Landing Zone Accelerator on AWS - Customizations Config
Used to manage configuration of custom applications, third-party firewall appliances, and CloudFormation stacks
| Type | ICustomizationsConfig |
|---|---|
| File match | customizations-config.yaml |
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-customizations-config/latest.json |
| Source | https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/customizations-config.json |
Validate with Lintel:
`npx @lintel/lintel check`
Definitions
Application Load Balancer attributes config.
Enable or disable deletion protection.
Indicates whether HTTP/2 is enabled. The possible values are true and false. The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.
The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.
Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). The default is false.
Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false. The default is false.
Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are true and false. The default is false.
Application Load Balancer listener config. Currently only the action types forward, redirect and fixed-response are allowed.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Port of the Application Load Balancer listener.
Application load balancer listener fixed response config
It returns a custom HTTP response.
Applicable only when the type of the listener (ApplicationLoadBalancerListenerConfig) is fixed-response.
3 nested properties
Application Load Balancer listener forward config. Used to define the forward action.
Applicable only when the type of the listener (ApplicationLoadBalancerListenerConfig) is forward.
1 nested property
Application Load Balancer listener forward config target group stickiness config.
Applicable only when the type of the listener (ApplicationLoadBalancerListenerConfig) is forward.
2 nested properties
The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).
Indicates whether target group stickiness is enabled.
The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first.
Application Load Balancer listener redirect config. Used to define the redirect action.
Applicable only when the type of the listener (ApplicationLoadBalancerListenerConfig) is redirect.
6 nested properties
Application configuration. Used to define two-tier application configurations for the accelerator.
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
4 nested properties
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
Used to define Application Load Balancer configurations for the accelerator.
7 nested properties
Security Groups to attach to the Application Load Balancer.
Subnets to launch the Application Load Balancer in.
Application Load Balancer attributes config.
9 nested properties
Enable or disable deletion protection.
Indicates whether HTTP/2 is enabled. The possible values are true and false. The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.
The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.
Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). The default is false.
Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false. The default is false.
Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are true and false. The default is false.
Listeners for Application Load Balancer.
Resource Access Manager (RAM) Share Targets Interface
Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.
Key Features
- Cross-Account Sharing: Share resources across multiple AWS accounts
- OU-Level Sharing: Share with entire organizational units at once
- Centralized Management: Manage shared resources from a central account
- Cost Optimization: Avoid resource duplication across accounts
- Security: Maintain resource ownership while enabling controlled access
Example
```yaml
shareTargets:
  organizationalUnits:
    - Root
```
Learn more about AWS Resource Access Manager.
2 nested properties
Target Accounts (Optional)
List of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.
Organizational Units (Optional)
List of organizational unit names that should receive access to the shared resource. When specified, all accounts within these OUs will be able to consume the shared resource.
Autoscaling group configuration for the application.
10 nested properties
The desired capacity is the initial capacity of the Auto Scaling group at the time of its creation and the capacity it attempts to maintain. It can scale beyond this capacity if you configure auto scaling. This number must be greater than or equal to the minimum size of the group and less than or equal to the maximum size of the group.
The maximum size of the group.
The minimum size of the group.
List of subnet names for a virtual private cloud (VPC) where instances in the Auto Scaling group can be created. These subnets should be created under the VPC in network-config.yaml.
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service and marking it unhealthy due to a failed Elastic Load Balancing or custom health check. This is useful if your instances do not immediately pass these health checks after they enter the InService state. Defaults to 0 if unspecified.
The maximum instance lifetime specifies the maximum amount of time (in seconds) that an instance can be in service before it is terminated and replaced. A common use case might be a requirement to replace your instances on a schedule because of internal security policies or external compliance controls. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, specify a new value of 0. This setting applies to all current and future instances in your Auto Scaling group.
Target group name array to associate with the Auto Scaling group. These names are from the target groups (TargetGroupItemConfig) set in the application. Instances are registered as targets with the target groups. The target groups receive incoming traffic and route requests to one or more registered targets.
Configure a launch template for the application.
10 nested properties
The block device mapping.
By default, IMDSv2 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is enabled. Disable it by setting this to false.
One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
One or more security group names. These should be created under the VPC in network-config.yaml.
Network Load Balancer configuration.
6 nested properties
Subnets to launch the Network Load Balancer in.
Cross Zone load balancing for Network Load Balancer.
Deletion protection for Network Load Balancer.
Listeners for Network Load Balancer.
Target groups for the application.
The parameters for a block device mapping in a launch template.
The parameters for a block device for an EBS volume.
8 nested properties
Indicates whether the EBS volume is deleted on instance termination.
Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you can't specify an encryption value. If encrypted is true and kmsKeyId is not provided, then the accelerator checks for the default EBS encryption configuration (EbsDefaultVolumeEncryptionConfig) in the config.
The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, this represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. This parameter is supported for io1, io2, and gp3 volumes only. This parameter is not supported for gp2, st1, sc1, or standard volumes.
The throughput to provision for a gp3 volume, with a maximum of 1,000 MiB/s. Valid Range: Minimum value of 125. Maximum value of 1000.
The size of the volume, in GiB. You must specify either a snapshot ID or a volume size. The following are the supported volume sizes for each volume type:
- gp2 and gp3: 1-16,384
- io1 and io2: 4-16,384
- st1 and sc1: 125-16,384
- standard: 1-1,024
CloudFormation Parameter Interface
Interface for AWS CloudFormation template parameters that can be passed to CloudFormation stacks during deployment. Parameters allow customization of stack resources without modifying the template.
Key Features
- Template Customization: Modify stack behavior without changing templates
- Environment Flexibility: Use different values across environments
- Reusability: Make templates reusable across different contexts
- Security: Pass sensitive values securely to stacks
Example
```yaml
parameters:
  - name: InstanceType
    value: t3.micro
  - name: Environment
    value: Production
```
Learn more about CloudFormation Parameters.
Parameter Name (Required)
The name of the CloudFormation parameter as defined in the template. Must match exactly with the parameter name in the CloudFormation template.
Parameter Value (Required)
The value to pass to the CloudFormation parameter during stack deployment. The value must be compatible with the parameter type defined in the template.
Defines a custom CloudFormation Stack to be deployed to the environment.
Deployment Targets Interface
The deploymentTargets of the stack use the Deployment Targets Interface defined above (target accounts, excluded accounts, excluded regions and organizational units).
A list of AWS regions to deploy the stack to.
The order to deploy the stack relative to the other stacks. Must be a positive integer. To deploy stacks in parallel, set runOrder of each stack to 1.
This determines whether to enable termination protection for the stack.
The parameters to pass to the stack.
Defines a custom CloudFormation StackSet to be deployed to the environment.
Deployment Targets Interface
The deploymentTargets of the StackSet use the Deployment Targets Interface defined above (target accounts, excluded accounts, excluded regions and organizational units).
A list of regions to deploy the stackset.
The Amazon Resource Name (ARN) of the IAM role to use when creating this stack set. This field is optional. If specified, it allows you to set a custom IAM role for stack set operations. If left blank, the default permissions associated with your account will be used.
The CloudFormation capabilities enabled to deploy the stackset.
The other StackSets this StackSet depends on. For stackset names you define here, a CloudFormation DependsOn attribute will be added between the resources. Please note this does not guarantee the deployment order of the stack instances within the StackSet.
The name of the IAM execution role to use when creating the stack set. This field is optional. If provided, it allows you to specify a custom execution role for stack set operations. If omitted, the default execution role associated with your account will be used.
CloudFormation StackSet Operation Preferences Interface
Configuration interface for AWS CloudFormation StackSet operation preferences. These preferences control how StackSet operations are executed across multiple accounts and regions, including failure tolerance and concurrency settings.
Key Features
- Failure Tolerance: Control how many failures are acceptable during deployment
- Concurrency Control: Manage how many operations run simultaneously
- Regional Ordering: Specify the order of region deployments
- Parallel Execution: Configure parallel vs sequential deployment patterns
Example
```yaml
operationPreferences:
  failureTolerancePercentage: 10
  maxConcurrentPercentage: 50
  regionConcurrencyType: PARALLEL
  regionOrder:
    - us-east-1
    - us-west-2
```
Learn more about StackSet Operation Preferences.
6 nested properties
Failure Tolerance Count (Optional)
The absolute number of accounts in which stack operations can fail before the operation is stopped. Cannot be used with failureTolerancePercentage.
Failure Tolerance Percentage (Optional)
The percentage of accounts in which stack operations can fail before the operation is stopped. Cannot be used with failureToleranceCount.
Maximum Concurrent Count (Optional)
The absolute maximum number of accounts in which stack operations can be performed concurrently. Cannot be used with maxConcurrentPercentage.
Maximum Concurrent Percentage (Optional)
The maximum percentage of accounts in which stack operations can be performed concurrently. Cannot be used with maxConcurrentCount.
Region Concurrency Type (Optional)
Whether StackSet operations across regions run one region at a time or in parallel. Valid values are SEQUENTIAL and PARALLEL.
Region Order (Optional)
The order of the regions where you want to perform the stack operation. Only applies when regionConcurrencyType is SEQUENTIAL.
The parameters to be passed to the stackset.
Defines CloudFormation Stacks and StackSets to be deployed to the environment. This feature supports the deployment of customer-provided CloudFormation templates to AWS accounts and/or organizational units. These deployments can leverage independent CloudFormation stacks or CloudFormation StackSets depending on the customer's deployment preference.
Defines custom CloudFormation and external web and application tier resources. We recommend creating resources with native LZA features where possible.
Defines whether or not the StackSetExecution role is created in all workload accounts and if the StackSetAdmin role is created in the management account. If you are using stacksets and set the value to false, you will need to ensure that the roles are created.
Default value is true.
3 nested properties
EC2 firewall configuration. Used to define EC2-based firewall and management appliances
4 nested properties
Define EC2-based firewall instances in autoscaling groups
Define EC2-based firewall standalone instances
Define EC2-based firewall management instances
Define target groups for EC2-based firewalls
Deployment Targets Interface
Defines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.
Key Features
- Account-level targeting: Deploy to specific AWS accounts
- OU-level targeting: Deploy to all accounts within organizational units
- Regional exclusions: Skip specific AWS regions for compliance or cost optimization
- Account exclusions: Exclude specific accounts from broader deployments
Example
```yaml
deploymentTargets:
  organizationalUnits:
    - Production
    - Development
  excludedAccounts:
    - Management
  excludedRegions:
    - us-west-1
```
Target Accounts (Optional)
List of specific account names where resources should be deployed. Use for precise account-level targeting.
Excluded Accounts (Optional)
List of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.
Excluded Regions (Optional)
List of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.
Organizational Units (Optional)
List of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.
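As an added example (not code from the LZA project), the Python below resolves a cloudFormationStackSets entry's deploymentTargets the way the Deployment Targets section describes (excluded accounts win over OU and account inclusions, excluded regions are dropped) and checks the rules from the StackSet Operation Preferences section: each count/percentage pair is mutually exclusive and regionOrder only applies with SEQUENTIAL. The OU-to-account map and the two stackset entries are constructed sample data standing in for parsed accounts-config.yaml and customizations-config.yaml.

```python
"""Added example (not LZA project code): resolve a cloudFormationStackSets entry's
deploymentTargets and validate its operationPreferences against the rules above."""
import copy

# Constructed assumption: which accounts belong to which OU. In a real run this
# comes from accounts-config.yaml; the names here are sample data.
OU_ACCOUNTS = {
    "Production": ["Prod-App", "Prod-Data"],
    "Development": ["Dev-App"],
    "Infrastructure": ["Network", "SharedServices"],
}

# Constructed stackset entry, shaped like the YAML examples above after parsing.
GOOD_STACKSET = {
    "name": "baseline-roles",
    "regions": ["us-east-1", "us-west-2", "eu-west-1"],
    "deploymentTargets": {
        "organizationalUnits": ["Production", "Development"],
        "accounts": ["Network"],
        "excludedAccounts": ["Prod-Data"],
        "excludedRegions": ["eu-west-1"],
    },
    "operationPreferences": {
        "failureTolerancePercentage": 10,
        "maxConcurrentPercentage": 50,
        "regionConcurrencyType": "SEQUENTIAL",
        "regionOrder": ["us-east-1", "us-west-2"],
    },
}

# Same entry with every operationPreferences rule on this page violated.
BAD_STACKSET = copy.deepcopy(GOOD_STACKSET)
BAD_STACKSET["name"] = "broken"
BAD_STACKSET["operationPreferences"] = {
    "failureToleranceCount": 1,
    "failureTolerancePercentage": 10,  # conflicts with failureToleranceCount
    "maxConcurrentCount": 2,
    "maxConcurrentPercentage": 50,     # conflicts with maxConcurrentCount
    "regionConcurrencyType": "PARALLEL",
    "regionOrder": ["us-east-1"],      # only applies to SEQUENTIAL
}


def resolve_accounts(targets, ou_accounts=OU_ACCOUNTS):
    """Accounts a deploymentTargets block selects: OU members plus explicit
    accounts, minus excludedAccounts, which take precedence over both."""
    selected = set()
    for ou in targets.get("organizationalUnits", []):
        selected.update(ou_accounts.get(ou, []))
    selected.update(targets.get("accounts", []))
    selected.difference_update(targets.get("excludedAccounts", []))
    return sorted(selected)


def resolve_regions(stackset):
    """Stackset regions with deploymentTargets.excludedRegions removed."""
    excluded = set(stackset.get("deploymentTargets", {}).get("excludedRegions", []))
    return [r for r in stackset.get("regions", []) if r not in excluded]


def validate_operation_preferences(prefs):
    """Return a list of violations of the operationPreferences rules."""
    errors = []
    for count_key, pct_key in (
        ("failureToleranceCount", "failureTolerancePercentage"),
        ("maxConcurrentCount", "maxConcurrentPercentage"),
    ):
        if count_key in prefs and pct_key in prefs:
            errors.append(f"{count_key} cannot be used with {pct_key}")
    ctype = prefs.get("regionConcurrencyType")
    if ctype is not None and ctype not in ("SEQUENTIAL", "PARALLEL"):
        errors.append(f"regionConcurrencyType must be SEQUENTIAL or PARALLEL, got {ctype!r}")
    if "regionOrder" in prefs and ctype != "SEQUENTIAL":
        errors.append("regionOrder only applies when regionConcurrencyType is SEQUENTIAL")
    return errors


def validate_stackset(stackset, ou_accounts=OU_ACCOUNTS):
    """Combine target resolution and preference checks for one stackset entry."""
    errors = validate_operation_preferences(stackset.get("operationPreferences", {}))
    if not resolve_accounts(stackset.get("deploymentTargets", {}), ou_accounts):
        errors.append("deploymentTargets selects no accounts")
    if not resolve_regions(stackset):
        errors.append("every region is excluded")
    return errors


if __name__ == "__main__":
    for ss in (GOOD_STACKSET, BAD_STACKSET):
        print(ss["name"], resolve_accounts(ss["deploymentTargets"]),
              resolve_regions(ss), validate_stackset(ss) or "OK")
```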
The parameters for a block device for an EBS volume.
Indicates whether the EBS volume is deleted on instance termination.
Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you can't specify an encryption value. If encrypted is true and kmsKeyId is not provided, the accelerator falls back to the default EBS volume encryption settings (EbsDefaultVolumeEncryptionConfig) in the config.
The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, this represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. This parameter is supported for io1, io2, and gp3 volumes only. This parameter is not supported for gp2, st1, sc1, or standard volumes.
The throughput to provision for a gp3 volume, with a maximum of 1,000 MiB/s. Valid Range: Minimum value of 125. Maximum value of 1000.
The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:
- gp2 and gp3: 1-16,384
- io1 and io2: 4-16,384
- st1 and sc1: 125-16,384
- standard: 1-1,024
EC2 firewall autoscaling group configuration. Used to define EC2-based firewall instances to be deployed in an autoscaling group.
```yaml
- name: accelerator-firewall-asg
  autoscaling:
    name: firewall-asg
    maxSize: 4
    minSize: 1
    desiredSize: 2
    launchTemplate: firewall-lt
    healthCheckGracePeriod: 300
    healthCheckType: ELB
    targetGroups:
      - firewall-gwlb-tg
    subnets:
      - firewall-subnet-a
      - firewall-subnet-b
    maxInstanceLifetime: 86400
  launchTemplate:
    name: firewall-lt
    blockDeviceMappings:
      - deviceName: /dev/xvda
        ebs:
          deleteOnTermination: true
          encrypted: true
          volumeSize: 20
    enforceImdsv2: true
    iamInstanceProfile: firewall-profile
    imageId: ami-123xyz
    instanceType: c6i.xlarge
    networkInterfaces:
      - deleteOnTermination: true
        description: Primary interface
        deviceIndex: 0
        groups:
          - firewall-data-sg
      - deleteOnTermination: true
        description: Management interface
        deviceIndex: 1
        groups:
          - firewall-mgmt-sg
    userData: path/to/userdata.txt
  vpc: Network-Inspection
  tags: []
```
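As an added example that is not part of the LZA project, this Python reviews a parsed firewall launchTemplate (the dict mirrors the YAML above) for the settings described on this page that matter on an inspection appliance: enforceImdsv2 left enabled, EBS volumes encrypted (with the default-encryption fallback noted under the EBS block device parameters), every interface carrying a security group, and sourceDestCheck disabled on the interface that forwards traffic. Which deviceIndex values forward traffic and whether a default EBS encryption config exists are assumptions passed in as parameters.

```python
"""Added example (not LZA project code): review a parsed EC2 firewall launchTemplate
for the settings this page describes that matter on an inspection appliance."""
import copy

# Constructed sample mirroring the YAML above; AMI id, names and paths are placeholders.
FIREWALL_LT = {
    "name": "firewall-lt",
    "blockDeviceMappings": [
        {"deviceName": "/dev/xvda",
         "ebs": {"deleteOnTermination": True, "encrypted": True, "volumeSize": 20}},
    ],
    "enforceImdsv2": True,
    "iamInstanceProfile": "firewall-profile",
    "imageId": "ami-123xyz",
    "instanceType": "c6i.xlarge",
    "networkInterfaces": [
        {"deleteOnTermination": True, "description": "Primary interface",
         "deviceIndex": 0, "groups": ["firewall-data-sg"], "sourceDestCheck": False},
        {"deleteOnTermination": True, "description": "Management interface",
         "deviceIndex": 1, "groups": ["firewall-mgmt-sg"]},
    ],
    "userData": "path/to/userdata.txt",
}


def review_launch_template(lt, forwarding_indexes=(0,), default_ebs_encryption=True):
    """Return a list of findings. forwarding_indexes (assumption: which deviceIndex
    values carry inspected traffic) and default_ebs_encryption (assumption: whether
    the global default EBS encryption config exists) are supplied by the caller."""
    findings = []

    # enforceImdsv2 defaults to true; only an explicit false disables it.
    if lt.get("enforceImdsv2") is False:
        findings.append("enforceImdsv2 is false")

    for bdm in lt.get("blockDeviceMappings", []):
        ebs = bdm.get("ebs")
        if ebs is None:
            continue
        dev = bdm.get("deviceName", "<unnamed>")
        if not ebs.get("encrypted"):
            findings.append(f"{dev}: EBS volume not encrypted")
        elif "kmsKeyId" not in ebs and not default_ebs_encryption:
            # encrypted without a key only works if the default EBS encryption config exists
            findings.append(f"{dev}: encrypted without kmsKeyId and no default EBS encryption config")

    seen = set()
    for nic in lt.get("networkInterfaces", []):
        idx = nic.get("deviceIndex")
        if idx in seen:
            findings.append(f"deviceIndex {idx} assigned to more than one interface")
        seen.add(idx)
        if not nic.get("groups"):
            findings.append(f"interface {idx}: no security groups")
        # sourceDestCheck defaults to true and must be disabled on interfaces that forward traffic
        if idx in forwarding_indexes and nic.get("sourceDestCheck", True):
            findings.append(f"interface {idx}: sourceDestCheck is still enabled on a forwarding interface")
    return findings


# Constructed weakened copy: each change trips one check.
WEAK_LT = copy.deepcopy(FIREWALL_LT)
WEAK_LT["enforceImdsv2"] = False
WEAK_LT["blockDeviceMappings"][0]["ebs"]["encrypted"] = False
WEAK_LT["networkInterfaces"][0].pop("sourceDestCheck")
WEAK_LT["networkInterfaces"][1]["groups"] = []

if __name__ == "__main__":
    for name, lt in (("good", FIREWALL_LT), ("weak", WEAK_LT)):
        print(name, review_launch_template(lt) or "OK")
```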
Autoscaling group configuration for the application.
10 nested properties
The desired capacity is the initial capacity of the Auto Scaling group at the time of its creation and the capacity it attempts to maintain. It can scale beyond this capacity if you configure auto scaling. This number must be greater than or equal to the minimum size of the group and less than or equal to the maximum size of the group.
The maximum size of the group.
The minimum size of the group.
List of subnet names for a virtual private cloud (VPC) where instances in the Auto Scaling group can be created. These subnets should be created under the VPC in network-config.yaml.
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service and marking it unhealthy due to a failed Elastic Load Balancing or custom health check. This is useful if your instances do not immediately pass these health checks after they enter the InService state. Defaults to 0 if unspecified.
The maximum instance lifetime specifies the maximum amount of time (in seconds) that an instance can be in service before it is terminated and replaced. A common use case might be a requirement to replace your instances on a schedule because of internal security policies or external compliance controls. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, specify a new value of 0. This setting applies to all current and future instances in your Auto Scaling group.
Target group name array to associate with the Auto Scaling group. These names refer to the target groups (TargetGroupItemConfig) defined in the application. Instances are registered as targets with the target groups. The target groups receive incoming traffic and route requests to one or more registered targets.
Configure a launch template for the application.
10 nested properties
The block device mapping.
By default, IMDSv2 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is enabled. Disable it by setting this to false.
One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
One or more security group names. These should be created under the VPC in network-config.yaml.
(OPTIONAL) Static firewall configuration replacements definition.
(OPTIONAL) An array of tags
EC2 firewall instance configuration. Use to define an array of standalone firewall instances
Configure a launch template for the application.
10 nested properties
The block device mapping.
By default, IMDSv2 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is enabled. Disable it by setting this to false.
One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
One or more security group names. These should be created under the VPC in network-config.yaml.
(OPTIONAL) Specify true to enable detailed monitoring. Otherwise, basic monitoring is enabled.
(OPTIONAL) Static firewall configuration replacements definition.
(OPTIONAL) An array of tags
(OPTIONAL) If you set this parameter to true, you can't terminate the instance using the Amazon EC2 console, CLI, or API.
More information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination
Firewall Static Replacements Config
Configure a launch template for the application.
The block device mapping.
By default, IMDSv2 (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) is enabled. Disable it by setting this to false.
One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
One or more security group names. These should be created under the VPC in network-config.yaml.
The parameters for a network interface.
Associates a Carrier IP address with eth0 for a new network interface. Use this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface.
Associate an elastic IP with the interface
Associates a public IPv4 address with eth0 for a new network interface.
Indicates whether the network interface is deleted when the instance is terminated.
The device index for the network interface attachment.
Security group names to associate with this network interface.
The index of the network card. Some instance types support multiple network cards. The primary network interface must be assigned to network card index 0. The default is network card index 0.
One or more private IPv4 addresses.
The number of secondary private IPv4 addresses to assign to a network interface.
If the value is true, source/destination checks are enabled; otherwise, they are disabled. The default value is true. You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
Network Load Balancer configuration.
Subnets to launch the Network Load Balancer in.
Cross Zone load balancing for Network Load Balancer.
Deletion protection for Network Load Balancer.
Listeners for Network Load Balancer.
Application Load Balancer listener config. Currently only the forward, redirect and fixed-response action types are allowed.
Port where the traffic is directed to.
The codes to use when checking for a successful response from a target. If the protocol version is gRPC, these are gRPC codes. Otherwise, these are HTTP codes.
Portfolio Associations configuration
Indicates whether the principal association should be created in accounts the portfolio is shared with. Verify the IAM principal exists in all accounts the portfolio is shared with before enabling.
Service Catalog Portfolios configuration
The region names to deploy the portfolio.
Configuration of portfolio associations to give access to IAM principals.
Product Configuration
Whether or not to share TagOptions with other account(s)/OU(s)
Resource Access Manager (RAM) Share Targets Interface
Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.
Key Features
- Cross-Account Sharing: Share resources across multiple AWS accounts
- OU-Level Sharing: Share with entire organizational units at once
- Centralized Management: Manage shared resources from a central account
- Cost Optimization: Avoid resource duplication across accounts
- Security: Maintain resource ownership while enabling controlled access
Example
```yaml
shareTargets:
  organizationalUnits:
    - Root
```
Learn more about AWS Resource Access Manager.
2 nested properties
Target Accounts (Optional)
List of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.
Organizational Units (Optional)
List of organizational unit names that should receive access to the shared resource. When specified, all accounts within these OUs will be able to consume the shared resource.
Portfolio TagOptions configuration
Configure a secondary private IPv4 address for a network interface.
Indicates whether the private IPv4 address is the primary private IPv4 address. Only one IPv4 address can be designated as primary.
Service Catalog Products configuration
Product version configuration
Service Catalog Product Constraint configuration. For more information see https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html
3 nested properties
Service Catalog Product Constraint configuration. For more information see https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html
A list of SNS topic names to stream product notifications to
Determines if Service Catalog Tag Update constraint is enabled
Product Support configuration
3 nested properties
Product TagOptions configuration
Service Catalog Product Constraint configuration. For more information see https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html
Service Catalog Product Constraint configuration. For more information see https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html
A list of SNS topic names to stream product notifications to
Determines if Service Catalog Tag Update constraint is enabled
Service Catalog Product Constraint configuration. For more information see https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html
Product Support configuration
Product Versions configuration
AWS Resource Tag Configuration
Defines key-value pairs used for tagging AWS resources. Tags provide metadata for resource organization, cost allocation, access control, and automation.
Key Features
- Resource Organization: Group and categorize resources logically
- Cost Allocation: Track costs by project, department, or environment
- Access Control: Use tags in IAM policies for conditional access
- Automation: Trigger automated actions based on tag values
- Compliance: Meet organizational and regulatory tagging requirements
Example
```yaml
tags:
  - key: Environment
    value: Production
  - key: Project
    value: WebApplication
  - key: Owner
    value: Platform-Team
  - key: CostCenter
    value: Engineering
  - key: Backup
    value: Daily
```
Tag Key (Required)
The tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.
Tag Value (Required)
The tag value that provides the actual metadata content for the tag key. Values should be meaningful and follow organizational standards.
Service Catalog TagOptions configuration.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
An array of values that can be used for the tag key
Set attributes for target group.
The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.
The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.
The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.
Indicates whether client IP preservation is enabled. The value is true or false. The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. The following attribute is supported only by Network Load Balancers.
Indicates whether Proxy Protocol version 2 is enabled. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.
The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.
Indicates whether target stickiness is enabled. The value is true or false. The default is false.
Configure health check for target group.
The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The port the load balancer uses when performing health checks on targets. If the protocol is HTTP, HTTPS, TCP, TLS, UDP, or TCP_UDP, the default is traffic-port, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80.
The amount of time, in seconds, during which no response from a target means a failed health check. The range is 2-120 seconds. For target groups with a protocol of HTTP, the default is 6 seconds. For target groups with a protocol of TCP, TLS or HTTPS, the default is 10 seconds. For target groups with a protocol of GENEVE, the default is 5 seconds.
Target Group Configuration
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The port on which the targets receive traffic.
Set attributes for target group.
The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.
The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.
The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.
Indicates whether client IP preservation is enabled. The value is true or false. The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. The following attribute is supported only by Network Load Balancers.
Indicates whether Proxy Protocol version 2 is enabled. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.
The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.
Indicates whether target stickiness is enabled. The value is true or false. The default is false.
Configure health check for target group.
The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
The port the load balancer uses when performing health checks on targets. If the protocol is HTTP, HTTPS, TCP, TLS, UDP, or TCP_UDP, the default is traffic-port, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80.
The amount of time, in seconds, during which no response from a target means a failed health check. The range is 2-120 seconds. For target groups with a protocol of HTTP, the default is 6 seconds. For target groups with a protocol of TCP, TLS or HTTPS, the default is 10 seconds. For target groups with a protocol of GENEVE, the default is 5 seconds.
Add the ability to target an NLB created by the Landing Zone Accelerator
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Resource Access Manager (RAM) Share Targets Interface
Interface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.
Key Features
- Cross-Account Sharing: Share resources across multiple AWS accounts
- OU-Level Sharing: Share with entire organizational units at once
- Centralized Management: Manage shared resources from a central account
- Cost Optimization: Avoid resource duplication across accounts
- Security: Maintain resource ownership while enabling controlled access
Example
```yaml
shareTargets:
  organizationalUnits:
    - Root
```
Learn more about AWS Resource Access Manager.
Target Accounts (Optional)
List of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.
Organizational Units (Optional)
List of organizational unit names that should receive access to the shared resource. When specified, all accounts within these OUs will be able to consume the shared resource.
Target group targets. These targets should be the friendly names assigned to firewall instances.
Configure health check threshold for target group.
The number of consecutive health check successes required before considering a target healthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 5. For target groups with a protocol of GENEVE, the default is 3.
The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 3.
Add the ability to target an NLB created by the Landing Zone Accelerator
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.
Configure health check threshold for target group.
The number of consecutive health check successes required before considering a target healthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 5. For target groups with a protocol of GENEVE, the default is 3.
The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 3.
Non-Empty String Type
Represents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.