security groups associated with it, etc.

Example Usage

variable "lb_arn" {
type = "string"
default = ""
}

variable "lb_name" {
type = "string"
default = ""
}

data "aws_lb" "test" {

arn = "${var.lb_arn}"
name = "${var.lb_name}"
}

Argument Reference
The following arguments are supported:

arn - (Optional) The full ARN of the load balancer.

name - (Optional) The unique name of the load balancer.

NOTE: When both arn and name are speci ed, arn takes precedence.

Attributes Reference
See the LB Resource (/docs/providers/aws/r/lb.html) for details on the returned attributes - they are identical.
Data Source: aws_lb_listener

Note: aws_alb_listener is known as aws_lb_listener . The functionality is identical.

Provides information about a Load Balancer Listener.

This data source can prove useful when a module accepts an LB Listener as an input variable and needs to know the LB it is
attached to, or other information speci c to the listener in question.

Example Usage

variable "listener_arn" {
type = "string"
}

data "aws_lb_listener" "listener" {

arn = "${var.listener_arn}"
}

data "aws_lb" "selected" {

name = "default-public"
}

data "aws_lb_listener" "selected443" {

load_balancer_arn = "${data.aws_lb.selected.arn}"
port = 443
}

Argument Reference
The following arguments are supported:

arn - (Optional) The arn of the listener. Required if load_balancer_arn and port is not set.

load_balancer_arn - (Optional) The arn of the load balancer. Required if arn is not set.

port - (Optional) The port of the listener. Required if arn is not set.

Attributes Reference
See the LB Listener Resource (/docs/providers/aws/r/lb_listener.html) for details on the returned attributes - they are
identical.
Data Source: aws_lb_target_group

Note: aws_alb_target_group is known as aws_lb_target_group . The functionality is identical.

Provides information about a Load Balancer Target Group.

This data source can prove useful when a module accepts an LB Target Group as an input variable and needs to know its
attributes. It can also be used to get the ARN of an LB Target Group for use in other resources, given LB Target Group name.

Example Usage

variable "lb_tg_arn" {
type = "string"
default = ""
}

variable "lb_tg_name" {
type = "string"
default = ""
}

data "aws_lb_target_group" "test" {

arn = "${var.lb_tg_arn}"
name = "${var.lb_tg_name}"
}

Argument Reference
The following arguments are supported:

arn - (Optional) The full ARN of the target group.

name - (Optional) The unique name of the target group.

NOTE: When both arn and name are speci ed, arn takes precedence.

Attributes Reference
See the LB Target Group Resource (/docs/providers/aws/r/lb_target_group.html) for details on the returned attributes - they
are identical.
Data Source: aws_mq_broker
Provides information about a MQ Broker.

Example Usage

variable "broker_id" {
type = "string"
default = ""
}

variable "broker_name" {
type = "string"
default = ""
}

data "aws_mq_broker" "by_id" {

broker_id = "${var.broker_id}"
}

data "aws_mq_broker" "by_name" {

broker_name = "${var.broker_name}"
}

Argument Reference
The following arguments are supported:

broker_id - (Optional) The unique id of the mq broker.

broker_name - (Optional) The unique name of the mq broker.

Attributes Reference
See the aws_mq_broker resource (/docs/providers/aws/r/mq_broker.html) for details on the returned attributes. They are
identical except for user password, which is not returned when describing broker.
Data Source: aws_msk_cluster
Get information on an Amazon MSK Cluster.

Example Usage

data "aws_msk_cluster" "example" {

cluster_name = "example"
}

Argument Reference
The following arguments are supported:

cluster_name - (Required) Name of the cluster.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

arn - Amazon Resource Name (ARN) of the MSK cluster.

bootstrap_brokers - A comma separated list of one or more hostname:port pairs of Kafka brokers suitable to
boostrap connectivity to the Kafka cluster.

bootstrap_brokers_tls - A comma separated list of one or more DNS names (or IPs) and TLS port pairs kafka
brokers suitable to boostrap connectivity to the kafka cluster.

kafka_version - Apache Kafka version.

number_of_broker_nodes - Number of broker nodes in the cluster.

tags - Map of key-value pairs assigned to the cluster.

zookeeper_connect_string - A comma separated list of one or more IP:port pairs to use to connect to the Apache
Zookeeper cluster.
Data Source: aws_msk_con guration
Get information on an Amazon MSK Con guration.

Example Usage

data "aws_msk_configuration" "example" {

name = "example"
}

Argument Reference
The following arguments are supported:

name - (Required) Name of the con guration.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

arn - Amazon Resource Name (ARN) of the con guration.

latest_revision - Latest revision of the con guration.

description - Description of the con guration.

kafka_versions - List of Apache Kafka versions which can use this con guration.

server_properties - Contents of the server.properties le.

Data Source: aws_nat_gateway
Provides details about a speci c Nat Gateway.

Example Usage

variable "subnet_id" {}

data "aws_nat_gateway" "default" {

subnet_id = "${aws_subnet.public.id}"
}

Usage with tags:

data "aws_nat_gateway" "default" {

subnet_id = "${aws_subnet.public.id}"

tags = {
Name = "gw NAT"
}
}

Argument Reference
The arguments of this data source act as lters for querying the available Nat Gateways in the current region. The given
lters must match exactly one Nat Gateway whose data will be exported as attributes.

id - (Optional) The id of the speci c Nat Gateway to retrieve.

subnet_id - (Optional) The id of subnet that the Nat Gateway resides in.

vpc_id - (Optional) The id of the VPC that the Nat Gateway resides in.

state - (Optional) The state of the NAT gateway (pending | failed | available | deleting | deleted ).

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired Nat Gateway.

filter - (Optional) Custom lter block as described below.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. An Nat Gateway will be selected if any one of
the given values matches.

addresses are also exported with the following attributes, when they are relevant: Each attachement supports the
following:

allocation_id - The Id of the EIP allocated to the selected Nat Gateway.

network_interface_id - The Id of the ENI allocated to the selected Nat Gateway.

private_ip - The private Ip address of the selected Nat Gateway.

public_ip - The public Ip (EIP) address of the selected Nat Gateway.

Data Source: aws_network_acls

Example Usage
The following shows outputing all network ACL ids in a vpc.

data "aws_network_acls" "example" {

vpc_id = "${var.vpc_id}"
}

output "example" {
value = "${data.aws_network_acls.example.ids}"
}

The following example retrieves a list of all network ACL ids in a VPC with a custom tag of Tier set to a value of "Private".

data "aws_network_acls" "example" {

vpc_id = "${var.vpc_id}"

tags = {
Tier = "Private"
}
}

The following example retrieves a network ACL id in a VPC which associated with speci c subnet.

data "aws_network_acls" "example" {

vpc_id = "${var.vpc_id}"

filter {
name = "association.subnet-id"
values = ["${aws_subnet.test.id}"]
}
}

Argument Reference
vpc_id - (Optional) The VPC ID that you want to lter from.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired network ACLs.

filter - (Optional) Custom lter block as described below.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

name - (Required) The name of the eld to lter by, as de ned by the underlying AWS API
(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html).
values - (Required) Set of values that are accepted for the given eld. A VPC will be selected if any one of the given
values matches.

Attributes Reference
ids - A list of all the network ACL ids found. This data source will fail if none are found.
aws_network_interface
Use this data source to get information about a Network Interface.

Example Usage

data "aws_network_interface" "bar" {

id = "eni-01234567"
}

Argument Reference
The following arguments are supported:

id – (Optional) The identi er for the network interface.

filter – (Optional) One or more name/value pairs to lter o of. There are several valid keys, for a full reference,
check out describe-network-interfaces (https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-network-
interfaces.html) in the AWS CLI reference.

Attributes Reference
See the Network Interface (/docs/providers/aws/r/network_interface.html) for details on the returned attributes.

Additionally, the following attributes are exported:

association - The association information for an Elastic IP address (IPv4) associated with the network interface. See
supported elds below.

availability_zone - The Availability Zone.

description - Description of the network interface.

interface_type - The type of interface.

ipv6_addresses - List of IPv6 addresses to assign to the ENI.

mac_address - The MAC address.

owner_id - The AWS account ID of the owner of the network interface.

private_dns_name - The private DNS name.

private_ip - The private IPv4 address of the network interface within the subnet.

private_ips - The private IPv4 addresses associated with the network interface.

requester_id - The ID of the entity that launched the instance on your behalf.
security_groups - The list of security groups for the network interface.

subnet_id - The ID of the subnet.

tags - Any tags assigned to the network interface.

vpc_id - The ID of the VPC.

association

allocation_id - The allocation ID.

association_id - The association ID.

ip_owner_id - The ID of the Elastic IP address owner.

public_dns_name - The public DNS name.

public_ip - The address of the Elastic IP address bound to the network interface.

Import
Elastic Network Interfaces can be imported using the id , e.g.

$ terraform import aws_network_interface.test eni-12345

Data Source: aws_network_interfaces

Example Usage
The following shows outputing all network interface ids in a region.

data "aws_network_interfaces" "example" {}

output "example" {
value = "${data.aws_network_interfaces.example.ids}"
}

The following example retrieves a list of all network interface ids with a custom tag of Name set to a value of test .

data "aws_network_interfaces" "example" {

tags = {
Name = "test"
}
}

output "example1" {
value = "${data.aws_network_interfaces.example.ids}"
}

The following example retrieves a network interface ids which associated with speci c subnet.

data "aws_network_interfaces" "example" {

filter {
name = "subnet-id"
values = ["${aws_subnet.test.id}"]
}
}

output "example" {
value = "${data.aws_network_interfaces.example.ids}"
}

Argument Reference
tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired network interfaces.

filter - (Optional) Custom lter block as described below.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

name - (Required) The name of the eld to lter by, as de ned by the underlying AWS API
(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkInterfaces.html).
values - (Required) Set of values that are accepted for the given eld.

Attributes Reference
ids - A list of all the network interface ids found. This data source will fail if none are found.
Data Source: aws_organizations_organization
Get information about the organization that the user's account belongs to

Example Usage

List all account IDs for the organization

data "aws_organizations_organization" "example" {}

output "account_ids" {
value = data.aws_organizations_organization
aws_organizations_organization.example
example.accounts
accounts[*
* ].id
id
}

SNS topic that can be interacted by the organization only

data "aws_organizations_organization" "example" {}

resource "aws_sns_topic" "sns_topic" {

name = "my-sns-topic"
}

resource "aws_sns_topic_policy" "sns_topic_policy" {

arn = "${aws_sns_topic.sns_topic.arn}"

policy = "${data.aws_iam_policy_document.sns_topic_policy.json}"
}

data "aws_iam_policy_document" "sns_topic_policy" {

statement {
effect = "Allow"

actions = [
"SNS:Subscribe",
"SNS:Publish",
]

condition {
test = "StringEquals"
variable = "aws:PrincipalOrgID"

values = [
"${data.aws_organizations_organization.example.id}",
]
}

principals {
type = "AWS"
identifiers = ["*"]
}

resources = [
"${aws_sns_topic.sns_topic.arn}",
]
}
}

Argument Reference
There are no arguments available for this data source.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The Amazon Resource Name (ARN) of the organization.

feature_set - The FeatureSet of the organization.

id - The ID of the organization.

master_account_arn - The Amazon Resource Name (ARN) of the account that is designated as the master account
for the organization.

master_account_email - The email address that is associated with the AWS account that is designated as the master
account for the organization.

master_account_id - The unique identi er (ID) of the master account of an organization.

Master Account Attributes Reference

If the account is the master account for the organization, the following attributes are also exported:

accounts - List of organization accounts including the master account. For a list excluding the master account, see
the non_master_accounts attribute. All elements have these attributes:
arn - ARN of the account

email - Email of the account

id - Identi er of the account

name - Name of the account

aws_service_access_principals - A list of AWS service principal names that have integration enabled with your
organization. Organization must have feature_set set to ALL . For additional information, see the AWS
Organizations User Guide
(https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html).

enabled_policy_types - A list of Organizations policy types that are enabled in the Organization Root. Organization
must have feature_set set to ALL . For additional information about valid policy types (e.g.
SERVICE_CONTROL_POLICY ), see the AWS Organizations API Reference
(https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html).

non_master_accounts - List of organization accounts excluding the master account. For a list including the master
account, see the accounts attribute. All elements have these attributes:
arn - ARN of the account

email - Email of the account

id - Identi er of the account

name - Name of the account

roots - List of organization roots. All elements have these attributes:

arn - ARN of the root

id - Identi er of the root

name - Name of the root

policy_types - List of policy types enabled for this root. All elements have these attributes:

name - The name of the policy type

status - The status of the policy type as it relates to the associated root
Data Source: aws_partition
Use this data source to lookup information about the current AWS partition in which Terraform is working.

Example Usage

data "aws_partition" "current" {}

data "aws_iam_policy_document" "s3_policy" {

statement {
sid = "1"

actions = [
"s3:ListBucket",
]

resources = [
"arn:${data.aws_partition.current.partition}:s3:::my-bucket",
]
}
}

Argument Reference
There are no arguments available for this data source.

Attributes Reference
partition is set to the identi er of the current partition.

dns_suffix is set to the base DNS domain name for the current partition (e.g. amazonaws.com in AWS Commercial,
amazonaws.com.cn in AWS China).
Data Source: aws_pre x_list
aws_prefix_list provides details about a speci c pre x list (PL) in the current region.

This can be used both to validate a pre x list given in a variable and to obtain the CIDR blocks (IP address ranges) for the
associated AWS service. The latter may be useful e.g. for adding network ACL rules.

Example Usage

resource "aws_vpc_endpoint" "private_s3" {

vpc_id = "${aws_vpc.foo.id}"
service_name = "com.amazonaws.us-west-2.s3"
}

data "aws_prefix_list" "private_s3" {

prefix_list_id = "${aws_vpc_endpoint.private_s3.prefix_list_id}"
}

resource "aws_network_acl" "bar" {

vpc_id = "${aws_vpc.foo.id}"
}

resource "aws_network_acl_rule" "private_s3" {

network_acl_id = "${aws_network_acl.bar.id}"
rule_number = 200
egress = false
protocol = "tcp"
rule_action = "allow"
cidr_block = "${data.aws_prefix_list.private_s3.cidr_blocks[0]}"
from_port = 443
to_port = 443
}

Argument Reference
The arguments of this data source act as lters for querying the available pre x lists. The given lters must match exactly
one pre x list whose data will be exported as attributes.

prefix_list_id - (Optional) The ID of the pre x list to select.

name - (Optional) The name of the pre x list to select.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the selected pre x list.

name - The name of the selected pre x list.

cidr_blocks - The list of CIDR blocks for the AWS service associated with the pre x list.
Data Source: aws_pricing_product
Use this data source to get the pricing information of all products in AWS. This data source is only available in a us-east-1 or
ap-south-1 provider.

Example Usage

data "aws_pricing_product" "example" {

service_code = "AmazonEC2"

filters {
field = "instanceType"
value = "c5.xlarge"
}

filters {
field = "operatingSystem"
value = "Linux"
}

filters {
field = "location"
value = "US East (N. Virginia)"
}

filters {
field = "preInstalledSw"
value = "NA"
}

filters {
field = "licenseModel"
value = "No License required"
}

filters {
field = "tenancy"
value = "Shared"
}
}
data "aws_pricing_product" "example" {
service_code = "AmazonRedshift"

filters {
field = "instanceType"
value = "ds1.xlarge"
}

filters {
field = "location"
value = "US East (N. Virginia)"
}
}

Argument Reference
service_code - (Required) The code of the service. Available service codes can be fetched using the DescribeServices
pricing API call.

filters - (Required) A list of lters. Passed directly to the API (see GetProducts API reference). These lters must
describe a single product, this resource will fail if more than one product is returned by the API.

lters
field (Required) The product attribute name that you want to lter on.

value (Required) The product attribute value that you want to lter on.

Attributes Reference
result - Set to the product returned from the API.
Data Source: aws_ram_resource_share
aws_ram_resource_share Retrieve information about a RAM Resource Share.

Example Usage

data "aws_ram_resource_share" "example" {

name = "example"
resource_owner = "SELF"
}

Search by lters

data "aws_ram_resource_share" "tag_filter" {

name = "MyResourceName"
resource_owner = "SELF"

filter {
name = "NameOfTag"
values = ["exampleNameTagValue"]
}
}

Argument Reference
The following Arguments are supported

name - (Required) The name of the resource share to retrieve.

resource_owner (Required) The owner of the resource share. Valid values are SELF or OTHER-ACCOUNTS

filter - (Optional) A lter used to scope the list e.g. by tags. See related docs
(https://docs.aws.amazon.com/ram/latest/APIReference/API_TagFilter.html).

name - (Required) The name of the tag key to lter on.

values - (Required) The value of the tag key.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The Amazon Resource Name (ARN) of the resource share.

id - The Amazon Resource Name (ARN) of the resource share.

status - The Status of the RAM share.

tags - The Tags attached to the RAM share

Data Source: aws_rds_cluster
Provides information about a RDS cluster.

Example Usage

data "aws_rds_cluster" "clusterName" {

cluster_identifier = "clusterName"
}

Argument Reference
The following arguments are supported:

cluster_identifier - (Required) The cluster identi er of the RDS cluster.

Attributes Reference
See the RDS Cluster Resource (/docs/providers/aws/r/rds_cluster.html) for details on the returned attributes - they are
identical.
Data Source: aws_redshift_cluster
Provides details about a speci c redshift cluster.

Example Usage

data "aws_redshift_cluster" "test_cluster" {

cluster_identifier = "test-cluster"
}

resource "aws_kinesis_firehose_delivery_stream" "test_stream" {

name = "terraform-kinesis-firehose-test-stream"
destination = "redshift"

s3_configuration {
role_arn = "${aws_iam_role.firehose_role.arn}"
bucket_arn = "${aws_s3_bucket.bucket.arn}"
buffer_size = 10
buffer_interval = 400
compression_format = "GZIP"
}

redshift_configuration {
role_arn = "${aws_iam_role.firehose_role.arn}"
cluster_jdbcurl = "jdbc:redshift://${data.aws_redshift_cluster.test_cluster.endpoint}/${data.aws_r
edshift_cluster.test_cluster.database_name}"
username = "testuser"
password = "T3stPass"
data_table_name = "test-table"
copy_options = "delimiter '|'"
data_table_columns = "test-col"
}
}

Argument Reference
The following arguments are supported:

cluster_identifier - (Required) The cluster identi er

Attribute Reference
In addition to all arguments above, the following attributes are exported:

allow_version_upgrade - Whether major version upgrades can be applied during maintenance period

automated_snapshot_retention_period - The backup retention period

availability_zone - The availability zone of the cluster

bucket_name - The name of the S3 bucket where the log les are to be stored

cluster_identifier - The cluster identi er

cluster_parameter_group_name - The name of the parameter group to be associated with this cluster

cluster_public_key - The public key for the cluster

cluster_revision_number - The cluster revision number

cluster_security_groups - The security groups associated with the cluster

cluster_subnet_group_name - The name of a cluster subnet group to be associated with this cluster

cluster_type - The cluster type

database_name - The name of the default database in the cluster

elastic_ip - The Elastic IP of the cluster

enable_logging - Whether cluster logging is enabled

encrypted - Whether the cluster data is encrypted

endpoint - The cluster endpoint

enhanced_vpc_routing - Whether enhanced VPC routing is enabled

iam_roles - The IAM roles associated to the cluster

kms_key_id - The KMS encryption key associated to the cluster

master_username - Username for the master DB user

node_type - The cluster node type

number_of_nodes - The number of nodes in the cluster

port - The port the cluster responds on

preferred_maintenance_window - The maintenance window

publicly_accessible - Whether the cluster is publicly accessible

s3_key_prefix - The folder inside the S3 bucket where the log les are stored

tags - The tags associated to the cluster

vpc_id - The VPC Id associated with the cluster

vpc_security_group_ids - The VPC security group Ids associated with the cluster
Data Source: aws_redshift_service_account
Use this data source to get the Account ID of the AWS Redshift Service Account
(http://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging) in a given region for the
purpose of allowing Redshift to store audit data in S3.

Example Usage

data "aws_redshift_service_account" "main" {}

resource "aws_s3_bucket" "bucket" {

bucket = "tf-redshift-logging-test-bucket"
force_destroy = true

policy = <<EOF
<<
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Put bucket policy needed for audit logging",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_redshift_service_account.main.arn}"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-redshift-logging-test-bucket/*"
},
{
"Sid": "Get bucket policy needed for audit logging ",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_redshift_service_account.main.arn}"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-redshift-logging-test-bucket"
}
]
}
EOF
}

Argument Reference
region - (Optional) Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the
AWS provider con guration.

Attributes Reference
id - The ID of the AWS Redshift service account in the selected region.

arn - The ARN of the AWS Redshift service account in the selected region.
Data Source: aws_region
aws_region provides details about a speci c AWS region.

As well as validating a given region name this resource can be used to discover the name of the region con gured within the
provider. The latter can be useful in a child module which is inheriting an AWS provider con guration from its parent
module.

Example Usage
The following example shows how the resource might be used to obtain the name of the AWS region con gured on the
provider.

data "aws_region" "current" {}

Argument Reference
The arguments of this data source act as lters for querying the available regions. The given lters must match exactly one
region whose data will be exported as attributes.

name - (Optional) The full name of the region to select.

endpoint - (Optional) The EC2 endpoint of the region to select.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

name - The name of the selected region.

endpoint - The EC2 endpoint for the selected region.

description - The region's description in this format: "Location (Region name)".

Data Source: aws_route53_delegation_set
aws_route53_delegation_set provides details about a speci c Route 53 Delegation Set.

This data source allows to nd a list of name servers associated with a speci c delegation set.

Example Usage
The following example shows how to get a delegation set from its id.

data "aws_route53_delegation_set" "dset" {

id = "MQWGHCBFAKEID"
}

Argument Reference
id - (Required) The Hosted Zone id of the desired delegation set.

The following attribute is additionally exported:

caller_reference - Caller Reference of the delegation set.

name_servers - The list of DNS name servers for the delegation set.
Data Source: aws_route53_resolver_rule
aws_route53_resolver_rule provides details about a speci c Route53 Resolver rule.

Example Usage
The following example shows how to get a Route53 Resolver rule based on its associated domain name and rule type.

data "aws_route53_resolver_rule" "example" {

domain_name = "subdomain.example.com"
rule_type = "SYSTEM"
}

Argument Reference
The arguments of this data source act as lters for querying the available resolver rules in the current region. The given
lters must match exactly one resolver rule whose data will be exported as attributes.

domain_name - (Optional) The domain name the desired resolver rule forwards DNS queries for. Con icts with
resolver_rule_id .

name - (Optional) The friendly name of the desired resolver rule. Con icts with resolver_rule_id .

resolver_endpoint_id (Optional) The ID of the outbound resolver endpoint of the desired resolver rule. Con icts
with resolver_rule_id .

resolver_rule_id (Optional) The ID of the desired resolver rule. Con icts with domain_name , name ,
resolver_endpoint_id and rule_type .

rule_type - (Optional) The rule type of the desired resolver rule. Valid values are FORWARD , SYSTEM and
RECURSIVE . Con icts with resolver_rule_id .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the resolver rule.

arn - The ARN (Amazon Resource Name) for the resolver rule.

owner_id - When a rule is shared with another AWS account, the account ID of the account that the rule is shared
with.

share_status - Whether the rules is shared and, if so, whether the current account is sharing the rule with another
account, or another account is sharing the rule with the current account. Values are NOT_SHARED , SHARED_BY_ME or
SHARED_WITH_ME

tags - A mapping of tags assigned to the resolver rule.

Data Source: aws_route53_resolver_rules
aws_route53_resolver_rules provides details about a set of Route53 Resolver rules.

Example Usage
The following example shows how to get Route53 Resolver rules based on tags.

data "aws_route53_resolver_rules" "example" {

tags = {
Environment = "dev"
}
}

Argument Reference
The arguments of this data source act as lters for querying the available resolver rules in the current region.

owner_id (Optional) When the desired resolver rules are shared with another AWS account, the account ID of the
account that the rules are shared with.

resolver_endpoint_id (Optional) The ID of the outbound resolver endpoint for the desired resolver rules.

rule_type (Optional) The rule type of the desired resolver rules. Valid values are FORWARD , SYSTEM and
RECURSIVE .

share_status (Optional) Whether the desired resolver rules are shared and, if so, whether the current account is
sharing the rules with another account, or another account is sharing the rules with the current account. Values are
NOT_SHARED , SHARED_BY_ME or SHARED_WITH_ME

Attributes Reference
The following attributes are exported:

resolver_rule_ids - The IDs of the matched resolver rules.

Data Source: aws_route53_zone
aws_route53_zone provides details about a speci c Route 53 Hosted Zone.

This data source allows to nd a Hosted Zone ID given Hosted Zone name and certain search criteria.

Example Usage
The following example shows how to get a Hosted Zone from its name and from this data how to create a Record Set.

data "aws_route53_zone" "selected" {

name = "test.com."
private_zone = true
}

resource "aws_route53_record" "www" {

zone_id = "${data.aws_route53_zone.selected.zone_id}"
name = "www.${data.aws_route53_zone.selected.name}"
type = "A"
ttl = "300"
records = ["10.0.0.1"]
}

Argument Reference
The arguments of this data source act as lters for querying the available Hosted Zone. You have to use zone_id or name ,
not both of them. The given lter must match exactly one Hosted Zone. If you use name eld for private Hosted Zone, you
need to add private_zone eld to true

zone_id - (Optional) The Hosted Zone id of the desired Hosted Zone.

name - (Optional) The Hosted Zone name of the desired Hosted Zone.

private_zone - (Optional) Used with name eld to get a private Hosted Zone.

vpc_id - (Optional) Used with name eld to get a private Hosted Zone associated with the vpc_id (in this case,
private_zone is not mandatory).

tags - (Optional) Used with name eld. A mapping of tags, each pair of which must exactly match a pair on the
desired Hosted Zone.

Attributes Reference
All of the argument attributes are also exported as result attributes. This data source will complete the data by populating
any elds that are not included in the con guration with the data for the selected Hosted Zone.

The following attribute is additionally exported:

caller_reference - Caller Reference of the Hosted Zone.

comment - The comment eld of the Hosted Zone.

name_servers - The list of DNS name servers for the Hosted Zone.

resource_record_set_count - The number of Record Set in the Hosted Zone.

linked_service_principal - The service that created the Hosted Zone (e.g. servicediscovery.amazonaws.com ).

linked_service_description - The description provided by the service that created the Hosted Zone (e.g.
arn:aws:servicediscovery:us-east-1:1234567890:namespace/ns-xxxxxxxxxxxxxxxx ).
Data Source: aws_route
aws_route provides details about a speci c Route.

This resource can prove useful when nding the resource associated with a CIDR. For example, nding the peering
connection associated with a CIDR value.

Example Usage
The following example shows how one might use a CIDR value to nd a network interface id and use this to create a data
source of that network interface.

variable "subnet_id" {}

data "aws_route_table" "selected" {

subnet_id = "${var.subnet_id}"
}

data "aws_route" "route" {

route_table_id = "${aws_route_table.selected.id}"
destination_cidr_block = "10.0.1.0/24"
}

data "aws_network_interface" "interface" {

network_interface_id = "${data.aws_route.route.network_interface_id}"
}

Argument Reference
The arguments of this data source act as lters for querying the available Route in the current region. The given lters must
match exactly one Route whose data will be exported as attributes.

route_table_id - (Required) The id of the speci c Route Table containing the Route entry.

destination_cidr_block - (Optional) The CIDR block of the Route belonging to the Route Table.

destination_ipv6_cidr_block - (Optional) The IPv6 CIDR block of the Route belonging to the Route Table.

egress_only_gateway_id - (Optional) The Egress Only Gateway ID of the Route belonging to the Route Table.

gateway_id - (Optional) The Gateway ID of the Route belonging to the Route Table.

instance_id - (Optional) The Instance ID of the Route belonging to the Route Table.

nat_gateway_id - (Optional) The NAT Gateway ID of the Route belonging to the Route Table.

transit_gateway_id - (Optional) The EC2 Transit Gateway ID of the Route belonging to the Route Table.

vpc_peering_connection_id - (Optional) The VPC Peering Connection ID of the Route belonging to the Route Table.

network_interface_id - (Optional) The Network Interface ID of the Route belonging to the Route Table.
Attributes Reference
All of the argument attributes are also exported as result attributes when there is data available. For example, the
vpc_peering_connection_id eld will be empty when the route is attached to a Network Interface.
Data Source: aws_route_table
aws_route_table provides details about a speci c Route Table.

This resource can prove useful when a module accepts a Subnet id as an input variable and needs to, for example, add a
route in the Route Table.

Example Usage
The following example shows how one might accept a Route Table id as a variable and use this data source to obtain the
data necessary to create a route.

variable "subnet_id" {}

data "aws_route_table" "selected" {

subnet_id = "${var.subnet_id}"
}

resource "aws_route" "route" {

route_table_id = "${data.aws_route_table.selected.id}"
destination_cidr_block = "10.0.1.0/22"
vpc_peering_connection_id = "pcx-45ff3dc1"
}

Argument Reference
The arguments of this data source act as lters for querying the available Route Table in the current region. The given lters
must match exactly one Route Table whose data will be exported as attributes.

filter - (Optional) Custom lter block as described below.

route_table_id - (Optional) The id of the speci c Route Table to retrieve.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired Route Table.

vpc_id - (Optional) The id of the VPC that the desired Route Table belongs to.

subnet_id - (Optional) The id of a Subnet which is connected to the Route Table (not be exported if not given in
parameter).

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

name - (Required) The name of the eld to lter by, as de ned by the underlying AWS API
(http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteTables.html).

values - (Required) Set of values that are accepted for the given eld. A Route Table will be selected if any one of the
given values matches.
Attributes Reference
All of the argument attributes except filter and subnet_id blocks are also exported as result attributes. This data
source will complete the data by populating any elds that are not included in the con guration with the data for the
selected Route Table. In addition the following attributes are exported:

owner_id - The ID of the AWS account that owns the route table

routes are also exported with the following attributes, when there are relevants: Each route supports the following:

cidr_block - The CIDR block of the route.

ipv6_cidr_block - The IPv6 CIDR block of the route.

egress_only_gateway_id - The ID of the Egress Only Internet Gateway.

gateway_id - The Internet Gateway ID.

nat_gateway_id - The NAT Gateway ID.

instance_id - The EC2 instance ID.

transit_gateway_id - The EC2 Transit Gateway ID.

vpc_peering_connection_id - The VPC Peering ID.

network_interface_id - The ID of the elastic network interface (eni) to use.

associations are also exported with the following attributes:

route_table_association_id - The Association ID .

route_table_id - The Route Table ID.

subnet_id - The Subnet ID.

main - If the Association due to the Main Route Table.

Data Source: aws_route_tables
This resource can be useful for getting back a list of route table ids to be referenced elsewhere.

Example Usage
The following adds a route for a particular cidr block to every (private kops) route table in a speci ed vpc to use a particular
vpc peering connection.

data "aws_route_tables" "rts" {

vpc_id = "${var.vpc_id}"

filter {
name = "tag:kubernetes.io/kops/role"
values = ["private*"]
}
}

resource "aws_route" "r" {

count = "${length(data.aws_route_tables.rts.ids)}"
route_table_id = "${data.aws_route_tables.rts.ids[count.index]}"
destination_cidr_block = "10.0.1.0/22"
vpc_peering_connection_id = "pcx-0e9a7a9ecd137dc54"
}

Argument Reference
filter - (Optional) Custom lter block as described below.

vpc_id - (Optional) The VPC ID that you want to lter from.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired route tables.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. A Route Table will be selected if any one of the
given values matches.

Attributes Reference
ids - A list of all the route table ids found. This data source will fail if none are found.
Data Source: aws_s3_bucket
Provides details about a speci c S3 bucket.

This resource may prove useful when setting up a Route53 record, or an origin for a CloudFront Distribution.

Example Usage

Route53 Record

data "aws_s3_bucket" "selected" {

bucket = "bucket.test.com"
}

data "aws_route53_zone" "test_zone" {

name = "test.com."
}

resource "aws_route53_record" "example" {

zone_id = "${data.aws_route53_zone.test_zone.id}"
name = "bucket"
type = "A"

alias {
name = "${data.aws_s3_bucket.selected.website_domain}"
zone_id = "${data.aws_s3_bucket.selected.hosted_zone_id}"
}
}

CloudFront Origin

data "aws_s3_bucket" "selected" {

bucket = "a-test-bucket"
}

resource "aws_cloudfront_distribution" "test" {

origin {
domain_name = "${data.aws_s3_bucket.selected.bucket_domain_name}"
origin_id = "s3-selected-bucket"
}
}

Argument Reference
The following arguments are supported:
bucket - (Required) The name of the bucket

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The name of the bucket.

arn - The ARN of the bucket. Will be of format arn:aws:s3:::bucketname .

bucket_domain_name - The bucket domain name. Will be of format bucketname.s3.amazonaws.com .

bucket_regional_domain_name - The bucket region-speci c domain name. The bucket domain name including the
region name, please refer here (https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) for format.
Note: The AWS CloudFront allows specifying S3 region-speci c endpoint when creating S3 origin, it will prevent redirect
issues (https://forums.aws.amazon.com/thread.jspa?threadID=216814) from CloudFront to S3 Origin URL.

hosted_zone_id - The Route 53 Hosted Zone ID

(https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_website_region_endpoints) for this bucket's region.

region - The AWS region this bucket resides in.

website_endpoint - The website endpoint, if the bucket is con gured with a website. If not, this will be an empty
string.

website_domain - The domain of the website endpoint, if the bucket is con gured with a website. If not, this will be
an empty string. This is used to create Route 53 alias records.
Data Source: aws_s3_bucket_object
The S3 object data source allows access to the metadata and optionally (see below) content of an object stored inside S3
bucket.

Note: The content of an object ( body eld) is available only for objects which have a human-readable Content-Type
( text/* and application/json ). This is to prevent printing unsafe characters and potentially downloading large
amount of data which would be thrown away in favour of metadata.

Example Usage
The following example retrieves a text object (which must have a Content-Type value starting with text/ ) and uses it as
the user_data for an EC2 instance:

data "aws_s3_bucket_object" "bootstrap_script" {

bucket = "ourcorp-deploy-config"
key = "ec2-bootstrap-script.sh"
}

resource "aws_instance" "example" {

instance_type = "t2.micro"
ami = "ami-2757f631"
user_data = "${data.aws_s3_bucket_object.bootstrap_script.body}"
}

The following, more-complex example retrieves only the metadata for a zip le stored in S3, which is then used to pass the
most recent version_id to AWS Lambda for use as a function implementation. More information about Lambda functions
is available in the documentation for aws_lambda_function (/docs/providers/aws/r/lambda_function.html).

data "aws_s3_bucket_object" "lambda" {

bucket = "ourcorp-lambda-functions"
key = "hello-world.zip"
}

resource "aws_lambda_function" "test_lambda" {

s3_bucket = "${data.aws_s3_bucket_object.lambda.bucket}"
s3_key = "${data.aws_s3_bucket_object.lambda.key}"
s3_object_version = "${data.aws_s3_bucket_object.lambda.version_id}"
function_name = "lambda_function_name"
role = "${aws_iam_role.iam_for_lambda.arn}"
handler = "exports.test"
}

Argument Reference
The following arguments are supported:
bucket - (Required) The name of the bucket to read the object from

key - (Required) The full path to the object inside the bucket

version_id - (Optional) Speci c version ID of the object returned (defaults to latest version)

Attributes Reference
In addition to all arguments above, the following attributes are exported:

body - Object data (see limitations above to understand cases in which this eld is actually available)

cache_control - Speci es caching behavior along the request/reply chain.

content_disposition - Speci es presentational information for the object.

content_encoding - Speci es what content encodings have been applied to the object and thus what decoding
mechanisms must be applied to obtain the media-type referenced by the Content-Type header eld.

content_language - The language the content is in.

content_length - Size of the body in bytes.

content_type - A standard MIME type describing the format of the object data.

etag - ETag (https://en.wikipedia.org/wiki/HTTP_ETag) generated for the object (an MD5 sum of the object content in
case it's not encrypted)

expiration - If the object expiration is con gured (see object lifecycle management
(http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html)), the eld includes this header. It
includes the expiry-date and rule-id key value pairs providing object expiration information. The value of the rule-id is
URL encoded.

expires - The date and time at which the object is no longer cacheable.

last_modified - Last modi ed date of the object in RFC1123 format (e.g. Mon, 02 Jan 2006 15:04:05 MST )

metadata - A map of metadata stored with the object in S3

object_lock_legal_hold_status - Indicates whether this object has an active legal hold

(https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html#object-lock-legal-holds). This eld is
only returned if you have permission to view an object's legal hold status.

object_lock_mode - The object lock retention mode (https://docs.aws.amazon.com/AmazonS3/latest/dev/object-

lock-overview.html#object-lock-retention-modes) currently in place for this object.

object_lock_retain_until_date - The date and time when this object's object lock will expire.

server_side_encryption - If the object is stored using server-side encryption (KMS or Amazon S3-managed
encryption key), this eld includes the chosen encryption and algorithm used.

sse_kms_key_id - If present, speci es the ID of the Key Management Service (KMS) master encryption key that was
used for the object.

storage_class - Storage class (http://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html)

information of the object. Available for all objects except for Standard storage class objects.
version_id - The latest version ID of the object returned.

website_redirect_location - If the bucket is con gured as a website, redirects requests for this object to another
object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata.

tags - A mapping of tags assigned to the object.

Note: Terraform ignores all leading / s in the object's key and treats multiple / s in the rest of the object's key as a
single / , so values of /index.html and index.html correspond to the same S3 object as do
first//second///third// and first/second/third/ .
Data Source: aws_s3_bucket_objects

NOTE on max_keys : Retrieving very large numbers of keys can adversely a ect Terraform's performance.

The bucket-objects data source returns keys (i.e., le names) and other metadata about objects in an S3 bucket.

Example Usage
The following example retrieves a list of all object keys in an S3 bucket and creates corresponding Terraform object data
sources:

data "aws_s3_bucket_objects" "my_objects" {

bucket = "ourcorp"
}

data "aws_s3_bucket_object" "object_info" {

count = "${length(data.aws_s3_bucket_objects.my_objects.keys)}"
key = "${element(data.aws_s3_bucket_objects.my_objects.keys, count.index)}"
bucket = "${data.aws_s3_bucket_objects.my_objects.bucket}"
}

Argument Reference
The following arguments are supported:

bucket - (Required) Lists object keys in this S3 bucket

prefix - (Optional) Limits results to object keys with this pre x (Default: none)

delimiter - (Optional) A character used to group keys (Default: none)

encoding_type - (Optional) Encodes keys using this method (Default: none; besides none, only "url" can be used)

max_keys - (Optional) Maximum object keys to return (Default: 1000)

start_after - (Optional) Returns key names lexicographically after a speci c object key in your bucket (Default:
none; S3 lists object keys in UTF-8 character encoding in lexicographical order)

fetch_owner - (Optional) Boolean specifying whether to populate the owner list (Default: false)

Attributes Reference
In addition to all arguments above, the following attributes are exported:

keys - List of strings representing object keys

common_prefixes - List of any keys between prefix and the next occurrence of delimiter (i.e., similar to
subdirectories of the prefix "directory"); the list is only returned when you specify delimiter
owners - List of strings representing object owner IDs (see fetch_owner above)
Data Source: aws_secretsmanager_secret
Retrieve metadata information about a Secrets Manager secret. To retrieve a secret value, see the
aws_secretsmanager_secret_version data source (/docs/providers/aws/d/secretsmanager_secret_version.html).

Example Usage

ARN

data "aws_secretsmanager_secret" "by-arn" {

arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456"
}

Name

data "aws_secretsmanager_secret" "by-name" {

name = "example"
}

Argument Reference
arn - (Optional) The Amazon Resource Name (ARN) of the secret to retrieve.

name - (Optional) The name of the secret to retrieve.

Attributes Reference
arn - The Amazon Resource Name (ARN) of the secret.

description - A description of the secret.

kms_key_id - The Key Management Service (KMS) Customer Master Key (CMK) associated with the secret.

id - The Amazon Resource Name (ARN) of the secret.

rotation_enabled - Whether rotation is enabled or not.

rotation_lambda_arn - Rotation Lambda function Amazon Resource Name (ARN) if rotation is enabled.

rotation_rules - Rotation rules if rotation is enabled.

tags - Tags of the secret.

policy - The resource-based policy document that's attached to the secret.

Data Source: aws_secretsmanager_secret_version
Retrieve information about a Secrets Manager secret version, including its secret value. To retrieve secret metadata, see the
aws_secretsmanager_secret data source (/docs/providers/aws/d/secretsmanager_secret.html).

Example Usage

Retrieve Current Secret Version

By default, this data sources retrieves information based on the AWSCURRENT staging label.

data "aws_secretsmanager_secret_version" "example" {

secret_id = "${data.aws_secretsmanager_secret.example.id}"
}

Retrieve Speci c Secret Version

data "aws_secretsmanager_secret_version" "by-version-stage" {

secret_id = "${data.aws_secretsmanager_secret.example.id}"
version_stage = "example"
}

Handling Key-Value Secret Strings in JSON

Reading key-value pairs from JSON back into a native Terraform map can be accomplished in Terraform 0.12 and later with
the jsondecode() function (https://www.terraform.io/docs/con guration/functions/jsondecode.html):

output "example" {
value = jsondecode(data.aws_secretsmanager_secret_version
aws_secretsmanager_secret_version.example
example.secret_string
secret_string)["key1"]
}

Argument Reference
secret_id - (Required) Speci es the secret containing the version that you want to retrieve. You can specify either
the Amazon Resource Name (ARN) or the friendly name of the secret.

version_id - (Optional) Speci es the unique identi er of the version of the secret that you want to retrieve.
Overrides version_stage .

version_stage - (Optional) Speci es the secret version that you want to retrieve by the staging label attached to the
version. Defaults to AWSCURRENT .
Attributes Reference
arn - The ARN of the secret.

id - The unique identi er of this version of the secret.

secret_string - The decrypted part of the protected secret information that was originally provided as a string.

secret_binary - The decrypted part of the protected secret information that was originally provided as a binary.
Base64 encoded.

version_id - The unique identi er of this version of the secret.

Data Source: aws_security_group
aws_security_group provides details about a speci c Security Group.

This resource can prove useful when a module accepts a Security Group id as an input variable and needs to, for example,
determine the id of the VPC that the security group belongs to.

Example Usage
The following example shows how one might accept a Security Group id as a variable and use this data source to obtain the
data necessary to create a subnet.

variable "security_group_id" {}

data "aws_security_group" "selected" {

id = "${var.security_group_id}"
}

resource "aws_subnet" "subnet" {

vpc_id = "${data.aws_security_group.selected.vpc_id}"
cidr_block = "10.0.1.0/24"
}

Argument Reference
The arguments of this data source act as lters for querying the available security group in the current region. The given
lters must match exactly one security group whose data will be exported as attributes.

filter - (Optional) Custom lter block as described below.

id - (Optional) The id of the speci c security group to retrieve.

name - (Optional) The name that the desired security group must have.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired security group.

vpc_id - (Optional) The id of the VPC that the desired security group belongs to.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. A Security Group will be selected if any one of
the given values matches.

Attributes Reference
All of the argument attributes except filter blocks are also exported as result attributes. This data source will complete
the data by populating any elds that are not included in the con guration with the data for the selected Security Group.

The following elds are also exported:

description - The description of the security group.

arn - The computed ARN of the security group.

Note: The default security group for a VPC

(http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#DefaultSecurityGroup) has the
name default .
Data Source: aws_security_groups
Use this data source to get IDs and VPC membership of Security Groups that are created outside of Terraform.

Example Usage

data "aws_security_groups" "test" {

tags = {
Application = "k8s"
Environment = "dev"
}
}

data "aws_security_groups" "test" {

filter {
name = "group-name"
values = ["*nodes*"]
}

filter {
name = "vpc-id"
values = ["${var.vpc_id}"]
}
}

Argument Reference
tags - (Optional) A mapping of tags, each pair of which must exactly match for desired security groups.

filter - (Optional) One or more name/value pairs to use as lters. There are several valid keys, for a full reference,
check out describe-security-groups in the AWS CLI reference
(https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html).

Attributes Reference
ids - IDs of the matches security groups.

vpc_ids - The VPC IDs of the matched security groups. The data source's tag or lter will span VPCs unless the vpc-
id lter is also used.
Data Source: aws_servicequotas_service
Retrieve information about a Service Quotas Service.

Example Usage

data "aws_servicequotas_service" "example" {

service_name = "Amazon Virtual Private Cloud (Amazon VPC)"
}

Argument Reference
service_name - (Required) Service name to lookup within Service Quotas. Available values can be found with the AWS
CLI service-quotas list-services command (https://docs.aws.amazon.com/cli/latest/reference/service-quotas/list-
services.html).

Attributes Reference
id - Code of the service.

service_code - Code of the service.

Data Source: aws_servicequotas_service_quota
Retrieve information about a Service Quota.

Example Usage

data "aws_servicequotas_service_quota" "by_quota_code" {

quota_code = "L-F678F1CE"
service_code = "vpc"
}

data "aws_servicequotas_service_quota" "by_quota_name" {

quota_name = "VPCs per Region"
service_code = "vpc"
}

Argument Reference

NOTE: Either quota_code or quota_name must be con gured.

service_code - (Required) Service code for the quota. Available values can be found with the
aws_servicequotas_service data source (/docs/providers/aws/d/servicequotas_service.html) or AWS CLI service-
quotas list-services command (https://docs.aws.amazon.com/cli/latest/reference/service-quotas/list-services.html).

quota_code - (Optional) Quota code within the service. When con gured, the data source directly looks up the service
quota. Available values can be found with the AWS CLI service-quotas list-service-quotas command
(https://docs.aws.amazon.com/cli/latest/reference/service-quotas/list-service-quotas.html).

quota_name - (Optional) Quota name within the service. When con gured, the data source searches through all
service quotas to nd the matching quota name. Available values can be found with the AWS CLI service-quotas list-
service-quotas command (https://docs.aws.amazon.com/cli/latest/reference/service-quotas/list-service-quotas.html).

Attributes Reference
In addition to all arguments above, the following attributes are exported:

adjustable - Whether the service quota is adjustable.

arn - Amazon Resource Name (ARN) of the service quota.

default_value - Default value of the service quota.

global_quota - Whether the service quota is global for the AWS account.

id - Amazon Resource Name (ARN) of the service quota.

service_name - Name of the service.

value - Current value of the service quota.
Data Source: aws_sns_topic
Use this data source to get the ARN of a topic in AWS Simple Noti cation Service (SNS). By using this data source, you can
reference SNS topics without having to hard code the ARNs as input.

Example Usage

data "aws_sns_topic" "example" {

name = "an_example_topic"
}

Argument Reference
name - (Required) The friendly name of the topic to match.

Attributes Reference
arn - Set to the ARN of the found topic, suitable for referencing in other resources that support SNS topics.
Data Source: aws_sqs_queue
Use this data source to get the ARN and URL of queue in AWS Simple Queue Service (SQS). By using this data source, you can
reference SQS queues without having to hardcode the ARNs as input.

Example Usage

data "aws_sqs_queue" "example" {

name = "queue"
}

Argument Reference
name - (Required) The name of the queue to match.

Attributes Reference
arn - The Amazon Resource Name (ARN) of the queue.

url - The URL of the queue.

Data Source: aws_ssm_document
Gets the contents of the speci ed Systems Manager document.

Example Usage
To get the contents of the document owned by AWS.

data "aws_ssm_document" "foo" {

name = "AWS-GatherSoftwareInventory"
document_format = "YAML"
}

output "content" {
value = "${data.aws_ssm_document.foo.content}"
}

To get the contents of the custom document.

data "aws_ssm_document" "test" {

name = "${aws_ssm_document.test.name}"
document_format = "JSON"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the Systems Manager document.

document_format - (Optional) Returns the document in the speci ed format. The document format can be either
JSON or YAML. JSON is the default format.

document_version - (Optional) The document version for which you want information.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN of the document.

content - The contents of the document.

document_type - The type of the document.

Data Source: aws_ssm_parameter
Provides an SSM Parameter data source.

Example Usage

data "aws_ssm_parameter" "foo" {

name = "foo"
}

Note: The unencrypted value of a SecureString will be stored in the raw state as plain-text. Read more about sensitive
data in state (/docs/state/sensitive-data.html).

Note: The data source is currently following the behavior of the SSM API (https://docs.aws.amazon.com/sdk-for-
go/api/service/ssm/#Parameter) to return a string value, regardless of parameter type. For type StringList , we can
use the built-in split() (https://www.terraform.io/docs/con guration/functions/split.html) function to get values in a list.
Example: split(",", data.aws_ssm_parameter.subnets.value)

Argument Reference
The following arguments are supported:

name - (Required) The name of the parameter.

with_decryption - (Optional) Whether to return decrypted SecureString value. Defaults to true .

In addition to all arguments above, the following attributes are exported:

arn - The ARN of the parameter.

name - The name of the parameter.

type - The type of the parameter. Valid types are String , StringList and SecureString .

value - The value of the parameter.

version - The version of the parameter.

Data Source: aws_storagegateway_local_disk
Retrieve information about a Storage Gateway local disk. The disk identi er is useful for adding the disk as a cache or
upload bu er to a gateway.

Example Usage

data "aws_storagegateway_local_disk" "test" {

disk_path = "${aws_volume_attachment.test.device_name}"
gateway_arn = "${aws_storagegateway_gateway.test.arn}"
}

Argument Reference
gateway_arn - (Required) The Amazon Resource Name (ARN) of the gateway.

disk_node - (Optional) The device node of the local disk to retrieve. For example, /dev/sdb .

disk_path - (Optional) The device path of the local disk to retrieve. For example, /dev/xvdb or /dev/nvme1n1 .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

disk_id - The disk identi er. e.g. pci-0000:03:00.0-scsi-0:0:0:0

id - The disk identi er. e.g. pci-0000:03:00.0-scsi-0:0:0:0

Data Source: aws_subnet
aws_subnet provides details about a speci c VPC subnet.

This resource can prove useful when a module accepts a subnet id as an input variable and needs to, for example, determine
the id of the VPC that the subnet belongs to.

Example Usage
The following example shows how one might accept a subnet id as a variable and use this data source to obtain the data
necessary to create a security group that allows connections from hosts in that subnet.

variable "subnet_id" {}

data "aws_subnet" "selected" {

id = "${var.subnet_id}"
}

resource "aws_security_group" "subnet" {

vpc_id = "${data.aws_subnet.selected.vpc_id}"

ingress {
cidr_blocks = ["${data.aws_subnet.selected.cidr_block}"]
from_port = 80
to_port = 80
protocol = "tcp"
}
}

Argument Reference
The arguments of this data source act as lters for querying the available subnets in the current region. The given lters
must match exactly one subnet whose data will be exported as attributes.

availability_zone - (Optional) The availability zone where the subnet must reside.

availability_zone_id - (Optional) The ID of the Availability Zone for the subnet.

cidr_block - (Optional) The cidr block of the desired subnet.

ipv6_cidr_block - (Optional) The Ipv6 cidr block of the desired subnet

default_for_az - (Optional) Boolean constraint for whether the desired subnet must be the default subnet for its
associated availability zone.

filter - (Optional) Custom lter block as described below.

id - (Optional) The id of the speci c subnet to retrieve.

state - (Optional) The state that the desired subnet must have.
tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired subnet.

vpc_id - (Optional) The id of the VPC that the desired subnet belongs to.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

data "aws_subnet" "selected" {

filter {
name = "tag:Name"
values = [""]
}
}

values - (Required) Set of values that are accepted for the given eld. A subnet will be selected if any one of the given
values matches.

In addition the following attributes are exported:

arn - The ARN of the subnet.

owner_id - The ID of the AWS account that owns the subnet.

Data Source: aws_subnet_ids
aws_subnet_ids provides a list of ids for a vpc_id

This resource can be useful for getting back a list of subnet ids for a vpc.

Example Usage
The following shows outputing all cidr blocks for every subnet id in a vpc.

data "aws_subnet_ids" "example" {

vpc_id = "${var.vpc_id}"
}

data "aws_subnet" "example" {

count = "${length(data.aws_subnet_ids.example.ids)}"
id = "${data.aws_subnet_ids.example.ids[count.index]}"
}

output "subnet_cidr_blocks" {
value = ["${data.aws_subnet.example.*.cidr_block}"]
}

The following example retrieves a list of all subnets in a VPC with a custom tag of Tier set to a value of "Private" so that the
aws_instance resource can loop through the subnets, putting instances across availability zones.

data "aws_subnet_ids" "private" {

vpc_id = "${var.vpc_id}"

tags = {
Tier = "Private"
}
}

resource "aws_instance" "app" {

count = "3"
ami = "${var.ami}"
instance_type = "t2.micro"
subnet_id = "${element(data.aws_subnet_ids.private.ids, count.index)}"
}

Argument Reference
vpc_id - (Required) The VPC ID that you want to lter from.

filter - (Optional) Custom lter block as described below.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired subnets.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:
name - (Required) The name of the eld to lter by, as de ned by the underlying AWS API
(http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html). For example, if matching
against tag Name , use:

data "aws_subnet_ids" "selected" {

filter {
name = "tag:Name"
values = [""]
}
}

values - (Required) Set of values that are accepted for the given eld. Subnet IDs will be selected if any one of the
given values match.

Attributes Reference
ids - A set of all the subnet ids found. This data source will fail if none are found.
Data Source: aws_transfer_server
Use this data source to get the ARN of an AWS Transfer Server for use in other resources.

Example Usage

data "aws_transfer_server" "example" {

server_id = "s-1234567"
}

Argument Reference
server_id - (Required) ID for an SFTP server.

Attributes Reference
arn - Amazon Resource Name (ARN) of Transfer Server

endpoint - The endpoint of the Transfer Server (e.g. s-12345678.server.transfer.REGION.amazonaws.com )

id - The Server ID of the Transfer Server (e.g. s-12345678 )

identity_provider_type - The mode of authentication enabled for this service. The default value is
SERVICE_MANAGED , which allows you to store and access SFTP user credentials within the service. API_GATEWAY
indicates that user authentication requires a call to an API Gateway endpoint URL provided by you to integrate an
identity provider of your choice.

invocation_role - Amazon Resource Name (ARN) of the IAM role used to authenticate the user account with an
identity_provider_type of API_GATEWAY .

logging_role - Amazon Resource Name (ARN) of an IAM role that allows the service to write your SFTP users’ activity
to your Amazon CloudWatch logs for monitoring and auditing purposes.

url - URL of the service endpoint used to authenticate users with an identity_provider_type of API_GATEWAY .
Data Source: aws_vpc_dhcp_options
Retrieve information about an EC2 DHCP Options con guration.

Example Usage

Lookup by DHCP Options ID

data "aws_vpc_dhcp_options" "example" {

dhcp_options_id = "dopts-12345678"
}

Lookup by Filter

data "aws_vpc_dhcp_options" "example" {

filter {
name = "key"
values = ["domain-name"]
}

filter {
name = "value"
values = ["example.com"]
}
}

Argument Reference
dhcp_options_id - (Optional) The EC2 DHCP Options ID.

filter - (Optional) List of custom lters as described below.

lter
For more information about ltering, see the EC2 API documentation
(https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDhcpOptions.html).

name - (Required) The name of the eld to lter.

values - (Required) Set of values for ltering.

Attributes Reference
dhcp_options_id - EC2 DHCP Options ID

domain_name - The su x domain name to used when resolving non Fully Quali ed Domain Names. e.g. the search
value in the /etc/resolv.conf le.

domain_name_servers - List of name servers.

id - EC2 DHCP Options ID

netbios_name_servers - List of NETBIOS name servers.

netbios_node_type - The NetBIOS node type (1, 2, 4, or 8). For more information about these node types, see RFC
2132 (http://www.ietf.org/rfc/rfc2132.txt).

ntp_servers - List of NTP servers.

tags - A mapping of tags assigned to the resource.

owner_id - The ID of the AWS account that owns the DHCP options set.
Data Source: aws_vpc_endpoint
The VPC Endpoint data source provides details about a speci c VPC endpoint.

Example Usage

data "aws_vpc_endpoint" "s3" {

vpc_id = "${aws_vpc.foo.id}"
service_name = "com.amazonaws.us-west-2.s3"
}

resource "aws_vpc_endpoint_route_table_association" "private_s3" {

vpc_endpoint_id = "${data.aws_vpc_endpoint.s3.id}"
route_table_id = "${aws_route_table.private.id}"
}

Argument Reference
The arguments of this data source act as lters for querying the available VPC endpoints. The given lters must match
exactly one VPC endpoint whose data will be exported as attributes.

id - (Optional) The ID of the speci c VPC Endpoint to retrieve.

service_name - (Optional) The AWS service name of the speci c VPC Endpoint to retrieve.

state - (Optional) The state of the speci c VPC Endpoint to retrieve.

vpc_id - (Optional) The ID of the VPC in which the speci c VPC Endpoint is used.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

cidr_blocks - The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway .

dns_entry - The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface . DNS blocks are
documented below.

network_interface_ids - One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type
Interface .

owner_id - The ID of the AWS account that owns the VPC endpoint.

policy - The policy document associated with the VPC Endpoint. Applicable for endpoints of type Gateway .

prefix_list_id - The pre x list ID of the exposed AWS service. Applicable for endpoints of type Gateway .

private_dns_enabled - Whether or not the VPC is associated with a private hosted zone - true or false .
Applicable for endpoints of type Interface .

requester_managed - Whether or not the VPC Endpoint is being managed by its service - true or false .

route_table_ids - One or more route tables associated with the VPC Endpoint. Applicable for endpoints of type
Gateway .

security_group_ids - One or more security groups associated with the network interfaces. Applicable for endpoints
of type Interface .

subnet_ids - One or more subnets in which the VPC Endpoint is located. Applicable for endpoints of type
Interface .

tags - A mapping of tags assigned to the resource.

vpc_endpoint_type - The VPC Endpoint type, Gateway or Interface .

DNS blocks (for dns_entry ) support the following attributes:

dns_name - The DNS name.

hosted_zone_id - The ID of the private hosted zone.

Data Source: aws_vpc_endpoint_service
The VPC Endpoint Service data source details about a speci c service that can be speci ed when creating a VPC endpoint
within the region con gured in the provider.

Example Usage
AWS service usage:

data "aws_vpc_endpoint_service" "s3" {

service = "s3"
}

resource "aws_vpc" "foo" {

cidr_block = "10.0.0.0/16"
}

resource "aws_vpc_endpoint" "ep" {

vpc_id = "${aws_vpc.foo.id}"
service_name = "${data.aws_vpc_endpoint_service.s3.service_name}"
}

Non-AWS service usage:

data "aws_vpc_endpoint_service" "custome" {

service_name = "com.amazonaws.vpce.us-west-2.vpce-svc-0e87519c997c63cd8"
}

Argument Reference
The arguments of this data source act as lters for querying the available VPC endpoint services. The given lters must
match exactly one VPC endpoint service whose data will be exported as attributes.

service - (Optional) The common name of an AWS service (e.g. s3 ).

service_name - (Optional) The service name that can be speci ed when creating a VPC endpoint.

NOTE: One of service or service_name must be speci ed.

Attributes Reference
In addition to all arguments above, the following attributes are exported:
acceptance_required - Whether or not VPC endpoint connection requests to the service must be accepted by the
service owner - true or false .

availability_zones - The Availability Zones in which the service is available.

base_endpoint_dns_names - The DNS names for the service.

manages_vpc_endpoints - Whether or not the service manages its VPC endpoints - true or false .

owner - The AWS account ID of the service owner or amazon .

private_dns_name - The private DNS name for the service.

service_id - The ID of the endpoint service.

service_type - The service type, Gateway or Interface .

tags - A mapping of tags assigned to the resource.

vpc_endpoint_policy_supported - Whether or not the service supports endpoint policies - true or false .
Data Source: aws_vpc
aws_vpc provides details about a speci c VPC.

This resource can prove useful when a module accepts a vpc id as an input variable and needs to, for example, determine
the CIDR block of that VPC.

Example Usage
The following example shows how one might accept a VPC id as a variable and use this data source to obtain the data
necessary to create a subnet within it.

variable "vpc_id" {}

data "aws_vpc" "selected" {

id = "${var.vpc_id}"
}

resource "aws_subnet" "example" {

vpc_id = "${data.aws_vpc.selected.id}"
availability_zone = "us-west-2a"
cidr_block = "${cidrsubnet(data.aws_vpc.selected.cidr_block, 4, 1)}"
}

Argument Reference
The arguments of this data source act as lters for querying the available VPCs in the current region. The given lters must
match exactly one VPC whose data will be exported as attributes.

cidr_block - (Optional) The cidr block of the desired VPC.

dhcp_options_id - (Optional) The DHCP options id of the desired VPC.

default - (Optional) Boolean constraint on whether the desired VPC is the default VPC for the region.

filter - (Optional) Custom lter block as described below.

id - (Optional) The id of the speci c VPC to retrieve.

state - (Optional) The current state of the desired VPC. Can be either "pending" or "available" .

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired VPC.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. A VPC will be selected if any one of the given
values matches.
Attributes Reference
All of the argument attributes except filter blocks are also exported as result attributes. This data source will complete
the data by populating any elds that are not included in the con guration with the data for the selected VPC.

The following attribute is additionally exported:

arn - Amazon Resource Name (ARN) of VPC

enable_dns_support - Whether or not the VPC has DNS support

enable_dns_hostnames - Whether or not the VPC has DNS hostname support

instance_tenancy - The allowed tenancy of instances launched into the selected VPC. May be any of "default" ,
"dedicated" , or "host" .

ipv6_association_id - The association ID for the IPv6 CIDR block.

ipv6_cidr_block - The IPv6 CIDR block.

main_route_table_id - The ID of the main route table associated with this VPC.

owner_id - The ID of the AWS account that owns the VPC.

cidr_block_associations is also exported with the following attributes:

association_id - The association ID for the the IPv4 CIDR block.

cidr_block - The CIDR block for the association.

state - The State of the association.

Data Source: aws_vpc_peering_connection
The VPC Peering Connection data source provides details about a speci c VPC peering connection.

Example Usage

data "aws_vpc_peering_connection" "pc" {

vpc_id = "${aws_vpc.foo.id}"
peer_cidr_block = "10.0.1.0/22"
}

resource "aws_route_table" "rt" {

vpc_id = "${aws_vpc.foo.id}"
}

resource "aws_route" "r" {

route_table_id = "${aws_route_table.rt.id}"
destination_cidr_block = "${data.aws_vpc_peering_connection.pc.peer_cidr_block}"
vpc_peering_connection_id = "${data.aws_vpc_peering_connection.pc.id}"
}

Argument Reference
The arguments of this data source act as lters for querying the available VPC peering connection. The given lters must
match exactly one VPC peering connection whose data will be exported as attributes.

id - (Optional) The ID of the speci c VPC Peering Connection to retrieve.

status - (Optional) The status of the speci c VPC Peering Connection to retrieve.

vpc_id - (Optional) The ID of the requester VPC of the speci c VPC Peering Connection to retrieve.

owner_id - (Optional) The AWS account ID of the owner of the requester VPC of the speci c VPC Peering Connection
to retrieve.

cidr_block - (Optional) The CIDR block of the requester VPC of the speci c VPC Peering Connection to retrieve.

region - (Optional) The region of the requester VPC of the speci c VPC Peering Connection to retrieve.

peer_vpc_id - (Optional) The ID of the accepter VPC of the speci c VPC Peering Connection to retrieve.

peer_owner_id - (Optional) The AWS account ID of the owner of the accepter VPC of the speci c VPC Peering
Connection to retrieve.

peer_cidr_block - (Optional) The CIDR block of the accepter VPC of the speci c VPC Peering Connection to retrieve.

peer_region - (Optional) The region of the accepter VPC of the speci c VPC Peering Connection to retrieve.
filter - (Optional) Custom lter block as described below.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired VPC Peering
Connection.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. A VPC Peering Connection will be selected if
any one of the given values matches.

Attributes Reference
All of the argument attributes except filter are also exported as result attributes.

accepter - A con guration block that describes VPC Peering Connection

requester - A con guration block that describes VPC Peering Connection

Accepter and Requester Attributes Reference

allow_remote_vpc_dns_resolution - Indicates whether a local VPC can resolve public DNS hostnames to private IP
addresses when queried from instances in a peer VPC.

allow_classic_link_to_remote_vpc - Indicates whether a local ClassicLink connection can communicate with the
peer VPC over the VPC peering connection.

allow_vpc_to_remote_classic_link - Indicates whether a local VPC can communicate with a ClassicLink connection
in the peer VPC over the VPC peering connection.
Data Source: aws_vpcs
This resource can be useful for getting back a list of VPC Ids for a region.

The following example retrieves a list of VPC Ids with a custom tag of service set to a value of "production".

Example Usage
The following shows outputing all VPC Ids.

data "aws_vpcs" "foo" {

tags = {
service = "production"
}
}

output "foo" {
value = "${data.aws_vpcs.foo.ids}"
}

An example use case would be interpolate the aws_vpcs output into count of an aws_ ow_log resource.

data "aws_vpcs" "foo" {}

resource "aws_flow_log" "test_flow_log" {

count = "${length(data.aws_vpcs.foo.ids)}"

vpc_id = "${element(data.aws_vpcs.foo.ids, count.index)}"

output "foo" {
value = "${data.aws_vpcs.foo.ids}"
}

Argument Reference
tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired vpcs.

filter - (Optional) Custom lter block as described below.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. A VPC will be selected if any one of the given
values matches.
Attributes Reference
ids - A list of all the VPC Ids found. This data source will fail if none are found.
Data Source: aws_vpn_gateway
The VPN Gateway data source provides details about a speci c VPN gateway.

Example Usage

data "aws_vpn_gateway" "selected" {

filter {
name = "tag:Name"
values = ["vpn-gw"]
}
}

output "vpn_gateway_id" {
value = "${data.aws_vpn_gateway.selected.id}"
}

Argument Reference
The arguments of this data source act as lters for querying the available VPN gateways. The given lters must match exactly
one VPN gateway whose data will be exported as attributes.

id - (Optional) The ID of the speci c VPN Gateway to retrieve.

state - (Optional) The state of the speci c VPN Gateway to retrieve.

availability_zone - (Optional) The Availability Zone of the speci c VPN Gateway to retrieve.

attached_vpc_id - (Optional) The ID of a VPC attached to the speci c VPN Gateway to retrieve.

filter - (Optional) Custom lter block as described below.

tags - (Optional) A mapping of tags, each pair of which must exactly match a pair on the desired VPN Gateway.

amazon_side_asn - (Optional) The Autonomous System Number (ASN) for the Amazon side of the speci c VPN
Gateway to retrieve.

More complex lters can be expressed using one or more filter sub-blocks, which take the following arguments:

values - (Required) Set of values that are accepted for the given eld. A VPN Gateway will be selected if any one of
the given values matches.

Attributes Reference
All of the argument attributes are also exported as result attributes.
Data Source: aws_waf_ipset
aws_waf_ipset Retrieves a WAF IP Set Resource Id.

Example Usage

data "aws_waf_ipset" "example" {

name = "tfWAFIPSet"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF IP set.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF IP set.

Data Source: aws_waf_rate_based_rule
aws_waf_rate_based_rule Retrieves a WAF Rate Based Rule Resource Id.

Example Usage

data "aws_waf_rate_based_rule" "example" {

name = "tfWAFRateBasedRule"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF rate based rule.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF rate based rule.

Data Source: aws_wafregional_ipset
aws_wafregional_ipset Retrieves a WAF Regional IP Set Resource Id.

Example Usage

data "aws_wafregional_ipset" "example" {

name = "tfWAFRegionalIPSet"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF Regional IP set.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF Regional IP set.

Data Source: aws_wafregional_rate_based_rule
aws_wafregional_rate_based_rule Retrieves a WAF Regional Rate Based Rule Resource Id.

Example Usage

data "aws_wafregional_rate_based_rule" "example" {

name = "tfWAFRegionalRateBasedRule"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF Regional rate based rule.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF Regional rate based rule.

Data Source: aws_waf_rule
aws_wafregional_rule Retrieves a WAF Regional Rule Resource Id.

Example Usage

data "aws_wafregional_rule" "example" {

name = "tfWAFRule"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF rule.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF Regional rule.

Data Source: aws_wafregional_web_acl
aws_wafregional_web_acl Retrieves a WAF Regional Web ACL Resource Id.

Example Usage

data "aws_wafregional_web_acl" "example" {

name = "tfWAFRule"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF Web ACL.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF Regional WebACL.

Data Source: aws_waf_rule
aws_waf_rule Retrieves a WAF Rule Resource Id.

Example Usage

data "aws_waf_rule" "example" {

name = "tfWAFRule"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF rule.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF rule.

Data Source: aws_waf_rule
aws_waf_rule Retrieves a WAF Web ACL Resource Id.

Example Usage

data "aws_waf_web_acl" "example" {

name = "tfWAFRule"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the WAF Web ACL.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the WAF WebACL.

Data Source: aws_workspaces_bundle
Use this data source to get information about a Workspaces Bundle.

Example Usage

data "aws_workspaces_bundle" "example" {

bundle_id = "wsb-b0s22j3d7"
}

Argument Reference
The following arguments are supported:

bundle_id – (Required) The ID of the bundle.

Attributes Reference
The following attributes are exported:

description – The description of the bundle.

name – The name of the bundle.

owner – The owner of the bundle.

compute_type – The compute type. See supported elds below.

root_storage – The root volume. See supported elds below.

user_storage – The user storage. See supported elds below.

compute_type

name - The name of the compute type.

root_storage

capacity - The size of the root volume.

user_storage

capacity - The size of the user storage.

Custom Service Endpoint Con guration
The Terraform AWS Provider con guration can be customized to connect to non-default AWS service endpoints and AWS
compatible solutions. This may be useful for environments with speci c compliance requirements, such as using AWS FIPS
140-2 endpoints (https://aws.amazon.com/compliance/ ps/), connecting to AWS Snowball, SC2S, or C2S environments, or
local testing.

This guide outlines how to get started with customizing endpoints, the available endpoint con gurations, and o ers
example con gurations for working with certain local development and testing solutions.

NOTE: Support for connecting the Terraform AWS Provider with custom endpoints and AWS compatible solutions is
o ered as best e ort. Individual Terraform resources may require compatibility updates to work in certain
environments. Integration testing by HashiCorp during provider changes is exclusively done against default AWS
endpoints at this time.

Getting Started with Custom Endpoints

Available Endpoint Customizations

Connecting to Local AWS Compatible Solutions

DynamoDB Local

LocalStack

Getting Started with Custom Endpoints

To con gure the Terraform AWS Provider to use customized endpoints, it can be done within provider declarations using
the endpoints con guration block, e.g.

provider "aws" {

endpoints {
dynamodb = "http://localhost:4569"
s3 = "http://localhost:4572"
}
}

If multiple, di erent Terraform AWS Provider con gurations are required, see the Terraform documentation on multiple
provider instances (https://www.terraform.io/docs/con guration/providers.html#alias-multiple-provider-instances) for
additional information about the alias provider con guration and its usage.

Available Endpoint Customizations

The Terraform AWS Provider allows the following endpoints to be customized:

acm
acmpca

amplify

apigateway

applicationautoscaling

applicationinsights

appmesh

appstream

appsync

athena

autoscaling

autoscalingplans

backup

batch

budgets

cloud9

cloudformation

cloudfront

cloudhsm

cloudsearch

cloudtrail

cloudwatch

cloudwatchevents

cloudwatchlogs

codebuild

codecommit

codedeploy

codepipeline

cognitoidentity

cognitoidp

configservice

cur
datapipeline

datasync

dax

devicefarm

directconnect

dlm

dms

docdb

dynamodb

ec2

ecr

ecs

efs

eks

elasticache

elasticbeanstalk

elastictranscoder

elb

emr

firehose

fms

forecast

fsx

gamelift

glacier

globalaccelerator

glue

guardduty

iam
inspector

iot

iotanalytics

iotevents

kafka

kinesis_analytics (DEPRECATED Use kinesisanalytics instead)

kinesis

kinesisanalytics

kinesisvideo

kms

lakeformation

lambda

lexmodels

licensemanager

lightsail

macie

managedblockchain

mediaconnect

mediaconvert

medialive

mediapackage

mediastore

mediastoredata

neptune

opsworks

organizations

personalize

pinpoint

pricing

qldb
quicksight

r53 (DEPRECATED Use route53 instead)

ram

rds

redshift

resourcegroups

route53

route53resolver

s3control

sagemaker

sdb

secretsmanager

securityhub

serverlessrepo

servicecatalog

servicediscovery

servicequotas

ses

shield

sns

sqs

ssm

stepfunctions

storagegateway

sts

swf

transfer

waf

wafregional

worklink
workspaces

xray

Connecting to Local AWS Compatible Solutions

NOTE: This information is not intended to be exhaustive for all local AWS compatible solutions or necessarily
authoritative con gurations for those documented. Check the documentation for each of these solutions for the most
up to date information.

DynamoDB Local
The Amazon DynamoDB service o ers a downloadable version for writing and testing applications without accessing the
DynamoDB web service. For more information about this solution, see the DynamoDB Local documentation in the Amazon
DynamoDB Developer Guide
(https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.html).

An example provider con guration:

provider "aws" {
access_key = "mock_access_key"
region = "us-east-1"
secret_key = "mock_secret_key"
skip_credentials_validation = true
skip_metadata_api_check = true
skip_requesting_account_id = true

endpoints {
dynamodb = "http://localhost:8000"
}
}

LocalStack
LocalStack (https://localstack.cloud/) provides an easy-to-use test/mocking framework for developing Cloud applications.

An example provider con guration:

provider "aws" {
access_key = "mock_access_key"
region = "us-east-1"
s3_force_path_style = true
secret_key = "mock_secret_key"
skip_credentials_validation = true
skip_metadata_api_check = true
skip_requesting_account_id = true

endpoints {
apigateway = "http://localhost:4567"
cloudformation = "http://localhost:4581"
cloudwatch = "http://localhost:4582"
dynamodb = "http://localhost:4569"
es = "http://localhost:4578"
firehose = "http://localhost:4573"
iam = "http://localhost:4593"
kinesis = "http://localhost:4568"
lambda = "http://localhost:4574"
route53 = "http://localhost:4580"
redshift = "http://localhost:4577"
s3 = "http://localhost:4572"
secretsmanager = "http://localhost:4584"
ses = "http://localhost:4579"
sns = "http://localhost:4575"
sqs = "http://localhost:4576"
ssm = "http://localhost:4583"
stepfunctions = "http://localhost:4585"
sts = "http://localhost:4592"
}
}
Getting Started with AWS EKS
The Amazon Web Services EKS service allows for simpli ed management of Kubernetes (https://kubernetes.io/) servers.
While the service itself is quite simple from an operator perspective, understanding how it interconnects with other pieces of
the AWS service universe and how to con gure local Kubernetes clients to manage clusters can be helpful.

While the EKS User Guide (https://docs.aws.amazon.com/eks/latest/userguide/) provides much of the up-to-date
information about getting started with the service from a generic standpoint, this guide provides a Terraform con guration
based introduction.

This guide will show how to deploy a sample architecture using Terraform. The guide assumes some basic familiarity with
Kubernetes but does not assume any pre-existing deployment. It also assumes that you are familiar with the usual
Terraform plan/apply work ow; if you're new to Terraform itself, refer rst to the Getting Started guide (/intro/getting-
started/install.html).

It is worth noting that there are other valid ways to use these services and resources that make di erent tradeo s. We
encourage readers to consult the o cial documentation for the respective services and resources for additional context and
best-practices. This guide can still serve as an introduction to the main resources associated with these services, even if you
choose a di erent architecture.

Guide Overview

Preparation

Create Sample Architecture in AWS

Cluster Name Variable

Base VPC Networking

Kubernetes Masters
EKS Master Cluster IAM Role

EKS Master Cluster Security Group

EKS Master Cluster

Con guring kubectl for EKS

Kubernetes Worker Nodes

Worker Node IAM Role and Instance Pro le

Worker Node Security Group

Worker Node Access to EKS Master Cluster

Worker Node AutoScaling Group

Required Kubernetes Con guration to Join Worker Nodes

Destroy Sample Architecture in AWS

Guide Overview
Warning: Following this guide will create objects in your AWS account that will cost you money against your AWS bill.

The sample architecture introduced here includes the following resources:

EKS Cluster: AWS managed Kubernetes cluster of master servers

AutoScaling Group containing 2 m4.large instances based on the latest EKS Amazon Linux 2 AMI: Operator managed
Kubernetes worker nodes for running Kubernetes service deployments

Associated VPC, Internet Gateway, Security Groups, and Subnets: Operator managed networking resources for the EKS
Cluster and worker node instances

Associated IAM Roles and Policies: Operator managed access resources for EKS and worker node instances

Preparation
In order to follow this guide you will need an AWS account and to have Terraform installed. Con gure your credentials
(/docs/providers/aws/index.html#authentication) so that Terraform is able to act on your behalf.

For simplicity here, we will assume you are already using a set of IAM credentials with suitable access to create AutoScaling,
EC2, EKS, and IAM resources. If you are not sure and are working in an AWS account used only for development, the
simplest approach to get started is to use credentials with full administrative access to the target AWS account.

If you are planning to locally use the standard Kubernetes client, kubectl , it must be at least version 1.10 to support exec
authentication with usage of aws-iam-authenticator . For additional information about installation and con guration of
these applications, see their o cial documentation.

Relevant Links:

Kubernetes Client Install Guide (https://kubernetes.io/docs/tasks/tools/install-kubectl/)

AWS IAM Authenticator (https://github.com/kubernetes-sigs/aws-iam-authenticator)

Create Sample Architecture in AWS

NOTE: We recommend using this guide to build a separate Terraform con guration (for easy tear down) and more
importantly running it in a separate AWS account as your production infrastructure. While it is self-contained and
should not a ect existing infrastructure, its always best to be cautious!

NOTE: If you would rather see the full sample Terraform con guration for this guide rather than the individual pieces, it
can be found at: https://github.com/terraform-providers/terraform-provider-aws/tree/master/examples/eks-getting-
started (https://github.com/terraform-providers/terraform-provider-aws/tree/master/examples/eks-getting-started)

Cluster Name Variable

The below sample Terraform con gurations reference a variable called cluster-name ( var.cluster-name ) which is used
for consistency. Feel free to substitute your own cluster name or create the variable con guration:

variable "cluster-name" {
default = "terraform-eks-demo"
type = "string"
}

Base VPC Networking

EKS requires the usage of Virtual Private Cloud (https://aws.amazon.com/vpc/) to provide the base for its networking
con guration.

NOTE: The usage of the speci c kubernetes.io/cluster/* resource tags below are required for EKS and Kubernetes
to discover and manage networking resources.

The below will create a 10.0.0.0/16 VPC, two 10.0.X.0/24 subnets, an internet gateway, and setup the subnet routing to route
external tra c through the internet gateway:
data "aws_availability_zones" "available" {}

resource "aws_vpc" "demo" {

cidr_block = "10.0.0.0/16"

tags = "${
map(
"Name", "terraform-
- eks-
- demo-
- node",
"kubernetes.io
io/
/ cluster/
/ ${var.cluster
cluster-
- name}", "shared",
)
}"
}

resource "aws_subnet" "demo" {

count = 2

availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
cidr_block = "10.0.${count.index}.0/24"
vpc_id = "${aws_vpc.demo.id}"

tags = "${
map(
"Name", "terraform-
- eks-
- demo-
- node",
"kubernetes.io
io/
/ cluster/
/ ${var.cluster
cluster-
- name}", "shared",
)
}"
}

resource "aws_internet_gateway" "demo" {

vpc_id = "${aws_vpc.demo.id}"

tags = {
Name = "terraform-eks-demo"
}
}

resource "aws_route_table" "demo" {

vpc_id = "${aws_vpc.demo.id}"

route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.demo.id}"
}
}

resource "aws_route_table_association" "demo" {

count = 2

subnet_id = "${aws_subnet.demo.*.id[count.index]}"
route_table_id = "${aws_route_table.demo.id}"
}

Kubernetes Masters
This is where the EKS service comes into play. It requires a few operator managed resources beforehand so that Kubernetes
can properly manage other AWS services as well as allow inbound networking communication from your local workstation (if
desired) and worker nodes.

EKS Master Cluster IAM Role

The below is an example IAM role and policy to allow the EKS service to manage or retrieve data from other AWS services. It
is also possible to create these policies with the aws_iam_policy_document data source
(/docs/providers/aws/d/iam_policy_document.html)

For the latest required policy, see the EKS User Guide (https://docs.aws.amazon.com/eks/latest/userguide/).

resource "aws_iam_role" "demo-cluster" {

name = "terraform-eks-demo-cluster"

assume_role_policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" {

policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = "${aws_iam_role.demo-cluster.name}"
}

resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" {

policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = "${aws_iam_role.demo-cluster.name}"
}

EKS Master Cluster Security Group

This security group controls networking access to the Kubernetes masters. We will later con gure this with an ingress rule to
allow tra c from the worker nodes.
resource "aws_security_group" "demo-cluster" {
name = "terraform-eks-demo-cluster"
description = "Cluster communication with worker nodes"
vpc_id = "${aws_vpc.demo.id}"

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}

tags = {
Name = "terraform-eks-demo"
}
}

resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" {

cidr_blocks = ["A.B.C.D/32"]
description = "Allow workstation to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.demo-cluster.id}"
to_port = 443
type = "ingress"
}

EKS Master Cluster

This resource is the actual Kubernetes master cluster. It can take a few minutes to provision in AWS.

resource "aws_eks_cluster" "demo" {

name = "${var.cluster-name}"
role_arn = "${aws_iam_role.demo-cluster.arn}"

vpc_config {
security_group_ids = ["${aws_security_group.demo-cluster.id}"]
subnet_ids = ["${aws_subnet.demo.*.id}"]
}

depends_on = [
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy",
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy",
]
}

Con guring kubectl for EKS

This section only provides some example methods for con guring kubectl to communicate with EKS servers.
Managing Kubernetes clients and con gurations is outside the scope of this guide.

If you are planning on using kubectl to manage the Kubernetes cluster, now might be a great time to con gure your client.
After con guration, you can verify cluster access via kubectl version displaying server version information in addition to
local client version information.

The AWS CLI eks update-kubeconfig (https://docs.aws.amazon.com/cli/latest/reference/eks/update-kubecon g.html)

command provides a simple method to create or update con guration les.

If you would rather update your con guration manually, the below Terraform output generates a sample kubectl
con guration to connect to your cluster. This can be placed into a Kubernetes con guration le, e.g. ~/.kube/config

locals {
kubeconfig = <<KUBECONFIG
<<

apiVersion: v1
clusters:
- cluster:
server: ${aws_eks_cluster.demo.endpoint}
certificate-authority-data: ${aws_eks_cluster.demo.certificate_authority.0.data}
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: aws
name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
args:
- "token"
- "-i"
- "${var.cluster-name}"
KUBECONFIG
}

output "kubeconfig" {
value = "${local.kubeconfig}"
}

Kubernetes Worker Nodes

The EKS service does not currently provide managed resources for running worker nodes. Here we will create a few
operator managed resources so that Kubernetes can properly manage other AWS services, networking access, and nally a
con guration that allows automatic scaling of worker nodes.
Worker Node IAM Role and Instance Pro le

The below is an example IAM role and policy to allow the worker nodes to manage or retrieve data from other AWS services.
It is used by Kubernetes to allow worker nodes to join the cluster. It is also possible to create these policies with the
aws_iam_policy_document data source (/docs/providers/aws/d/iam_policy_document.html)

For the latest required policy, see the EKS User Guide (https://docs.aws.amazon.com/eks/latest/userguide/).

resource "aws_iam_role" "demo-node" {

name = "terraform-eks-demo-node"

assume_role_policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKSWorkerNodePolicy" {

policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = "${aws_iam_role.demo-node.name}"
}

resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKS_CNI_Policy" {

policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = "${aws_iam_role.demo-node.name}"
}

resource "aws_iam_role_policy_attachment" "demo-node-AmazonEC2ContainerRegistryReadOnly" {

policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = "${aws_iam_role.demo-node.name}"
}

resource "aws_iam_instance_profile" "demo-node" {

name = "terraform-eks-demo"
role = "${aws_iam_role.demo-node.name}"
}

Worker Node Security Group

This security group controls networking access to the Kubernetes worker nodes.
resource "aws_security_group" "demo-node" {
name = "terraform-eks-demo-node"
description = "Security group for all nodes in the cluster"
vpc_id = "${aws_vpc.demo.id}"

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}

tags = "${
map(
"Name", "terraform-
- eks-
- demo-
- node",
"kubernetes.io
io/
/ cluster/
/ ${var.cluster
cluster-
- name}", "owned",
)
}"
}

resource "aws_security_group_rule" "demo-node-ingress-self" {

description = "Allow node to communicate with each other"
from_port = 0
protocol = "-1"
security_group_id = "${aws_security_group.demo-node.id}"
source_security_group_id = "${aws_security_group.demo-node.id}"
to_port = 65535
type = "ingress"
}

resource "aws_security_group_rule" "demo-node-ingress-cluster-https" {

description = "Allow worker Kubelets and pods to receive communication from the cluster co
ntrol plane"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.demo-node.id}"
source_security_group_id = "${aws_security_group.demo-cluster.id}"
to_port = 443
type = "ingress"
}

resource "aws_security_group_rule" "demo-node-ingress-cluster-others" {

description = "Allow worker Kubelets and pods to receive communication from the cluster co
ntrol plane"
from_port = 1025
protocol = "tcp"
security_group_id = "${aws_security_group.demo-node.id}"
source_security_group_id = "${aws_security_group.demo-cluster.id}"
to_port = 65535
type = "ingress"
}

Worker Node Access to EKS Master Cluster

Now that we have a way to know where tra c from the worker nodes is coming from, we can allow the worker nodes
networking access to the EKS master cluster.
resource "aws_security_group_rule" "demo-cluster-ingress-node-https" {
description = "Allow pods to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.demo-cluster.id}"
source_security_group_id = "${aws_security_group.demo-node.id}"
to_port = 443
type = "ingress"
}

Worker Node AutoScaling Group

Now we have everything in place to create and manage EC2 instances that will serve as our worker nodes in the Kubernetes
cluster. This setup utilizes an EC2 AutoScaling Group (ASG) rather than manually working with EC2 instances. This o ers
exibility to scale up and down the worker nodes on demand when used in conjunction with AutoScaling policies (not
implemented here).

First, let us create a data source to fetch the latest Amazon Machine Image (AMI) that Amazon provides with an EKS
compatible Kubernetes baked in. It will lter for and select an AMI compatible with the speci c Kubernetes version being
deployed.

data "aws_ami" "eks-worker" {

filter {
name = "name"
values = ["amazon-eks-node-${aws_eks_cluster.demo.version}-v*"]
}

most_recent = true
owners = ["602401143452"]
}

Next, lets create an AutoScaling Launch Con guration that uses all our prerequisite resources to de ne how to create EC2
instances using them.
data "aws_region" "current" {}

locals {
demo-
- node-
- userdata = <<USERDATA
<<
#!/bin/bash
set -o xtrace
/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.demo.endpoint}' --b64-cluster-ca '${aws_eks
_cluster.demo.certificate_authority.0.data}' '${var.cluster-name}'
USERDATA
}

resource "aws_launch_configuration" "demo" {

associate_public_ip_address = true
iam_instance_profile = "${aws_iam_instance_profile.demo-node.name}"
image_id = "${data.aws_ami.eks-worker.id}"
instance_type = "m4.large"
name_prefix = "terraform-eks-demo"
security_groups = ["${aws_security_group.demo-node.id}"]
user_data_base64 = "${base64encode(local.demo-node-userdata)}"

lifecycle {
create_before_destroy = true
}
}

Finally, we create an AutoScaling Group that actually launches EC2 instances based on the AutoScaling Launch Con guration.

NOTE: The usage of the speci c kubernetes.io/cluster/* resource tag below is required for EKS and Kubernetes to
discover and manage compute resources.
resource "aws_autoscaling_group" "demo" {
desired_capacity = 2
launch_configuration = "${aws_launch_configuration.demo.id}"
max_size = 2
min_size = 1
name = "terraform-eks-demo"
vpc_zone_identifier = ["${aws_subnet.demo.*.id}"]

tag {
key = "Name"
value = "terraform-eks-demo"
propagate_at_launch = true
}

tag {
key = "kubernetes.io/cluster/${var.cluster-name}"
value = "owned"
propagate_at_launch = true
}
}

NOTE: At this point, your Kubernetes cluster will have running masters and worker nodes, however, the worker nodes
will not be able to join the Kubernetes cluster quite yet. The next section has the required Kubernetes con guration to
enable the worker nodes to join the cluster.

Required Kubernetes Con guration to Join Worker Nodes

While managing Kubernetes cluster and client con gurations are beyond the scope of this guide, we provide an
example of how to apply the required Kubernetes ConfigMap (http://kubernetes.io/docs/user-guide/con gmap/) via
kubectl below for completeness. See also the Con guring kubectl for EKS section.

The EKS service does not provide a cluster-level API parameter or resource to automatically con gure the underlying
Kubernetes cluster to allow worker nodes to join the cluster via AWS IAM role authentication.

To output an example IAM Role authentication ConfigMap from your Terraform con guration:
locals {
config_map_aws_auth = <<CONFIGMAPAWSAUTH
<<

apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: ${aws_iam_role.demo-node.arn}
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
CONFIGMAPAWSAUTH
}

output "config_map_aws_auth" {
value = "${local.config_map_aws_auth}"
}

Run terraform output config_map_aws_auth and save the con guration into a le, e.g.
config_map_aws_auth.yaml

Run kubectl apply -f config_map_aws_auth.yaml

You can verify the worker nodes are joining the cluster via: kubectl get nodes --watch

At this point, you should be able to utilize Kubernetes as expected!

Destroy Sample Architecture in AWS

Assuming you have built the sample architecture in a separate con guration, simply use terraform destroy to tear down
all associated resources with this guide.
AWS IAM Policy Documents with Terraform
AWS leverages a standard JSON Identity and Access Management (IAM) policy document format across many services to
control authorization to resources and API actions. This guide is designed to highlight some recommended con guration
patterns with how Terraform and the AWS provider can build these policy documents.

The example policy documents and resources in this guide are for illustrative purposes only. Full documentation about the
IAM policy format and supported elements can be found in the AWS IAM User Guide
(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html).

NOTE: Some AWS services only allow a subset of the policy elements or policy variables. For more information, see the
AWS User Guide for the service you are con guring.

NOTE: IAM policy variables (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html), e.g.

${aws:username} , use the same con guration syntax ( ${...} ) as Terraform interpolation. When implementing IAM
policy documents with these IAM variables, you may receive syntax errors from Terraform. You can escape the dollar
character within your Terraform con gration to prevent the error, e.g. $${aws:username} .

Choosing a Con guration Method

Recommended Con guration Method Examples

aws_iam_policy_document Data Source

Multiple Line Heredoc Syntax

Other Con guration Method Examples

Single Line String Syntax

le() Interpolation Function

template_ le Data Source

Choosing a Con guration Method

Terraform o ers exibility when creating con gurations to match the architectural structure of teams and infrastructure. In
most situations, using native functionality within Terraform and its providers will be the simplest to understand, eliminating
context switching with other tooling, le sprawl, or di ering le formats. Con guration examples of the available methods
can be found later in the guide.

The recommended approach to building AWS IAM policy documents within Terraform is the highly customizable
aws_iam_policy_document data source. A short list of bene ts over other methods include:

Native Terraform con guration - no need to worry about JSON formatting or syntax

Policy layering - create policy documents that combine and/or overwrite other policy documents

Built-in policy error checking

Otherwise in simple cases, such as a statically de ned assume role policy for an IAM role
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html), Terraform's multiple line
heredoc syntax allows the easiest formatting without any indirection of a separate data source con guration or le.

Additional methods are available, such single line string syntax, the le() interpolation function, and the template_ le data
source, however their usage is discouraged due to their complexity.

Recommended Con guration Method Examples

These con guration methods are the simplest and most powerful within Terraform.

aws_iam_policy_document Data Source

For complete implementation information and examples, see the aws_iam_policy_document data source
documentation (/docs/providers/aws/d/iam_policy_document.html).

data "aws_iam_policy_document" "example" {

statement {
actions = ["*"]
resources = ["*"]
}
}

resource "aws_iam_policy" "example" {

policy = "${data.aws_iam_policy_document.example.json}"
}

Multiple Line Heredoc Syntax

Interpolation is available within the heredoc string if necessary.

For example:

resource "aws_iam_policy" "example" {

policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
}
POLICY
}
Other Con guration Method Examples
These other con guration methods are provided only for reference and not meant to be an authoritative source of
information.

Single Line String Syntax

Single line IAM policy documents can be constructed with regular string syntax. Interpolation is available within the string if
necessary. Since the double quotes within the IAM policy JSON con ict with Terraform's double quotes for declaring a string,
they need to be escaped ( \" ).

For example:

resource "aws_iam_policy" "example" {

policy = "{\"Version\": \"2012-10-17\", \"Statement\": {\"Effect\": \"Allow\", \"Action\": \"*\", \"Re

source\": \"*\"}}"
}

le() Interpolation Function

To decouple the IAM policy JSON from the Terraform con guration, Terraform has a built-in file() function
(https://www.terraform.io/docs/con guration/functions/ le.html), which can read the contents of a local le into the
con guration.

For example, creating a le called policy.json with the contents:

{
"Version":
"Version" "2012-10-17",
"Statement":
"Statement" {
"Effect":
"Effect" "Allow",
"Action":
"Action" "*",
"Resource":
"Resource" "*"
}
}

Those contents can be read into the Terraform con guration via:

resource "aws_iam_policy" "example" {

policy = "${file("policy.json
json")}"
}

template_ le Data Source

To enable interpolation in decoupled les, the template_file data source (/docs/providers/template/d/ le.html) is
available.

For example, creating a le called policy.json.tpl with the contents:

{
"Version":
"Version" "2012-10-17",
"Statement":
"Statement" {
"Effect":
"Effect" "Allow",
"Action":
"Action" "*",
"Resource":
"Resource" "${resource}"
}
}

Those contents can be read and interpolated into the Terraform con guration via:

data "template_file" "example" {

template = "${file("policy.json
json.tpl
tpl")}"

vars = {
resource = "${aws_vpc.example.arn}"
}
}

resource "aws_iam_policy" "example" {

policy = "${data.template_file.example.rendered}"
}
Serverless Applications with AWS Lambda and API
Gateway
Serverless computing is a cloud computing model in which a cloud provider automatically manages the provisioning and
allocation of compute resources. This contrasts with traditional cloud computing where the user is responsible for directly
managing virtual servers.

A popular approach to running "serverless" web applications is to implement the application functionality as one or more
functions in AWS Lambda (https://aws.amazon.com/lambda/) and then expose these for public consumption using Amazon
API Gateway (https://aws.amazon.com/api-gateway/).

This guide will show how to deploy such an architecture using Terraform. The guide assumes some basic familiarity with
Lambda and API Gateway but does not assume any pre-existing deployment. It also assumes that you are familiar with the
usual Terraform plan/apply work ow; if you're new to Terraform itself, refer rst to the Getting Started guide (/intro/getting-
started/install.html).

This is a slightly-opinionated guide, which chooses to ignore the built-in versioning and staged deployment mechanisms in
AWS Lambda and API Gateway. In many cases these features are not necessary when using Terraform because changes can
be tracked and deployed by keeping the Terraform con guration in a version-control repository. It also uses API Gateway in
a very simple way, proxying all requests to a single AWS Lambda function that is expected to contain its own request routing
logic.

As usual, there are other valid ways to use these services that make di erent tradeo s. We encourage readers to consult the
o cial documentation for the respective services for additional context and best-practices. This guide can still serve as an
introduction to the main resources associated with these services, even if you choose a di erent architecture.

For simplicity here we will assume you are already using a set of IAM credentials with suitable access to create Lambda
functions and work with API Gateway. If you aren't sure and are working in an AWS account used only for development, the
simplest approach to get started is to use credentials with full administrative access to the target AWS account.

In the following section we will manually emulate an automatic build process using the zip command line tool and the AWS
CLI (https://aws.amazon.com/cli/). The latter must also have access to your AWS credentials, and the easiest way to achieve
this is to provide them via environment variables so that they can be used by both the AWS CLI and Terraform.

Warning: Following this tutorial will create objects in your AWS account that will cost you money against your AWS bill.

Building the Lambda Function Package

AWS Lambda expects a function's implementation to be provided as an archive containing the function source code and any
other static les needed to execute the function.
Terraform is not a build tool, so the zip le must be prepared using a separate build process prior to deploying it with
Terraform. For a real application we recommend automating your build via a CI system, whose job is to run any necessary
build actions (library installation, compilation, etc), produce the deployment zip le as a build artifact, and then upload that
artifact into an Amazon S3 bucket from which it will be read for deployment.

For the sake of this tutorial we will perform these build steps manually and build a very simple AWS Lambda function. Start
by creating a new directory called example that will be used to create the archive, and place in it a single source le. We will
use the JavaScript runtime in this example, so our le is called main.js and will contain the following source code:

'use strict';

exports.handler = function (event, context, callback) {

var response = {
statusCode: 200,
headers: {
'Content-Type': 'text/html; charset=utf-8',
},
body: "Hello world!",
};
callback(null
null, response);
};

The above is the simplest possible Lambda function for use with API Gateway, returning a hard-coded "Hello world!"
response in the object structure that API Gateway expects.

From your command prompt, change to the directory containing that le and add it to a zip le in the parent directory:

$ cd example
$ zip ../example.zip main.js
adding: main.js (deflated 33%)
$ cd ..

In a real build and deploy scenario we would have an S3 bucket set aside for staging our archive and would use this to "hand
o " these artifacts between the build and deploy process. For the sake of this tutorial we will create a temporary S3 bucket
using the AWS CLI. S3 bucket names are globally unique, so you may need to change the --bucket= argument in the
following example and substitute your new bucket name throughout the rest of this tutorial.

$ aws s3api create-bucket --bucket=terraform-serverless-example --region=us-east-1

You can now upload your build artifact into this S3 bucket:

$ aws s3 cp example.zip s3://terraform-serverless-example/v1.0.0/example.zip

A version number is included in the object path to identify this build. Later we will demonstrate deploying a new version,
which will create another separate object.

Creating the Lambda Function

With the source code artifact built and uploaded to S3, we can now write our Terraform con guration to deploy it. In a new
directory, create a le named lambda.tf containing the following con guration:

provider "aws" {
region = "us-east-1"
}

resource "aws_lambda_function" "example" {

function_name = "ServerlessExample"

s3_bucket = "terraform-serverless-example"
s3_key = "v1.0.0/example.zip"

handler = "main.handler"
runtime = "nodejs8.10"

role = "${aws_iam_role.lambda_exec.arn}"
}

resource "aws_iam_role" "lambda_exec" {

name = "serverless_example_lambda"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}

Each Lambda function must have an associated IAM role which dictates what access it has to other AWS services. The above
con guration speci es a role with no access policy, e ectively giving the function no access to any AWS services, since our
example application requires no such access.

Before you can work with a new con guration directory, it must be initialized using terraform init , which in this case will
install the AWS provider:
$ terraform init

Initializing provider plugins...

- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (1.9.0)...

# ...

Terraform has been successfully initialized!

# ...

Now apply the con guration as usual:

$ terraform apply

# ....

aws_iam_role.lambda_exec: Creating...
arn: "" => "<computed>"
assume_role_policy: "" => "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Act
ion\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"lambda.amazonaws.com\"\n
},\n \"Effect\": \"Allow\",\n \"Sid\": \"\"\n }\n ]\n}\n"
create_date: "" => "<computed>"
force_detach_policies: "" => "false"
name: "" => "serverless_example_lambda"
path: "" => "/"
unique_id: "" => "<computed>"
aws_iam_role.lambda_exec: Creation complete after 1s (ID: serverless_example_lambda)
aws_lambda_function.example: Creating...
arn: "" => "<computed>"
function_name: "" => "ServerlessExample"
handler: "" => "main.handler"
invoke_arn: "" => "<computed>"
last_modified: "" => "<computed>"
memory_size: "" => "128"
publish: "" => "false"
qualified_arn: "" => "<computed>"
role: "" => "arn:aws:iam::123456:role/serverless_example_lambda"
runtime: "" => "nodejs8.10"
s3_bucket: "" => "terraform-serverless-example"
s3_key: "" => "v1.0.0/example.zip"
source_code_hash: "" => "<computed>"
timeout: "" => "3"
tracing_config.#: "" => "<computed>"
version: "" => "<computed>"
aws_lambda_function.example: Still creating... (10s elapsed)
aws_lambda_function.example: Creation complete after 11s (ID: ServerlessExample)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

After the function is created successfully, try invoking it using the AWS CLI:
$ aws lambda invoke --region=us-east-1 --function-name=ServerlessExample output.txt
{"StatusCode": 200}
$ cat output.txt
{
"statusCode":200,
"headers":{
"Content-Type":"text/html; charset=utf-8"
},
"body":"Hello world!"
}

With the function working as expected, the next step is to create the API Gateway REST API that will provide access to it.

Con guring API Gateway

API Gateway's name re ects its original purpose as a public-facing frontend for REST APIs, but it was later extended with
features that make it easy to expose an entire web application based on AWS Lambda. These later features will be used in
this tutorial. The term "REST API" is thus used loosely here, since API Gateway is serving as a generic HTTP frontend rather
than necessarily serving an API.

Create a new le api_gateway.tf in the same directory as our lambda.tf from the previous step. First, con gure the
root "REST API" object, as follows:

resource "aws_api_gateway_rest_api" "example" {

name = "ServerlessExample"
description = "Terraform Serverless Application Example"
}

The "REST API" is the container for all of the other API Gateway objects we will create.

All incoming requests to API Gateway must match with a con gured resource and method in order to be handled. Append
the following to the lambda.tf le to de ne a single proxy resource:

resource "aws_api_gateway_resource" "proxy" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
parent_id = "${aws_api_gateway_rest_api.example.root_resource_id}"
path_part = "{proxy+}"
}

resource "aws_api_gateway_method" "proxy" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
resource_id = "${aws_api_gateway_resource.proxy.id}"
http_method = "ANY"
authorization = "NONE"
}

The special path_part value "{proxy+}" activates proxy behavior, which means that this resource will match any request
path. Similarly, the aws_api_gateway_method block uses a http_method of "ANY" , which allows any request method to
be used. Taken together, this means that all incoming requests will match this resource.

Each method on an API gateway resource has an integration which speci es where incoming requests are routed. Add the
following con guration to specify that requests to this method should be sent to the Lambda function de ned earlier:

resource "aws_api_gateway_integration" "lambda" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
resource_id = "${aws_api_gateway_method.proxy.resource_id}"
http_method = "${aws_api_gateway_method.proxy.http_method}"

integration_http_method = "POST"
type = "AWS_PROXY"
uri = "${aws_lambda_function.example.invoke_arn}"
}

The AWS_PROXY integration type causes API gateway to call into the API of another AWS service. In this case, it will call the
AWS Lambda API to create an "invocation" of the Lambda function.

Unfortunately the proxy resource cannot match an empty path at the root of the API. To handle that, a similar con guration
must be applied to the root resource that is built in to the REST API object:

resource "aws_api_gateway_method" "proxy_root" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
resource_id = "${aws_api_gateway_rest_api.example.root_resource_id}"
http_method = "ANY"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "lambda_root" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
resource_id = "${aws_api_gateway_method.proxy_root.resource_id}"
http_method = "${aws_api_gateway_method.proxy_root.http_method}"

integration_http_method = "POST"
type = "AWS_PROXY"
uri = "${aws_lambda_function.example.invoke_arn}"
}

Finally, you need to create an API Gateway "deployment" in order to activate the con guration and expose the API at a URL
that can be used for testing:

resource "aws_api_gateway_deployment" "example" {

depends_on = [
"aws_api_gateway_integration.lambda",
"aws_api_gateway_integration.lambda_root",
]

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
stage_name = "test"
}

With all of the above con guration changes in place, run terraform apply again to create these new objects:
$ terraform apply

# ...

aws_api_gateway_rest_api.example: Creating...
created_date: "" => "<computed>"
description: "" => "Terraform Serverless Application Example"
name: "" => "ServerlessExample"
root_resource_id: "" => "<computed>"
aws_api_gateway_rest_api.example: Creation complete after 1s (ID: bkqhuuz8r8)

# ...etc, etc...

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

After the creation steps are complete, the new objects will be visible in the API Gateway console
(https://console.aws.amazon.com/apigateway/home?region=us-east-1).

The integration with the Lambda function is not functional yet because API Gateway does not have the necessary access to
invoke the function. The next step will address this, making the application fully-functional.

Allowing API Gateway to Access Lambda

By default any two AWS services have no access to one another, until access is explicitly granted. For Lambda functions,
access is granted using the aws_lambda_permission resource, which should be added to the lambda.tf le created in an
earlier step:

resource "aws_lambda_permission" "apigw" {

statement_id = "AllowAPIGatewayInvoke"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.example.function_name}"
principal = "apigateway.amazonaws.com"

source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/*"
}

In order to test the created API you will need to access its test URL. To make this easier to access, add the following output to
api_gateway.tf :

output "base_url" {
value = "${aws_api_gateway_deployment.example.invoke_url}"
}

Apply the latest changes with terraform apply :

$ terraform apply

# ...

aws_lambda_permission.apigw: Creating...
statement_id: "" => "AllowAPIGatewayInvoke"
action: "" => "lambda:InvokeFunction"
function_name: "" => "ServerlessExample"
# ...
aws_lambda_permission.apigw: Creation complete after 1s

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

Outputs:

base_url = https://bkqhuuz8r8.execute-api.us-east-1.amazonaws.com/test

Load the URL given in the output from your run in your favorite web browser. If everything has worked, you will see the text
"Hello world!". This message is being returned from the Lambda function code uploaded earlier, via the API Gateway
endpoint.

This is a good milestone! The rst version of the application is deployed and accessible. Next we will see how to deploy a
new version of the application.

A New Version of the Lambda Function

For any real application there will inevitably be changes to the application code over time, which must then be deployed to
AWS Lambda in place of the previous version.

Returning to the example directory containing the main.js from earlier, update the source code to change the message.
For example:

'use strict';

exports.handler = function (event, context, callback) {

var response = {
statusCode: 200,
headers: {
'Content-Type': 'text/html; charset=utf-8',
},
body: "Bonjour au monde!",
};
callback(null
null, response);
};

Update the zip le and upload a new version to the artifact S3 bucket:
$ cd example
$ zip ../example.zip main.js
updating: main.js (deflated 33%)
$ cd ..
$ aws s3 cp example.zip s3://terraform-serverless-example/v1.0.1/example.zip

Notice that a di erent version number was used in the S3 object path, so the previous archive is retained. In order to allow
easy switching between versions you can de ne a variable to allow the version number to be chosen dynamically. Add the
following to lambda.tf :

variable "app_version" {
}

Then locate the aws_lambda_function resource de ned earlier and change its s3_key argument to include the version
variable:

resource "aws_lambda_function" "example" {

function_name = "ServerlessExample"

s3_bucket = "terraform-serverless-example"
s3_key = "v${var.app_version}/example.zip"

The terraform apply command now requires a version number to be provided:

$ terraform apply -var="app_version=1.0.1"

# ...

Terraform will perform the following actions:

~ aws_lambda_function.example
s3_key: "v1.0.0/example.zip" => "v1.0.1/example.zip"

Plan: 0 to add, 1 to change, 0 to destroy.

# ...

After the change has been applied, visit again the test URL and you should see the updated greeting message.

Rolling Back to an Older Version

Sometimes new code doesn't work as expected and the simplest path is to return to the previous version. Because all of the
historical versions of the artifact are preserved on S3, the original version can be restored with a single command:
$ terraform apply -var="app_version=1.0.0"

After this apply completes, the test URL will return the original message again.

Conclusion
In this guide you created an AWS Lambda function that produces a result compatible with Amazon API Gateway proxy
resources and then con gured API Gateway.

Although the AWS Lambda function used in this guide is very simple, in more practical applications it is possible to use
helper libraries to map API Gateway proxy requests to standard HTTP application APIs in various languages, such as Python's
WSGI (https://pypi.python.org/pypi/aws-wsgi/0.0.6) or the NodeJS Express Framework (https://github.com/awslabs/aws-
serverless-express).

When combined with an automated build process running in a CI system, Terraform can help to deploy applications as AWS
Lambda functions, with suitable IAM policies to connect with other AWS services for persistent storage, access to secrets,
etc.

Cleaning Up
Once you are nished with this guide, you can destroy the example objects with Terraform. Since our con guration requires
a version number as an input variable, provide a placeholder value to destroy:

$ terraform destroy -var="app_version=0.0.0"

Since the artifact zip les and the S3 bucket itself were created outside of Terraform, they must also be cleaned up outside
of Terraform. This can be done via the S3 console (https://s3.console.aws.amazon.com/s3/home). Note that all of the objects
in the bucket must be deleted before the bucket itself can be deleted.

Further Reading
The following Terraform resource types are used in this tutorial:

aws_lambda_function (/docs/providers/aws/r/lambda_function.html)

aws_lambda_permission (/docs/providers/aws/r/lambda_permission.html)

aws_api_gateway_rest_api (/docs/providers/aws/r/api_gateway_rest_api.html)

aws_api_gateway_resource (/docs/providers/aws/r/api_gateway_resource.html)

aws_api_gateway_method (/docs/providers/aws/r/api_gateway_method.html)

aws_api_gateway_integration (/docs/providers/aws/r/api_gateway_integration.html)

aws_iam_role (/docs/providers/aws/r/iam_role.html)

The reference page for each resource type provides full details on all of its supported arguments and exported attributes.
Custom Domain Names and TLS Certi cates
For the sake of example, this guide uses the test URLs o ered by default by API Gateway. In practice, most applications will
be deployed at a custom hostname.

To use a custom domain name you must rst register that domain and con gure DNS hosting for it. You must also either
create an Amazon Certi cate Manager (https://aws.amazon.com/certi cate-manager/) certi cate or register a TLS certi cate
with a third-party certi cate authority.

Con guring the domain name is beyond the scope of this tutorial, but if you already have a hostname and TLS certi cate
you wish to use then you can register it with API Gateway using the aws_api_gateway_domain_name
(/docs/providers/aws/r/api_gateway_domain_name.html) resource type.

A registered domain name is then mapped to a particular "REST API" object using aws_api_gateway_base_path_mapping
(/docs/providers/aws/r/api_gateway_base_path_mapping.html). The con gured domain name then becomes an alias for a
particular deployment stage.

Making Changes to the API Gateway Con guration

This guide creates a very simple API Gateway Con guration with a single resource that passes through all requests to a
single destination. The upgrade steps then modify only the AWS Lambda function, leaving the API Gateway con guration
unchanged.

Due to API Gateway's staged deployment model, if you do need to make changes to the API Gateway con guration you must
explicitly request that it be re-deployed by "tainting" the deployment resource:

$ terraform taint aws_api_gateway_deployment.example

This command ags that this object must be re-created in the next Terraform plan, so a subsequent terraform apply will
then replace the deployment and thus activate the latest con guration changes.

Please note that this "re-deployment" will cause some downtime, since Terraform will need to delete the stage and
associated deployment before re-creating it. Downtime can be avoided by triggering the deployment action via the API
Gateway console, outside of Terraform. The approach covered in this guide intentionally minimizes the need to amend the
API Gateway con guration over time to mitigate this limitation. Better support for this work ow will be added to Terraform's
AWS provider in a future release.
Terraform AWS Provider Version 2 Upgrade Guide
Version 2.0.0 of the AWS provider for Terraform is a major release and includes some changes that you will need to consider
when upgrading. This guide is intended to help with that process and focuses only on changes from version 1.60.0 to version
2.0.0.

Most of the changes outlined in this guide have been previously marked as deprecated in the Terraform plan/apply output
throughout previous provider releases. These changes, such as deprecation notices, can always be found in the Terraform
AWS Provider CHANGELOG (https://github.com/terraform-providers/terraform-provider-aws/blob/master/CHANGELOG.md).

Upgrade topics:

Provider Version Con guration

Provider: Con guration

Data Source: aws_ami

Data Source: aws_ami_ids

Data Source: aws_iam_role

Data Source: aws_kms_secret

Data Source: aws_lambda_function

Data Source: aws_region

Resource: aws_api_gateway_api_key

Resource: aws_api_gateway_integration

Resource: aws_api_gateway_integration_response

Resource: aws_api_gateway_method

Resource: aws_api_gateway_method_response

Resource: aws_appautoscaling_policy

Resource: aws_autoscaling_policy

Resource: aws_batch_compute_environment

Resource: aws_cloudfront_distribution

Resource: aws_cognito_user_pool

Resource: aws_dx_lag

Resource: aws_ecs_service

Resource: aws_efs_ le_system

Resource: aws_elasticache_cluster

Resource: aws_iam_user_login_pro le

Resource: aws_instance
Resource: aws_lambda_function

Resource: aws_lambda_layer_version

Resource: aws_network_acl

Resource: aws_redshift_cluster

Resource: aws_route_table

Resource: aws_route53_record

Resource: aws_route53_zone

Resource: aws_wafregional_byte_match_set

Provider Version Con guration

Before upgrading to version 2.0.0 or later, it is recommended to upgrade to the most recent 1.X version of the provider
(version 1.60.0) and ensure that your environment successfully runs terraform plan
(https://www.terraform.io/docs/commands/plan.html) without unexpected changes or deprecation notices.

It is recommended to use version constraints when con guring Terraform providers

(https://www.terraform.io/docs/con guration/providers.html#provider-versions). If you are following that recommendation,
update the version constraints in your Terraform con guration and run terraform init
(https://www.terraform.io/docs/commands/init.html) to download the new version.

Update to latest 1.X version:

provider "aws" {

version = "~> 1.60"

}

Update to latest 2.X version:

provider "aws" {

version = "~> 2.0"

}

Provider: Con guration

skip_requesting_account_id Argument Now Required to Skip Account ID Lookup Errors

If the provider is unable to determine the AWS account ID from a provider assume role con guration or the STS
GetCallerIdentity call used to verify the credentials (if skip_credentials_validation = false ), it will attempt to lookup
the AWS account ID via EC2 metadata, IAM GetUser, IAM ListRoles, and STS GetCallerIdentity. Previously, the provider would
silently allow the failure of all the above methods.

The provider will now return an error to ensure operators understand the implications of the missing AWS account ID in the
provider.

If necessary, the AWS account ID lookup logic can be skipped via:

provider "aws" {

skip_requesting_account_id = true
}

Data Source: aws_ami

owners Argument Now Required

The owners argument is now required. Specifying owner-id or owner-alias under filter does not satisfy this
requirement.

Data Source: aws_ami_ids

owners Argument Now Required

The owners argument is now required. Specifying owner-id or owner-alias under filter does not satisfy this
requirement.

Data Source: aws_iam_role

assume_role_policy_document Attribute Removal

Switch your attribute references to the assume_role_policy attribute instead.

role_id Attribute Removal

Switch your attribute references to the unique_id attribute instead.

role_name Argument Removal

Switch your Terraform con guration to the name argument instead.

Data Source: aws_kms_secret

Data Source Removal and Migrating to aws_kms_secrets Data Source

The implementation of the aws_kms_secret data source, prior to Terraform AWS provider version 2.0.0, used dynamic
attribute behavior which is not supported with Terraform 0.12 and beyond (full details available in this GitHub issue
(https://github.com/terraform-providers/terraform-provider-aws/issues/5144)).

Terraform con guration migration steps:

Change the data source type from aws_kms_secret to aws_kms_secrets

Change any attribute reference (e.g. "${data.aws_kms_secret.example.ATTRIBUTE}" ) from .ATTRIBUTE to

.plaintext["ATTRIBUTE"]

As an example, lets take the below sample con guration and migrate it.

data "aws_kms_secret" "example" {

secret {

name = "master_password"
payload = "AQEC..."
}

secret {

name = "master_username"
payload = "AQEC..."
}
}

resource "aws_rds_cluster" "example" {

master_password = "${data.aws_kms_secret.example.master_password}"
master_username = "${data.aws_kms_secret.example.master_username}"
}

Notice that the aws_kms_secret data source previously was taking the two secret con guration block name arguments
and generating those as attribute names ( master_password and master_username in this case). To remove the
incompatible behavior, this updated version of the data source provides the decrypted value of each of those secret
con guration block name arguments within a map attribute named plaintext .

Updating the sample con guration from above:

data "aws_kms_secrets" "example" {
secret {

name = "master_password"
payload = "AQEC..."
}

secret {

name = "master_username"
payload = "AQEC..."
}
}

resource "aws_rds_cluster" "example" {

master_password = "${data.aws_kms_secrets.example.plaintext["master_password"]}"
master_username = "${data.aws_kms_secrets.example.plaintext["master_username"]}"
}

Data Source: aws_lambda_function

arn and quali ed_arn Attribute Behavior Changes

The arn attribute now always returns the unquali ed (no :QUALIFIER or :VERSION su x) Amazon Resource Name (ARN)
value and the qualified_arn attribute now always returns the quali ed (includes :QUALIFIER or :VERSION su x) ARN
value. Previously by default, the arn attribute included :$LATEST su x when not setting the optional qualifier
argument, which was not compatible with many other resources. To restore the previous default behavior, set the
qualifier argument to $LATEST and reference the qualified_arn attribute.

Data Source: aws_region

current Argument Removal

Simply remove current = true from your Terraform con guration. The data source defaults to the current provider
region if no other ltering is enabled.

Resource: aws_api_gateway_api_key

stage_key Argument Removal

Since the API Gateway usage plans feature was launched on August 11, 2016, usage plans are now required to associate an
API key with an API stage. To migrate your Terraform con guration, the AWS provider implements support for usage plans
with the following resources:

aws_api_gateway_usage_plan (/docs/providers/aws/r/api_gateway_usage_plan.html)

aws_api_gateway_usage_plan_key (/docs/providers/aws/r/api_gateway_usage_plan_key.html)

For example, given this previous con guration:

resource "aws_api_gateway_rest_api" "example" {

name = "example"
}

resource "aws_api_gateway_deployment" "example" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
stage_name = "example"
}

resource "aws_api_gateway_api_key" "example" {

name = "example"

stage_key {
rest_api_id = "${aws_api_gateway_rest_api.example.id}"
stage_name = "${aws_api_gateway_deployment.example.stage_name}"
}
}

An updated con guration:

resource "aws_api_gateway_rest_api" "example" {
name = "example"
}

resource "aws_api_gateway_deployment" "example" {

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
stage_name = "example"
}

resource "aws_api_gateway_api_key" "example" {

name = "example"
}

resource "aws_api_gateway_usage_plan" "example" {

name = "example"

api_stages {
api_id = "${aws_api_gateway_rest_api.example.id}"
stage = "${aws_api_gateway_deployment.example.stage_name}"
}
}

resource "aws_api_gateway_usage_plan_key" "example" {

key_id = "${aws_api_gateway_api_key.example.id}"
key_type = "API_KEY"
usage_plan_id = "${aws_api_gateway_usage_plan.example.id}"
}

Resource: aws_api_gateway_integration

request_parameters_in_json Argument Removal

Switch your Terraform con guration to the request_parameters argument instead.

For example, given this previous con guration:

resource "aws_api_gateway_integration" "example" {

request_parameters_in_json = <<PARAMS
<<
{
"integration.request.header.X-Authorization": "'static'"
}
PARAMS
}

An updated con guration:

resource "aws_api_gateway_integration" "example" {

request_parameters = {
"integration.request.header.X-Authorization" = "'static'"
}
}

Resource: aws_api_gateway_integration_response

response_parameters_in_json Argument Removal

Switch your Terraform con guration to the response_parameters argument instead.

For example, given this previous con guration:

resource "aws_api_gateway_integration_response" "example" {

response_parameters_in_json = <<PARAMS
<<
{
"method.response.header.Content-Type": "integration.response.body.type"
}
PARAMS
}

An updated con guration:

resource "aws_api_gateway_integration_response" "example" {

response_parameters = {
"method.response.header.Content-Type" = "integration.response.body.type"
}
}

Resource: aws_api_gateway_method

request_parameters_in_json Argument Removal

Switch your Terraform con guration to the request_parameters argument instead.

For example, given this previous con guration:

resource "aws_api_gateway_method" "example" {

request_parameters_in_json = <<PARAMS
<<
{
"method.request.header.Content-Type": false,
"method.request.querystring.page": true
}
PARAMS
}

An updated con guration:

resource "aws_api_gateway_method" "example" {

request_parameters = {
"method.request.header.Content-Type" = false
"method.request.querystring.page" = true
}
}

Resource: aws_api_gateway_method_response

response_parameters_in_json Argument Removal

Switch your Terraform con guration to the response_parameters argument instead.

For example, given this previous con guration:

resource "aws_api_gateway_method_response" "example" {

response_parameters_in_json = <<PARAMS
<<
{
"method.response.header.Content-Type": true
}
PARAMS
}

An updated con guration:

resource "aws_api_gateway_method_response" "example" {

response_parameters = {
"method.response.header.Content-Type" = true
}
}

Resource: aws_appautoscaling_policy

Argument Removals
The following arguments have been moved into a nested argument named step_scaling_policy_configuration :

adjustment_type

cooldown

metric_aggregation_type

min_adjustment_magnitude

step_adjustment

For example, given this previous con guration:

resource "aws_appautoscaling_policy" "example" {

adjustment_type = "ChangeInCapacity"
cooldown = 60
metric_aggregation_type = "Maximum"

step_adjustment {
metric_interval_upper_bound = 0
scaling_adjustment = -1
}
}

An updated con guration:

resource "aws_appautoscaling_policy" "example" {

step_scaling_policy_configuration {
adjustment_type = "ChangeInCapacity"
cooldown = 60
metric_aggregation_type = "Maximum"

step_adjustment {
metric_interval_upper_bound = 0
scaling_adjustment = -1
}
}
}

Resource: aws_autoscaling_policy

min_adjustment_step Argument Removal

Switch your Terraform con guration to the min_adjustment_magnitude argument instead.

For example, given this previous con guration:

resource "aws_autoscaling_policy" "example" {

min_adjustment_step = 2
}

An updated con guration:

resource "aws_autoscaling_policy" "example" {

min_adjustment_magnitude = 2
}

Resource: aws_batch_compute_environment

ecc_cluster_arn Attribute Removal

Switch your attribute references to the ecs_cluster_arn attribute instead.

Resource: aws_cloudfront_distribution
cache_behavior Argument Removal
Switch your Terraform con guration to the ordered_cache_behavior argument instead. It behaves similar to the previous
cache_behavior argument, however the ordering of the con gurations in Terraform is now re ected in the distribution
where previously it was indeterminate.

For example, given this previous con guration:

resource "aws_cloudfront_distribution" "example" {

cache_behavior {

}
}

An updated con guration:

resource "aws_cloudfront_distribution" "example" {

ordered_cache_behavior {

}
}

Resource: aws_cognito_user_pool

email_veri cation_subject Argument Now Con icts With

veri cation_message_template Con guration Block email_subject Argument
Choose one argument or the other. These arguments update the same underlying information in Cognito and the selection
is indeterminate if di ering values are provided.

email_veri cation_message Argument Now Con icts With

veri cation_message_template Con guration Block email_message Argument
Choose one argument or the other. These arguments update the same underlying information in Cognito and the selection
is indeterminate if di ering values are provided.

sms_veri cation_message Argument Now Con icts With

veri cation_message_template Con guration Block sms_message Argument
Choose one argument or the other. These arguments update the same underlying information in Cognito and the selection
is indeterminate if di ering values are provided.

Resource: aws_dx_lag

number_of_connections Argument Removal

Default connections have been removed as part of LAG creation. To migrate your Terraform con guration, the AWS provider
implements the following resources:

aws_dx_connection (/docs/providers/aws/r/dx_connection.html)

aws_dx_connection_association (/docs/providers/aws/r/dx_connection_association.html)

For example, given this previous con guration:

resource "aws_dx_lag" "example" {

name = "example"
connections_bandwidth = "1Gbps"
location = "EqSe2"
number_of_connections = 1
}

An updated con guration:

resource "aws_dx_connection" "example" {

name = "example"
bandwidth = "1Gbps"
location = "EqSe2"
}

resource "aws_dx_lag" "example" {

name = "example"
connections_bandwidth = "1Gbps"
location = "EqSe2"
}

resource "aws_dx_connection_association" "example" {

connection_id = "${aws_dx_connection.example.id}"
lag_id = "${aws_dx_lag.example.id}"
}
Resource: aws_ecs_service

placement_strategy Argument Removal

Switch your Terraform con guration to the ordered_placement_strategy argument instead. It behaves similar to the
previous placement_strategy argument, however the ordering of the con gurations in Terraform is now re ected in the
distribution where previously it was indeterminate.

For example, given this previous con guration:

resource "aws_ecs_service" "example" {

placement_strategy {

}
}

An updated con guration:

resource "aws_ecs_service" "example" {

ordered_placement_strategy {

}
}

Resource: aws_efs_ le_system

reference_name Argument Removal

Switch your Terraform con guration to the creation_token argument instead.

For example, given this previous con guration:

resource "aws_efs_file_system" "example" {

reference_name = "example"
}

An updated con guration:

resource "aws_efs_file_system" "example" {

creation_token = "example"
}

Resource: aws_elasticache_cluster

availability_zones Argument Removal

Switch your Terraform con guration to the preferred_availability_zones argument instead. The argument is still
optional and the API will continue to automatically choose Availability Zones for nodes if not speci ed. The new argument
will also continue to match the APIs required behavior that the length of the list must be the same as num_cache_nodes .

For example, given this previous con guration:

resource "aws_elasticache_cluster" "example" {

availability_zones = ["us-west-2a", "us-west-2b"]

}

An updated con guration:

resource "aws_elasticache_cluster" "example" {

preferred_availability_zones = ["us-west-2a", "us-west-2b"]

}

Resource: aws_iam_user_login_pro le

Import Now Required For Existing Infrastructure

When attempting to bring existing IAM User Login Pro les under Terraform management, terraform import is now
required. See the aws_iam_user_login_profile resource documentation
(https://www.terraform.io/docs/providers/aws/r/iam_user_login_pro le.html) for more information.

Resource: aws_instance

network_interface_id Attribute Removal

Switch your attribute references to the primary_network_interface_id attribute instead.

Resource: aws_lambda_function

reserved_concurrent_executions Argument Behavior Change

Setting reserved_concurrent_executions to 0 will now disable Lambda Function invocations, causing downtime for the
Lambda Function.

Previously reserved_concurrent_executions accepted 0 and below for unreserved concurrency, which means it was
not previously possible to disable invocations. The argument now di erentiates between a new value for unreserved
concurrency ( -1 ) and disabling Lambda invocations ( 0 ). If previously con guring this value to 0 for unreserved
concurrency, update the con gured value to -1 or the resource will disable Lambda Function invocations on update. If
previously uncon gured, the argument does not require any changes.

See the Lambda User Guide (https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html) for more

information about concurrency.

Resource: aws_lambda_layer_version

arn and layer_arn Attribute Value Swap

Switch your arn attribute references to the layer_arn attribute instead and vice-versa.

Resource: aws_network_acl

subnet_id Argument Removal

Switch your Terraform con guration to the subnet_ids argument instead.

For example, given this previous con guration:

resource "aws_network_acl" "example" {

subnet_id = "subnet-12345678"
}

An updated con guration:

resource "aws_network_acl" "example" {

subnet_ids = ["subnet-12345678"]
}

Resource: aws_redshift_cluster

Argument Removals
The following arguments have been moved into a nested argument named logging :

bucket_name

enable_logging (also renamed to just enable )

s3_key_prefix

For example, given this previous con guration:

resource "aws_redshift_cluster" "example" {

bucket_name = "example"
enable_logging = true
s3_key_prefix = "example"
}

An updated con guration:

resource "aws_redshift_cluster" "example" {

logging {
bucket_name = "example"
enable = true
s3_key_prefix = "example"
}
}
Resource: aws_route_table

Import Change
Previously, importing this resource resulted in an aws_route resource for each route, in addition to the aws_route_table ,
in the Terraform state. Support for importing aws_route resources has been added and importing this resource only adds
the aws_route_table resource, with in-line routes, to the state.

Resource: aws_route53_record

allow_overwrite Default Value Change

The resource now requires existing Route 53 Records to be imported into the Terraform state for management unless the
allow_overwrite argument is enabled.

For example, if the www.example.com Route 53 Record in the example.com Route 53 Hosted Zone existed previously and
this new Terraform con guration was introduced:

resource "aws_route53_record" "www" {

name = "www.example.com"
}

During resource creation in version 1.X and prior, it would silently perform an UPSERT changeset to the existing Route 53
Record and not report back an error. In version 2.0.0 of the Terraform AWS Provider, the resource now performs a CREATE
changeset, which will error for existing Route 53 Records.

The allow_overwrite argument provides a workaround to keep the old behavior, but most existing work ows should be
updated to perform a terraform import command like the following instead:

$ terraform import aws_route53_record.www ZONEID_www.example.com_TYPE

More information can be found in the aws_route53_record resource documentation

(https://www.terraform.io/docs/providers/aws/r/route53_record.html#import).

Resource: aws_route53_zone

vpc_id and vpc_region Argument Removal

Switch your Terraform con guration to vpc con guration block(s) instead.

For example, given this previous con guration:

resource "aws_route53_zone" "example" {

vpc_id = "..."
}

An updated con guration:

resource "aws_route53_zone" "example" {

vpc {
vpc_id = "..."
}
}

Resource: aws_wafregional_byte_match_set

byte_match_tuple Argument Removal

Switch your Terraform con guration to the byte_match_tuples argument instead.

For example, given this previous con guration:

resource "aws_wafregional_byte_match_set" "example" {

byte_match_tuple {

}
}

An updated con guration:

resource "aws_wafregional_byte_match_set" "example" {

byte_match_tuples {

}
}
Terraform AWS Provider Version 3 Upgrade Guide

NOTE: This upgrade guide is a work in progress and will not be completed until the release of version 3.0.0 of the
provider in the coming months. Many of the topics discussed, except for the actual provider upgrade, can be performed
using the most recent 2.X version of the provider.

Version 3.0.0 of the AWS provider for Terraform is a major release and includes some changes that you will need to consider
when upgrading. This guide is intended to help with that process and focuses only on changes from version 1.X to version
3.0.0.

Upgrade topics:

Provider Version Con guration

Resource: aws_emr_cluster

Provider Version Con guration

WARNING: This topic is placeholder documentation until version 3.0.0 is released in the coming months.

Before upgrading to version 3.0.0, it is recommended to upgrade to the most recent 2.X version of the provider and
ensure that your environment successfully runs terraform plan
(https://www.terraform.io/docs/commands/plan.html) without unexpected changes or deprecation notices.

It is recommended to use version constraints when con guring Terraform providers

For example, given this previous con guration:

provider "aws" {

version = "~> 2.8"

}

Update to latest 3.X version:

provider "aws" {

version = "~> 3.0"

}

Resource: aws_emr_cluster

core_instance_count Argument Removal

Switch your Terraform con guration to the core_instance_group con guration block instead.

For example, given this previous con guration:

resource "aws_emr_cluster" "example" {

core_instance_count = 2
}

An updated con guration:

resource "aws_emr_cluster" "example" {

core_instance_group {

instance_count = 2
}
}

core_instance_type Argument Removal

Switch your Terraform con guration to the core_instance_group con guration block instead.

For example, given this previous con guration:

resource "aws_emr_cluster" "example" {

core_instance_type = "m4.large"
}

An updated con guration:

resource "aws_emr_cluster" "example" {

core_instance_group {
instance_type = "m4.large"
}
}

instance_group Con guration Block Removal

Switch your Terraform con guration to the master_instance_group and core_instance_group con guration blocks
instead. For any task instance groups, use the aws_emr_instance_group resource.

For example, given this previous con guration:

resource "aws_emr_cluster" "example" {

instance_group {
instance_role = "MASTER"
instance_type = "m4.large"
}

instance_group {
instance_count = 1
instance_role = "CORE"
instance_type = "c4.large"
}

instance_group {
instance_count = 2
instance_role = "TASK"
instance_type = "c4.xlarge"
}
}

An updated con guration:

resource "aws_emr_cluster" "example" {

master_instance_group {
instance_type = "m4.large"
}

core_instance_group {
instance_count = 1
instance_type = "c4.large"
}
}

resource "aws_emr_instance_group" "example" {

cluster_id = "${aws_emr_cluster.example.id}"
instance_count = 2
instance_type = "c4.xlarge"
}

master_instance_type Argument Removal

Switch your Terraform con guration to the master_instance_group con guration block instead.

For example, given this previous con guration:

resource "aws_emr_cluster" "example" {

master_instance_type = "m4.large"
}

An updated con guration:

resource "aws_emr_cluster" "example" {

master_instance_group {
instance_type = "m4.large"
}
}
Resource: aws_acm_certi cate
The ACM certi cate resource allows requesting and management of certi cates from the Amazon Certi cate Manager.

It deals with requesting certi cates and managing their attributes and life-cycle. This resource does not deal with validation
of a certi cate but can provide inputs for other resources implementing the validation. It does not wait for a certi cate to be
issued. Use a aws_acm_certificate_validation (/docs/providers/aws/r/acm_certi cate_validation.html) resource for this.

Most commonly, this resource is used to together with aws_route53_record (/docs/providers/aws/r/route53_record.html)

and aws_acm_certificate_validation (/docs/providers/aws/r/acm_certi cate_validation.html) to request a DNS
validated certi cate, deploy the required validation records and wait for validation to complete.

Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside of Terraform.

It's recommended to specify create_before_destroy = true in a lifecycle (/docs/con guration/resources.html#lifecycle)

block to replace a certi cate which is currently in use (eg, by aws_lb_listener (/docs/providers/aws/r/lb_listener.html)).

Example Usage

Certi cate creation

resource "aws_acm_certificate" "cert" {

domain_name = "example.com"
validation_method = "DNS"

tags = {
Environment = "test"
}

lifecycle {
create_before_destroy = true
}
}

Importation of existing certi cate

resource "tls_private_key" "example" {
algorithm = "RSA"
}

resource "tls_self_signed_cert" "example" {

key_algorithm = "RSA"
private_key_pem = "${tls_private_key.example.private_key_pem}"

subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}

validity_period_hours = 12

allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
}

resource "aws_acm_certificate" "cert" {

private_key = "${tls_private_key.example.private_key_pem}"
certificate_body = "${tls_self_signed_cert.example.cert_pem}"
}

Argument Reference
The following arguments are supported:

Creating an amazon issued certi cate

domain_name - (Required) A domain name for which the certi cate should be issued

subject_alternative_names - (Optional) A list of domains that should be SANs in the issued certi cate

validation_method - (Required) Which method to use for validation. DNS or EMAIL are valid, NONE can be
used for certi cates that were imported into ACM and then into Terraform.

options - (Optional) Con guration block used to set certi cate options. Detailed below.

Importing an existing certi cate

private_key - (Required) The certi cate's PEM-formatted private key

certificate_body - (Required) The certi cate's PEM-formatted public key

certificate_chain - (Optional) The certi cate's PEM-formatted chain

Creating a private CA issued certi cate

domain_name - (Required) A domain name for which the certi cate should be issued

certificate_authority_arn - (Required) ARN of an ACMPCA

subject_alternative_names - (Optional) A list of domains that should be SANs in the issued certi cate
tags - (Optional) A mapping of tags to assign to the resource.

options Con guration Block

Supported nested arguments for the options con guration block:

certificate_transparency_logging_preference - (Optional) Speci es whether certi cate details should be added

to a certi cate transparency log. Valid values are ENABLED or DISABLED . See
https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency
(https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency) for more details.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ARN of the certi cate

arn - The ARN of the certi cate

domain_name - The domain name for which the certi cate is issued

domain_validation_options - A list of attributes to feed into other resources to complete certi cate validation. Can
have more than one element, e.g. if SANs are de ned. Only set if DNS -validation was used.

validation_emails - A list of addresses that received a validation E-Mail. Only set if EMAIL -validation was used.

Domain validation objects export the following attributes:

domain_name - The domain to be validated

resource_record_name - The name of the DNS record to create to validate the certi cate

resource_record_type - The type of DNS record to create

resource_record_value - The value the DNS record needs to have

Import
Certi cates can be imported using their ARN, e.g.

$ terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-16

3f-4b8f-b9cd-822f96c08d6a
Resource: aws_acm_certi cate_validation
This resource represents a successful validation of an ACM certi cate in concert with other resources.

Most commonly, this resource is used together with aws_route53_record (/docs/providers/aws/r/route53_record.html)

and aws_acm_certificate (/docs/providers/aws/r/acm_certi cate.html) to request a DNS validated certi cate, deploy the
required validation records and wait for validation to complete.

WARNING: This resource implements a part of the validation work ow. It does not represent a real-world entity in AWS,
therefore changing or deleting this resource on its own has no immediate e ect.

Example Usage

DNS Validation with Route 53

resource "aws_acm_certificate" "cert" {

domain_name = "example.com"
validation_method = "DNS"
}

data "aws_route53_zone" "zone" {

name = "example.com."
private_zone = false
}

resource "aws_route53_record" "cert_validation" {

name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
zone_id = "${data.aws_route53_zone.zone.id}"
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {

certificate_arn = "${aws_acm_certificate.cert.arn}"
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

resource "aws_lb_listener" "front_end" {

certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
}

Alternative Domains DNS Validation with Route 53

resource "aws_acm_certificate" "cert" {
domain_name = "example.com"
subject_alternative_names = ["www.example.com", "example.org"]
validation_method = "DNS"
}

data "aws_route53_zone" "zone" {

name = "example.com."
private_zone = false
}

data "aws_route53_zone" "zone_alt" {

name = "example.org."
private_zone = false
}

resource "aws_route53_record" "cert_validation" {

resource "aws_route53_record" "cert_validation_alt1" {

name = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_name}"
type = "${aws_acm_certificate.cert.domain_validation_options.1.resource_record_type}"
zone_id = "${data.aws_route53_zone.zone.id}"
records = ["${aws_acm_certificate.cert.domain_validation_options.1.resource_record_value}"]
ttl = 60
}

resource "aws_route53_record" "cert_validation_alt2" {

name = "${aws_acm_certificate.cert.domain_validation_options.2.resource_record_name}"
type = "${aws_acm_certificate.cert.domain_validation_options.2.resource_record_type}"
zone_id = "${data.aws_route53_zone.zone_alt.id}"
records = ["${aws_acm_certificate.cert.domain_validation_options.2.resource_record_value}"]
ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {

certificate_arn = "${aws_acm_certificate.cert.arn}"

validation_record_fqdns = [
"${aws_route53_record.cert_validation.fqdn}",
"${aws_route53_record.cert_validation_alt1.fqdn}",
"${aws_route53_record.cert_validation_alt2.fqdn}",
]
}

resource "aws_lb_listener" "front_end" {

certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
}
Email Validation
In this situation, the resource is simply a waiter for manual email approval of ACM certi cates.

resource "aws_acm_certificate" "cert" {

domain_name = "example.com"
validation_method = "EMAIL"
}

resource "aws_acm_certificate_validation" "cert" {

certificate_arn = "${aws_acm_certificate.cert.arn}"
}

Argument Reference
The following arguments are supported:

certificate_arn - (Required) The ARN of the certi cate that is being validated.

validation_record_fqdns - (Optional) List of FQDNs that implement the validation. Only valid for DNS validation
method ACM certi cates. If this is set, the resource can implement additional sanity checks and has an explicit
dependency on the resource that is implementing the validation

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The time at which the certi cate was issued

Timeouts
acm_certificate_validation provides the following Timeouts (/docs/con guration/resources.html#timeouts)
con guration options:

create - (Default 45m ) How long to wait for a certi cate to be issued.
Resource: aws_acmpca_certi cate_authority
Provides a resource to manage AWS Certi cate Manager Private Certi cate Authorities (ACM PCA Certi cate Authorities).

NOTE: Creating this resource will leave the certi cate authority in a PENDING_CERTIFICATE status, which means it
cannot yet issue certi cates. To complete this setup, you must fully sign the certi cate authority CSR available in the
certificate_signing_request attribute and import the signed certi cate outside of Terraform. Terraform can
support another resource to manage that work ow automatically in the future.

Example Usage

Basic

resource "aws_acmpca_certificate_authority" "example" {

certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"

subject {
common_name = "example.com"
}
}

permanent_deletion_time_in_days = 7
}

Enable Certi cate Revocation List

resource "aws_s3_bucket" "example" {
bucket = "example"
}

data "aws_iam_policy_document" "acmpca_bucket_access" {

statement {
actions = [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
]

resources = [
"${aws_s3_bucket.example.arn}",
"${aws_s3_bucket.example.arn}/*",
]

principals {
identifiers = ["acm-pca.amazonaws.com"]
type = "Service"
}
}
}

resource "aws_s3_bucket_policy" "example" {

bucket = "${aws_s3_bucket.example.id}"
policy = "${data.aws_iam_policy_document.acmpca_bucket_access.json}"
}

resource "aws_acmpca_certificate_authority" "example" {

certificate_authority_configuration {
key_algorithm = "RSA_4096"
signing_algorithm = "SHA512WITHRSA"

subject {
common_name = "example.com"
}
}

revocation_configuration {
crl_configuration {
custom_cname = "crl.example.com"
enabled = true
expiration_in_days = 7
s3_bucket_name = "${aws_s3_bucket.example.id}"
}
}

depends_on = ["aws_s3_bucket_policy.example"]
}

Argument Reference
The following arguments are supported:
certificate_authority_configuration - (Required) Nested argument containing algorithms and certi cate
subject information. De ned below.

enabled - (Optional) Whether the certi cate authority is enabled or disabled. Defaults to true .

revocation_configuration - (Optional) Nested argument containing revocation con guration. De ned below.

tags - (Optional) Speci es a key-value map of user-de ned tags that are attached to the certi cate authority.

type - (Optional) The type of the certi cate authority. Defaults to SUBORDINATE . Valid values: ROOT and
SUBORDINATE .

permanent_deletion_time_in_days - (Optional) The number of days to make a CA restorable after it has been
deleted, must be between 7 to 30 days, with default to 30 days.

certi cate_authority_con guration

key_algorithm - (Required) Type of the public key algorithm and size, in bits, of the key pair that your key pair
creates when it issues a certi cate. Valid values can be found in the ACM PCA Documentation
(https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Certi cateAuthorityCon guration.html).

signing_algorithm - (Required) Name of the algorithm your private CA uses to sign certi cate requests. Valid values
can be found in the ACM PCA Documentation (https://docs.aws.amazon.com/acm-
pca/latest/APIReference/API_Certi cateAuthorityCon guration.html).

subject - (Required) Nested argument that contains X.500 distinguished name information. At least one nested
attribute must be speci ed.

subject

Contains information about the certi cate subject. Identi es the entity that owns or controls the public key in the certi cate.
The entity can be a user, computer, device, or service.

common_name - (Optional) Fully quali ed domain name (FQDN) associated with the certi cate subject.

country - (Optional) Two digit code that speci es the country in which the certi cate subject located.

distinguished_name_qualifier - (Optional) Disambiguating information for the certi cate subject.

generation_qualifier - (Optional) Typically a quali er appended to the name of an individual. Examples include Jr.
for junior, Sr. for senior, and III for third.

given_name - (Optional) First name.

initials - (Optional) Concatenation that typically contains the rst letter of the given_name , the rst letter of the
middle name if one exists, and the rst letter of the surname .

locality - (Optional) The locality (such as a city or town) in which the certi cate subject is located.

organization - (Optional) Legal name of the organization with which the certi cate subject is a liated.

organizational_unit - (Optional) A subdivision or unit of the organization (such as sales or nance) with which the
certi cate subject is a liated.
pseudonym - (Optional) Typically a shortened version of a longer given_name . For example, Jonathan is often
shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.

state - (Optional) State in which the subject of the certi cate is located.

surname - (Optional) Family name. In the US and the UK for example, the surname of an individual is ordered last. In
Asian cultures the surname is typically ordered rst.

title - (Optional) A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certi cate
subject.

revocation_con guration
crl_configuration - (Optional) Nested argument containing con guration of the certi cate revocation list (CRL), if
any, maintained by the certi cate authority. De ned below.

crl_con guration

custom_cname - (Optional) Name inserted into the certi cate CRL Distribution Points extension that enables the use
of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.

enabled - (Optional) Boolean value that speci es whether certi cate revocation lists (CRLs) are enabled. Defaults to
false .

expiration_in_days - (Required) Number of days until a certi cate expires. Must be between 1 and 5000.

s3_bucket_name - (Optional) Name of the S3 bucket that contains the CRL. If you do not provide a value for the
custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the
issued certi cate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - Amazon Resource Name (ARN) of the certi cate authority.

arn - Amazon Resource Name (ARN) of the certi cate authority.

certificate - Base64-encoded certi cate authority (CA) certi cate. Only available after the certi cate authority
certi cate has been imported.

certificate_signing_request - The base64 PEM-encoded certi cate signing request (CSR) for your private CA
certi cate.

not_after - Date and time after which the certi cate authority is not valid. Only available after the certi cate
authority certi cate has been imported.

not_before - Date and time before which the certi cate authority is not valid. Only available after the certi cate
authority certi cate has been imported.

serial - Serial number of the certi cate authority. Only available after the certi cate authority certi cate has been
imported.

status - Status of the certi cate authority.

Timeouts
aws_acmpca_certificate_authority provides the following Timeouts (/docs/con guration/resources.html#timeouts)
con guration options:

create - (Default 1m ) How long to wait for a certi cate authority to be created.

Import
aws_acmpca_certificate_authority can be imported by using the certi cate authority Amazon Resource Name (ARN),
e.g.

$ terraform import aws_acmpca_certificate_authority.example arn:aws:acm-pca:us-east-1:123456789012:certif

icate-authority/12345678-1234-1234-1234-123456789012
Resource: aws_ami_copy
The "AMI copy" resource allows duplication of an Amazon Machine Image (AMI), including cross-region copies.

If the source AMI has associated EBS snapshots, those will also be duplicated along with the AMI.

This is useful for taking a single AMI provisioned in one region and making it available in another for a multi-region
deployment.

Copying an AMI can take several minutes. The creation of this resource will block until the new AMI is available for use on
new instances.

Example Usage

resource "aws_ami_copy" "example" {

name = "terraform-example"
description = "A copy of ami-xxxxxxxx"
source_ami_id = "ami-xxxxxxxx"
source_ami_region = "us-west-1"

tags = {
Name = "HelloWorld"
}
}

Argument Reference
The following arguments are supported:

name - (Required) A region-unique name for the AMI.

source_ami_id - (Required) The id of the AMI to copy. This id must be valid in the region given by
source_ami_region .

source_ami_region - (Required) The region from which the AMI will be copied. This may be the same as the AWS
provider region in order to create a copy within the same region.

encrypted - (Optional) Speci es whether the destination snapshots of the copied image should be encrypted.
Defaults to false

kms_key_id - (Optional) The full ARN of the KMS Key to use when encrypting the snapshots of an image during a copy
operation. If not speci ed, then the default AWS KMS Key will be used

tags - (Optional) A mapping of tags to assign to the resource.

This resource also exposes the full set of arguments from the aws_ami (/docs/providers/aws/r/ami.html) resource.

Timeouts
The timeouts block allows you to specify timeouts
(https://www.terraform.io/docs/con guration/resources.html#timeouts) for certain actions:

create - (Defaults to 40 mins) Used when creating the AMI

update - (Defaults to 40 mins) Used when updating the AMI

delete - (Defaults to 90 mins) Used when deregistering the AMI

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the created AMI.

This resource also exports a full set of attributes corresponding to the arguments of the aws_ami
(/docs/providers/aws/r/ami.html) resource, allowing the properties of the created AMI to be used elsewhere in the
con guration.
Resource: aws_ami_from_instance
The "AMI from instance" resource allows the creation of an Amazon Machine Image (AMI) modelled after an existing EBS-
backed EC2 instance.

The created AMI will refer to implicitly-created snapshots of the instance's EBS volumes and mimick its assigned block device
con guration at the time the resource is created.

This resource is best applied to an instance that is stopped when this instance is created, so that the contents of the created
image are predictable. When applied to an instance that is running, the instance will be stopped before taking the snapshots
and then started back up again, resulting in a period of downtime.

Note that the source instance is inspected only at the initial creation of this resource. Ongoing updates to the referenced
instance will not be propagated into the generated AMI. Users may taint or otherwise recreate the resource in order to
produce a fresh snapshot.

Example Usage

resource "aws_ami_from_instance" "example" {

name = "terraform-example"
source_instance_id = "i-xxxxxxxx"
}

Argument Reference
The following arguments are supported:

name - (Required) A region-unique name for the AMI.

source_instance_id - (Required) The id of the instance to use as the basis of the AMI.

snapshot_without_reboot - (Optional) Boolean that overrides the behavior of stopping the instance before
snapshotting. This is risky since it may cause a snapshot of an inconsistent lesystem state, but can be used to avoid
downtime if the user otherwise guarantees that no lesystem writes will be underway at the time of snapshot.

tags - (Optional) A mapping of tags to assign to the resource.

create - (Defaults to 40 mins) Used when creating the AMI

update - (Defaults to 40 mins) Used when updating the AMI

delete - (Defaults to 90 mins) Used when deregistering the AMI

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the created AMI.

This resource also exports a full set of attributes corresponding to the arguments of the aws_ami resource, allowing the
properties of the created AMI to be used elsewhere in the con guration.
Resource: aws_ami
The AMI resource allows the creation and management of a completely-custom Amazon Machine Image (AMI).

If you just want to duplicate an existing AMI, possibly copying it to another region, it's better to use aws_ami_copy instead.

If you just want to share an existing AMI with another AWS account, it's better to use aws_ami_launch_permission instead.

Example Usage

resource "aws_ami" "example" {

name = "terraform-example"
virtualization_type = "hvm"
root_device_name = "/dev/xvda"

ebs_block_device {
device_name = "/dev/xvda"
snapshot_id = "snap-xxxxxxxx"
volume_size = 8
}
}

Argument Reference
The following arguments are supported:

name - (Required) A region-unique name for the AMI.

description - (Optional) A longer, human-readable description for the AMI.

ena_support - (Optional) Speci es whether enhanced networking with ENA is enabled. Defaults to false .

root_device_name - (Optional) The name of the root device (for example, /dev/sda1 , or /dev/xvda ).

virtualization_type - (Optional) Keyword to choose what virtualization mode created instances will use. Can be
either "paravirtual" (the default) or "hvm". The choice of virtualization type changes the set of further arguments that
are required, as described below.

architecture - (Optional) Machine architecture for created instances. Defaults to "x86_64".

ebs_block_device - (Optional) Nested block describing an EBS block device that should be attached to created
instances. The structure of this block is described below.

ephemeral_block_device - (Optional) Nested block describing an ephemeral block device that should be attached to
created instances. The structure of this block is described below.

tags - (Optional) A mapping of tags to assign to the resource.

When virtualization_type is "paravirtual" the following additional arguments apply:

image_location - (Required) Path to an S3 object containing an image manifest, e.g. created by the ec2-upload-
bundle command in the EC2 command line tools.

kernel_id - (Required) The id of the kernel image (AKI) that will be used as the paravirtual kernel in created
instances.

ramdisk_id - (Optional) The id of an initrd image (ARI) that will be used when booting the created instances.

When virtualization_type is "hvm" the following additional arguments apply:

sriov_net_support - (Optional) When set to "simple" (the default), enables enhanced networking for created
instances. No other value is supported at this time.

Nested ebs_block_device blocks have the following structure:

device_name - (Required) The path at which the device is exposed to created instances.

delete_on_termination - (Optional) Boolean controlling whether the EBS volumes created to support each created
instance will be deleted once that instance is terminated.

encrypted - (Optional) Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with
snapshot_id .

iops - (Required only when volume_type is "io1") Number of I/O operations per second the created volumes will
support.

snapshot_id - (Optional) The id of an EBS snapshot that will be used to initialize the created EBS volumes. If set, the
volume_size attribute must be at least as large as the referenced snapshot.

volume_size - (Required unless snapshot_id is set) The size of created volumes in GiB. If snapshot_id is set and
volume_size is omitted then the volume will have the same size as the selected snapshot.

volume_type - (Optional) The type of EBS volume to create. Can be one of "standard" (the default), "io1" or "gp2".

kms_key_id - (Optional) The full ARN of the AWS Key Management Service (AWS KMS) CMK to use when encrypting
the snapshots of an image during a copy operation. This parameter is only required if you want to use a non-default
CMK; if this parameter is not speci ed, the default CMK for EBS is used

Note: You can specify encrypted or snapshot_id but not both.

Nested ephemeral_block_device blocks have the following structure:

device_name - (Required) The path at which the device is exposed to created instances.

virtual_name - (Required) A name for the ephemeral device, of the form "ephemeralN" where N is a volume number
starting from zero.

create - (Defaults to 40 mins) Used when creating the AMI

update - (Defaults to 40 mins) Used when updating the AMI

delete - (Defaults to 90 mins) Used when deregistering the AMI

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the created AMI.

root_snapshot_id - The Snapshot ID for the root volume (for EBS-backed AMIs)

Import
aws_ami can be imported using the ID of the AMI, e.g.

$ terraform import aws_ami.example ami-12345678

Resource: aws_ami_launch_permission
Adds launch permission to Amazon Machine Image (AMI) from another AWS account.

Example Usage

resource "aws_ami_launch_permission" "example" {

image_id = "ami-12345678"
account_id = "123456789012"
}

Argument Reference
The following arguments are supported:

image_id - (required) A region-unique name for the AMI.

account_id - (required) An AWS Account ID to add launch permissions.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - A combination of " image_id - account_id ".

Resource: aws_api_gateway_account
Provides a settings of an API Gateway Account. Settings is applied region-wide per provider block.

Note: As there is no API method for deleting account settings or resetting it to defaults, destroying this resource will
keep your account settings intact

Example Usage
resource "aws_api_gateway_account" "demo" {
cloudwatch_role_arn = "${aws_iam_role.cloudwatch.arn}"
}

resource "aws_iam_role" "cloudwatch" {

name = "api_gateway_cloudwatch_global"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}

resource "aws_iam_role_policy" "cloudwatch" {

name = "default"
role = "${aws_iam_role.cloudwatch.id}"

policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
}
]
}
EOF
}

Argument Reference
The following argument is supported:

cloudwatch_role_arn - (Optional) The ARN of an IAM role for CloudWatch (to allow logging & monitoring). See more
in AWS Docs (https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-stage-settings.html#how-to-
stage-settings-console). Logging & monitoring can be enabled/disabled and otherwise tuned on the API Gateway Stage
level.

Attribute Reference
The following attribute is exported:

throttle_settings - Account-Level throttle settings. See exported elds below.

throttle_settings block exports the following:

burst_limit - The absolute maximum number of times API Gateway allows the API to be called per second (RPS).

rate_limit - The number of times API Gateway allows the API to be called per second on average (RPS).

Import
API Gateway Accounts can be imported using the word api-gateway-account , e.g.

$ terraform import aws_api_gateway_account.demo api-gateway-account

Resource: aws_api_gateway_api_key
Provides an API Gateway API Key.

NOTE: Since the API Gateway usage plans feature was launched on August 11, 2016, usage plans are now required to
associate an API key with an API stage.

Example Usage

resource "aws_api_gateway_api_key" "MyDemoApiKey" {

name = "demo"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the API key

description - (Optional) The API key description. Defaults to "Managed by Terraform".

enabled - (Optional) Speci es whether the API key can be used by callers. Defaults to true .

value - (Optional) The value of the API key. If not speci ed, it will be automatically generated by AWS on creation.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the API key

created_date - The creation date of the API key

last_updated_date - The last update date of the API key

value - The value of the API key

Import
API Gateway Keys can be imported using the id , e.g.

$ terraform import aws_api_gateway_api_key.my_demo_key 8bklk8bl1k3sB38D9B3l0enyWT8c09B30lkq0blk

Resource: aws_api_gateway_authorizer
Provides an API Gateway Authorizer.

Example Usage

resource "aws_api_gateway_authorizer" "demo" {

name = "demo"
rest_api_id = "${aws_api_gateway_rest_api.demo.id}"
authorizer_uri = "${aws_lambda_function.authorizer.invoke_arn}"
authorizer_credentials = "${aws_iam_role.invocation_role.arn}"
}

resource "aws_api_gateway_rest_api" "demo" {

name = "auth-demo"
}

resource "aws_iam_role" "invocation_role" {

name = "api_gateway_auth_invocation"
path = "/"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}

resource "aws_iam_role_policy" "invocation_policy" {

name = "default"
role = "${aws_iam_role.invocation_role.id}"

policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": "${aws_lambda_function.authorizer.arn}"
}
]
}
EOF
}

resource "aws_iam_role" "lambda" {

name = "demo-lambda"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}

resource "aws_lambda_function" "authorizer" {

filename = "lambda-function.zip"
function_name = "api_gateway_authorizer"
role = "${aws_iam_role.lambda.arn}"
handler = "exports.example"

source_code_hash = "${filebase64sha256("lambda-
- function.zip
zip")}"
}

Argument Reference
The following arguments are supported:

authorizer_uri - (Optional, required for type TOKEN / REQUEST ) The authorizer's Uniform Resource Identi er (URI). This must be a well-formed
Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api} , e.g. arn:aws:apigateway:us-west-
2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations

name - (Required) The name of the authorizer

rest_api_id - (Required) The ID of the associated REST API

identity_source - (Optional) The source of the identity in an incoming request. Defaults to method.request.header.Authorization . For
REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g.
"method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"

type - (Optional) The type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a
custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user
pool. Defaults to TOKEN .

authorizer_credentials - (Optional) The credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the
IAM Role ARN.

authorizer_result_ttl_in_seconds - (Optional) The TTL of cached authorizer results in seconds. Defaults to 300 .

identity_validation_expression - (Optional) A validation expression for the incoming identity. For TOKEN type, this value should be a regular
expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't
match, the client receives a 401 Unauthorized response.

provider_arns - (Optional, required for type COGNITO_USER_POOLS ) A list of the Amazon Cognito user pool ARNs. Each element is of this
format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id} .
Resource: aws_api_gateway_base_path_mapping
Connects a custom domain name registered via aws_api_gateway_domain_name with a deployed API so that its methods
can be called via the custom domain name.

Example Usage

resource "aws_api_gateway_deployment" "example" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
stage_name = "live"
}

resource "aws_api_gateway_domain_name" "example" {

domain_name = "example.com"

certificate_name = "example-api"
certificate_body = "${file("${path.module
module}/
/ example.com
com/
/ example.crt
crt")}"
certificate_chain = "${file("${path.module
module}/
/ example.com
com/
/ ca.crt
crt")}"
certificate_private_key = "${file("${path.module
module}/
/ example.com
com/
/ example.key
key")}"
}

resource "aws_api_gateway_base_path_mapping" "test" {

api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
stage_name = "${aws_api_gateway_deployment.example.stage_name}"
domain_name = "${aws_api_gateway_domain_name.example.domain_name}"
}

Argument Reference
The following arguments are supported:

domain_name - (Required) The already-registered domain name to connect the API to.

api_id - (Required) The id of the API to connect.

stage_name - (Optional) The name of a speci c deployment stage to expose at the given path. If omitted, callers may
select any stage by including its name as a path element after the base path.

base_path - (Optional) Path segment that must be prepended to the path when accessing the API via this mapping. If
omitted, the API is exposed at the root of the given domain.

Import
aws_api_gateway_base_path_mapping can be imported by using the domain name and base path, e.g.

For empty base_path (e.g. root path ( / )):

$ terraform import aws_api_gateway_base_path_mapping.example example.com/

Otherwise:

$ terraform import aws_api_gateway_base_path_mapping.example example.com/base-path

Resource: aws_api_gateway_client_certi cate
Provides an API Gateway Client Certi cate.

Example Usage

resource "aws_api_gateway_client_certificate" "demo" {

description = "My client certificate"
}

Argument Reference
The following arguments are supported:

description - (Optional) The description of the client certi cate.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The identi er of the client certi cate.

created_date - The date when the client certi cate was created.

expiration_date - The date when the client certi cate will expire.

pem_encoded_certificate - The PEM-encoded public key of the client certi cate.

Import
API Gateway Client Certi cates can be imported using the id, e.g.

$ terraform import aws_api_gateway_client_certificate.demo ab1cqe

Resource: aws_api_gateway_deployment
Provides an API Gateway Deployment.

Note: Depends on having aws_api_gateway_integration inside your rest api (which in turn depends on
aws_api_gateway_method ). To avoid race conditions you might need to add an explicit depends_on =
["aws_api_gateway_integration.name"] .

Example Usage

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_resource" "MyDemoResource" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
parent_id = "${aws_api_gateway_rest_api.MyDemoAPI.root_resource_id}"
path_part = "test"
}

resource "aws_api_gateway_method" "MyDemoMethod" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "MyDemoIntegration" {

resource "aws_api_gateway_deployment" "MyDemoDeployment" {

depends_on = ["aws_api_gateway_integration.MyDemoIntegration"]

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
stage_name = "test"

variables = {
"answer" = "42"
}
}

Argument Reference
The following arguments are supported:
rest_api_id - (Required) The ID of the associated REST API

stage_name - (Optional) The name of the stage. If the speci ed stage already exists, it will be updated to point to the
new deployment. If the stage does not exist, a new one will be created and point to this deployment.

description - (Optional) The description of the deployment

stage_description - (Optional) The description of the stage

variables - (Optional) A map that de nes variables for the stage

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the deployment

invoke_url - The URL to invoke the API pointing to the stage, e.g. https://z4675bid1j.execute-api.eu-west-
2.amazonaws.com/prod

execution_arn - The execution ARN to be used in lambda_permission

(/docs/providers/aws/r/lambda_permission.html)'s source_arn when allowing API Gateway to invoke a Lambda
function, e.g. arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j/prod

created_date - The creation date of the deployment

Resource: aws_api_gateway_documentation_part
Provides a settings of an API Gateway Documentation Part.

Example Usage

resource "aws_api_gateway_documentation_part" "example" {

location {
type = "METHOD"
method = "GET"
path = "/example"
}

properties = "{\"description\":\"Example description\"}"

rest_api_id = "${aws_api_gateway_rest_api.example.id}"
}

resource "aws_api_gateway_rest_api" "example" {

name = "example_api"
}

Argument Reference
The following argument is supported:

location - (Required) The location of the targeted API entity of the to-be-created documentation part. See below.

properties - (Required) A content map of API-speci c key-value pairs describing the targeted API entity. The map
must be encoded as a JSON string, e.g., "{ \"description\": \"The API does ...\" }". Only Swagger-compliant key-value
pairs can be exported and, hence, published.

rest_api_id - (Required) The ID of the associated Rest API

Nested elds

location

See supported entity types for each eld in the o cial docs (https://docs.aws.amazon.com/apigateway/api-
reference/resource/documentation-part/).

method - (Optional) The HTTP verb of a method. The default value is * for any method.

name - (Optional) The name of the targeted API entity.

path - (Optional) The URL path of the target. The default value is / for the root resource.

status_code - (Optional) The HTTP status code of a response. The default value is * for any status code.
type - (Required) The type of API entity to which the documentation content applies. e.g. API , METHOD or
REQUEST_BODY

Attribute Reference
The following attribute is exported in addition to the arguments listed above:

id - The unique ID of the Documentation Part

Import
API Gateway documentation_parts can be imported using REST-API-ID/DOC-PART-ID , e.g.

$ terraform import aws_api_gateway_documentation_part.example 5i4e1ko720/3oyy3t

Resource: aws_api_gateway_documentation_version
Provides a resource to manage an API Gateway Documentation Version.

Example Usage

resource "aws_api_gateway_documentation_version" "example" {

version = "example_version"
rest_api_id = "${aws_api_gateway_rest_api.example.id}"
description = "Example description"
depends_on = ["aws_api_gateway_documentation_part.example"]
}

resource "aws_api_gateway_rest_api" "example" {

name = "example_api"
}

resource "aws_api_gateway_documentation_part" "example" {

location {
type = "API"
}

properties = "{\"description\":\"Example\"}"
rest_api_id = "${aws_api_gateway_rest_api.example.id}"
}

Argument Reference
The following argument is supported:

version - (Required) The version identi er of the API documentation snapshot.

rest_api_id - (Required) The ID of the associated Rest API

description - (Optional) The description of the API documentation version.

Attribute Reference
The arguments listed above are all exported as attributes.

Import
API Gateway documentation versions can be imported using REST-API-ID/VERSION , e.g.

$ terraform import aws_api_gateway_documentation_version.example 5i4e1ko720/example-version

Resource: aws_api_gateway_domain_name
Registers a custom domain name for use with AWS API Gateway. Additional information about this functionality can be
found in the API Gateway Developer Guide (https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-
custom-domains.html).

This resource just establishes ownership of and the TLS settings for a particular domain name. An API can be attached to a
particular path under the registered domain name using the aws_api_gateway_base_path_mapping resource
(/docs/providers/aws/r/api_gateway_base_path_mapping.html).

API Gateway domains can be de ned as either 'edge-optimized' or 'regional'. In an edge-optimized con guration, API
Gateway internally creates and manages a CloudFront distribution to route requests on the given hostname. In addition to
this resource it's necessary to create a DNS record corresponding to the given domain name which is an alias (either
Route53 alias or traditional CNAME) to the Cloudfront domain name exported in the cloudfront_domain_name attribute.

In a regional con guration, API Gateway does not create a CloudFront distribution to route requests to the API, though a
distribution can be created if needed. In either case, it is necessary to create a DNS record corresponding to the given
domain name which is an alias (either Route53 alias or traditional CNAME) to the regional domain name exported in the
regional_domain_name attribute.

Note: API Gateway requires the use of AWS Certi cate Manager (ACM) certi cates instead of Identity and Access
Management (IAM) certi cates in regions that support ACM. Regions that support ACM can be found in the Regions and
Endpoints Documentation (https://docs.aws.amazon.com/general/latest/gr/rande.html#acm_region). To import an
existing private key and certi cate into ACM or request an ACM certi cate, see the aws_acm_certificate resource
(/docs/providers/aws/r/acm_certi cate.html).

Note: All arguments including the private key will be stored in the raw state as plain-text. Read more about sensitive
data in state (/docs/state/sensitive-data.html).

Example Usage

Edge Optimized (ACM Certi cate)

resource "aws_api_gateway_domain_name" "example" {
certificate_arn = "${aws_acm_certificate_validation.example.certificate_arn}"
domain_name = "api.example.com"
}

resource "aws_route53_record" "example" {

name = "${aws_api_gateway_domain_name.example.domain_name}"
type = "A"
zone_id = "${aws_route53_zone.example.id}"

alias {
evaluate_target_health = true
name = "${aws_api_gateway_domain_name.example.cloudfront_domain_name}"
zone_id = "${aws_api_gateway_domain_name.example.cloudfront_zone_id}"
}
}

Edge Optimized (IAM Certi cate)

resource "aws_api_gateway_domain_name" "example" {

domain_name = "api.example.com"

resource "aws_route53_record" "example" {

zone_id = "${aws_route53_zone.example.id}"

name = "${aws_api_gateway_domain_name.example.domain_name}"
type = "A"

alias {
name = "${aws_api_gateway_domain_name.example.cloudfront_domain_name}"
zone_id = "${aws_api_gateway_domain_name.example.cloudfront_zone_id}"
evaluate_target_health = true
}
}

Regional (ACM Certi cate)

resource "aws_api_gateway_domain_name" "example" {
domain_name = "api.example.com"
regional_certificate_arn = "${aws_acm_certificate_validation.example.certificate_arn}"

endpoint_configuration {
types = ["REGIONAL"]
}
}

resource "aws_route53_record" "example" {

name = "${aws_api_gateway_domain_name.example.domain_name}"
type = "A"
zone_id = "${aws_route53_zone.example.id}"

alias {
evaluate_target_health = true
name = "${aws_api_gateway_domain_name.example.regional_domain_name}"
zone_id = "${aws_api_gateway_domain_name.example.regional_zone_id}"
}
}

Regional (IAM Certi cate)

resource "aws_api_gateway_domain_name" "example" {

certificate_body = "${file("${path.module
module}/
/ example.com
com/
/ example.crt
crt")}"
certificate_chain = "${file("${path.module
module}/
/ example.com
com/
/ ca.crt
crt")}"
certificate_private_key = "${file("${path.module
module}/
/ example.com
com/
/ example.key
key")}"
domain_name = "api.example.com"
regional_certificate_name = "example-api"

endpoint_configuration {
types = ["REGIONAL"]
}
}

resource "aws_route53_record" "example" {

name = "${aws_api_gateway_domain_name.example.domain_name}"
type = "A"
zone_id = "${aws_route53_zone.example.id}"

alias {
evaluate_target_health = true
name = "${aws_api_gateway_domain_name.example.regional_domain_name}"
zone_id = "${aws_api_gateway_domain_name.example.regional_zone_id}"
}
}
Argument Reference
The following arguments are supported:

domain_name - (Required) The fully-quali ed domain name to register

endpoint_configuration - (Optional) Con guration block de ning API endpoint information including type. De ned
below.

security_policy - (Optional) The Transport Layer Security (TLS) version + cipher suite for this DomainName. The
valid values are TLS_1_0 and TLS_1_2 . Must be con gured to perform drift detection.

When referencing an AWS-managed certi cate, the following arguments are supported:

certificate_arn - (Optional) The ARN for an AWS-managed certi cate. AWS Certi cate Manager is the only
supported source. Used when an edge-optimized domain name is desired. Con icts with certificate_name ,
certificate_body , certificate_chain , certificate_private_key , regional_certificate_arn , and
regional_certificate_name .

regional_certificate_arn - (Optional) The ARN for an AWS-managed certi cate. AWS Certi cate Manager is the
only supported source. Used when a regional domain name is desired. Con icts with certificate_arn ,
certificate_name , certificate_body , certificate_chain , and certificate_private_key .

When uploading a certi cate, the following arguments are supported:

certificate_name - (Optional) The unique name to use when registering this certi cate as an IAM server certi cate.
Con icts with certificate_arn , regional_certificate_arn , and regional_certificate_name . Required if
certificate_arn is not set.

certificate_body - (Optional) The certi cate issued for the domain name being registered, in PEM format. Only
valid for EDGE endpoint con guration type. Con icts with certificate_arn , regional_certificate_arn , and
regional_certificate_name .

certificate_chain - (Optional) The certi cate for the CA that issued the certi cate, along with any intermediate CA
certi cates required to create an unbroken chain to a certi cate trusted by the intended API clients. Only valid for
EDGE endpoint con guration type. Con icts with certificate_arn , regional_certificate_arn , and
regional_certificate_name .

certificate_private_key - (Optional) The private key associated with the domain certi cate given in
certificate_body . Only valid for EDGE endpoint con guration type. Con icts with certificate_arn ,
regional_certificate_arn , and regional_certificate_name .

regional_certificate_name - (Optional) The user-friendly name of the certi cate that will be used by regional
endpoint for this domain name. Con icts with certificate_arn , certificate_name , certificate_body ,
certificate_chain , and certificate_private_key .

endpoint_con guration
types - (Required) A list of endpoint types. This resource currently only supports managing a single value. Valid
values: EDGE or REGIONAL . If unspeci ed, defaults to EDGE . Must be declared as REGIONAL in non-Commercial
partitions. Refer to the documentation (https://docs.aws.amazon.com/apigateway/latest/developerguide/create-
regional-api.html) for more information on the di erence between edge-optimized and regional APIs.
Attributes Reference
In addition to the arguments, the following attributes are exported:

id - The internal id assigned to this domain name by API Gateway.

certificate_upload_date - The upload date associated with the domain certi cate.

cloudfront_domain_name - The hostname created by Cloudfront to represent the distribution that implements this
domain name mapping.

cloudfront_zone_id - For convenience, the hosted zone ID ( Z2FDTNDATAQYW2 ) that can be used to create a Route53
alias record for the distribution.

regional_domain_name - The hostname for the custom domain's regional endpoint.

regional_zone_id - The hosted zone ID that can be used to create a Route53 alias record for the regional endpoint.

Import
API Gateway domain names can be imported using their name , e.g.

$ terraform import aws_api_gateway_domain_name.example dev.example.com

Resource: aws_api_gateway_gateway_response
Provides an API Gateway Gateway Response for a REST API Gateway.

Example Usage

resource "aws_api_gateway_rest_api" "main" {

name = "MyDemoAPI"
}

resource "aws_api_gateway_gateway_response" "test" {

rest_api_id = "${aws_api_gateway_rest_api.main.id}"
status_code = "401"
response_type = "UNAUTHORIZED"

response_templates = {
"application/json" = "{'message':$context.error.messageString}"
}

response_parameters = {
"gatewayresponse.header.Authorization" = "'Basic'"
}
}

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The string identi er of the associated REST API.

response_type - (Required) The response type of the associated GatewayResponse.

status_code - (Optional) The HTTP status code of the Gateway Response.

response_templates - (Optional) A map specifying the templates used to transform the response body.

response_parameters - (Optional) A map specifying the parameters (paths, query strings and headers) of the
Gateway Response.

Import
aws_api_gateway_gateway_response can be imported using REST-API-ID/RESPONSE-TYPE , e.g.

$ terraform import aws_api_gateway_gateway_response.example 12345abcde/UNAUTHORIZED

Resource: aws_api_gateway_integration
Provides an HTTP Method Integration for an API Gateway Integration.

Example Usage

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_resource" "MyDemoResource" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
parent_id = "${aws_api_gateway_rest_api.MyDemoAPI.root_resource_id}"
path_part = "mydemoresource"
}

resource "aws_api_gateway_method" "MyDemoMethod" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "MyDemoIntegration" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "${aws_api_gateway_method.MyDemoMethod.http_method}"
type = "MOCK"
cache_key_parameters = ["method.request.path.param"]
cache_namespace = "foobar"
timeout_milliseconds = 29000

request_parameters = {
"integration.request.header.X-Authorization" = "'static'"
}

request_templates = {
"application/xml" = <<EOF
<<
{
"body" : $input.json('$')
}
EOF
}
}

Lambda integration

variable "myregion" {}
variable "myregion" {}

variable "accountId" {}

resource "aws_api_gateway_rest_api" "api" {

name = "myapi"
}

resource "aws_api_gateway_resource" "resource" {

path_part = "resource"
parent_id = "${aws_api_gateway_rest_api.api.root_resource_id}"
rest_api_id = "${aws_api_gateway_rest_api.api.id}"
}

resource "aws_api_gateway_method" "method" {

rest_api_id = "${aws_api_gateway_rest_api.api.id}"
resource_id = "${aws_api_gateway_resource.resource.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "integration" {

rest_api_id = "${aws_api_gateway_rest_api.api.id}"
resource_id = "${aws_api_gateway_resource.resource.id}"
http_method = "${aws_api_gateway_method.method.http_method}"
integration_http_method = "POST"
type = "AWS_PROXY"
uri = "${aws_lambda_function.lambda.invoke_arn}"
}

resource "aws_lambda_permission" "apigw_lambda" {

statement_id = "AllowExecutionFromAPIGateway"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.lambda.function_name}"
principal = "apigateway.amazonaws.com"

source_arn = "arn:aws:execute-api:${var.myregion}:${var.accountId}:${aws_api_gateway_rest_api.api.id}/*
/${aws_api_gateway_method.method.http_method}${aws_api_gateway_resource.resource.path}"
}

resource "aws_lambda_function" "lambda" {

filename = "lambda.zip"
function_name = "mylambda"
role = "${aws_iam_role.role.arn}"
handler = "lambda.lambda_handler"
runtime = "python2.7"

source_code_hash = "${filebase64sha256("lambda.zip
zip")}"
}

resource "aws_iam_role" "role" {

name = "myrole"
assume_role_policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
POLICY
}

VPC Link

variable "name" {}
variable "subnet_id" {}

resource "aws_lb" "test" {

name = "${var.name}"
internal = true
load_balancer_type = "network"
subnets = ["${var.subnet_id}"]
}

resource "aws_api_gateway_vpc_link" "test" {

name = "${var.name}"
target_arns = ["${aws_lb.test.arn}"]
}

resource "aws_api_gateway_rest_api" "test" {

name = "${var.name}"
}

resource "aws_api_gateway_resource" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
parent_id = "${aws_api_gateway_rest_api.test.root_resource_id}"
path_part = "test"
}

resource "aws_api_gateway_method" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
resource_id = "${aws_api_gateway_resource.test.id}"
http_method = "GET"
authorization = "NONE"

request_models = {
"application/json" = "Error"
}
}
resource "aws_api_gateway_integration" "test" {
rest_api_id = "${aws_api_gateway_rest_api.test.id}"
resource_id = "${aws_api_gateway_resource.test.id}"
http_method = "${aws_api_gateway_method.test.http_method}"

request_templates = {
"application/json" = ""
"application/xml" = "#set($inputRoot = $input.path('$'))\n{ }"
}

request_parameters = {
"integration.request.header.X-Authorization" = "'static'"
"integration.request.header.X-Foo" = "'Bar'"
}

type = "HTTP"
uri = "https://www.google.de"
integration_http_method = "GET"
passthrough_behavior = "WHEN_NO_MATCH"
content_handling = "CONVERT_TO_TEXT"

connection_type = "VPC_LINK"
connection_id = "${aws_api_gateway_vpc_link.test.id}"
}

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API.

resource_id - (Required) The API resource ID.

http_method - (Required) The HTTP method ( GET , POST , PUT , DELETE , HEAD , OPTION , ANY ) when calling the
associated resource.

integration_http_method - (Optional) The integration HTTP method ( GET , POST , PUT , DELETE , HEAD , OPTIONs ,
ANY , PATCH ) specifying how API Gateway will interact with the back end. Required if type is AWS , AWS_PROXY ,
HTTP or HTTP_PROXY . Not all methods are compatible with all AWS integrations. e.g. Lambda function can only be
invoked (https://github.com/awslabs/aws-apigateway-importer/issues/9#issuecomment-129651005) via POST .

type - (Required) The integration input's type (https://docs.aws.amazon.com/apigateway/api-

reference/resource/integration/). Valid values are HTTP (for HTTP backends), MOCK (not calling any real backend),
AWS (for AWS services), AWS_PROXY (for Lambda proxy integration) and HTTP_PROXY (for HTTP proxy integration). An
HTTP or HTTP_PROXY integration with a connection_type of VPC_LINK is referred to as a private integration and
uses a VpcLink to connect API Gateway to a network load balancer of a VPC.

connection_type - (Optional) The integration input's connectionType (https://docs.aws.amazon.com/apigateway/api-

reference/resource/integration/#connectionType). Valid values are INTERNET (default for connections through the
public routable internet), and VPC_LINK (for private connections between API Gateway and a network load balancer in
a VPC).

connection_id - (Optional) The id of the VpcLink used for the integration. Required if connection_type is
VPC_LINK

uri - (Optional) The input's URI. Required if type is AWS , AWS_PROXY , HTTP or HTTP_PROXY . For HTTP
integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 speci cation . For AWS
integrations, the URI should be of the form arn:aws:apigateway:{region}:{subdomain.service|service}:
{path|action}/{service_api} . region , subdomain and service are used to determine the right endpoint. e.g.
arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-
1:012345678901:function:my-func/invocations

credentials - (Optional) The credentials required for the integration. For AWS integrations, 2 options are available.
To specify an IAM Role for Amazon API Gateway to assume, use the role's ARN. To require that the caller's identity be
passed through from the request, specify the string arn:aws:iam::\*:user/\* .

request_templates - (Optional) A map of the integration's request templates.

request_parameters - (Optional) A map of request query string parameters and headers that should be passed to
the backend responder. For example: request_parameters = { "integration.request.header.X-Some-Other-
Header" = "method.request.header.X-Some-Header" }

passthrough_behavior - (Optional) The integration passthrough behavior ( WHEN_NO_MATCH , WHEN_NO_TEMPLATES ,

NEVER ). Required if request_templates is used.

cache_key_parameters - (Optional) A list of cache key parameters for the integration.

cache_namespace - (Optional) The integration's cache namespace.

content_handling - (Optional) Speci es how to handle request payload content type conversions. Supported values
are CONVERT_TO_BINARY and CONVERT_TO_TEXT . If this property is not de ned, the request payload will be passed
through from the method request to integration request without modi cation, provided that the
passthroughBehaviors is con gured to support payload pass-through.

timeout_milliseconds - (Optional) Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000
milliseconds.

Import
aws_api_gateway_integration can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD , e.g.

$ terraform import aws_api_gateway_integration.example 12345abcde/67890fghij/GET

Resource: aws_api_gateway_integration_response
Provides an HTTP Method Integration Response for an API Gateway Resource.

Note: Depends on having aws_api_gateway_integration inside your rest api. To ensure this you might need to add
an explicit depends_on for clean runs.

Example Usage
resource "aws_api_gateway_rest_api" "MyDemoAPI" {
name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_resource" "MyDemoResource" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
parent_id = "${aws_api_gateway_rest_api.MyDemoAPI.root_resource_id}"
path_part = "mydemoresource"
}

resource "aws_api_gateway_method" "MyDemoMethod" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "MyDemoIntegration" {

resource "aws_api_gateway_method_response" "response_200" {

resource "aws_api_gateway_integration_response" "MyDemoIntegrationResponse" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "${aws_api_gateway_method.MyDemoMethod.http_method}"
status_code = "${aws_api_gateway_method_response.response_200.status_code}"

response_templates {
"application/xml" = <<EOF
<<
#set($inputRoot = $input.path('$'))
<?xml version="1.0" encoding="UTF-8"?>
<message>
$inputRoot.body
</message>
EOF
}
}

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API

resource_id - (Required) The API resource ID

http_method - (Required) The HTTP method ( GET , POST , PUT , DELETE , HEAD , OPTIONS , ANY )

status_code - (Required) The HTTP status code

selection_pattern - (Optional) Speci es the regular expression pattern used to choose an integration response
based on the response from the backend. Setting this to - makes the integration the default one. If the backend is an
AWS Lambda function, the AWS Lambda function error header is matched. For all other HTTP and AWS backends, the
HTTP status code is matched.

response_templates - (Optional) A map specifying the templates used to transform the integration response body

response_parameters - (Optional) A map of response parameters that can be read from the backend response. For
example: response_parameters = { "method.response.header.X-Some-Header" =
"integration.response.header.X-Some-Other-Header" }

content_handling - (Optional) Speci es how to handle request payload content type conversions. Supported values
are CONVERT_TO_BINARY and CONVERT_TO_TEXT . If this property is not de ned, the response payload will be passed
through from the integration response to the method response without modi cation.

Import
aws_api_gateway_integration_response can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD/STATUS-
CODE , e.g.

$ terraform import aws_api_gateway_integration_response.example 12345abcde/67890fghij/GET/200

Resource: aws_api_gateway_method
Provides a HTTP Method for an API Gateway Resource.

Example Usage

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_resource" "MyDemoResource" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
parent_id = "${aws_api_gateway_rest_api.MyDemoAPI.root_resource_id}"
path_part = "mydemoresource"
}

resource "aws_api_gateway_method" "MyDemoMethod" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "GET"
authorization = "NONE"
}

Usage with Cognito User Pool Authorizer

variable "cognito_user_pool_name" {}

data "aws_cognito_user_pools" "this" {

name = "${var.cognito_user_pool_name}"
}

resource "aws_api_gateway_rest_api" "this" {

name = "with-authorizer"
}

resource "aws_api_gateway_resource" "this" {

rest_api_id = "${aws_api_gateway_rest_api.this.id}"
parent_id = "${aws_api_gateway_rest_api.this.root_resource_id}"
path_part = "{proxy+}"
}

resource "aws_api_gateway_authorizer" "this" {

name = "CognitoUserPoolAuthorizer"
type = "COGNITO_USER_POOLS"
rest_api_id = "${aws_api_gateway_rest_api.this.id}"
provider_arns = ["${data.aws_cognito_user_pools.this.arns}"]
}

resource "aws_api_gateway_method" "any" {

rest_api_id = "${aws_api_gateway_rest_api.this.id}"
resource_id = "${aws_api_gateway_resource.this.id}"
http_method = "ANY"
authorization = "COGNITO_USER_POOLS"
authorizer_id = "${aws_api_gateway_authorizer.this.id}"

request_parameters = {
"method.request.path.proxy" = true
}
}

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API

resource_id - (Required) The API resource ID

http_method - (Required) The HTTP Method ( GET , POST , PUT , DELETE , HEAD , OPTIONS , ANY )

authorization - (Required) The type of authorization used for the method ( NONE , CUSTOM , AWS_IAM ,
COGNITO_USER_POOLS )

authorizer_id - (Optional) The authorizer id to be used when the authorization is CUSTOM or COGNITO_USER_POOLS

authorization_scopes - (Optional) The authorization scopes used when the authorization is COGNITO_USER_POOLS

api_key_required - (Optional) Specify if the method requires an API key

request_models - (Optional) A map of the API models used for the request's content type where key is the content
type (e.g. application/json ) and value is either Error , Empty (built-in models) or aws_api_gateway_model 's
name .

request_validator_id - (Optional) The ID of a aws_api_gateway_request_validator

request_parameters - (Optional) A map of request parameters (from the path, query string and headers) that should
be passed to the integration. The boolean value indicates whether the parameter is required ( true ) or optional
( false ). For example: request_parameters = {"method.request.header.X-Some-Header" = true
"method.request.querystring.some-query-param" = true} would de ne that the header X-Some-Header and
the query string some-query-param must be provided in the request.

Import
aws_api_gateway_method can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD , e.g.

$ terraform import aws_api_gateway_method.example 12345abcde/67890fghij/GET

Resource: aws_api_gateway_method_response
Provides an HTTP Method Response for an API Gateway Resource.

Example Usage

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_resource" "MyDemoResource" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
parent_id = "${aws_api_gateway_rest_api.MyDemoAPI.root_resource_id}"
path_part = "mydemoresource"
}

resource "aws_api_gateway_method" "MyDemoMethod" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
resource_id = "${aws_api_gateway_resource.MyDemoResource.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "MyDemoIntegration" {

resource "aws_api_gateway_method_response" "response_200" {

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API

resource_id - (Required) The API resource ID

http_method - (Required) The HTTP Method ( GET , POST , PUT , DELETE , HEAD , OPTIONS , ANY )

status_code - (Required) The HTTP status code

response_models - (Optional) A map of the API models used for the response's content type
response_parameters - (Optional) A map of response parameters that can be sent to the caller. For example:
response_parameters = { "method.response.header.X-Some-Header" = true } would de ne that the header
X-Some-Header can be provided on the response.

Import
aws_api_gateway_method_response can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD/STATUS-CODE , e.g.

$ terraform import aws_api_gateway_method_response.example 12345abcde/67890fghij/GET/200

Resource: aws_api_gateway_method_settings
Provides an API Gateway Method Settings, e.g. logging or monitoring.

Example Usage
resource "aws_api_gateway_method_settings" "s" {
rest_api_id = "${aws_api_gateway_rest_api.test.id}"
stage_name = "${aws_api_gateway_stage.test.stage_name}"
method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}"

settings {
metrics_enabled = true
logging_level = "INFO"
}
}

resource "aws_api_gateway_rest_api" "test" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_deployment" "test" {

depends_on = ["aws_api_gateway_integration.test"]
rest_api_id = "${aws_api_gateway_rest_api.test.id}"
stage_name = "dev"
}

resource "aws_api_gateway_stage" "test" {

stage_name = "prod"
rest_api_id = "${aws_api_gateway_rest_api.test.id}"
deployment_id = "${aws_api_gateway_deployment.test.id}"
}

resource "aws_api_gateway_resource" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
parent_id = "${aws_api_gateway_rest_api.test.root_resource_id}"
path_part = "mytestresource"
}

resource "aws_api_gateway_method" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
resource_id = "${aws_api_gateway_resource.test.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_integration" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
resource_id = "${aws_api_gateway_resource.test.id}"
http_method = "${aws_api_gateway_method.test.http_method}"
type = "MOCK"

request_templates = {
"application/xml" = <<EOF
<<
{
"body" : $input.json('$')
}
EOF
}
}
Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the REST API

stage_name - (Required) The name of the stage

method_path - (Required) Method path de ned as {resource_path}/{http_method} for an individual method

override, or */* for overriding all methods in the stage.

settings - (Required) The settings block, see below.

settings

metrics_enabled - (Optional) Speci es whether Amazon CloudWatch metrics are enabled for this method.

logging_level - (Optional) Speci es the logging level for this method, which e ects the log entries pushed to
Amazon CloudWatch Logs. The available levels are OFF , ERROR , and INFO .

data_trace_enabled - (Optional) Speci es whether data trace logging is enabled for this method, which e ects the
log entries pushed to Amazon CloudWatch Logs.

throttling_burst_limit - (Optional) Speci es the throttling burst limit.

throttling_rate_limit - (Optional) Speci es the throttling rate limit.

caching_enabled - (Optional) Speci es whether responses should be cached and returned for requests. A cache
cluster must be enabled on the stage for responses to be cached.

cache_ttl_in_seconds - (Optional) Speci es the time to live (TTL), in seconds, for cached responses. The higher the
TTL, the longer the response will be cached.

cache_data_encrypted - (Optional) Speci es whether the cached responses are encrypted.

require_authorization_for_cache_control - (Optional) Speci es whether authorization is required for a cache

invalidation request.

unauthorized_cache_control_header_strategy - (Optional) Speci es how to handle unauthorized requests for

cache invalidation. The available values are FAIL_WITH_403 , SUCCEED_WITH_RESPONSE_HEADER ,
SUCCEED_WITHOUT_RESPONSE_HEADER .
Resource: aws_api_gateway_model
Provides a Model for a API Gateway.

Example Usage

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_model" "MyDemoModel" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
name = "user"
description = "a JSON schema"
content_type = "application/json"

schema = <<EOF
<<
{
"type": "object"
}
EOF
}

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API

name - (Required) The name of the model

description - (Optional) The description of the model

content_type - (Required) The content type of the model

schema - (Required) The schema of the model in a JSON form

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the model

Import
aws_api_gateway_model can be imported using REST-API-ID/NAME , e.g.
$ terraform import aws_api_gateway_model.example 12345abcde/example
Resource: aws_api_gateway_request_validator
Manages an API Gateway Request Validator.

Example Usage

resource "aws_api_gateway_request_validator" "example" {

name = "example"
rest_api_id = "${aws_api_gateway_rest_api.example.id}"
validate_request_body = true
validate_request_parameters = true
}

Argument Reference
The following argument is supported:

name - (Required) The name of the request validator

rest_api_id - (Required) The ID of the associated Rest API

validate_request_body - (Optional) Boolean whether to validate request body. Defaults to false .

validate_request_parameters - (Optional) Boolean whether to validate request parameters. Defaults to false .

Attribute Reference
The following attribute is exported in addition to the arguments listed above:

id - The unique ID of the request validator

Import
aws_api_gateway_request_validator can be imported using REST-API-ID/REQUEST-VALIDATOR-ID , e.g.

$ terraform import aws_api_gateway_request_validator.example 12345abcde/67890fghij

Resource: aws_api_gateway_resource
Provides an API Gateway Resource.

Example Usage

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_resource" "MyDemoResource" {

rest_api_id = "${aws_api_gateway_rest_api.MyDemoAPI.id}"
parent_id = "${aws_api_gateway_rest_api.MyDemoAPI.root_resource_id}"
path_part = "mydemoresource"
}

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API

parent_id - (Required) The ID of the parent API resource

path_part - (Required) The last path segment of this API resource.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The resource's identi er.

path - The complete path for this API resource, including all parent paths.

Import
aws_api_gateway_resource can be imported using REST-API-ID/RESOURCE-ID , e.g.

$ terraform import aws_api_gateway_resource.example 12345abcde/67890fghij

Resource: aws_api_gateway_rest_api
Provides an API Gateway REST API.

Example Usage

Basic

resource "aws_api_gateway_rest_api" "MyDemoAPI" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

Regional Endpoint Type

resource "aws_api_gateway_rest_api" "example" {

name = "regional-example"

endpoint_configuration {
types = ["REGIONAL"]
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the REST API

description - (Optional) The description of the REST API

endpoint_configuration - (Optional) Nested argument de ning API endpoint con guration including endpoint type.
De ned below.

binary_media_types - (Optional) The list of binary media types supported by the RestApi. By default, the RestApi
supports only UTF-8-encoded text payloads.

minimum_compression_size - (Optional) Minimum response size to compress for the REST API. Integer between -1
and 10485760 (10MB). Setting a value greater than -1 will enable compression, -1 disables compression (default).

body - (Optional) An OpenAPI speci cation that de nes the set of routes and integrations to create as part of the
REST API.

policy - (Optional) JSON formatted policy document that controls access to the API Gateway. For more information
about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide
(/docs/providers/aws/guides/iam-policy-documents.html)

api_key_source - (Optional) The source of the API key for requests. Valid values are HEADER (default) and
AUTHORIZER.

Note: If the body argument is provided, the OpenAPI speci cation will be used to con gure the resources, methods and
integrations for the Rest API. If this argument is provided, the following resources should not be managed as separate ones,
as updates may cause manual resource updates to be overwritten:

aws_api_gateway_resource

aws_api_gateway_method

aws_api_gateway_method_response

aws_api_gateway_method_settings

aws_api_gateway_integration

aws_api_gateway_integration_response

aws_api_gateway_gateway_response

aws_api_gateway_model

endpoint_con guration
types - (Required) A list of endpoint types. This resource currently only supports managing a single value. Valid
values: EDGE , REGIONAL or PRIVATE . If unspeci ed, defaults to EDGE . Must be declared as REGIONAL in non-
Commercial partitions. Refer to the documentation
(https://docs.aws.amazon.com/apigateway/latest/developerguide/create-regional-api.html) for more information on
the di erence between edge-optimized and regional APIs.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the REST API

root_resource_id - The resource ID of the REST API's root

created_date - The creation date of the REST API

execution_arn - The execution ARN part to be used in lambda_permission

(/docs/providers/aws/r/lambda_permission.html)'s source_arn when allowing API Gateway to invoke a Lambda
function, e.g. arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j , which can be concatenated with
allowed stage, method and resource path.

Import
aws_api_gateway_rest_api can be imported by using the REST API ID, e.g.
$ terraform import aws_api_gateway_rest_api.example 12345abcde

NOTE: Resource import does not currently support the body attribute.
Resource: aws_api_gateway_stage
Provides an API Gateway Stage.

Example Usage

resource "aws_api_gateway_stage" "test" {

stage_name = "prod"
rest_api_id = "${aws_api_gateway_rest_api.test.id}"
deployment_id = "${aws_api_gateway_deployment.test.id}"
}

resource "aws_api_gateway_rest_api" "test" {

name = "MyDemoAPI"
description = "This is my API for demonstration purposes"
}

resource "aws_api_gateway_deployment" "test" {

depends_on = ["aws_api_gateway_integration.test"]
rest_api_id = "${aws_api_gateway_rest_api.test.id}"
stage_name = "dev"
}

resource "aws_api_gateway_resource" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
parent_id = "${aws_api_gateway_rest_api.test.root_resource_id}"
path_part = "mytestresource"
}

resource "aws_api_gateway_method" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
resource_id = "${aws_api_gateway_resource.test.id}"
http_method = "GET"
authorization = "NONE"
}

resource "aws_api_gateway_method_settings" "s" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
stage_name = "${aws_api_gateway_stage.test.stage_name}"
method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}"

settings {
metrics_enabled = true
logging_level = "INFO"
}
}

resource "aws_api_gateway_integration" "test" {

rest_api_id = "${aws_api_gateway_rest_api.test.id}"
resource_id = "${aws_api_gateway_resource.test.id}"
http_method = "${aws_api_gateway_method.test.http_method}"
type = "MOCK"
}
Managing the API Logging CloudWatch Log Group
API Gateway provides the ability to enable CloudWatch API logging
(https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html). To manage the CloudWatch Log
Group when this feature is enabled, the aws_cloudwatch_log_group resource
(/docs/providers/aws/r/cloudwatch_log_group.html) can be used where the name matches the API Gateway naming
convention. If the CloudWatch Log Group previously exists, the aws_cloudwatch_log_group resource can be imported into
Terraform (/docs/providers/aws/r/cloudwatch_log_group.html#import) as a one time operation and recreation of the
environment can occur without import.

The below con guration uses depends_on (/docs/con guration/resources.html#depends_on-explicit-resource-

dependencies) to prevent ordering issues with API Gateway automatically creating the log group rst and a variable for
naming consistency. Other ordering and naming methodologies may be more appropriate for your environment.

variable "stage_name" {
default = "example"
type = "string"
}

resource "aws_api_gateway_rest_api" "example" {

resource "aws_api_gateway_stage" "example" {

depends_on = ["aws_cloudwatch_log_group.example"]

name = "${var.stage_name}"

resource "aws_cloudwatch_log_group" "example" {

name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_name
}"
retention_in_days = 7

Argument Reference
The following arguments are supported:

rest_api_id - (Required) The ID of the associated REST API

stage_name - (Required) The name of the stage

deployment_id - (Required) The ID of the deployment that the stage points to

access_log_settings - (Optional) Enables access logs for the API stage. Detailed below.

cache_cluster_enabled - (Optional) Speci es whether a cache cluster is enabled for the stage
cache_cluster_size - (Optional) The size of the cache cluster for the stage, if enabled. Allowed values include 0.5 ,
1.6 , 6.1 , 13.5 , 28.4 , 58.2 , 118 and 237 .

client_certificate_id - (Optional) The identi er of a client certi cate for the stage.

description - (Optional) The description of the stage

documentation_version - (Optional) The version of the associated API documentation

variables - (Optional) A map that de nes the stage variables

tags - (Optional) A mapping of tags to assign to the resource.

xray_tracing_enabled - (Optional) Whether active tracing with X-ray is enabled. Defaults to false .

Nested Blocks

access_log_settings

destination_arn - (Required) ARN of the log group to send the logs to. Automatically removes trailing :* if present.

format - (Required) The formatting and values recorded in the logs. For more information on con guring the log
format rules visit the AWS documentation (https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-
logging.html)

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the stage

invoke_url - The URL to invoke the API pointing to the stage, e.g. https://z4675bid1j.execute-api.eu-west-
2.amazonaws.com/prod

execution_arn - The execution ARN to be used in lambda_permission

(/docs/providers/aws/r/lambda_permission.html)'s source_arn when allowing API Gateway to invoke a Lambda
function, e.g. arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j/prod

Import
aws_api_gateway_stage can be imported using REST-API-ID/STAGE-NAME , e.g.

$ terraform import aws_api_gateway_stage.example 12345abcde/example

Resource: aws_api_gateway_usage_plan
Provides an API Gateway Usage Plan.

Example Usage

resource "aws_api_gateway_rest_api" "myapi" {

name = "MyDemoAPI"
}

resource "aws_api_gateway_deployment" "dev" {

rest_api_id = "${aws_api_gateway_rest_api.myapi.id}"
stage_name = "dev"
}

resource "aws_api_gateway_deployment" "prod" {

rest_api_id = "${aws_api_gateway_rest_api.myapi.id}"
stage_name = "prod"
}

resource "aws_api_gateway_usage_plan" "MyUsagePlan" {

name = "my-usage-plan"
description = "my description"
product_code = "MYCODE"

api_stages {
api_id = "${aws_api_gateway_rest_api.myapi.id}"
stage = "${aws_api_gateway_deployment.dev.stage_name}"
}

api_stages {
api_id = "${aws_api_gateway_rest_api.myapi.id}"
stage = "${aws_api_gateway_deployment.prod.stage_name}"
}

quota_settings {
limit = 20
offset = 2
period = "WEEK"
}

throttle_settings {
burst_limit = 5
rate_limit = 10
}
}

Argument Reference
The API Gateway Usage Plan argument layout is a structure composed of several sub-resources - these resources are laid
out below.

Top-Level Arguments
name - (Required) The name of the usage plan.

description - (Optional) The description of a usage plan.

api_stages - (Optional) The associated API stages of the usage plan.

quota_settings - (Optional) The quota settings of the usage plan.

throttle_settings - (Optional) The throttling limits of the usage plan.

product_code - (Optional) The AWS Markeplace product identi er to associate with the usage plan as a SaaS product
on AWS Marketplace.

Api Stages arguments

api_id (Required) - API Id of the associated API stage in a usage plan.

stage (Required) - API stage name of the associated API stage in a usage plan.

Quota Settings Arguments

limit (Optional) - The maximum number of requests that can be made in a given time period.

offset (Optional) - The number of requests subtracted from the given limit in the initial time period.

period (Optional) - The time period in which the limit applies. Valid values are "DAY", "WEEK" or "MONTH".

Throttling Settings Arguments

burst_limit (Optional) - The API request burst limit, the maximum rate limit over a time ranging from one to a few
seconds, depending upon whether the underlying token bucket is at its full capacity.

rate_limit (Optional) - The API request steady-state rate limit.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the API resource

name - The name of the usage plan.

description - The description of a usage plan.

api_stages - The associated API stages of the usage plan.

quota_settings - The quota of the usage plan.

throttle_settings - The throttling limits of the usage plan.

product_code - The AWS Markeplace product identi er to associate with the usage plan as a SaaS product on AWS
Marketplace.

Import
AWS API Gateway Usage Plan can be imported using the id , e.g.

$ terraform import aws_api_gateway_usage_plan.myusageplan <usage_plan_id>

Resource: aws_api_gateway_usage_plan_key
Provides an API Gateway Usage Plan Key.

Example Usage

resource "aws_api_gateway_rest_api" "test" {

name = "MyDemoAPI"
}

resource "aws_api_gateway_usage_plan" "myusageplan" {

name = "my_usage_plan"

api_stages {
api_id = "${aws_api_gateway_rest_api.test.id}"
stage = "${aws_api_gateway_deployment.foo.stage_name}"
}
}

resource "aws_api_gateway_api_key" "mykey" {

name = "my_key"
}

resource "aws_api_gateway_usage_plan_key" "main" {

key_id = "${aws_api_gateway_api_key.mykey.id}"
key_type = "API_KEY"
usage_plan_id = "${aws_api_gateway_usage_plan.myusageplan.id}"
}

Argument Reference
The following arguments are supported:

key_id - (Required) The identi er of the API key resource.

key_type - (Required) The type of the API key resource. Currently, the valid key type is API_KEY.

usage_plan_id - (Required) The Id of the usage plan resource representing to associate the key to.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The Id of a usage plan key.

key_id - The identi er of the API gateway key resource.

key_type - The type of a usage plan key. Currently, the valid key type is API_KEY.

usage_plan_id - The ID of the API resource

name - The name of a usage plan key.

value - The value of a usage plan key.

Resource: aws_api_gateway_vpc_link
Provides an API Gateway VPC Link.

Example Usage

resource "aws_lb" "example" {

name = "example"
internal = true
load_balancer_type = "network"

subnet_mapping {
subnet_id = "12345"
}
}

resource "aws_api_gateway_vpc_link" "example" {

name = "example"
description = "example description"
target_arns = ["${aws_lb.example.arn}"]
}

Argument Reference
The following arguments are supported:

name - (Required) The name used to label and identify the VPC link.

description - (Optional) The description of the VPC link.

target_arns - (Required, ForceNew) The list of network load balancer arns in the VPC targeted by the VPC link.
Currently AWS only supports 1 target.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The identi er of the VpcLink.

Import
API Gateway VPC Link can be imported using the id , e.g.

$ terraform import aws_api_gateway_vpc_link.example <vpc_link_id>

Resource: aws_appautoscaling_policy
Provides an Application AutoScaling Policy resource.

Example Usage

DynamoDB Table Autoscaling

resource "aws_appautoscaling_target" "dynamodb_table_read_target" {

max_capacity = 100
min_capacity = 5
resource_id = "table/tableName"
role_arn = "${data.aws_iam_role.DynamoDBAutoscaleRole.arn}"
scalable_dimension = "dynamodb:table:ReadCapacityUnits"
service_namespace = "dynamodb"
}

resource "aws_appautoscaling_policy" "dynamodb_table_read_policy" {

name = "DynamoDBReadCapacityUtilization:${aws_appautoscaling_target.dynamodb_table_read_target.resource_id}"
policy_type = "TargetTrackingScaling"
resource_id = "${aws_appautoscaling_target.dynamodb_table_read_target.resource_id}"
scalable_dimension = "${aws_appautoscaling_target.dynamodb_table_read_target.scalable_dimension}"
service_namespace = "${aws_appautoscaling_target.dynamodb_table_read_target.service_namespace}"

target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "DynamoDBReadCapacityUtilization"
}

target_value = 70
}
}

ECS Service Autoscaling

resource "aws_appautoscaling_target" "ecs_target" {

max_capacity = 4
min_capacity = 1
resource_id = "service/clusterName/serviceName"
role_arn = "${var.ecs_iam_role}"
scalable_dimension = "ecs:service:DesiredCount"
service_namespace = "ecs"
}

resource "aws_appautoscaling_policy" "ecs_policy" {

name = "scale-down"
policy_type = "StepScaling"
resource_id = "${aws_appautoscaling_target.ecs_target.resource_id}"
scalable_dimension = "${aws_appautoscaling_target.ecs_target.scalable_dimension}"
service_namespace = "${aws_appautoscaling_target.ecs_target.service_namespace}"

step_scaling_policy_configuration {
adjustment_type = "ChangeInCapacity"
cooldown = 60
metric_aggregation_type = "Maximum"

step_adjustment {
metric_interval_upper_bound = 0
scaling_adjustment = -1
}
}
}
Preserve desired count when updating an autoscaled ECS Service

resource "aws_ecs_service" "ecs_service" {

name = "serviceName"
cluster = "clusterName"
task_definition = "taskDefinitionFamily:1"
desired_count = 2

lifecycle {
ignore_changes = ["desired_count"]
}
}

Aurora Read Replica Autoscaling

resource "aws_appautoscaling_target" "replicas" {

service_namespace = "rds"
scalable_dimension = "rds:cluster:ReadReplicaCount"
resource_id = "cluster:${aws_rds_cluster.example.id}"
min_capacity = 1
max_capacity = 15
}

resource "aws_appautoscaling_policy" "replicas" {

name = "cpu-auto-scaling"
service_namespace = "${aws_appautoscaling_target.replicas.service_namespace}"
scalable_dimension = "${aws_appautoscaling_target.replicas.scalable_dimension}"
resource_id = "${aws_appautoscaling_target.replicas.resource_id}"
policy_type = "TargetTrackingScaling"

target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "RDSReaderAverageCPUUtilization"
}

target_value = 75
scale_in_cooldown = 300
scale_out_cooldown = 300
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the policy.

policy_type - (Optional) For DynamoDB, only TargetTrackingScaling is supported. For Amazon ECS, Spot Fleet, and Amazon RDS, both
StepScaling and TargetTrackingScaling are supported. For any other service, only StepScaling is supported. Defaults to StepScaling .

resource_id - (Required) The resource type and unique identi er string for the resource associated with the scaling policy. Documentation can be found
in the ResourceId parameter at: AWS Application Auto Scaling API Reference
(http://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_RegisterScalableTarget.html#API_RegisterScalableTarget_RequestParameters)

scalable_dimension - (Required) The scalable dimension of the scalable target. Documentation can be found in the ScalableDimension parameter at:
AWS Application Auto Scaling API Reference
(http://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_RegisterScalableTarget.html#API_RegisterScalableTarget_RequestParameters)

service_namespace - (Required) The AWS service namespace of the scalable target. Documentation can be found in the ServiceNamespace parameter
at: AWS Application Auto Scaling API Reference
(http://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_RegisterScalableTarget.html#API_RegisterScalableTarget_RequestParameters)

step_scaling_policy_configuration - (Optional) Step scaling policy con guration, requires policy_type = "StepScaling" (default). See supported
elds below.

target_tracking_scaling_policy_configuration - (Optional) A target tracking policy, requires policy_type = "TargetTrackingScaling" . See

supported elds below.

Nested elds

step_scaling_policy_configuration
adjustment_type - (Required) Speci es whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are
ChangeInCapacity , ExactCapacity , and PercentChangeInCapacity .

cooldown - (Required) The amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start.

metric_aggregation_type - (Optional) The aggregation type for the policy's metrics. Valid values are "Minimum", "Maximum", and "Average". Without a
value, AWS will treat the aggregation type as "Average".

min_adjustment_magnitude - (Optional) The minimum number to adjust your scalable dimension as a result of a scaling activity. If the adjustment type
is PercentChangeInCapacity, the scaling policy changes the scalable dimension of the scalable target by this amount.

step_adjustment - (Optional) A set of adjustments that manage scaling. These have the following structure:

resource "aws_appautoscaling_policy" "ecs_policy" {

step_scaling_policy_configuration {

step_adjustment {
metric_interval_lower_bound = 1.0
metric_interval_upper_bound = 2.0
scaling_adjustment = -1
}

step_adjustment {
metric_interval_lower_bound = 2.0
metric_interval_upper_bound = 3.0
scaling_adjustment = 1
}
}
}

metric_interval_lower_bound - (Optional) The lower bound for the di erence between the alarm threshold and the CloudWatch metric. Without a
value, AWS will treat this bound as negative in nity.

metric_interval_upper_bound - (Optional) The upper bound for the di erence between the alarm threshold and the CloudWatch metric. Without a
value, AWS will treat this bound as in nity. The upper bound must be greater than the lower bound.

scaling_adjustment - (Required) The number of members by which to scale, when the adjustment bounds are breached. A positive value scales up. A
negative value scales down.

target_tracking_scaling_policy_configuration

target_value - (Required) The target value for the metric.

disable_scale_in - (Optional) Indicates whether scale in by the target tracking policy is disabled. If the value is true, scale in is disabled and the target
tracking policy won't remove capacity from the scalable resource. Otherwise, scale in is enabled and the target tracking policy can remove capacity from
the scalable resource. The default value is false .

scale_in_cooldown - (Optional) The amount of time, in seconds, after a scale in activity completes before another scale in activity can start.

scale_out_cooldown - (Optional) The amount of time, in seconds, after a scale out activity completes before another scale out activity can start.

customized_metric_specification - (Optional) A custom CloudWatch metric. Documentation can be found at: AWS Customized Metric Speci cation
(https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_CustomizedMetricSpeci cation.html). See supported elds below.

predefined_metric_specification - (Optional) A prede ned metric. See supported elds below.

customized_metric_specification

dimensions - (Optional) The dimensions of the metric.

metric_name - (Required) The name of the metric.

namespace - (Required) The namespace of the metric.

statistic - (Required) The statistic of the metric.

unit - (Optional) The unit of the metric.

predefined_metric_specification
predefined_metric_type - (Required) The metric type.

resource_label - (Optional) Reserved for future use.

Attribute Reference
arn - The ARN assigned by AWS to the scaling policy.

name - The scaling policy's name.

policy_type - The scaling policy's type.

Import
Application AutoScaling Policy can be imported using the service-namespace , resource-id , scalable-dimension and policy-name separated by / .

$ terraform import aws_appautoscaling_policy.test-policy service-namespace/resource-id/scalable-dimension/policy-name

Resource: aws_appautoscaling_scheduled_action
Provides an Application AutoScaling ScheduledAction resource.

Example Usage

DynamoDB Table Autoscaling

resource "aws_appautoscaling_target" "dynamodb" {

resource "aws_appautoscaling_scheduled_action" "dynamodb" {

name = "dynamodb"
service_namespace = "${aws_appautoscaling_target.dynamodb.service_namespace}"
resource_id = "${aws_appautoscaling_target.dynamodb.resource_id}"
scalable_dimension = "${aws_appautoscaling_target.dynamodb.scalable_dimension}"
schedule = "at(2006-01-02T15:04:05)"

scalable_target_action {
min_capacity = 1
max_capacity = 200
}
}

ECS Service Autoscaling

resource "aws_appautoscaling_target" "ecs" {
max_capacity = 4
min_capacity = 1
resource_id = "service/clusterName/serviceName"
role_arn = "${var.ecs_iam_role}"
scalable_dimension = "ecs:service:DesiredCount"
service_namespace = "ecs"
}

resource "aws_appautoscaling_scheduled_action" "ecs" {

name = "ecs"
service_namespace = "${aws_appautoscaling_target.ecs.service_namespace}"
resource_id = "${aws_appautoscaling_target.ecs.resource_id}"
scalable_dimension = "${aws_appautoscaling_target.ecs.scalable_dimension}"
schedule = "at(2006-01-02T15:04:05)"

scalable_target_action {
min_capacity = 1
max_capacity = 10
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the scheduled action.

service_namespace - (Required) The namespace of the AWS service. Documentation can be found in the parameter at: AWS
Application Auto Scaling API Reference
(https://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_PutScheduledAction.html#ApplicationAutoScaling-
PutScheduledAction-request-ServiceNamespace) Example: ecs

resource_id - (Required) The identi er of the resource associated with the scheduled action. Documentation can be found in
the parameter at: AWS Application Auto Scaling API Reference
(https://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_PutScheduledAction.html#ApplicationAutoScaling-
PutScheduledAction-request-ResourceId)

scalable_dimension - (Optional) The scalable dimension. Documentation can be found in the parameter at: AWS Application
Auto Scaling API Reference
(https://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_PutScheduledAction.html#ApplicationAutoScaling-
PutScheduledAction-request-ScalableDimension) Example: ecs:service:DesiredCount

scalable_target_action - (Optional) The new minimum and maximum capacity. You can set both values or just one. See
below

schedule - (Optional) The schedule for this action. The following formats are supported: At expressions - at(yyyy-mm-
ddThh:mm:ss), Rate expressions - rate(valueunit), Cron expressions - cron( elds). In UTC. Documentation can be found in the
parameter at: AWS Application Auto Scaling API Reference
(https://docs.aws.amazon.com/ApplicationAutoScaling/latest/APIReference/API_PutScheduledAction.html#ApplicationAutoScaling-
PutScheduledAction-request-Schedule)

start_time - (Optional) The date and time for the scheduled action to start. Specify the following format: 2006-01-
02T15:04:05Z

end_time - (Optional) The date and time for the scheduled action to end. Specify the following format: 2006-01-02T15:04:05Z
Scalable Target Action Arguments
max_capacity - (Optional) The maximum capacity.

min_capacity - (Optional) The minimum capacity.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The Amazon Resource Name (ARN) of the scheduled action.

Resource: aws_appautoscaling_target
Provides an Application AutoScaling ScalableTarget resource. To manage policies which get attached to the target, see the aws_appautoscaling_policy
resource (/docs/providers/aws/r/appautoscaling_policy.html).

Example Usage

DynamoDB Table Autoscaling

resource "aws_appautoscaling_target" "dynamodb_table_read_target" {

max_capacity = 100
min_capacity = 5
resource_id = "table/${aws_dynamodb_table.example.name}"
role_arn = "${data.aws_iam_role.DynamoDBAutoscaleRole.arn}"
scalable_dimension = "dynamodb:table:ReadCapacityUnits"
service_namespace = "dynamodb"
}

DynamoDB Index Autoscaling

resource "aws_appautoscaling_target" "dynamodb_index_read_target" {

max_capacity = 100
min_capacity = 5
resource_id = "table/${aws_dynamodb_table.example.name}/index/${var.index_name}"
role_arn = "${data.aws_iam_role.DynamoDBAutoscaleRole.arn}"
scalable_dimension = "dynamodb:index:ReadCapacityUnits"
service_namespace = "dynamodb"
}

ECS Service Autoscaling

resource "aws_appautoscaling_target" "ecs_target" {

max_capacity = 4
min_capacity = 1
resource_id = "service/${aws_ecs_cluster.example.name}/${aws_ecs_service.example.name}"
role_arn = "${var.ecs_iam_role}"
scalable_dimension = "ecs:service:DesiredCount"
service_namespace = "ecs"
}

Aurora Read Replica Autoscaling

resource "aws_appautoscaling_target" "replicas" {

service_namespace = "rds"
scalable_dimension = "rds:cluster:ReadReplicaCount"
resource_id = "cluster:${aws_rds_cluster.example.id}"
min_capacity = 1
max_capacity = 15
}

Argument Reference
The following arguments are supported:
max_capacity - (Required) The max capacity of the scalable target.

min_capacity - (Required) The min capacity of the scalable target.

resource_id - (Required) The resource type and unique identi er string for the resource associated with the scaling policy. Documentation can be
found in the ResourceId parameter at: AWS Application Auto Scaling API Reference
(https://docs.aws.amazon.com/autoscaling/application/APIReference/API_RegisterScalableTarget.html#API_RegisterScalableTarget_RequestParameters)

role_arn - (Optional) The ARN of the IAM role that allows Application AutoScaling to modify your scalable target on your behalf.

scalable_dimension - (Required) The scalable dimension of the scalable target. Documentation can be found in the ScalableDimension
parameter at: AWS Application Auto Scaling API Reference
(https://docs.aws.amazon.com/autoscaling/application/APIReference/API_RegisterScalableTarget.html#API_RegisterScalableTarget_RequestParameters)

service_namespace - (Required) The AWS service namespace of the scalable target. Documentation can be found in the ServiceNamespace
parameter at: AWS Application Auto Scaling API Reference
(https://docs.aws.amazon.com/autoscaling/application/APIReference/API_RegisterScalableTarget.html#API_RegisterScalableTarget_RequestParameters)

Import
Application AutoScaling Target can be imported using the service-namespace , resource-id and scalable-dimension separated by / .

$ terraform import aws_appautoscaling_target.test-target service-namespace/resource-id/scalable-dimension

Resource: aws_app_cookie_stickiness_policy
Provides an application cookie stickiness policy, which allows an ELB to wed its sticky cookie's expiration to a cookie
generated by your application.

Example Usage

resource "aws_elb" "lb" {

name = "test-lb"
availability_zones = ["us-east-1a"]

listener {
instance_port = 8000
instance_protocol = "http"
lb_port = 80
lb_protocol = "http"
}
}

resource "aws_app_cookie_stickiness_policy" "foo" {

name = "foo_policy"
load_balancer = "${aws_elb.lb.name}"
lb_port = 80
cookie_name = "MyAppCookie"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the stickiness policy.

load_balancer - (Required) The name of load balancer to which the policy should be attached.

lb_port - (Required) The load balancer port to which the policy should be applied. This must be an active listener on
the load balancer.

cookie_name - (Required) The application cookie whose lifetime the ELB's cookie should follow.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the policy.

name - The name of the stickiness policy.

load_balancer - The name of load balancer to which the policy is attached.

lb_port - The load balancer port to which the policy is applied.

cookie_name - The application cookie whose lifetime the ELB's cookie should follow.

Import
Application cookie stickiness policies can be imported using the ELB name, port, and policy name separated by colons ( : ),
e.g.

$ terraform import aws_app_cookie_stickiness_policy.example my-elb:80:my-policy

Resource: aws_appmesh_mesh
Provides an AWS App Mesh service mesh resource.

Example Usage

Basic

resource "aws_appmesh_mesh" "simple" {

name = "simpleapp"
}

Egress Filter

resource "aws_appmesh_mesh" "simple" {

name = "simpleapp"

spec {
egress_filter {
type = "ALLOW_ALL"
}
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name to use for the service mesh.

spec - (Optional) The service mesh speci cation to apply.

tags - (Optional) A mapping of tags to assign to the resource.

The spec object supports the following:

egress_filter - (Optional) The egress lter rules for the service mesh.

The egress_filter object supports the following:

type - (Optional) The egress lter type. By default, the type is DROP_ALL . Valid values are ALLOW_ALL and
DROP_ALL .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the service mesh.

arn - The ARN of the service mesh.

created_date - The creation date of the service mesh.

last_updated_date - The last update date of the service mesh.

Import
App Mesh service meshes can be imported using the name , e.g.

$ terraform import aws_appmesh_mesh.simple simpleapp

Resource: aws_appmesh_route
Provides an AWS App Mesh route resource.

Example Usage

HTTP Routing

resource "aws_appmesh_route" "serviceb" {

name = "serviceB-route"
mesh_name = "${aws_appmesh_mesh.simple.id}"
virtual_router_name = "${aws_appmesh_virtual_router.serviceb.name}"

spec {
http_route {
match {
prefix = "/"
}

action {
weighted_target {
virtual_node = "${aws_appmesh_virtual_node.serviceb1.name}"
weight = 90
}

weighted_target {
virtual_node = "${aws_appmesh_virtual_node.serviceb2.name}"
weight = 10
}
}
}
}
}

TCP Routing
resource "aws_appmesh_route" "serviceb" {
name = "serviceB-route"
mesh_name = "${aws_appmesh_mesh.simple.id}"
virtual_router_name = "${aws_appmesh_virtual_router.serviceb.name}"

spec {
tcp_route {
action {
weighted_target {
virtual_node = "${aws_appmesh_virtual_node.serviceb1.name}"
weight = 100
}
}
}
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name to use for the route.

mesh_name - (Required) The name of the service mesh in which to create the route.

virtual_router_name - (Required) The name of the virtual router in which to create the route.

spec - (Required) The route speci cation to apply.

tags - (Optional) A mapping of tags to assign to the resource.

The spec object supports the following:

http_route - (Optional) The HTTP routing information for the route.

tcp_route - (Optional) The TCP routing information for the route.

The http_route object supports the following:

action - (Required) The action to take if a match is determined.

match - (Required) The criteria for determining an HTTP request match.

The tcp_route object supports the following:

action - (Required) The action to take if a match is determined.

The action object supports the following:

weighted_target - (Required) The targets that tra c is routed to when a request matches the route. You can specify
one or more targets and their relative weights with which to distribute tra c.

The match object supports the following:

prefix - (Required) Speci es the path with which to match requests. This parameter must always start with /, which
by itself matches all requests to the virtual router service name.
The weighted_target object supports the following:

virtual_node - (Required) The virtual node to associate with the weighted target.

weight - (Required) The relative weight of the weighted target. An integer between 0 and 100.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the route.

arn - The ARN of the route.

created_date - The creation date of the route.

last_updated_date - The last update date of the route.

Import
App Mesh virtual routes can be imported using mesh_name and virtual_router_name together with the route's name ,
e.g.

$ terraform import aws_appmesh_virtual_route.serviceb simpleapp/serviceB/serviceB-route

Resource: aws_appmesh_virtual_node
Provides an AWS App Mesh virtual node resource.

Breaking Changes
Because of backward incompatible API changes (read here (https://github.com/awslabs/aws-app-mesh-
examples/issues/92)), aws_appmesh_virtual_node resource de nitions created with provider versions earlier than v2.3.0
will need to be modi ed:

Rename the service_name attribute of the dns object to hostname .

Replace the backends attribute of the spec object with one or more backend con guration blocks, setting
virtual_service_name to the name of the service.

The Terraform state associated with existing resources will automatically be migrated.

Example Usage

Basic

resource "aws_appmesh_virtual_node" "serviceb1" {

name = "serviceBv1"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
backend {
virtual_service {
virtual_service_name = "servicea.simpleapp.local"
}
}

listener {
port_mapping {
port = 8080
protocol = "http"
}
}

service_discovery {
dns {
hostname = "serviceb.simpleapp.local"
}
}
}
}
AWS Cloud Map Service Discovery

resource "aws_service_discovery_http_namespace" "example" {

name = "example-ns"
}

resource "aws_appmesh_virtual_node" "serviceb1" {

name = "serviceBv1"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
backend {
virtual_service {
virtual_service_name = "servicea.simpleapp.local"
}
}

listener {
port_mapping {
port = 8080
protocol = "http"
}
}

service_discovery {
aws_cloud_map {
attributes = {
stack = "blue"
}

service_name = "serviceb1"
namespace_name = "${aws_service_discovery_http_namespace.example.name}"
}
}
}
}

Listener Health Check

resource "aws_appmesh_virtual_node" "serviceb1" {
name = "serviceBv1"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
backend {
virtual_service {
virtual_service_name = "servicea.simpleapp.local"
}
}

listener {
port_mapping {
port = 8080
protocol = "http"
}

health_check {
protocol = "http"
path = "/ping"
healthy_threshold = 2
unhealthy_threshold = 2
timeout_millis = 2000
interval_millis = 5000
}
}

service_discovery {
dns {
hostname = "serviceb.simpleapp.local"
}
}
}
}

Logging
resource "aws_appmesh_virtual_node" "serviceb1" {
name = "serviceBv1"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
backend {
virtual_service {
virtual_service_name = "servicea.simpleapp.local"
}
}

listener {
port_mapping {
port = 8080
protocol = "http"
}
}

service_discovery {
dns {
hostname = "serviceb.simpleapp.local"
}
}

logging {
access_log {
file {
path = "/dev/stdout"
}
}
}
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name to use for the virtual node.

mesh_name - (Required) The name of the service mesh in which to create the virtual node.

spec - (Required) The virtual node speci cation to apply.

tags - (Optional) A mapping of tags to assign to the resource.

The spec object supports the following:

backend - (Optional) The backends to which the virtual node is expected to send outbound tra c.

listener - (Optional) The listeners from which the virtual node is expected to receive inbound tra c.

logging - (Optional) The inbound and outbound access logging information for the virtual node.

service_discovery - (Optional) The service discovery information for the virtual node.
The backend object supports the following:

virtual_service - (Optional) Speci es a virtual service to use as a backend for a virtual node.

The virtual_service object supports the following:

virtual_service_name - (Required) The name of the virtual service that is acting as a virtual node backend.

The listener object supports the following:

port_mapping - (Required) The port mapping information for the listener.

health_check - (Optional) The health check information for the listener.

The logging object supports the following:

access_log - (Optional) The access log con guration for a virtual node.

The access_log object supports the following:

file - (Optional) The le object to send virtual node access logs to.

The file object supports the following:

path - (Required) The le path to write access logs to. You can use /dev/stdout to send access logs to standard out.

The service_discovery object supports the following:

aws_cloud_map - (Optional) Speci es any AWS Cloud Map information for the virtual node.

dns - (Optional) Speci es the DNS service name for the virtual node.

The aws_cloud_map object supports the following:

attributes - (Optional) A string map that contains attributes with values that you can use to lter instances by any
custom attribute that you speci ed when you registered the instance. Only instances that match all of the speci ed
key/value pairs will be returned.

namespace_name - (Required) The name of the AWS Cloud Map namespace to use. Use the
aws_service_discovery_http_namespace (/docs/providers/aws/r/service_discovery_http_namespace.html)
resource to con gure a Cloud Map namespace.

service_name - (Required) The name of the AWS Cloud Map service to use. Use the
aws_service_discovery_service (/docs/providers/aws/r/service_discovery_service.html) resource to con gure a
Cloud Map service.

The dns object supports the following:

hostname - (Required) The DNS host name for your virtual node.

The port_mapping object supports the following:

port - (Required) The port used for the port mapping.

protocol - (Required) The protocol used for the port mapping. Valid values are http and tcp .

The health_check object supports the following:

healthy_threshold - (Required) The number of consecutive successful health checks that must occur before
declaring listener healthy.
interval_millis - (Required) The time period in milliseconds between each health check execution.

protocol - (Required) The protocol for the health check request. Valid values are http and tcp .

timeout_millis - (Required) The amount of time to wait when receiving a response from the health check, in
milliseconds.

unhealthy_threshold - (Required) The number of consecutive failed health checks that must occur before declaring
a virtual node unhealthy.

path - (Optional) The destination path for the health check request. This is only required if the speci ed protocol is
http .

port - (Optional) The destination port for the health check request. This port must match the port de ned in the
port_mapping for the listener.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the virtual node.

arn - The ARN of the virtual node.

created_date - The creation date of the virtual node.

last_updated_date - The last update date of the virtual node.

Import
App Mesh virtual nodes can be imported using mesh_name together with the virtual node's name , e.g.

$ terraform import aws_appmesh_virtual_node.serviceb1 simpleapp/serviceBv1

Resource: aws_appmesh_virtual_router
Provides an AWS App Mesh virtual router resource.

Breaking Changes
Because of backward incompatible API changes (read here (https://github.com/awslabs/aws-app-mesh-examples/issues/92)
and here (https://github.com/awslabs/aws-app-mesh-examples/issues/94)), aws_appmesh_virtual_router resource
de nitions created with provider versions earlier than v2.3.0 will need to be modi ed:

Remove service service_names from the spec argument. AWS has created a aws_appmesh_virtual_service
resource for each of service names. These resource can be imported using terraform import .

Add a listener con guration block to the spec argument.

The Terraform state associated with existing resources will automatically be migrated.

Example Usage

resource "aws_appmesh_virtual_router" "serviceb" {

name = "serviceB"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
listener {
port_mapping {
port = 8080
protocol = "http"
}
}
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name to use for the virtual router.

mesh_name - (Required) The name of the service mesh in which to create the virtual router.

spec - (Required) The virtual router speci cation to apply.

tags - (Optional) A mapping of tags to assign to the resource.

The spec object supports the following:

listener - (Required) The listeners that the virtual router is expected to receive inbound tra c from. Currently only
one listener is supported per virtual router.
The listener object supports the following:

port_mapping - (Required) The port mapping information for the listener.

The port_mapping object supports the following:

port - (Required) The port used for the port mapping.

protocol - (Required) The protocol used for the port mapping. Valid values are http and tcp .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the virtual router.

arn - The ARN of the virtual router.

created_date - The creation date of the virtual router.

last_updated_date - The last update date of the virtual router.

Import
App Mesh virtual routers can be imported using mesh_name together with the virtual router's name , e.g.

$ terraform import aws_appmesh_virtual_router.serviceb simpleapp/serviceB

Resource: aws_appmesh_virtual_service
Provides an AWS App Mesh virtual service resource.

Example Usage

Virtual Node Provider

resource "aws_appmesh_virtual_service" "servicea" {

name = "servicea.simpleapp.local"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
provider {
virtual_node {
virtual_node_name = "${aws_appmesh_virtual_node.serviceb1.name}"
}
}
}
}

Virtual Router Provider

resource "aws_appmesh_virtual_service" "servicea" {

name = "servicea.simpleapp.local"
mesh_name = "${aws_appmesh_mesh.simple.id}"

spec {
provider {
virtual_router {
virtual_router_name = "${aws_appmesh_virtual_router.serviceb.name}"
}
}
}
}

Argument Reference
The following arguments are supported:

name - (Required) The name to use for the virtual service.

mesh_name - (Required) The name of the service mesh in which to create the virtual service.

spec - (Required) The virtual service speci cation to apply.

tags - (Optional) A mapping of tags to assign to the resource.

The spec object supports the following:

provider - (Optional) The App Mesh object that is acting as the provider for a virtual service. You can specify a single
virtual node or virtual router.

The provider object supports the following:

virtual_node - (Optional) The virtual node associated with a virtual service.

virtual_router - (Optional) The virtual router associated with a virtual service.

The virtual_node object supports the following:

virtual_node_name - (Required) The name of the virtual node that is acting as a service provider.

The virtual_router object supports the following:

virtual_router_name - (Required) The name of the virtual router that is acting as a service provider.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The ID of the virtual service.

arn - The ARN of the virtual service.

created_date - The creation date of the virtual service.

last_updated_date - The last update date of the virtual service.

Import
App Mesh virtual services can be imported using mesh_name together with the virtual service's name , e.g.

$ terraform import aws_appmesh_virtual_service.servicea simpleapp/servicea.simpleapp.local

Resource: aws_appsync_api_key
Provides an AppSync API Key.

Example Usage

resource "aws_appsync_graphql_api" "example" {

authentication_type = "API_KEY"
name = "example"
}

resource "aws_appsync_api_key" "example" {

api_id = "${aws_appsync_graphql_api.example.id}"
expires = "2018-05-03T04:00:00Z"
}

Argument Reference
The following arguments are supported:

api_id - (Required) The ID of the associated AppSync API

description - (Optional) The API key description. Defaults to "Managed by Terraform".

expires - (Optional) RFC3339 string representation of the expiry date. Rounded down to nearest hour. By default, it
is 7 days from the date of creation.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - API Key ID (Formatted as ApiId:Key)

key - The API key

Import
aws_appsync_api_key can be imported using the AppSync API ID and key separated by : , e.g.

$ terraform import aws_appsync_api_key.example xxxxx:yyyyy

Resource: aws_appsync_datasource
Provides an AppSync DataSource.

Example Usage

resource "aws_dynamodb_table" "example" {

name = "example"
read_capacity = 1
write_capacity = 1
hash_key = "UserId"

attribute {
name = "UserId"
type = "S"
}
}

resource "aws_iam_role" "example" {

name = "example"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "appsync.amazonaws.com"
},
"Effect": "Allow"
}
]
}
EOF
}

resource "aws_iam_role_policy" "example" {

name = "example"
role = "${aws_iam_role.example.id}"

policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:*"
],
"Effect": "Allow",
"Resource": [
"${aws_dynamodb_table.example.arn}"
]
}
]
]
}
EOF
}

resource "aws_appsync_graphql_api" "example" {

authentication_type = "API_KEY"
name = "tf_appsync_example"
}

resource "aws_appsync_datasource" "example" {

api_id = "${aws_appsync_graphql_api.example.id}"
name = "tf_appsync_example"
service_role_arn = "${aws_iam_role.example.arn}"
type = "AMAZON_DYNAMODB"

dynamodb_config {
table_name = "${aws_dynamodb_table.example.name}"
}
}

Argument Reference
The following arguments are supported:

api_id - (Required) The API ID for the GraphQL API for the DataSource.

name - (Required) A user-supplied name for the DataSource.

type - (Required) The type of the DataSource. Valid values: AWS_LAMBDA , AMAZON_DYNAMODB ,
AMAZON_ELASTICSEARCH , HTTP , NONE .

description - (Optional) A description of the DataSource.

service_role_arn - (Optional) The IAM service role ARN for the data source.

dynamodb_config - (Optional) DynamoDB settings. See below

elasticsearch_config - (Optional) Amazon Elasticsearch settings. See below

http_config - (Optional) HTTP settings. See below

lambda_config - (Optional) AWS Lambda settings. See below

dynamodb_con g
The following arguments are supported:

table_name - (Required) Name of the DynamoDB table.

region - (Optional) AWS region of the DynamoDB table. Defaults to current region.

use_caller_credentials - (Optional) Set to true to use Amazon Cognito credentials with this data source.
elasticsearch_con g
The following arguments are supported:

endpoint - (Required) HTTP endpoint of the Elasticsearch domain.

region - (Optional) AWS region of Elasticsearch domain. Defaults to current region.

http_con g
The following arguments are supported:

endpoint - (Required) HTTP URL.

lambda_con g
The following arguments are supported:

function_arn - (Required) The ARN for the Lambda function.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN

Import
aws_appsync_datasource can be imported with their api_id , a hyphen, and name , e.g.

$ terraform import aws_appsync_datasource.example abcdef123456-example

Resource: aws_appsync_function
Provides an AppSync Function.

Example Usage
resource "aws_appsync_graphql_api" "test" {
authentication_type = "API_KEY"
name = "tf-example"
schema = <<EOF
<<
type Mutation {
putPost(id: ID!, title: String!): Post
}

type Post {
id: ID!
title: String!
}

type Query {
singlePost(id: ID!): Post
}

schema {
query: Query
mutation: Mutation
}
EOF
}

resource "aws_appsync_datasource" "test" {

api_id = "${aws_appsync_graphql_api.test.id}"
name = "tf-example"
type = "HTTP"

http_config {
endpoint = "http://example.com"
}
}

resource "aws_appsync_function" "test" {

api_id = "${aws_appsync_graphql_api.test.id}"
data_source = "${aws_appsync_datasource.test.name}"
name = "tf_example"
request_mapping_template = <<EOF
<<
{
"version": "2018-05-29",
"method": "GET",
"resourcePath": "/",
"params":{
"headers": $utils.http.copyheaders($ctx.request.headers)
}
}
EOF
response_mapping_template = <<EOF
<<
#if($ctx.result.statusCode == 200)
$ctx.result.body
#else
$utils.appendError($ctx.result.body, $ctx.result.statusCode)
#end
EOF
}
Argument Reference
The following arguments are supported:

api_id - (Required) The ID of the associated AppSync API.

data_source - (Required) The Function DataSource name.

name - (Required) The Function name. The function name does not have to be unique.

request_mapping_template - (Required) The Function request mapping template. Functions support only the 2018-
05-29 version of the request mapping template.

response_mapping_template - (Required) The Function response mapping template.

description - (Optional) The Function description.

function_version - (Optional) The version of the request mapping template. Currently the supported value is
2018-05-29 .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - API Function ID (Formatted as ApiId-FunctionId)

arn - The ARN of the Function object.

function_id - A unique ID representing the Function object.

Import
aws_appsync_function can be imported using the AppSync API ID and Function ID separated by - , e.g.

$ terraform import aws_appsync_function.example xxxxx-yyyyy

Resource: aws_appsync_graphql_api
Provides an AppSync GraphQL API.

Example Usage

API Key Authentication

resource "aws_appsync_graphql_api" "example" {

authentication_type = "API_KEY"
name = "example"
}

AWS Cognito User Pool Authentication

resource "aws_appsync_graphql_api" "example" {

authentication_type = "AMAZON_COGNITO_USER_POOLS"
name = "example"

user_pool_config {
aws_region = "${data.aws_region.current.name}"
default_action = "DENY"
user_pool_id = "${aws_cognito_user_pool.example.id}"
}
}

AWS IAM Authentication

resource "aws_appsync_graphql_api" "example" {

authentication_type = "AWS_IAM"
name = "example"
}

With Schema
resource "aws_appsync_graphql_api" "example" {
authentication_type = "AWS_IAM"
name = "example"

schema = <<EOF
<<
schema {
query: Query
}
type Query {
test: Int
}
EOF
}

OpenID Connect Authentication

resource "aws_appsync_graphql_api" "example" {

authentication_type = "OPENID_CONNECT"
name = "example"

openid_connect_config {
issuer = "https://example.com"
}
}

With Multiple Authentication Providers

resource "aws_appsync_graphql_api" "example" {

authentication_type = "API_KEY"
name = "example"

additional_authentication_provider {
authentication_type = "AWS_IAM"
}
}

Enabling Logging
resource "aws_iam_role" "example" {
name = "example"

assume_role_policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "example" {

policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
role = "${aws_iam_role.example.name}"
}

resource "aws_appsync_graphql_api" "example" {

log_config {
cloudwatch_logs_role_arn = "${aws_iam_role.example.arn}"
field_log_level = "ERROR"
}
}

Argument Reference
The following arguments are supported:

authentication_type - (Required) The authentication type. Valid values: API_KEY , AWS_IAM ,

AMAZON_COGNITO_USER_POOLS , OPENID_CONNECT

name - (Required) A user-supplied name for the GraphqlApi.

log_config - (Optional) Nested argument containing logging con guration. De ned below.

openid_connect_config - (Optional) Nested argument containing OpenID Connect con guration. De ned below.

user_pool_config - (Optional) The Amazon Cognito User Pool con guration. De ned below.

schema - (Optional) The schema de nition, in GraphQL schema language format. Terraform cannot perform drift
detection of this con guration.

additional_authentication_provider - (Optional) One or more additional authentication providers for the

GraphqlApi. De ned below.

tags - (Optional) A mapping of tags to assign to the resource.

log_con g
The following arguments are supported:

cloudwatch_logs_role_arn - (Required) Amazon Resource Name of the service role that AWS AppSync will assume
to publish to Amazon CloudWatch logs in your account.

field_log_level - (Required) Field logging level. Valid values: ALL , ERROR , NONE .

additional_authentication_provider
The following arguments are supported:

authentication_type - (Required) The authentication type. Valid values: API_KEY , AWS_IAM ,

AMAZON_COGNITO_USER_POOLS , OPENID_CONNECT

openid_connect_config - (Optional) Nested argument containing OpenID Connect con guration. De ned below.

user_pool_config - (Optional) The Amazon Cognito User Pool con guration. De ned below.

openid_connect_con g
The following arguments are supported:

issuer - (Required) Issuer for the OpenID Connect con guration. The issuer returned by discovery MUST exactly
match the value of iss in the ID Token.

auth_ttl - (Optional) Number of milliseconds a token is valid after being authenticated.

client_id - (Optional) Client identi er of the Relying party at the OpenID identity provider. This identi er is typically
obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression
so the AWS AppSync can validate against multiple client identi ers at a time.

iat_ttl - (Optional) Number of milliseconds a token is valid after being issued to a user.

user_pool_con g
The following arguments are supported:

default_action - (Required only if Cognito is used as the default auth provider) The action that you want your
GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon
Cognito User Pool con guration. Valid: ALLOW and DENY

user_pool_id - (Required) The user pool ID.

app_id_client_regex - (Optional) A regular expression for validating the incoming Amazon Cognito User Pool app
client ID.

aws_region - (Optional) The AWS region in which the user pool was created.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - API ID

arn - The ARN

uris - Map of URIs associated with the API. e.g. uris["GRAPHQL"] = https://ID.appsync-
api.REGION.amazonaws.com/graphql

Import
AppSync GraphQL API can be imported using the GraphQL API ID, e.g.

$ terraform import aws_appsync_graphql_api.example 0123456789

Resource: aws_appsync_resolver
Provides an AppSync Resolver.

Example Usage

resource "aws_appsync_graphql_api" "test" {

authentication_type = "API_KEY"
name = "tf-example"

schema = <<EOF
<<
type Mutation {
putPost(id: ID!, title: String!): Post
}

type Post {
id: ID!
title: String!
}

type Query {
singlePost(id: ID!): Post
}

schema {
query: Query
mutation: Mutation
}
EOF
}

resource "aws_appsync_datasource" "test" {

api_id = "${aws_appsync_graphql_api.test.id}"
name = "tf_example"
type = "HTTP"

http_config {
endpoint = "http://example.com"
}
}

resource "aws_appsync_resolver" "test" {

api_id = "${aws_appsync_graphql_api.test.id}"
field = "singlePost"
type = "Query"
data_source = "${aws_appsync_datasource.test.name}"

request_template = <<EOF
<<
{
"version": "2018-05-29",
"method": "GET",
"resourcePath": "/",
"params":{
"headers": $utils.http.copyheaders($ctx.request.headers)
"headers": $utils.http.copyheaders($ctx.request.headers)
}
}
EOF

response_template = <<EOF
<<
#if($ctx.result.statusCode == 200)
$ctx.result.body
#else
$utils.appendError($ctx.result.body, $ctx.result.statusCode)
#end
EOF
}

resource "aws_appsync_resolver" "Mutation_pipelineTest" {

type = "Mutation"
api_id = "${aws_appsync_graphql_api.test.id}"
field = "pipelineTest"
request_template = "{}"
response_template = "$util.toJson($ctx.result)"
kind = "PIPELINE"
pipeline_config {
functions = [
"${aws_appsync_function.test1.function_id}",
"${aws_appsync_function.test2.function_id}",
"${aws_appsync_function.test3.function_id}"
]
}
}

Argument Reference
The following arguments are supported:

api_id - (Required) The API ID for the GraphQL API.

type - (Required) The type name from the schema de ned in the GraphQL API.

field - (Required) The eld name from the schema de ned in the GraphQL API.

request_template - (Required) The request mapping template for UNIT resolver or 'before mapping template' for
PIPELINE resolver.

response_template - (Required) The response mapping template for UNIT resolver or 'after mapping template' for
PIPELINE resolver.

data_source - (Optional) The DataSource name.

kind - (Optional) The resolver type. Valid values are UNIT and PIPELINE .

pipeline_config - (Optional) The PipelineCon g. A pipeline_config block is documented below.

An pipeline_config block supports the following arguments:

functions - (Required) The list of Function ID.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - The ARN

Import
aws_appsync_resolver can be imported with their api_id , a hyphen, type , a hypen and field e.g.

$ terraform import aws_appsync_resolver.example abcdef123456-exampleType-exampleField

Resource: aws_athena_database
Provides an Athena database.

Example Usage

resource "aws_s3_bucket" "hoge" {

bucket = "hoge"
}

resource "aws_athena_database" "hoge" {

name = "database_name"
bucket = "${aws_s3_bucket.hoge.bucket}"
}

Argument Reference
The following arguments are supported:

name - (Required) Name of the database to create.

bucket - (Required) Name of s3 bucket to save the results of the query execution.

encryption_configuration - (Optional) The encryption key block AWS Athena uses to decrypt the data in S3, such
as an AWS Key Management Service (AWS KMS) key. An encryption_configuration block is documented below.

force_destroy - (Optional, Default: false) A boolean that indicates all tables should be deleted from the database so
that the database can be destroyed without error. The tables are not recoverable.

An encryption_configuration block supports the following arguments:

encryption_option - (Required) The type of key; one of SSE_S3 , SSE_KMS , CSE_KMS

kms_key - (Optional) The KMS key ARN or ID; required for key types SSE_KMS and CSE_KMS .

NOTE: When Athena queries are executed, result les may be created in the speci ed bucket. Consider using
force_destroy on the bucket too in order to avoid any problems when destroying the bucket.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The database name

Resource: aws_athena_named_query
Provides an Athena Named Query resource.

Example Usage

resource "aws_s3_bucket" "hoge" {

bucket = "tf-test"
}

resource "aws_kms_key" "test" {

deletion_window_in_days = 7
description = "Athena KMS Key"
}

resource "aws_athena_workgroup" "test" {

name = "example"

configuration {
result_configuration {
encryption_configuration {
encryption_option = "SSE_KMS"
kms_key_arn = "${aws_kms_key.test.arn}"
}
}
}
}

resource "aws_athena_database" "hoge" {

name = "users"
bucket = "${aws_s3_bucket.hoge.id}"
}

resource "aws_athena_named_query" "foo" {

name = "bar"
workgroup = "${aws_athena_workgroup.test.id}"
database = "${aws_athena_database.hoge.name}"
query = "SELECT * FROM ${aws_athena_database.hoge.name} limit 10;"
}

Argument Reference
The following arguments are supported:

name - (Required) The plain language name for the query. Maximum length of 128.

workgroup - (Optional) The workgroup to which the query belongs. Defaults to primary

database - (Required) The database to which the query belongs.

query - (Required) The text of the query itself. In other words, all query statements. Maximum length of 262144.
description - (Optional) A brief explanation of the query. Maximum length of 1024.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The unique ID of the query.

Import
Athena Named Query can be imported using the query ID, e.g.

$ terraform import aws_athena_named_query.example 0123456789

Resource: aws_athena_workgroup
Provides an Athena Workgroup.

Example Usage

resource "aws_athena_workgroup" "example" {

name = "example"

configuration {
enforce_workgroup_configuration = true
publish_cloudwatch_metrics_enabled = true

result_configuration {
output_location = "s3://{aws_s3_bucket.example.bucket}/output/"

encryption_configuration {
encryption_option = "SSE_KMS"
kms_key_arn = "${aws_kms_key.example.arn}"
}
}
}
}

Argument Reference
The following arguments are supported:

name - (Required) Name of the workgroup.

configuration - (Optional) Con guration block with various settings for the workgroup. Documented below.

description - (Optional) Description of the workgroup.

state - (Optional) State of the workgroup. Valid values are DISABLED or ENABLED . Defaults to ENABLED .

tags - (Optional) Key-value mapping of resource tags for the workgroup.

con guration Argument Reference

The configuration con guration block supports the following arguments:

bytes_scanned_cutoff_per_query - (Optional) Integer for the upper data usage limit (cuto ) for the amount of
bytes a single query in a workgroup is allowed to scan. Must be at least 10485760 .

enforce_workgroup_configuration - (Optional) Boolean whether the settings for the workgroup override client-side
settings. For more information, see Workgroup Settings Override Client-Side Settings
(https://docs.aws.amazon.com/athena/latest/ug/workgroups-settings-override.html). Defaults to true .
publish_cloudwatch_metrics_enabled - (Optional) Boolean whether Amazon CloudWatch metrics are enabled for
the workgroup. Defaults to true .

result_configuration - (Optional) Con guration block with result settings. Documented below.

result_con guration Argument Reference

The result_configuration con guration block within the configuration supports the following arguments:

encryption_configuration - (Optional) Con guration block with encryption settings. Documented below.

output_location - (Optional) The location in Amazon S3 where your query results are stored, such as
s3://path/to/query/bucket/ . For more information, see Queries and Query Result Files
(https://docs.aws.amazon.com/athena/latest/ug/querying.html).

encryption_con guration Argument Reference

The encryption_configuration con guration block within the result_configuration of the configuration supports
the following arguments:

encryption_option - (Required) Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys
(SSE-S3), server-side encryption with KMS-managed keys (SSE-KMS), or client-side encryption with KMS-managed keys
(CSE-KMS) is used. If a query runs in a workgroup and the workgroup overrides client-side settings, then the
workgroup's setting for encryption is used. It speci es whether query results must be encrypted, for all queries that
run in this workgroup.

kms_key_arn - (Optional) For SSE-KMS and CSE-KMS, this is the KMS key Amazon Resource Name (ARN).

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - Amazon Resource Name (ARN) of the workgroup

id - The workgroup name

Import
Athena Workgroups can be imported using their name, e.g.

$ terraform import aws_athena_workgroup.example example

Resource: aws_autoscaling_attachment
Provides an AutoScaling Attachment resource.

NOTE on AutoScaling Groups and ASG Attachments: Terraform currently provides both a standalone ASG Attachment
resource (describing an ASG attached to an ELB), and an AutoScaling Group resource
(/docs/providers/aws/r/autoscaling_group.html) with load_balancers de ned in-line. At this time you cannot use an
ASG with in-line load balancers in conjunction with an ASG Attachment resource. Doing so will cause a con ict and will
overwrite attachments.

Example Usage

resource "aws_autoscaling_attachment" "asg_attachment_bar" {

autoscaling_group_name = "${aws_autoscaling_group.asg.id}"
elb = "${aws_elb.bar.id}"
}

resource "aws_autoscaling_attachment" "asg_attachment_bar" {

autoscaling_group_name = "${aws_autoscaling_group.asg.id}"
alb_target_group_arn = "${aws_alb_target_group.test.arn}"
}

Argument Reference
The following arguments are supported:

autoscaling_group_name - (Required) Name of ASG to associate with the ELB.

elb - (Optional) The name of the ELB.

alb_target_group_arn - (Optional) The ARN of an ALB Target Group.

Resource: aws_autoscaling_group
Provides an AutoScaling Group resource.

Note: You must specify either launch_configuration , launch_template , or mixed_instances_policy .

Example Usage
resource "aws_placement_group" "test" {
name = "test"
strategy = "cluster"
}

resource "aws_autoscaling_group" "bar" {

name = "foobar3-terraform-test"
max_size = 5
min_size = 2
health_check_grace_period = 300
health_check_type = "ELB"
desired_capacity = 4
force_delete = true
placement_group = "${aws_placement_group.test.id}"
launch_configuration = "${aws_launch_configuration.foobar.name}"
vpc_zone_identifier = ["${aws_subnet.example1.id}", "${aws_subnet.example2.id}"]

initial_lifecycle_hook {
name = "foobar"
default_result = "CONTINUE"
heartbeat_timeout = 2000
lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING"

notification_metadata = <<EOF
<<
{
"foo": "bar"
}
EOF

notification_target_arn = "arn:aws:sqs:us-east-1:444455556666:queue1*"
role_arn = "arn:aws:iam::123456789012:role/S3Access"
}

tag {
key = "foo"
value = "bar"
propagate_at_launch = true
}

timeouts {
delete = "15m"
}

tag {
key = "lorem"
value = "ipsum"
propagate_at_launch = false
}
}

With Latest Version Of Launch Template

resource "aws_launch_template" "foobar" {
name_prefix = "foobar"
image_id = "ami-1a2b3c"
instance_type = "t2.micro"
}

resource "aws_autoscaling_group" "bar" {

availability_zones = ["us-east-1a"]
desired_capacity = 1
max_size = 1
min_size = 1

launch_template {
id = "${aws_launch_template.foobar.id}"
version = "$Latest"
}
}

Mixed Instances Policy

resource "aws_launch_template" "example" {

name_prefix = "example"
image_id = "${data.aws_ami.example.id}"
instance_type = "c5.large"
}

resource "aws_autoscaling_group" "example" {

availability_zones = ["us-east-1a"]
desired_capacity = 1
max_size = 1
min_size = 1

mixed_instances_policy {
launch_template {
launch_template_specification {
launch_template_id = "${aws_launch_template.example.id}"
}

override {
instance_type = "c4.large"
}

override {
instance_type = "c3.large"
}
}
}
}

Interpolated tags
variable "extra_tags" {
default = [
{
key = "Foo"
value = "Bar"
propagate_at_launch = true
},
{
key = "Baz"
value = "Bam"
propagate_at_launch = true
},
]
}

resource "aws_autoscaling_group" "bar" {

name = "foobar3-terraform-test"
max_size = 5
min_size = 2
launch_configuration = "${aws_launch_configuration.foobar.name}"
vpc_zone_identifier = ["${aws_subnet.example1.id}", "${aws_subnet.example2.id}"]

tags = [
{
key = "explicit1"
value = "value1"
propagate_at_launch = true
},
{
key = "explicit2"
value = "value2"
propagate_at_launch = true
},
]

tags = ["${concat(
list(
map("key", "interpolation1", "value", "value3", "propagate_at_launch", true),
map("key", "interpolation2", "value", "value4", "propagate_at_launch", true)
),
var.extra_tags)
}"]
}

Argument Reference
The following arguments are supported:

name - (Optional) The name of the auto scaling group. By default generated by Terraform.

name_prefix - (Optional) Creates a unique name beginning with the speci ed pre x. Con icts with name .

max_size - (Required) The maximum size of the auto scale group.

min_size - (Required) The minimum size of the auto scale group. (See also Waiting for Capacity below.)
availability_zones - (Required only for EC2-Classic) A list of one or more availability zones for the group. This
parameter should not be speci ed when using vpc_zone_identifier .

default_cooldown - (Optional) The amount of time, in seconds, after a scaling activity completes before another
scaling activity can start.

launch_configuration - (Optional) The name of the launch con guration to use.

launch_template - (Optional) Nested argument with Launch template speci cation to use to launch instances.
De ned below.

mixed_instances_policy (Optional) Con guration block containing settings to de ne launch targets for Auto Scaling
groups. De ned below.

initial_lifecycle_hook - (Optional) One or more Lifecycle Hooks

(http://docs.aws.amazon.com/autoscaling/latest/userguide/lifecycle-hooks.html) to attach to the autoscaling group
before instances are launched. The syntax is exactly the same as the separate aws_autoscaling_lifecycle_hook
(/docs/providers/aws/r/autoscaling_lifecycle_hooks.html) resource, without the autoscaling_group_name attribute.
Please note that this will only work when creating a new autoscaling group. For all other use-cases, please use
aws_autoscaling_lifecycle_hook resource.

health_check_grace_period - (Optional, Default: 300) Time (in seconds) after instance comes into service before
checking health.

health_check_type - (Optional) "EC2" or "ELB". Controls how health checking is done.

desired_capacity - (Optional) The number of Amazon EC2 instances that should be running in the group. (See also
Waiting for Capacity below.)

force_delete - (Optional) Allows deleting the autoscaling group without waiting for all instances in the pool to
terminate. You can force an autoscaling group to delete even if it's in the process of scaling a resource. Normally,
Terraform drains all the instances before deleting the group. This bypasses that behavior and potentially leaves
resources dangling.

load_balancers (Optional) A list of elastic load balancer names to add to the autoscaling group names. Only valid for
classic load balancers. For ALBs, use target_group_arns instead.

vpc_zone_identifier (Optional) A list of subnet IDs to launch resources in.

target_group_arns (Optional) A list of aws_alb_target_group ARNs, for use with Application or Network Load
Balancing.

termination_policies (Optional) A list of policies to decide how the instances in the auto scale group should be
terminated. The allowed values are OldestInstance , NewestInstance , OldestLaunchConfiguration ,
ClosestToNextInstanceHour , OldestLaunchTemplate , AllocationStrategy , Default .

suspended_processes - (Optional) A list of processes to suspend for the AutoScaling Group. The allowed values are
Launch , Terminate , HealthCheck , ReplaceUnhealthy , AZRebalance , AlarmNotification ,
ScheduledActions , AddToLoadBalancer . Note that if you suspend either the Launch or Terminate process types,
it can prevent your autoscaling group from functioning properly.

tag (Optional) A list of tag blocks. Tags documented below.

tags (Optional) A list of tag blocks (maps). Tags documented below.

placement_group (Optional) The name of the placement group into which you'll launch your instances, if any.
metrics_granularity - (Optional) The granularity to associate with the metrics to collect. The only valid value is
1Minute . Default is 1Minute .

enabled_metrics - (Optional) A list of metrics to collect. The allowed values are GroupMinSize , GroupMaxSize ,
GroupDesiredCapacity , GroupInServiceInstances , GroupPendingInstances , GroupStandbyInstances ,
GroupTerminatingInstances , GroupTotalInstances .

wait_for_capacity_timeout (Default: "10m") A maximum duration (https://golang.org/pkg/time/#ParseDuration)

that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.)
Setting this to "0" causes Terraform to skip all Capacity Waiting behavior.

min_elb_capacity - (Optional) Setting this causes Terraform to wait for this number of instances from this
autoscaling group to show up healthy in the ELB only on creation. Updates will not wait on ELB instance number
changes. (See also Waiting for Capacity below.)

wait_for_elb_capacity - (Optional) Setting this will cause Terraform to wait for exactly this number of healthy
instances from this autoscaling group in all attached load balancers on both create and update operations. (Takes
precedence over min_elb_capacity behavior.) (See also Waiting for Capacity below.)

protect_from_scale_in (Optional) Allows setting instance protection. The autoscaling group will not select instances
with this setting for terminination during scale in events.

service_linked_role_arn (Optional) The ARN of the service-linked role that the ASG will use to call other AWS
services

launch_template

NOTE: Either id or name must be speci ed.

The top-level launch_template block supports the following:

id - (Optional) The ID of the launch template. Con icts with name .

name - (Optional) The name of the launch template. Con icts with id .

version - (Optional) Template version. Can be version number, $Latest , or $Default . (Default: $Default ).

mixed_instances_policy
instances_distribution - (Optional) Nested argument containing settings on how to mix on-demand and Spot
instances in the Auto Scaling group. De ned below.

launch_template - (Required) Nested argument containing launch template settings along with the overrides to
specify multiple instance types. De ned below.

mixed_instances_policy instances_distribution

This con guration block supports the following:

on_demand_allocation_strategy - (Optional) Strategy to use when launching on-demand instances. Valid values:
prioritized . Default: prioritized .

on_demand_base_capacity - (Optional) Absolute minimum amount of desired capacity that must be ful lled by on-
demand instances. Default: 0 .

on_demand_percentage_above_base_capacity - (Optional) Percentage split between on-demand and Spot instances

above the base on-demand capacity. Default: 100 .

spot_allocation_strategy - (Optional) How to allocate capacity across the Spot pools. Valid values: lowest-
price . Default: lowest-price .

spot_instance_pools - (Optional) Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling
selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify.
Default: 2 .

spot_max_price - (Optional) Maximum price per unit hour that the user is willing to pay for the Spot instances.
Default: an empty string which means the on-demand price.

mixed_instances_policy launch_template

This con guration block supports the following:

launch_template_specification - (Required) Nested argument de nes the Launch Template. De ned below.

override - (Optional) List of nested arguments provides the ability to specify multiple instance types. This will
override the same parameter in the launch template. For on-demand instances, Auto Scaling considers the order of
preference of instance types to launch based on the order speci ed in the overrides list. De ned below.

mixed_instances_policy launch_template launch_template_speci cation

NOTE: Either launch_template_id or launch_template_name must be speci ed.

This con guration block supports the following:

launch_template_id - (Optional) The ID of the launch template. Con icts with launch_template_name .

launch_template_name - (Optional) The name of the launch template. Con icts with launch_template_id .

version - (Optional) Template version. Can be version number, $Latest , or $Default . (Default: $Default ).

mixed_instances_policy launch_template override

This con guration block supports the following:

instance_type - (Optional) Override the instance type in the Launch Template.

tag and tags

The tag attribute accepts exactly one tag declaration with the following elds:

key - (Required) Key

value - (Required) Value

propagate_at_launch - (Required) Enables propagation of the tag to Amazon EC2 instances launched via this ASG
To declare multiple tags additional tag blocks can be speci ed. Alternatively the tags attributes can be used, which
accepts a list of maps containing the above eld names as keys and their respective values. This allows the construction of
dynamic lists of tags which is not possible using the single tag attribute. tag and tags are mutually exclusive, only one of
them can be speci ed.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The autoscaling group id.

arn - The ARN for this AutoScaling Group

availability_zones - The availability zones of the autoscale group.

min_size - The minimum size of the autoscale group

max_size - The maximum size of the autoscale group

default_cooldown - Time between a scaling activity and the succeeding scaling activity.

name - The name of the autoscale group

health_check_grace_period - Time after instance comes into service before checking health.

health_check_type - "EC2" or "ELB". Controls how health checking is done.

desired_capacity -The number of Amazon EC2 instances that should be running in the group.

launch_configuration - The launch con guration of the autoscale group

vpc_zone_identifier (Optional) - The VPC zone identi er

load_balancers (Optional) The load balancer names associated with the autoscaling group.

target_group_arns (Optional) list of Target Group ARNs that apply to this AutoScaling Group

NOTE: When using ELB as the health_check_type , health_check_grace_period is required.

NOTE: Terraform has two types of ways you can add lifecycle hooks - via the initial_lifecycle_hook attribute from
this resource, or via the separate aws_autoscaling_lifecycle_hook
(/docs/providers/aws/r/autoscaling_lifecycle_hooks.html) resource. initial_lifecycle_hook exists here because any
lifecycle hooks added with aws_autoscaling_lifecycle_hook will not be added until the autoscaling group has been
created, and depending on your capacity settings, after the initial instances have been launched, creating unintended
behavior. If you need hooks to run on all instances, add them with initial_lifecycle_hook here, but take care to
not duplicate these hooks in aws_autoscaling_lifecycle_hook .

Timeouts
autoscaling_group provides the following Timeouts (/docs/con guration/resources.html#timeouts) con guration
options:
delete - (Default 10 minutes ) Used for destroying ASG.

Waiting for Capacity

A newly-created ASG is initially empty and begins to scale to min_size (or desired_capacity , if speci ed) by launching
instances using the provided Launch Con guration. These instances take time to launch and boot.

On ASG Update, changes to these values also take time to result in the target number of instances providing service.

Terraform provides two mechanisms to help consistently manage ASG scale up time across dependent resources.

Waiting for ASG Capacity

The rst is default behavior. Terraform waits after ASG creation for min_size (or desired_capacity , if speci ed) healthy
instances to show up in the ASG before continuing.

If min_size or desired_capacity are changed in a subsequent update, Terraform will also wait for the correct number of
healthy instances before continuing.

Terraform considers an instance "healthy" when the ASG reports HealthStatus: "Healthy" and LifecycleState:
"InService" . See the AWS AutoScaling Docs
(https://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AutoScalingGroupLifecycle.html) for more information
on an ASG's lifecycle.

Terraform will wait for healthy instances for up to wait_for_capacity_timeout . If ASG creation is taking more than a few
minutes, it's worth investigating for scaling activity errors, which can be caused by problems with the selected Launch
Con guration.

Setting wait_for_capacity_timeout to "0" disables ASG Capacity waiting.

Waiting for ELB Capacity

The second mechanism is optional, and a ects ASGs with attached ELBs speci ed via the load_balancers attribute or with
ALBs speci ed with target_group_arns .

The min_elb_capacity parameter causes Terraform to wait for at least the requested number of instances to show up
"InService" in all attached ELBs during ASG creation. It has no e ect on ASG updates.

If wait_for_elb_capacity is set, Terraform will wait for exactly that number of Instances to be "InService" in all
attached ELBs on both creation and updates.

These parameters can be used to ensure that service is being provided before Terraform moves on. If new instances don't
pass the ELB's health checks for any reason, the Terraform apply will time out, and the ASG will be marked as tainted (i.e.
marked to be destroyed in a follow up run).

As with ASG Capacity, Terraform will wait for up to wait_for_capacity_timeout for the proper number of instances to be
healthy.

Troubleshooting Capacity Waiting Timeouts

If ASG creation takes more than a few minutes, this could indicate one of a number of con guration problems. See the AWS
Docs on Load Balancer Troubleshooting (https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-
troubleshooting.html) for more information.

Import
AutoScaling Groups can be imported using the name , e.g.

$ terraform import aws_autoscaling_group.web web-asg

Resource: aws_autoscaling_lifecycle_hook
Provides an AutoScaling Lifecycle Hook resource.

NOTE: Terraform has two types of ways you can add lifecycle hooks - via the initial_lifecycle_hook attribute from
the aws_autoscaling_group (/docs/providers/aws/r/autoscaling_group.html) resource, or via this one. Hooks added
via this resource will not be added until the autoscaling group has been created, and depending on your capacity
(/docs/providers/aws/r/autoscaling_group.html#waiting-for-capacity) settings, after the initial instances have been
launched, creating unintended behavior. If you need hooks to run on all instances, add them with
initial_lifecycle_hook in aws_autoscaling_group (/docs/providers/aws/r/autoscaling_group.html), but take care
to not duplicate those hooks with this resource.

Example Usage

resource "aws_autoscaling_group" "foobar" {

availability_zones = ["us-west-2a"]
name = "terraform-test-foobar5"
health_check_type = "EC2"
termination_policies = ["OldestInstance"]

tag {
key = "Foo"
value = "foo-bar"
propagate_at_launch = true
}
}

resource "aws_autoscaling_lifecycle_hook" "foobar" {

name = "foobar"
autoscaling_group_name = "${aws_autoscaling_group.foobar.name}"
default_result = "CONTINUE"
heartbeat_timeout = 2000
lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING"

notification_metadata = <<EOF
<<
{
"foo": "bar"
}
EOF

notification_target_arn = "arn:aws:sqs:us-east-1:444455556666:queue1*"
role_arn = "arn:aws:iam::123456789012:role/S3Access"
}

Argument Reference
The following arguments are supported:
name - (Required) The name of the lifecycle hook.

autoscaling_group_name - (Required) The name of the Auto Scaling group to which you want to assign the lifecycle
hook

default_result - (Optional) De nes the action the Auto Scaling group should take when the lifecycle hook timeout
elapses or if an unexpected failure occurs. The value for this parameter can be either CONTINUE or ABANDON. The
default value for this parameter is ABANDON.

heartbeat_timeout - (Optional) De nes the amount of time, in seconds, that can elapse before the lifecycle hook
times out. When the lifecycle hook times out, Auto Scaling performs the action de ned in the DefaultResult parameter

lifecycle_transition - (Required) The instance state to which you want to attach the lifecycle hook. For a list of
lifecycle hook types, see describe-lifecycle-hook-types
(https://docs.aws.amazon.com/cli/latest/reference/autoscaling/describe-lifecycle-hook-types.html#examples)

notification_metadata - (Optional) Contains additional information that you want to include any time Auto Scaling
sends a message to the noti cation target.

notification_target_arn - (Optional) The ARN of the noti cation target that Auto Scaling will use to notify you
when an instance is in the transition state for the lifecycle hook. This ARN target can be either an SQS queue or an SNS
topic.

role_arn - (Optional) The ARN of the IAM role that allows the Auto Scaling group to publish to the speci ed
noti cation target.

Import
AutoScaling Lifecycle Hook can be imported using the role autoscaling_group_name and name separated by / .

$ terraform import aws_aws_autoscaling_lifecycle_hook.test-lifecycle-hook asg-name/lifecycle-hook-name

Resource: aws_autoscaling_noti cation
Provides an AutoScaling Group with Noti cation support, via SNS Topics. Each of the notifications map to a Noti cation
Con guration (https://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_DescribeNoti cationCon gurations.html)
inside Amazon Web Services, and are applied to each AutoScaling Group you supply.

Example Usage
Basic usage:

resource "aws_autoscaling_notification" "example_notifications" {

group_names = [
"${aws_autoscaling_group.bar.name}",
"${aws_autoscaling_group.foo.name}",
]

notifications = [
"autoscaling:EC2_INSTANCE_LAUNCH",
"autoscaling:EC2_INSTANCE_TERMINATE",
"autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
"autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
]

topic_arn = "${aws_sns_topic.example.arn}"
}

resource "aws_sns_topic" "example" {

name = "example-topic"

resource "aws_autoscaling_group" "bar" {

name = "foobar1-terraform-test"

resource "aws_autoscaling_group" "foo" {

name = "barfoo-terraform-test"

Argument Reference
The following arguments are supported:

group_names - (Required) A list of AutoScaling Group Names

notifications - (Required) A list of Noti cation Types that trigger noti cations. Acceptable values are documented
in the AWS documentation here
(https://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_Noti cationCon guration.html)

topic_arn - (Required) The Topic ARN for noti cations to be sent through

Attributes Reference
In addition to all arguments above, the following attributes are exported:

group_names

notifications

topic_arn
Resource: aws_autoscaling_policy
Provides an AutoScaling Scaling Policy resource.

NOTE: You may want to omit desired_capacity attribute from attached aws_autoscaling_group when using
autoscaling policies. It's good practice to pick either manual
(https://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-manual-scaling.html) or dynamic
(https://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html) (policy-based)
scaling.

Example Usage

resource "aws_autoscaling_policy" "bat" {

name = "foobar3-terraform-test"
scaling_adjustment = 4
adjustment_type = "ChangeInCapacity"
cooldown = 300
autoscaling_group_name = "${aws_autoscaling_group.bar.name}"
}

resource "aws_autoscaling_group" "bar" {

availability_zones = ["us-east-1a"]
name = "foobar3-terraform-test"
max_size = 5
min_size = 2
health_check_grace_period = 300
health_check_type = "ELB"
force_delete = true
launch_configuration = "${aws_launch_configuration.foo.name}"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the policy.

autoscaling_group_name - (Required) The name of the autoscaling group.

adjustment_type - (Optional) Speci es whether the adjustment is an absolute number or a percentage of the
current capacity. Valid values are ChangeInCapacity , ExactCapacity , and PercentChangeInCapacity .

policy_type - (Optional) The policy type, either "SimpleScaling", "StepScaling" or "TargetTrackingScaling". If this value
isn't provided, AWS will default to "SimpleScaling."

estimated_instance_warmup - (Optional) The estimated time, in seconds, until a newly launched instance will
contribute CloudWatch metrics. Without a value, AWS will default to the group's speci ed cooldown period.

The following arguments are only available to "SimpleScaling" type policies:

cooldown - (Optional) The amount of time, in seconds, after a scaling activity completes and before the next scaling
activity can start.

scaling_adjustment - (Optional) The number of instances by which to scale. adjustment_type determines the
interpretation of this number (e.g., as an absolute number or as a percentage of the existing Auto Scaling group size). A
positive increment adds to the current capacity and a negative value removes from the current capacity.

The following arguments are only available to "StepScaling" type policies:

metric_aggregation_type - (Optional) The aggregation type for the policy's metrics. Valid values are "Minimum",
"Maximum", and "Average". Without a value, AWS will treat the aggregation type as "Average".

step_adjustments - (Optional) A set of adjustments that manage group scaling. These have the following structure:

step_adjustment {
scaling_adjustment = -1
metric_interval_lower_bound = 1.0
metric_interval_upper_bound = 2.0
}

step_adjustment {
scaling_adjustment = 1
metric_interval_lower_bound = 2.0
metric_interval_upper_bound = 3.0
}

The following elds are available in step adjustments:

scaling_adjustment - (Required) The number of members by which to scale, when the adjustment bounds are
breached. A positive value scales up. A negative value scales down.

metric_interval_lower_bound - (Optional) The lower bound for the di erence between the alarm threshold and
the CloudWatch metric. Without a value, AWS will treat this bound as in nity.

metric_interval_upper_bound - (Optional) The upper bound for the di erence between the alarm threshold and
the CloudWatch metric. Without a value, AWS will treat this bound as in nity. The upper bound must be greater than
the lower bound.

The following arguments are only available to "TargetTrackingScaling" type policies:

target_tracking_configuration - (Optional) A target tracking policy. These have the following structure:
target_tracking_configuration {
predefined_metric_specification {
predefined_metric_type = "ASGAverageCPUUtilization"
}

target_value = 40.0
}

target_tracking_configuration {
customized_metric_specification {
metric_dimension {
name = "fuga"
value = "fuga"
}

metric_name = "hoge"
namespace = "hoge"
statistic = "Average"
}

target_value = 40.0
}

The following elds are available in target tracking con guration:

predefined_metric_specification - (Optional) A prede ned metric. Con icts with

customized_metric_specification .

customized_metric_specification - (Optional) A customized metric. Con icts with

predefined_metric_specification .

target_value - (Required) The target value for the metric.

disable_scale_in - (Optional, Default: false) Indicates whether scale in by the target tracking policy is disabled.

prede ned_metric_speci cation

The following arguments are supported:

predefined_metric_type - (Required) The metric type.

resource_label - (Optional) Identi es the resource associated with the metric type.

customized_metric_speci cation
The following arguments are supported:

metric_dimension - (Optional) The dimensions of the metric.

metric_name - (Required) The name of the metric.

namespace - (Required) The namespace of the metric.

statistic - (Required) The statistic of the metric.

unit - (Optional) The unit of the metric.

metric_dimension

The following arguments are supported:

name - (Required) The name of the dimension.

value - (Required) The value of the dimension.

Attribute Reference
arn - The ARN assigned by AWS to the scaling policy.

name - The scaling policy's name.

autoscaling_group_name - The scaling policy's assigned autoscaling group.

adjustment_type - The scaling policy's adjustment type.

policy_type - The scaling policy's type.

Import
AutoScaling scaling policy can be imported using the role autoscaling_group_name and name separated by / .

$ terraform import aws_autoscaling_policy.test-policy asg-name/policy-name

Resource: aws_autoscaling_schedule
Provides an AutoScaling Schedule resource.

Example Usage

resource "aws_autoscaling_group" "foobar" {

availability_zones = ["us-west-2a"]
name = "terraform-test-foobar5"
max_size = 1
min_size = 1
health_check_grace_period = 300
health_check_type = "ELB"
force_delete = true
termination_policies = ["OldestInstance"]
}

resource "aws_autoscaling_schedule" "foobar" {

scheduled_action_name = "foobar"
min_size = 0
max_size = 1
desired_capacity = 0
start_time = "2016-12-11T18:00:00Z"
end_time = "2016-12-12T06:00:00Z"
autoscaling_group_name = "${aws_autoscaling_group.foobar.name}"
}

Argument Reference
The following arguments are supported:

autoscaling_group_name - (Required) The name or Amazon Resource Name (ARN) of the Auto Scaling group.

scheduled_action_name - (Required) The name of this scaling action.

start_time - (Optional) The time for this action to start, in "YYYY-MM-DDThh:mm:ssZ" format in UTC/GMT only (for
example, 2014-06-01T00:00:00Z ). If you try to schedule your action in the past, Auto Scaling returns an error message.

end_time - (Optional) The time for this action to end, in "YYYY-MM-DDThh:mm:ssZ" format in UTC/GMT only (for
example, 2014-06-01T00:00:00Z ). If you try to schedule your action in the past, Auto Scaling returns an error message.

recurrence - (Optional) The time when recurring future actions will start. Start time is speci ed by the user following
the Unix cron syntax format.

min_size - (Optional) The minimum size for the Auto Scaling group. Default 0. Set to -1 if you don't want to change
the minimum size at the scheduled time.

max_size - (Optional) The maximum size for the Auto Scaling group. Default 0. Set to -1 if you don't want to change
the maximum size at the scheduled time.

desired_capacity - (Optional) The number of EC2 instances that should be running in the group. Default 0. Set to -1
if you don't want to change the desired capacity at the scheduled time.

NOTE: When start_time and end_time are speci ed with recurrence , they form the boundaries of when the
recurring action will start and stop.

Attribute Reference
arn - The ARN assigned by AWS to the autoscaling schedule.

Import
AutoScaling ScheduledAction can be imported using the auto-scaling-group-name and scheduled-action-name , e.g.

$ terraform import aws_autoscaling_schedule.resource-name auto-scaling-group-name/scheduled-action-name

Resource: aws_backup_plan
Provides an AWS Backup plan resource.

Example Usage

resource "aws_backup_plan" "example" {

name = "tf_example_backup_plan"

rule {
rule_name = "tf_example_backup_rule"
target_vault_name = "${aws_backup_vault.test.name}"
schedule = "cron(0 12 * * ? *)"
}
}

Argument Reference
The following arguments are supported:

name - (Required) The display name of a backup plan.

rule - (Required) A rule object that speci es a scheduled task that is used to back up a selection of resources.

tags - (Optional) Metadata that you can assign to help organize the plans you create.

Rule Arguments
For rule the following attributes are supported:

rule_name - (Required) An display name for a backup rule.

target_vault_name (Required) - The name of a logical container where backups are stored.

schedule (Optional) - A CRON expression specifying when AWS Backup initiates a backup job.

start_window (Optional) - The amount of time in minutes before beginning a backup.

completion_window (Optional) - The amount of time AWS Backup attempts a backup before canceling the job and
returning an error.

lifecycle (Optional) - The lifecycle de nes when a protected resource is transitioned to cold storage and when it
expires. Fields documented below.

recovery_point_tags (Optional) - Metadata that you can assign to help organize the resources that you create.

Lifecycle Arguments
For lifecycle the following attributes are supported:

cold_storage_after - (Optional) Speci es the number of days after creation that a recovery point is moved to cold
storage.

delete_after (Optional) - Speci es the number of days after creation that a recovery point is deleted. Must be 90
days greater than cold_storage_after .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The id of the backup plan.

arn - The ARN of the backup plan.

version - Unique, randomly generated, Unicode, UTF-8 encoded string that serves as the version ID of the backup
plan.
Resource: aws_backup_selection
Manages selection conditions for AWS Backup plan resources.

Example Usage

IAM Role

For more information about creating and managing IAM Roles for backups and restores, see the AWS Backup
Developer Guide (https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html).

The below example creates an IAM role with the default managed IAM Policy for allowing AWS Backup to create backups.

resource "aws_iam_role" "example" {

name = "example"
assume_role_policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["sts:AssumeRole"],
"Effect": "allow",
"Principal": {
"Service": ["backup.amazonaws.com"]
}
}
]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "example" {

policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
role = "${aws_iam_role.example.name}"
}

resource "aws_backup_selection" "example" {

iam_role_arn = "${aws_iam_role.example.arn}"
}

Selecting Backups By Tag

resource "aws_backup_selection" "example" {
iam_role_arn = "${aws_iam_role.example.arn}"
name = "tf_example_backup_selection"
plan_id = "${aws_backup_plan.example.id}"

selection_tag {
type = "STRINGEQUALS"
key = "foo"
value = "bar"
}
}

Selecting Backups By Resource

resource "aws_backup_selection" "example" {

iam_role_arn = "${aws_iam_role.example.arn}"
name = "tf_example_backup_selection"
plan_id = "${aws_backup_plan.example.id}"

resources = [
"${aws_db_instance.example.arn}",
"${aws_ebs_volume.example.arn}",
"${aws_efs_file_system.example.arn}",
]
}

Argument Reference
The following arguments are supported:

name - (Required) The display name of a resource selection document.

plan_id - (Required) The backup plan ID to be associated with the selection of resources.

iam_role_arn - (Required) The ARN of the IAM role that AWS Backup uses to authenticate when restoring and
backing up the target resource. See the AWS Backup Developer Guide (https://docs.aws.amazon.com/aws-
backup/latest/devguide/access-control.html#managed-policies) for additional information about using AWS managed
policies or creating custom policies attached to the IAM role.

selection_tag - (Optional) Tag-based conditions used to specify a set of resources to assign to a backup plan.

resources - (Optional) An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of
resources to assign to a backup plan..

Tag conditions ( selection_tag ) support the following:

type - (Required) An operation, such as StringEquals , that is applied to a key-value pair used to lter resources in a
selection.

key - (Required) The key in a key-value pair.

value - (Required) The value in a key-value pair.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - Backup Selection identi er

Import
Backup selection can be imported using the role plan_id and id separated by | .

$ terraform import aws_backup_selection.example plan-id|selection-id

Resource: aws_backup_vault
Provides an AWS Backup vault resource.

Example Usage

resource "aws_backup_vault" "example" {

name = "example_backup_vault"
kms_key_arn = "${aws_kms_key.example.arn}"
}

Argument Reference
The following arguments are supported:

name - (Required) Name of the backup vault to create.

tags - (Optional) Metadata that you can assign to help organize the resources that you create.

kms_key_arn - (Optional) The server-side encryption key that is used to protect your backups.

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - The name of the vault.

arn - The ARN of the vault.

recovery_points - The number of recovery points that are stored in a backup vault.

Import
Backup vault can be imported using the name , e.g.

$ terraform import aws_backup_vault.test-vault TestVault

Resource: aws_batch_compute_environment
Creates a AWS Batch compute environment. Compute environments contain the Amazon ECS container instances that are
used to run containerized batch jobs.

For information about AWS Batch, see What is AWS Batch? (http://docs.aws.amazon.com/batch/latest/userguide/what-is-
batch.html) . For information about compute environment, see Compute Environments
(http://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html) .

Note: To prevent a race condition during environment deletion, make sure to set depends_on to the related
aws_iam_role_policy_attachment ; otherwise, the policy may be destroyed too soon and the compute environment
will then get stuck in the DELETING state, see Troubleshooting AWS Batch
(http://docs.aws.amazon.com/batch/latest/userguide/troubleshooting.html) .

Example Usage

resource "aws_iam_role" "ecs_instance_role" {

name = "ecs_instance_role"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
]
}
EOF
}

resource "aws_iam_role_policy_attachment" "ecs_instance_role" {

role = "${aws_iam_role.ecs_instance_role.name}"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

resource "aws_iam_instance_profile" "ecs_instance_role" {

name = "ecs_instance_role"
role = "${aws_iam_role.ecs_instance_role.name}"
}

resource "aws_iam_role" "aws_batch_service_role" {

name = "aws_batch_service_role"

assume_role_policy = <<EOF
<<
{
"Version": "2012-10-17",
"Statement": [
{
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "batch.amazonaws.com"
}
}
]
}
EOF
}

resource "aws_iam_role_policy_attachment" "aws_batch_service_role" {

role = "${aws_iam_role.aws_batch_service_role.name}"
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole"
}

resource "aws_security_group" "sample" {

name = "aws_batch_compute_environment_security_group"
}

resource "aws_vpc" "sample" {

cidr_block = "10.1.0.0/16"
}

resource "aws_subnet" "sample" {

vpc_id = "${aws_vpc.sample.id}"
cidr_block = "10.1.1.0/24"
}

resource "aws_batch_compute_environment" "sample" {

compute_environment_name = "sample"

compute_resources {
instance_role = "${aws_iam_instance_profile.ecs_instance_role.arn}"

instance_type = [
"c4.large",
]

max_vcpus = 16
min_vcpus = 0

security_group_ids = [
"${aws_security_group.sample.id}",
]

subnets = [
"${aws_subnet.sample.id}",
]

type = "EC2"
}

service_role = "${aws_iam_role.aws_batch_service_role.arn}"
type = "MANAGED"
depends_on = ["aws_iam_role_policy_attachment.aws_batch_service_role"]
}
Argument Reference
compute_environment_name - (Required) The name for your compute environment. Up to 128 letters (uppercase and
lowercase), numbers, and underscores are allowed.

compute_resources - (Optional) Details of the compute resources managed by the compute environment. This
parameter is required for managed compute environments. See details below.

service_role - (Required) The full Amazon Resource Name (ARN) of the IAM role that allows AWS Batch to make
calls to other AWS services on your behalf.

state - (Optional) The state of the compute environment. If the state is ENABLED , then the compute environment
accepts jobs from a queue and can scale out automatically based on queues. Valid items are ENABLED or DISABLED .
Defaults to ENABLED .

type - (Required) The type of the compute environment. Valid items are MANAGED or UNMANAGED .

compute_resources is a child block with a single argument:

bid_percentage - (Optional) Integer of minimum percentage that a Spot Instance price must be when compared with
the On-Demand price for that instance type before instances are launched. For example, if your bid percentage is 20%
( 20 ), then the Spot price must be below 20% of the current On-Demand price for that EC2 instance. This parameter is
required for SPOT compute environments.

desired_vcpus - (Optional) The desired number of EC2 vCPUS in the compute environment.

ec2_key_pair - (Optional) The EC2 key pair that is used for instances launched in the compute environment.

image_id - (Optional) The Amazon Machine Image (AMI) ID used for instances launched in the compute environment.

instance_role - (Required) The Amazon ECS instance role applied to Amazon EC2 instances in a compute
environment.

instance_type - (Required) A list of instance types that may be launched.

launch_template - (Optional) The launch template to use for your compute resources. See details below.

max_vcpus - (Required) The maximum number of EC2 vCPUs that an environment can reach.

min_vcpus - (Required) The minimum number of EC2 vCPUs that an environment should maintain.

security_group_ids - (Required) A list of EC2 security group that are associated with instances launched in the
compute environment.

spot_iam_fleet_role - (Optional) The Amazon Resource Name (ARN) of the Amazon EC2 Spot Fleet IAM role applied
to a SPOT compute environment. This parameter is required for SPOT compute environments.

subnets - (Required) A list of VPC subnets into which the compute resources are launched.

tags - (Optional) Key-value pair tags to be applied to resources that are launched in the compute environment.

type - (Required) The type of compute environment. Valid items are EC2 or SPOT .

launch_template
launch_template supports the following:
launch_template_id - (Optional) ID of the launch template. You must specify either the launch template ID or launch
template name in the request, but not both.

launch_template_name - (Optional) Name of the launch template.

version - (Optional) The version number of the launch template. Default: The default version of the launch template.

Attributes Reference
arn - The Amazon Resource Name (ARN) of the compute environment.

ecs_cluster_arn - The Amazon Resource Name (ARN) of the underlying Amazon ECS cluster used by the compute
environment.

status - The current status of the compute environment (for example, CREATING or VALID).

status_reason - A short, human-readable string to provide additional details about the current status of the
compute environment.
Resource: aws_batch_job_de nition
Provides a Batch Job De nition resource.

Example Usage

resource "aws_batch_job_definition" "test" {

name = "tf_test_batch_job_definition"
type = "container"

container_properties = <<CONTAINER_PROPERTIES
<<
{
"command": ["ls", "-la"],
"image": "busybox",
"memory": 1024,
"vcpus": 1,
"volumes": [
{
"host": {
"sourcePath": "/tmp"
},
"name": "tmp"
}
],
"environment": [
{"name": "VARNAME", "value": "VARVAL"}
],
"mountPoints": [
{
"sourceVolume": "tmp",
"containerPath": "/tmp",
"readOnly": false
}
],
"ulimits": [
{
"hardLimit": 1024,
"name": "nofile",
"softLimit": 1024
}
]
}
CONTAINER_PROPERTIES
}

Argument Reference
The following arguments are supported:

name - (Required) Speci es the name of the job de nition.

container_properties - (Optional) A valid container properties
(http://docs.aws.amazon.com/batch/latest/APIReference/API_RegisterJobDe nition.html) provided as a single valid
JSON document. This parameter is required if the type parameter is container .

parameters - (Optional) Speci es the parameter substitution placeholders to set in the job de nition.

retry_strategy - (Optional) Speci es the retry strategy to use for failed jobs that are submitted with this job
de nition. Maximum number of retry_strategy is 1 . De ned below.

timeout - (Optional) Speci es the timeout for jobs so that if a job runs longer, AWS Batch terminates the job.
Maximum number of timeout is 1 . De ned below.

type - (Required) The type of job de nition. Must be container

retry_strategy
retry_strategy supports the following:

attempts - (Optional) The number of times to move a job to the RUNNABLE status. You may specify between 1 and
10 attempts.

timeout
timeout supports the following:

attempt_duration_seconds - (Optional) The time duration in seconds after which AWS Batch terminates your jobs if
they have not nished. The minimum value for the timeout is 60 seconds.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

arn - The Amazon Resource Name of the job de nition.

revision - The revision of the job de nition.

Resource: aws_batch_job_queue
Provides a Batch Job Queue resource.

Example Usage

resource "aws_batch_job_queue" "test_queue" {

name = "tf-test-batch-job-queue"
state = "ENABLED"
priority = 1
compute_environments = ["${aws_batch_compute_environment.test_environment_1.arn}", "${aws_batch_compute
_environment.test_environment_2.arn}"]
}

Argument Reference
The following arguments are supported:

name - (Required) Speci es the name of the job queue.

compute_environments - (Required) Speci es the set of compute environments mapped to a job queue and their
order. The position of the compute environments in the list will dictate the order. You can associate up to 3 compute
environments with a job queue.

priority - (Required) The priority of the job queue. Job queues with a higher priority are evaluated rst when
associated with the same compute environment.

state - (Required) The state of the job queue. Must be one of: ENABLED or DISABLED

Attribute Reference
In addition to all arguments above, the following attributes are exported:

arn - The Amazon Resource Name of the job queue.

Resource: aws_budgets_budget
Provides a budgets budget resource. Budgets use the cost visualisation provided by Cost Explorer to show you the status of
your budgets, to provide forecasts of your estimated costs, and to track your AWS usage, including your free tier usage.

Example Usage

resource "aws_budgets_budget" "ec2" {

name = "budget-ec2-monthly"
budget_type = "COST"
limit_amount = "1200"
limit_unit = "USD"
time_period_end = "2087-06-15_00:00"
time_period_start = "2017-07-01_00:00"
time_unit = "MONTHLY"

cost_filters = {
Service = "Amazon Elastic Compute Cloud - Compute"
}

notification {
comparison_operator = "GREATER_THAN"
threshold = 100
threshold_type = "PERCENTAGE"
notification_type = "FORECASTED"
subscriber_email_addresses = ["[email protected]"]
}
}

Create a budget for $100.

resource "aws_budgets_budget" "cost" {

budget_type = "COST"
limit_amount = "100"
limit_unit = "USD"
}

Create a budget for s3 with a limit of 3 GB of storage.

resource "aws_budgets_budget" "s3" {

budget_type = "USAGE"
limit_amount = "3"
limit_unit = "GB"
}

Argument Reference
For more detailed documentation about each argument, refer to the AWS o cial documentation
(http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/data-type-budget.html).

The following arguments are supported:

account_id - (Optional) The ID of the target account for budget. Will use current user's account_id by default if
omitted.

name - (Optional) The name of a budget. Unique within accounts.

name_prefix - (Optional) The pre x of the name of a budget. Unique within accounts.

budget_type - (Required) Whether this budget tracks monetary cost or usage.

cost_filters - (Optional) Map of CostFilters key/value pairs to apply to the budget.

cost_types - (Optional) Object containing CostTypes The types of cost included in a budget, such as tax and
subscriptions..

limit_amount - (Required) The amount of cost or usage being measured for a budget.

limit_unit - (Required) The unit of measurement used for the budget forecast, actual spend, or budget threshold,
such as dollars or GB. See Spend (http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/data-type-
spend.html) documentation.

time_period_end - (Optional) The end of the time period covered by the budget. There are no restrictions on the
end date. Format: 2017-01-01_12:00 .

time_period_start - (Required) The start of the time period covered by the budget. The start date must come
before the end date. Format: 2017-01-01_12:00 .

time_unit - (Required) The length of time until a budget resets the actual and forecasted spend. Valid values:
MONTHLY , QUARTERLY , ANNUALLY .

notification - (Optional) Object containing Budget Noti cations. Can be used multiple times to de ne more than
one budget noti cation

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - id of resource.

CostTypes
Valid keys for cost_types parameter.

include_credit - A boolean value whether to include credits in the cost budget. Defaults to true

include_discount - Speci es whether a budget includes discounts. Defaults to true

include_other_subscription - A boolean value whether to include other subscription costs in the cost budget.
Defaults to true
include_recurring - A boolean value whether to include recurring costs in the cost budget. Defaults to true

include_refund - A boolean value whether to include refunds in the cost budget. Defaults to true

include_subscription - A boolean value whether to include subscriptions in the cost budget. Defaults to true

include_support - A boolean value whether to include support costs in the cost budget. Defaults to true

include_tax - A boolean value whether to include tax in the cost budget. Defaults to true

include_upfront - A boolean value whether to include upfront costs in the cost budget. Defaults to true

use_amortized - Speci es whether a budget uses the amortized rate. Defaults to false

use_blended - A boolean value whether to use blended costs in the cost budget. Defaults to false

Refer to AWS CostTypes documentation (https://docs.aws.amazon.com/aws-cost-

management/latest/APIReference/API_budgets_CostTypes.html) for further detail.

CostFilters
Valid keys for cost_filters parameter vary depending on the budget_type value.

cost
AZ

LinkedAccount

Operation

PurchaseType

Service

TagKeyValue

usage
AZ

LinkedAccount

Operation

PurchaseType

UsageType:<service name>

TagKeyValue

Refer to AWS CostFilter documentation (http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/data-type- lter.html)

for further detail.

BudgetNoti cation
Valid keys for notification parameter.
comparison_operator - (Required) Comparison operator to use to evaluate the condition. Can be LESS_THAN ,
EQUAL_TO or GREATER_THAN .

threshold - (Required) Threshold when the noti cation should be sent.

threshold_type - (Required) What kind of threshold is de ned. Can be PERCENTAGE OR ABSOLUTE_VALUE .

notification_type - (Required) What kind of budget value to notify on. Can be ACTUAL or FORECASTED

subscriber_email_addresses - (Optional) E-Mail addresses to notify. Either this or subscriber_sns_topic_arns is

required.

subscriber_sns_topic_arns - (Optional) SNS topics to notify. Either this or subscriber_email_addresses is

required.

Import
Budgets can be imported using AccountID:BudgetName , e.g.

$ terraform import aws_budgets_budget.myBudget 123456789012:myBudget

Resource: aws_cloud9_environment_ec2
Provides a Cloud9 EC2 Development Environment.

Example Usage

resource "aws_cloud9_environment_ec2" "example" {

instance_type = "t2.micro"
name = "example-env"
}

Argument Reference
The following arguments are supported:

name - (Required) The name of the environment.

instance_type - (Required) The type of instance to connect to the environment, e.g. t2.micro .

automatic_stop_time_minutes - (Optional) The number of minutes until the running instance is shut down after the
environment has last been used.

description - (Optional) The description of the environment.

owner_arn - (Optional) The ARN of the environment owner. This can be ARN of any AWS IAM principal. Defaults to the
environment's creator.

subnet_id - (Optional) The ID of the subnet in Amazon VPC that AWS Cloud9 will use to communicate with the
Amazon EC2 instance.

Attributes Reference
In addition the the arguments listed above the following attributes are exported:

id - The ID of the environment.

arn - The ARN of the environment.

type - The type of the environment (e.g. ssh or ec2 )

Resource: aws_cloudformation_stack
Provides a CloudFormation Stack resource.

Example Usage

resource "aws_cloudformation_stack" "network" {

name = "networking-stack"

parameters = {
VPCCidr = "10.0.0.0/16"
}

template_body = <<STACK
<<
{
"Parameters" : {
"VPCCidr" : {
"Type" : "String",
"Default" : "10.0.0.0/16",
"Description" : "Enter the CIDR block for the VPC. Default is 10.0.0.0/16."
}
},
"Resources" : {
"myVpc": {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : { "Ref" : "VPCCidr" },
"Tags" : [
{"Key": "Name", "Value": "Primary_CF_VPC"}
]
}
}
}
}
STACK
}

Argument Reference
The following arguments are supported:

name - (Required) Stack name.

template_body - (Optional) Structure containing the template body (max size: 51,200 bytes).

template_url - (Optional) Location of a le containing the template body (max size: 460,800 bytes).

capabilities - (Optional) A list of capabilities. Valid values: CAPABILITY_IAM , CAPABILITY_NAMED_IAM , or

CAPABILITY_AUTO_EXPAND

disable_rollback - (Optional) Set to true to disable rollback of the stack if stack creation failed. Con icts with
on_failure .

notification_arns - (Optional) A list of SNS topic ARNs to publish stack related events.

on_failure - (Optional) Action to be taken if stack creation fails. This must be one of: DO_NOTHING , ROLLBACK , or
DELETE . Con icts with disable_rollback .

parameters - (Optional) A map of Parameter structures that specify input parameters for the stack.

policy_body - (Optional) Structure containing the stack policy body. Con icts w/ policy_url .

policy_url - (Optional) Location of a le containing the stack policy. Con icts w/ policy_body .

tags - (Optional) A list of tags to associate with this stack.

iam_role_arn - (Optional) The ARN of an IAM role that AWS CloudFormation assumes to create the stack. If you don't
specify a value, AWS CloudFormation uses the role that was previously associated with the stack. If no role is available,
AWS CloudFormation uses a temporary session that is generated from your user credentials.

timeout_in_minutes - (Optional) The amount of time that can pass before the stack status becomes
CREATE_FAILED .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - A unique identi er of the stack.

outputs - A map of outputs from the stack.

Import
Cloudformation Stacks can be imported using the name , e.g.

$ terraform import aws_cloudformation_stack.stack networking-stack

Timeouts
aws_cloudformation_stack provides the following Timeouts (/docs/con guration/resources.html#timeouts) con guration
options:

create - (Default 30 minutes ) Used for Creating Stacks

update - (Default 30 minutes ) Used for Stack modi cations

delete - (Default 30 minutes ) Used for destroying stacks.

Resource: aws_cloudformation_stack_set
Manages a CloudFormation Stack Set. Stack Sets allow CloudFormation templates to be easily deployed across multiple
accounts and regions via Stack Set Instances ( aws_cloudformation_stack_set_instance resource
(/docs/providers/aws/r/cloudformation_stack_set_instance.html)). Additional information about Stack Sets can be found in
the AWS CloudFormation User Guide (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-
cfnstacksets.html).

NOTE: All template parameters, including those with a Default , must be con gured or ignored with the lifecycle
con guration block ignore_changes argument.

NOTE: All NoEcho template parameters must be ignored with the lifecycle con guration block ignore_changes
argument.

Example Usage

data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_assume_role_policy" {

statement {
actions = ["sts:AssumeRole"]
effect = "Allow"

principals {
identifiers = ["cloudformation.amazonaws.com"]
type = "Service"
}
}
}

resource "aws_iam_role" "AWSCloudFormationStackSetAdministrationRole" {

assume_role_policy = "${data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_assume
_role_policy.json}"
name = "AWSCloudFormationStackSetAdministrationRole"
}

resource "aws_cloudformation_stack_set" "example" {

administration_role_arn = "${aws_iam_role.AWSCloudFormationStackSetAdministrationRole.arn}"
name = "example"

parameters = {
VPCCidr = "10.0.0.0/16"
}

template_body = <<TEMPLATE
<<
{
"Parameters" : {
"VPCCidr" : {
"Type" : "String",
"Default" : "10.0.0.0/16",
"Description" : "Enter the CIDR block for the VPC. Default is 10.0.0.0/16."
}
},
},
"Resources" : {
"myVpc": {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : { "Ref" : "VPCCidr" },
"Tags" : [
{"Key": "Name", "Value": "Primary_CF_VPC"}
]
}
}
}
}
TEMPLATE
}

data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" {

statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
resources = ["arn:aws:iam::*:role/${aws_cloudformation_stack_set.example.execution_role_name}"]
}
}

resource "aws_iam_role_policy" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" {

name = "ExecutionPolicy"
policy = "${data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy.js
on}"
role = "${aws_iam_role.AWSCloudFormationStackSetAdministrationRole.name}"
}

Argument Reference
The following arguments are supported:

administration_role_arn - (Required) Amazon Resource Number (ARN) of the IAM Role in the administrator
account.

name - (Required) Name of the Stack Set. The name must be unique in the region where you create your Stack Set.
The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic
character and cannot be longer than 128 characters.

capabilities - (Optional) A list of capabilities. Valid values: CAPABILITY_IAM , CAPABILITY_NAMED_IAM ,

CAPABILITY_AUTO_EXPAND .

description - (Optional) Description of the Stack Set.

execution_role_name - (Optional) Name of the IAM Role in all target accounts for Stack Set operations. Defaults to
AWSCloudFormationStackSetExecutionRole .

parameters - (Optional) Key-value map of input parameters for the Stack Set template. All template parameters,
including those with a Default , must be con gured or ignored with lifecycle con guration block
ignore_changes argument. All NoEcho template parameters must be ignored with the lifecycle con guration
block ignore_changes argument.
tags - (Optional) Key-value map of tags to associate with this Stack Set and the Stacks created from it. AWS
CloudFormation also propagates these tags to supported resources that are created in the Stacks. A maximum
number of 50 tags can be speci ed.

template_body - (Optional) String containing the CloudFormation template body. Maximum size: 51,200 bytes.
Con icts with template_url .

template_url - (Optional) String containing the location of a le containing the CloudFormation template body. The
URL must point to a template that is located in an Amazon S3 bucket. Maximum location le size: 460,800 bytes.
Con icts with template_body .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

arn - Amazon Resource Name (ARN) of the Stack Set.

id - Name of the Stack Set.

stack_set_id - Unique identi er of the Stack Set.

Import
CloudFormation Stack Sets can be imported using the name , e.g.

$ terraform import aws_cloudformation_stack.example example

Resource: aws_cloudformation_stack_set_instance
Manages a CloudFormation Stack Set Instance. Instances are managed in the account and region of the Stack Set after the
target account permissions have been con gured. Additional information about Stack Sets can be found in the AWS
CloudFormation User Guide (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-
cfnstacksets.html).

NOTE: All target accounts must have an IAM Role created that matches the name of the execution role con gured in the
Stack Set (the execution_role_name argument in the aws_cloudformation_stack_set resource) in a trust
relationship with the administrative account or administration IAM Role. The execution role must have appropriate
permissions to manage resources de ned in the template along with those required for Stack Sets to operate. See the
AWS CloudFormation User Guide (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-
prereqs.html) for more details.

NOTE: To retain the Stack during Terraform resource destroy, ensure retain_stack = true has been successfully
applied into the Terraform state rst. This must be completed before an apply that would destroy the resource.

Example Usage

resource "aws_cloudformation_stack_set_instance" "example" {

account_id = "123456789012"
region = "us-east-1"
stack_set_name = "${aws_cloudformation_stack_set.example.name}"
}

Example IAM Setup in Target Account

data "aws_iam_policy_document" "AWSCloudFormationStackSetExecutionRole_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
effect = "Allow"

principals {
identifiers = ["${aws_iam_role.AWSCloudFormationStackSetAdministrationRole.arn}"]
type = "AWS"
}
}
}

resource "aws_iam_role" "AWSCloudFormationStackSetExecutionRole" {

assume_role_policy = "${data.aws_iam_policy_document.AWSCloudFormationStackSetExecutionRole_assume_role
_policy.json}"
name = "AWSCloudFormationStackSetExecutionRole"
}

data "aws_iam_policy_document" "AWSCloudFormationStackSetExecutionRole_MinimumExecutionPolicy" {

statement {
actions = [
"cloudformation:*",
"s3:*",
"sns:*",
]

effect = "Allow"
resources = ["*"]
}
}

resource "aws_iam_role_policy" "AWSCloudFormationStackSetExecutionRole_MinimumExecutionPolicy" {

name = "MinimumExecutionPolicy"
policy = "${data.aws_iam_policy_document.AWSCloudFormationStackSetExecutionRole_MinimumExecutionPolicy.
json}"
role = "${aws_iam_role.AWSCloudFormationStackSetExecutionRole.name}"
}

Argument Reference
The following arguments are supported:

stack_set_name - (Required) Name of the Stack Set.

account_id - (Optional) Target AWS Account ID to create a Stack based on the Stack Set. Defaults to current account.

parameter_overrides - (Optional) Key-value map of input parameters to override from the Stack Set for this
Instance.

region - (Optional) Target AWS Region to create a Stack based on the Stack Set. Defaults to current region.

retain_stack - (Optional) During Terraform resource destroy, remove Instance from Stack Set while keeping the
Stack and its associated resources. Must be enabled in Terraform state before destroy operation to take e ect. You
cannot reassociate a retained Stack or add an existing, saved Stack to a new Stack Set. Defaults to false .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

id - Stack Set name, target AWS account ID, and target AWS region separated by commas ( , )

stack_id - Stack identi er

Timeouts
aws_cloudformation_stack_set_instance provides the following Timeouts
(/docs/con guration/resources.html#timeouts) con guration options:

create - (Default 30m ) How long to wait for a Stack to be created.

update - (Default 30m ) How long to wait for a Stack to be updated.

delete - (Default 30m ) How long to wait for a Stack to be deleted.

Import
CloudFormation Stack Set Instances can be imported using the Stack Set name, target AWS account ID, and target AWS
region separated by commas ( , ) e.g.

$ terraform import aws_cloudformation_stack_set_instance.example example,123456789012,us-east-1

Resource: aws_cloudfront_distribution
Creates an Amazon CloudFront web distribution.

For information about CloudFront distributions, see the Amazon CloudFront Developer Guide
(http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html). For speci c information about creating
CloudFront web distributions, see the POST Distribution
(https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html) page in the Amazon CloudFront API
Reference.

NOTE: CloudFront distributions take about 15 minutes to a deployed state after creation or modi cation. During this time, deletes to
resources will be blocked. If you need to delete a distribution that is enabled and you do not want to wait, you need to use the
retain_on_delete ag.

Example Usage
The following example below creates a CloudFront distribution with an S3 origin.

resource "aws_s3_bucket" "b" {

bucket = "mybucket"
acl = "private"

tags = {
Name = "My bucket"
}
}

locals {
s3_origin_id = "myS3Origin"
}

resource "aws_cloudfront_distribution" "s3_distribution" {

origin {
domain_name = "${aws_s3_bucket.b.bucket_regional_domain_name}"
origin_id = "${local.s3_origin_id}"

s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}

enabled = true
is_ipv6_enabled = true
comment = "Some comment"
default_root_object = "index.html"

logging_config {
include_cookies = false
bucket = "mylogs.s3.amazonaws.com"
prefix = "myprefix"
}

aliases = ["mysite.example.com", "yoursite.example.com"]

default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "${local.s3_origin_id}"
forwarded_values {
query_string = false

cookies {
forward = "none"
}
}

viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}

ordered_cache_behavior {
path_pattern = "/content/immutable/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "${local.s3_origin_id}"

forwarded_values {
query_string = false
headers = ["Origin"]

cookies {
forward = "none"
}
}

min_ttl = 0
default_ttl = 86400
max_ttl = 31536000
compress = true
viewer_protocol_policy = "redirect-to-https"
}

ordered_cache_behavior {
path_pattern = "/content/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "${local.s3_origin_id}"

forwarded_values {
query_string = false

cookies {
forward = "none"
}
}

min_ttl = 0
default_ttl = 3600
max_ttl = 86400
compress = true
viewer_protocol_policy = "redirect-to-https"
}

price_class = "PriceClass_200"

restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
locations = ["US", "CA", "GB", "DE"]
}
}

tags = {
Environment = "production"
}

viewer_certificate {
cloudfront_default_certificate = true
}
}

The following example below creates a Cloudfront distribution with an origin group for failover routing:

resource "aws_cloudfront_distribution" "s3_distribution" {

origin_group {
origin_id = "groupS3"

failover_criteria {
status_codes = [403, 404, 500, 502]
}

member {
origin_id = "primaryS3"
}

member {
origin_id = "failoverS3"
}
}

origin {
domain_name = "${aws_s3_bucket.primary.bucket_regional_domain_name}"
origin_id = "primaryS3"

s3_origin_config {
origin_access_identity = "${aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path}"
}
}

origin {
domain_name = "${aws_s3_bucket.failover.bucket_regional_domain_name}"
origin_id = "failoverS3"

s3_origin_config {
origin_access_identity = "${aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path}"
}
}

default_cache_behavior {

target_origin_id = "groupS3"
}

Argument Reference
The CloudFront distribution argument layout is a complex structure composed of several sub-resources - these resources are laid out
below.

Top-Level Arguments
aliases (Optional) - Extra CNAMEs (alternate domain names), if any, for this distribution.

comment (Optional) - Any comments you want to include about the distribution.

custom_error_response (Optional) - One or more custom error response elements (multiples allowed).

default_cache_behavior (Required) - The default cache behavior for this distribution (maximum one).

default_root_object (Optional) - The object that you want CloudFront to return (for example, index.html) when an end user
requests the root URL.

enabled (Required) - Whether the distribution is enabled to accept end user requests for content.

is_ipv6_enabled (Optional) - Whether the IPv6 is enabled for the distribution.

http_version (Optional) - The maximum HTTP version to support on the distribution. Allowed values are http1.1 and http2 .
The default is http2 .

logging_config (Optional) - The logging con guration that controls how logs are written to your distribution (maximum one).

ordered_cache_behavior (Optional) - An ordered list of cache behaviors resource for this distribution. List from top to bottom in
order of precedence. The topmost cache behavior will have precedence 0.

origin (Required) - One or more origins for this distribution (multiples allowed).

origin_group (Optional) - One or more origin_group for this distribution (multiples allowed).

price_class (Optional) - The price class for this distribution. One of PriceClass_All , PriceClass_200 , PriceClass_100

restrictions (Required) - The restriction con guration for this distribution (maximum one).

tags - (Optional) A mapping of tags to assign to the resource.

viewer_certificate (Required) - The SSL con guration for this distribution (maximum one).

web_acl_id (Optional) - If you're using AWS WAF to lter CloudFront requests, the Id of the AWS WAF web ACL that is associated
with the distribution. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials con guring this
argument must have waf:GetWebACL permissions assigned.

retain_on_delete (Optional) - Disables the distribution instead of deleting it when destroying the resource through Terraform. If
this is set, the distribution needs to be deleted manually afterwards. Default: false .

wait_for_deployment (Optional) - If enabled, the resource will wait for the distribution status to change from InProgress to
Deployed . Setting this to false will skip the process. Default: true .

Cache Behavior Arguments

allowed_methods (Required) - Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or
your custom origin.

cached_methods (Required) - Controls whether CloudFront caches the response to requests using the speci ed HTTP methods.

compress (Optional) - Whether you want CloudFront to automatically compress content for web requests that include Accept-
Encoding: gzip in the request header (default: false ).

default_ttl (Optional) - The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront
forwards another request in the absence of an Cache-Control max-age or Expires header. Defaults to 1 day.
field_level_encryption_id (Optional) - Field level encryption con guration ID

forwarded_values (Required) - The forwarded values con guration that speci es how CloudFront handles query strings, cookies
and headers (maximum one).

lambda_function_association (Optional) - A con g block that triggers a lambda function with speci c actions. De ned below,
maximum 4.

max_ttl (Optional) - The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront
forwards another request to your origin to determine whether the object has been updated. Only e ective in the presence of
Cache-Control max-age , Cache-Control s-maxage , and Expires headers. Defaults to 365 days.

min_ttl (Optional) - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries
your origin to see whether the object has been updated. Defaults to 0 seconds.

path_pattern (Required) - The pattern (for example, images/*.jpg) that speci es which requests you want this cache behavior
to apply to.

smooth_streaming (Optional) - Indicates whether you want to distribute media les in Microsoft Smooth Streaming format using
the origin that is associated with this cache behavior.

target_origin_id (Required) - The value of ID for the origin that you want CloudFront to route requests to when a request
matches the path pattern either for a cache behavior or for the default cache behavior.

trusted_signers (Optional) - The AWS accounts, if any, that you want to allow to create signed URLs for private content.

viewer_protocol_policy (Required) - Use this element to specify the protocol that users can use to access the les in the origin
speci ed by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all , https-only , or
redirect-to-https .

Forwarded Values Arguments

cookies (Required) - The forwarded values cookies that speci es how CloudFront handles cookies (maximum one).

headers (Optional) - Speci es the Headers, if any, that you want CloudFront to vary upon for this cache behavior. Specify * to
include all headers.

query_string (Required) - Indicates whether you want CloudFront to forward query strings to the origin that is associated with
this cache behavior.

query_string_cache_keys (Optional) - When speci ed, along with a value of true for query_string , all query strings are
forwarded, however only the query string keys listed in this argument are cached. When omitted with a value of true for
query_string , all query string keys are cached.

Lambda Function Association

Lambda@Edge allows you to associate an AWS Lambda Function with a prede ned event. You can associate a single function per event
type. See What is Lambda@Edge (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/what-is-lambda-at-edge.html)
for more information.

Example con guration:

resource "aws_cloudfront_distribution" "example" {

ordered_cache_behavior {

lambda_function_association {
event_type = "viewer-request"
lambda_arn = "${aws_lambda_function.example.qualified_arn}"
include_body = false
}
}
}

event_type (Required) - The speci c event to trigger this function. Valid values: viewer-request , origin-request , viewer-
response , origin-response

lambda_arn (Required) - ARN of the Lambda function.

include_body (Optional) - When set to true it exposes the request body to the lambda function. Defaults to false. Valid values:
true , false .

Cookies Arguments

forward (Required) - Speci es whether you want CloudFront to forward cookies to the origin that is associated with this cache
behavior. You can specify all , none or whitelist . If whitelist , you must include the subsequent whitelisted_names

whitelisted_names (Optional) - If you have speci ed whitelist to forward , the whitelisted cookies that you want CloudFront
to forward to your origin.

Custom Error Response Arguments

error_caching_min_ttl (Optional) - The minimum amount of time you want HTTP error codes to stay in CloudFront caches
before CloudFront queries your origin to see whether the object has been updated.

error_code (Required) - The 4xx or 5xx HTTP status code that you want to customize.

response_code (Optional) - The HTTP status code that you want CloudFront to return with the custom error page to the viewer.

response_page_path (Optional) - The path of the custom error page (for example, /custom_404.html ).

Default Cache Behavior Arguments

The arguments for default_cache_behavior are the same as for ordered_cache_behavior , except for the path_pattern argument
is not required.

Logging Con g Arguments

bucket (Required) - The Amazon S3 bucket to store the access logs in, for example, myawslogbucket.s3.amazonaws.com .

include_cookies (Optional) - Speci es whether you want CloudFront to include cookies in access logs (default: false ).

prefix (Optional) - An optional string that you want CloudFront to pre x to the access log lenames for this distribution, for
example, myprefix/ .

Origin Arguments
custom_origin_config - The CloudFront custom origin con guration information. If an S3 origin is required, use
s3_origin_config instead.

domain_name (Required) - The DNS domain name of either the S3 bucket, or web site of your custom origin.

custom_header (Optional) - One or more sub-resources with name and value parameters that specify header data that will be
sent to the origin (multiples allowed).

origin_id (Required) - A unique identi er for the origin.

origin_path (Optional) - An optional element that causes CloudFront to request your content from a directory in your Amazon S3
bucket or your custom origin.

s3_origin_config - The CloudFront S3 origin con guration information. If a custom origin is required, use
custom_origin_config instead.

Custom Origin Con g Arguments

http_port (Required) - The HTTP port the custom origin listens on.

https_port (Required) - The HTTPS port the custom origin listens on.

origin_protocol_policy (Required) - The origin protocol policy to apply to your origin. One of http-only , https-only , or
match-viewer .

origin_ssl_protocols (Required) - The SSL/TLS protocols that you want CloudFront to use when communicating with your
origin over HTTPS. A list of one or more of SSLv3 , TLSv1 , TLSv1.1 , and TLSv1.2 .

origin_keepalive_timeout - (Optional) The Custom KeepAlive timeout, in seconds. By default, AWS enforces a limit of 60 . But
you can request an increase
(http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-
custom-request-timeout).

origin_read_timeout - (Optional) The Custom Read timeout, in seconds. By default, AWS enforces a limit of 60 . But you can
request an increase
(http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-
custom-request-timeout).

S3 Origin Con g Arguments

origin_access_identity (Optional) - The CloudFront origin access identity

(/docs/providers/aws/r/cloudfront_origin_access_identity.html) to associate with the origin.

Origin Group Arguments

origin_id (Required) - A unique identi er for the origin group.

failover_criteria (Required) - The failover criteria for when to failover to the secondary origin

member (Required) - Ordered member con guration blocks assigned to the origin group, where the rst member is the primary
origin. Minimum 2.

Failover Criteria Arguments

status_codes (Required) - A list of HTTP status codes for the origin group

Member Arguments

origin_id (Required) - The unique identi er of the member origin

Restrictions Arguments

The restrictions sub-resource takes another single sub-resource named geo_restriction (see the example for usage).
The arguments of geo_restriction are:

locations (Optional) - The ISO 3166-1-alpha-2 codes

(http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm) for which you want
CloudFront either to distribute your content ( whitelist ) or not distribute your content ( blacklist ).

restriction_type (Required) - The method that you want to use to restrict distribution of your content by country: none ,
whitelist , or blacklist .

Viewer Certi cate Arguments

acm_certificate_arn - The ARN of the AWS Certi cate Manager (https://aws.amazon.com/certi cate-manager/) certi cate that
you wish to use with this distribution. Specify this, cloudfront_default_certificate , or iam_certificate_id . The ACM
certi cate must be in US-EAST-1.

cloudfront_default_certificate - true if you want viewers to use HTTPS to request your objects and you're using the
CloudFront domain name for your distribution. Specify this, acm_certificate_arn , or iam_certificate_id .

iam_certificate_id - The IAM certi cate identi er of the custom viewer certi cate for this distribution if you are using a custom
domain. Specify this, acm_certificate_arn , or cloudfront_default_certificate .

minimum_protocol_version - The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
One of SSLv3 , TLSv1 , TLSv1_2016 , TLSv1.1_2016 or TLSv1.2_2018 . Default: TLSv1 . NOTE: If you are using a custom
certi cate (speci ed with acm_certificate_arn or iam_certificate_id ), and have speci ed sni-only in
ssl_support_method , TLSv1 or later must be speci ed. If you have speci ed vip in ssl_support_method , only SSLv3 or
TLSv1 can be speci ed. If you have speci ed cloudfront_default_certificate , TLSv1 must be speci ed.

ssl_support_method : Speci es how you want CloudFront to serve HTTPS requests. One of vip or sni-only . Required if you
specify acm_certificate_arn or iam_certificate_id . NOTE: vip causes CloudFront to use a dedicated IP address and may
incur extra charges.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The identi er for the distribution. For example: EDFDVBD632BHDS5 .

arn - The ARN (Amazon Resource Name) for the distribution. For example:
arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.

caller_reference - Internal value used by CloudFront to allow future updates to the distribution con guration.

status - The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the
Amazon CloudFront system.

active_trusted_signers - The key pair IDs that CloudFront is aware of for each trusted signer, if the distribution is set up to
serve private content with signed URLs.

domain_name - The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net .

last_modified_time - The date and time the distribution was last modi ed.

in_progress_validation_batches - The number of invalidation batches currently in progress.

etag - The current version of the distribution's information. For example: E2QWRUHAPOMQZL .
hosted_zone_id - The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set
(http://docs.aws.amazon.com/Route53/latest/APIReference/CreateAliasRRSAPI.html) to. This attribute is simply an alias for the zone
ID Z2FDTNDATAQYW2 .

Import
Cloudfront Distributions can be imported using the id , e.g.

$ terraform import aws_cloudfront_distribution.distribution E74FTE3EXAMPLE

Resource: aws_cloudfront_origin_access_identity
Creates an Amazon CloudFront origin access identity.

For information about CloudFront distributions, see the Amazon CloudFront Developer Guide
(http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html). For more information on
generating origin access identities, see Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content
(http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html).

Example Usage
The following example below creates a CloudFront origin access identity.

resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {

comment = "Some comment"
}

Argument Reference
comment (Optional) - An optional comment for the origin access identity.

Attribute Reference
In addition to all arguments above, the following attributes are exported:

id - The identi er for the distribution. For example: EDFDVBD632BHDS5 .

caller_reference - Internal value used by CloudFront to allow future updates to the origin access identity.

cloudfront_access_identity_path - A shortcut to the full path for the origin access identity to use in CloudFront,
see below.

etag - The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL .

iam_arn - A pre-generated ARN for use in S3 bucket policies (see below). Example:
arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2QWRUHAPOMQZL .

s3_canonical_user_id - The Amazon S3 canonical user ID for the origin access identity, which you use when giving
the origin access identity read permission to an object in Amazon S3.

Using With CloudFront

Normally, when referencing an origin access identity in CloudFront, you need to pre x the ID with the origin-access-
identity/cloudfront/ special path. The cloudfront_access_identity_path allows this to be circumvented. The below
snippet demonstrates use with the s3_origin_config structure for the aws_cloudfront_distribution
(/docs/providers/aws/r/cloudfront_distribution.html) resource:

s3_origin_config {
origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_acc
ess_identity_path}"
}

Updating your bucket policy

Note that the AWS API may translate the s3_canonical_user_id CanonicalUser principal into an AWS IAM ARN principal
when supplied in an aws_s3_bucket (/docs/providers/aws/r/s3_bucket.html) bucket policy, causing spurious di s in
Terraform. If you see this behaviour, use the iam_arn instead:

data "aws_iam_policy_document" "s3_policy" {

statement {
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.example.arn}/*"]

principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}

statement {
actions = ["s3:ListBucket"]
resources = ["${aws_s3_bucket.example.arn}"]

principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}
}

resource "aws_s3_bucket_policy" "example" {

bucket = "${aws_s3_bucket.example.id}"
policy = "${data.aws_iam_policy_document.s3_policy.json}"
}

Import
Cloudfront Origin Access Identities can be imported using the id , e.g.

$ terraform import aws_cloudfront_origin_access_identity.origin_access E74FTE3AEXAMPLE

Resource: aws_cloudfront_public_key

Example Usage
The following example below creates a CloudFront public key.

resource "aws_cloudfront_public_key" "example" {

comment = "test public key"
encoded_key = "${file("public_key.pem
pem")}"
name = "test_key"
}

Argument Reference
The following arguments are supported:

comment - (Optional) An optional comment about the public key.

encoded_key - (Required) The encoded public key that you want to add to CloudFront to use with features like eld-
level encryption.

name - (Optional) The name for the public key. By default generated by Terraform.

name_prefix - (Optional) The name for the public key. Con icts with name .

Attributes Reference
In addition to all arguments above, the following attributes are exported:

caller_reference - Internal value used by CloudFront to allow future updates to the public key con guration.

etag - The current version of the public key. For example: E2QWRUHAPOMQZL .

id - The identi er for the public key. For example: K3D5EWEUDCCXON .

Resource: aws_cloudhsm_v2_cluster
Creates an Amazon CloudHSM v2 cluster.

For information about CloudHSM v2, see the AWS CloudHSM User Guide
(https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html) and the Amazon CloudHSM API Reference
(https://docs.aws.amazon.com/cloudhsm/latest/APIReference/Welcome.html).

NOTE: CloudHSM can take up to several minutes to be set up. Practically no single attribute can be updated except
TAGS. If you need to delete a cluster, you have to remove its HSM modules rst. To initialize cluster, you have to add an
hsm instance to the cluster then sign CSR and upload it.

Example Usage
The following example below creates a CloudHSM cluster.

provider "aws" {
region = "${var.aws_region}"
}

data "aws_availability_zones" "available" {}

resource "aws_vpc" "cloudhsm2_vpc" {

cidr_block = "10.0.0.0/16"

tags = {
Name = "example-aws_cloudhsm_v2_cluster"
}
}

resource "aws_subnet" "cloudhsm2_subnets" {

count = 2
vpc_id = "${aws_vpc.cloudhsm2_vpc.id}"
cidr_block = "${element(var.subnets, count.index)}"
map_public_ip_on_launch = false
availability_zone = "${element(data.aws_availability_zones.available.names, count.index)}"

tags = {
Name = "example-aws_cloudhsm_v2_cluster"
}
}

resource "aws_cloudhsm_v2_cluster" "cloudhsm_v2_cluster" {

hsm_type = "hsm1.medium"
subnet_ids = ["${aws_subnet.cloudhsm2_subnets.*.id}"]

tags = {
Name = "example-aws_cloudhsm_v2_cluster"
}
}
Argument Reference
The following arguments are supported:

source_backup_identifier - (Optional) The id of Cloud HSM v2 cluster backup to be restored.

hsm_type - (Required) The type of HSM module in the cluster. Currently, only hsm1.medium is supported.

subnet_ids - (Required) The IDs of subnets in which cluster will operate.

tags - (Optional) A mapping of tags to assign to the resource.

Attributes Reference
The following attributes are exported:

cluster_id - The id of the CloudHSM cluster.

cluster_state - The state of the cluster.

vpc_id - The id of the VPC that the CloudHSM cluster resides in.

security_group_id - The ID of the security group associated with the CloudHSM cluster.

cluster_certificates - The list of cluster certi cates.

cluster_certificates.0.cluster_certificate - The cluster certi cate issued (signed) by the issuing
certi cate authority (CA) of the cluster's owner.

cluster_certificates.0.cluster_csr - The certi cate signing request (CSR). Available only in UNINITIALIZED
state after an hsm instance is added to the cluster.

cluster_certificates.0.aws_hardware_certificate - The HSM hardware certi cate issued (signed) by AWS

CloudHSM.

cluster_certificates.0.hsm_certificate - The HSM certi cate issued (signed) by the HSM hardware.

cluster_certificates.0.manufacturer_hardware_certificate - The HSM hardware certi cate issued

(signed) by the hardware manufacturer.
Resource: aws_cloudhsm_v2_hsm
Creates an HSM module in Amazon CloudHSM v2 cluster.

Example Usage
The following example below creates an HSM module in CloudHSM cluster.

data "aws_cloudhsm_v2_cluster" "cluster" {

cluster_id = "${var.cloudhsm_cluster_id}"
}

resource "aws_cloudhsm_v2_hsm" "cloudhsm_v2_hsm" {

subnet_id = "${data.aws_cloudhsm_v2_cluster.cluster.subnet_ids[0]}"
cluster_id = "${data.aws_cloudhsm_v2_cluster.cluster.cluster_id}"
}

Argument Reference
The following arguments are supported:

cluster_id - (Required) The ID of Cloud HSM v2 cluster to which HSM will be added.

subnet_id - (Optional) The ID of subnet in which HSM module will be located.

availability_zone - (Optional) The IDs of AZ in which HSM module will be located. Do not use together with
subnet_id.

ip_address - (Optional) The IP address of HSM module. Must be within the CIDR of selected subnet.

Attributes Reference
The following attributes are exported:

hsm_id - The id of the HSM module.

hsm_state - The state of the HSM module.

hsm_eni_id - The id of the ENI interface allocated for HSM module.

Resource: aws_cloudtrail
Provides a CloudTrail resource.

NOTE: For a multi-region trail, this resource must be in the home region of the trail.

NOTE: For an organization trail, this resource must be in the master account of the organization.

Example Usage

Basic
Enable CloudTrail to capture all compatible management events in region. For capturing events from services like IAM,
include_global_service_events must be enabled.
data "aws_caller_identity" "current" {}

resource "aws_cloudtrail" "foobar" {

name = "tf-trail-foobar"
s3_bucket_name = "${aws_s3_bucket.foo.id}"
s3_key_prefix = "prefix"
include_global_service_events = false
}

resource "aws_s3_bucket" "foo" {

bucket = "tf-test-trail"
force_destroy = true

policy = <<POLICY
<<
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-test-trail"
},
{
"Sid": "AWSCloudTrailWrite",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-test-trail/prefix/AWSLogs/${data.aws_caller_identity.current.acc
ount_id}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
POLICY
}

Data Event Logging

CloudTrail can log Data Events (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-
data-events-with-cloudtrail.html#logging-data-events) for certain services such as S3 bucket objects and Lambda function
invocations. Additional information about data event con guration can be found in the CloudTrail API DataResource
documentation (https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DataResource.html).
Logging All Lambda Function Invocations

resource "aws_cloudtrail" "example" {

event_selector {
read_write_type = "All"
include_management_events = true

data_resource {
type = "AWS::Lambda::Function"
values = ["arn:aws:lambda"]
}
}
}

Logging All S3 Bucket Object Events

resource "aws_cloudtrail" "example" {

event_selector {
read_write_type = "All"