{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://catalog.lintel.tools/schemas/schemastore/landing-zone-accelerator-on-aws-customizations-config/latest.json",
  "x-lintel": {
    "source": "https://raw.githubusercontent.com/awslabs/landing-zone-accelerator-on-aws/main/source/packages/@aws-accelerator/config/lib/schemas/customizations-config.json",
    "sourceSha256": "009632c6afe15dd7ee50ec97ed03a2ff39028524cdc64cfcbcb385c9879a8578",
    "fileMatch": [
      "customizations-config.yaml"
    ],
    "parsers": [
      "yaml"
    ]
  },
  "$ref": "#/$defs/ICustomizationsConfig",
  "$defs": {
    "AlbListenerProtocolEnum": {
      "enum": [
        "HTTP",
        "HTTPS"
      ],
      "type": "string"
    },
    "AlbListenerTypeEnum": {
      "enum": [
        "fixed-response",
        "forward",
        "redirect"
      ],
      "type": "string"
    },
    "AlbRoutingHttpConfigMitigationModeEnum": {
      "enum": [
        "monitor",
        "defensive",
        "strictest"
      ],
      "type": "string"
    },
    "AlbSchemeEnum": {
      "enum": [
        "internet-facing",
        "internal"
      ],
      "type": "string"
    },
    "AlpnPolicyEnum": {
      "enum": [
        "HTTP1Only",
        "HTTP2Only",
        "HTTP2Optional",
        "HTTP2Preferred",
        "None"
      ],
      "type": "string"
    },
    "AutoScalingHealthCheckTypeEnum": {
      "enum": [
        "EC2",
        "ELB"
      ],
      "type": "string"
    },
    "IAlbAttributesConfig": {
      "type": "object",
      "description": "Application Load Balancer attributes config.",
      "properties": {
        "deletionProtection": {
          "description": "Enable or disable deletion protection.",
          "type": "boolean"
        },
        "http2Enabled": {
          "description": "Indicates whether HTTP/2 is enabled. The possible values are true and false. The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.",
          "type": "boolean"
        },
        "idleTimeout": {
          "description": "The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.",
          "type": "number"
        },
        "routingHttpDesyncMitigationMode": {
          "$ref": "#/$defs/AlbRoutingHttpConfigMitigationModeEnum",
          "description": "Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor` , `defensive` , and `strictest` . The default is `defensive`."
        },
        "routingHttpDropInvalidHeader": {
          "description": "Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( true ) or routed to targets ( false ). The default is false.",
          "type": "boolean"
        },
        "routingHttpXAmznTlsCipherEnable": {
          "description": "Indicates whether the two headers ( x-amzn-tls-version and x-amzn-tls-cipher-suite ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false . The default is false.",
          "type": "boolean"
        },
        "routingHttpXffClientPort": {
          "description": "Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false . The default is false.",
          "type": "boolean"
        },
        "routingHttpXffHeaderProcessingMode": {
          "$ref": "#/$defs/RoutingHttpXffHeaderProcessingModeEnum",
          "description": "Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are append, preserve, and remove. The default is append."
        },
        "wafFailOpen": {
          "description": "Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are true and false. The default is false.",
          "type": "boolean"
        }
      },
      "additionalProperties": false
    },
    "IAlbListenerConfig": {
      "type": "object",
      "description": "Application Load Balancer listener config. Currently only action type of `forward`,  `redirect` and `fixed-response` is allowed.",
      "properties": {
        "certificate": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Applies to HTTPS listeners. The default certificate for the listener. You must provide exactly one certificate arn or a certificate name which was created by LZA"
        },
        "fixedResponseConfig": {
          "$ref": "#/$defs/IAlbListenerFixedResponseConfig",
          "description": "Information for creating an action that returns a custom HTTP response. Specify only when type is `fixed-response`."
        },
        "forwardConfig": {
          "$ref": "#/$defs/IAlbListenerForwardConfig",
          "description": "Information for creating an action that distributes requests to targetGroup. Stickiness for targetGroup can be set here."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the application load balancer listener"
        },
        "order": {
          "description": "The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first",
          "type": "number"
        },
        "port": {
          "description": "Port of the application load balancer listener",
          "type": "number"
        },
        "protocol": {
          "$ref": "#/$defs/AlbListenerProtocolEnum",
          "description": "Protocol of the application load balancer listener. The supported protocols are HTTP and HTTPS"
        },
        "redirectConfig": {
          "$ref": "#/$defs/IAlbListenerRedirectConfig",
          "description": "Information for creating a redirect action. Specify only when type is `redirect`."
        },
        "sslPolicy": {
          "$ref": "#/$defs/SslPolicyAlbEnum",
          "description": "The security policy that defines which protocols and ciphers are supported."
        },
        "targetGroup": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Target Group name to which traffic will be forwarded to. This name should be same as  {@link  ApplicationLoadBalancerTargetGroupConfig targetGroup }  name."
        },
        "type": {
          "$ref": "#/$defs/AlbListenerTypeEnum",
          "description": "Type of the application load balancer listener"
        }
      },
      "required": [
        "name",
        "port",
        "protocol",
        "type",
        "targetGroup"
      ],
      "additionalProperties": false
    },
    "IAlbListenerFixedResponseConfig": {
      "type": "object",
      "description": "Application load balancer listener fixed response config\nIt returns a custom HTTP response.\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `fixed-response`.",
      "properties": {
        "contentType": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The message to send back."
        },
        "messageBody": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The HTTP response code (2XX, 4XX, or 5XX)."
        },
        "statusCode": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The content type. Valid Values: text/plain | text/css | text/html | application/javascript | application/json"
        }
      },
      "required": [
        "statusCode"
      ],
      "additionalProperties": false
    },
    "IAlbListenerForwardConfig": {
      "type": "object",
      "description": "Application Load balancer listener forward config. Used to define forward action.\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `forward`.",
      "properties": {
        "targetGroupStickinessConfig": {
          "$ref": "#/$defs/IAlbListenerTargetGroupStickinessConfig"
        }
      },
      "additionalProperties": false
    },
    "IAlbListenerRedirectConfig": {
      "type": "object",
      "description": "Application Load balancer listener redirect config. Used to define redirect action.\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `redirect`.",
      "properties": {
        "host": {
          "$ref": "#/$defs/NonEmptyString"
        },
        "path": {
          "$ref": "#/$defs/NonEmptyString"
        },
        "port": {
          "type": "number"
        },
        "protocol": {
          "$ref": "#/$defs/NonEmptyString"
        },
        "query": {
          "$ref": "#/$defs/NonEmptyString"
        },
        "statusCode": {
          "$ref": "#/$defs/NonEmptyString"
        }
      },
      "additionalProperties": false
    },
    "IAlbListenerTargetGroupStickinessConfig": {
      "type": "object",
      "description": "Application Load balancer listener forward config target group stickiness config\nApplicable only when `type` under {@link ApplicationLoadBalancerListenerConfig listener} is `forward`.",
      "properties": {
        "durationSeconds": {
          "description": "The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).",
          "type": "number"
        },
        "enabled": {
          "description": "Indicates whether target group stickiness is enabled.",
          "type": "boolean"
        }
      },
      "additionalProperties": false
    },
    "IAppConfigItem": {
      "type": "object",
      "description": "Application configuration.\nUsed to define two tier application configurations for the accelerator.",
      "properties": {
        "applicationLoadBalancer": {
          "$ref": "#/$defs/IApplicationLoadBalancerConfig",
          "description": "Application Load Balancer for the application"
        },
        "autoscaling": {
          "$ref": "#/$defs/IAutoScalingConfig",
          "description": "AutoScalingGroup for the application"
        },
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "The location where the application will be deployed."
        },
        "launchTemplate": {
          "$ref": "#/$defs/ILaunchTemplateConfig",
          "description": "Launch Template for the application"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the application. This should be unique per application."
        },
        "networkLoadBalancer": {
          "$ref": "#/$defs/INetworkLoadBalancerConfig",
          "description": "Network Load Balancer for the application"
        },
        "targetGroups": {
          "description": "Target groups for the application",
          "items": {
            "$ref": "#/$defs/ITargetGroupItem"
          },
          "type": "array"
        },
        "vpc": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "VPC where the application will be deployed. The value should be a reference to the vpc in the network config under `vpcs:`."
        }
      },
      "required": [
        "name",
        "vpc",
        "deploymentTargets"
      ],
      "additionalProperties": false
    },
    "IApplicationLoadBalancerConfig": {
      "type": "object",
      "description": "Used to define Application Load Balancer configurations for the accelerator.",
      "properties": {
        "attributes": {
          "$ref": "#/$defs/IAlbAttributesConfig",
          "description": "Attributes for Application Load Balancer."
        },
        "listeners": {
          "description": "Listeners for Application Load Balancer.",
          "items": {
            "$ref": "#/$defs/IAlbListenerConfig"
          },
          "type": "array"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the application load balancer"
        },
        "scheme": {
          "$ref": "#/$defs/AlbSchemeEnum",
          "description": "Internal or internet facing scheme for Application Load Balancer."
        },
        "securityGroups": {
          "description": "Security Groups to attach to the Application Load Balancer.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "shareTargets": {
          "$ref": "#/$defs/IShareTargets",
          "description": "The location where the Application Load Balancer(s) will be deployed to.\n*"
        },
        "subnets": {
          "description": "Subnets to launch the Application Load Balancer in.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        }
      },
      "required": [
        "name",
        "subnets",
        "securityGroups"
      ],
      "additionalProperties": false
    },
    "IAutoScalingConfig": {
      "type": "object",
      "description": "Autoscaling group configuration for the application.",
      "properties": {
        "desiredSize": {
          "description": "The desired capacity is the initial capacity of the Auto Scaling group at the time of its creation and the capacity it attempts to maintain. It can scale beyond this capacity if you configure auto scaling. This number must be greater than or equal to the minimum size of the group and less than or equal to the maximum size of the group.",
          "type": "number"
        },
        "healthCheckGracePeriod": {
          "description": "The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service and marking it unhealthy due to a failed Elastic Load Balancing or custom health check. This is useful if your instances do not immediately pass these health checks after they enter the `InService` state. Defaults to 0 if unspecified.",
          "type": "number"
        },
        "healthCheckType": {
          "$ref": "#/$defs/AutoScalingHealthCheckTypeEnum",
          "description": "The service to use for the health checks. The valid values are EC2 (default) and ELB. If you configure an Auto Scaling group to use load balancer (ELB) health checks, it considers the instance unhealthy if it fails either the EC2 status checks or the load balancer health checks."
        },
        "launchTemplate": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Information used to specify the launch template and version to use to launch instances."
        },
        "maxInstanceLifetime": {
          "description": "The maximum instance lifetime specifies the maximum amount of time (in seconds) that an instance can be in service before it is terminated and replaced. A common use case might be a requirement to replace your instances on a schedule because of internal security policies or external compliance controls. You must specify a value of at least 86,400 seconds (one day). To clear a previously set value, specify a new value of 0. This setting applies to all current and future instances in your Auto Scaling group",
          "type": "number"
        },
        "maxSize": {
          "description": "The maximum size of the group.",
          "type": "number"
        },
        "minSize": {
          "description": "The minimum size of the group.",
          "type": "number"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the Auto Scaling group. This name must be unique per Region per account. The name can contain any ASCII character 33 to 126 including most punctuation characters, digits, and upper and lowercased letters.\n*Note* You cannot use a colon (:) in the name."
        },
        "subnets": {
          "description": "List of subnet names for a virtual private cloud (VPC) where instances in the Auto Scaling group can be created. These subnets should  be created under the VPC in network-config.yaml.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "targetGroups": {
          "description": "Target group name array to associate with the Auto Scaling group. These names are from the  {@link  TargetGroupItemConfig target group }  set in the application. Instances are registered as targets with the target groups. The target groups receive incoming traffic and route requests to one or more registered targets.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        }
      },
      "required": [
        "name",
        "minSize",
        "maxSize",
        "desiredSize",
        "launchTemplate",
        "subnets"
      ],
      "additionalProperties": false
    },
    "IBlockDeviceMappingItem": {
      "type": "object",
      "description": "The parameters for a block device mapping in launch template.",
      "properties": {
        "deviceName": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The device name (for example, /dev/sdh or xvdh)."
        },
        "ebs": {
          "$ref": "#/$defs/IEbsItem",
          "description": "Parameters used to automatically set up EBS volumes when the instance is launched."
        }
      },
      "required": [
        "deviceName"
      ],
      "additionalProperties": false
    },
    "ICfnParameter": {
      "type": "object",
      "description": "## CloudFormation Parameter Interface\n\nInterface for AWS CloudFormation template parameters that can be passed to CloudFormation stacks during deployment. Parameters allow customization of stack resources without modifying the template.\n\n### Key Features\n\n- **Template Customization**: Modify stack behavior without changing templates\n- **Environment Flexibility**: Use different values across environments\n- **Reusability**: Make templates reusable across different contexts\n- **Security**: Pass sensitive values securely to stacks\n\n### Example\n\n```yaml parameters:   - name: InstanceType     value: t3.micro   - name: Environment     value: Production ```\n\nLearn more about [CloudFormation Parameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html).",
      "properties": {
        "name": {
          "description": "**Parameter Name** *(Required)*\n\nThe name of the CloudFormation parameter as defined in the template. Must match exactly with the parameter name in the CloudFormation template.",
          "type": "string"
        },
        "value": {
          "description": "**Parameter Value** *(Required)*\n\nThe value to pass to the CloudFormation parameter during stack deployment. The value must be compatible with the parameter type defined in the template.",
          "type": "string"
        }
      },
      "required": [
        "name",
        "value"
      ],
      "additionalProperties": false
    },
    "ICloudFormationStack": {
      "type": "object",
      "description": "Defines a custom CloudFormation Stack to be deployed to the environment.",
      "properties": {
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "CloudFormation Stack deployment targets"
        },
        "description": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The description is to used to provide more information about the stack."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The friendly name that will be used as a base for the created CloudFormation Stack Name. The name should not contain any spaces as this isn't supported by the Accelerator."
        },
        "parameters": {
          "description": "The parameters to pass to the stack.",
          "items": {
            "$ref": "#/$defs/ICfnParameter"
          },
          "type": "array"
        },
        "regions": {
          "description": "A list of AWS regions to deploy the stack to.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "runOrder": {
          "description": "The order to deploy the stack relative to the other stacks. Must be a positive integer. To deploy stacks in parallel, set runOrder of each stack to 1.",
          "type": "number"
        },
        "template": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The file path to the template file defining the stack."
        },
        "terminationProtection": {
          "description": "This determines whether to enable termination protection for the stack.",
          "type": "boolean"
        }
      },
      "required": [
        "deploymentTargets",
        "name",
        "regions",
        "runOrder",
        "template",
        "terminationProtection"
      ],
      "additionalProperties": false
    },
    "ICloudFormationStackSet": {
      "type": "object",
      "description": "Defines a custom CloudFormation StackSet to be deployed to the environment.",
      "properties": {
        "administrationRoleArn": {
          "description": "The Amazon Resource Name (ARN) of the IAM role to use when creating this stack set. This field is optional. If specified, it allows you to set a custom IAM role for stack set operations. If left blank, the default permissions associated with your account will be used.",
          "type": "string"
        },
        "capabilities": {
          "description": "The CloudFormation capabilities enabled to deploy the stackset.",
          "items": {
            "enum": [
              "CAPABILITY_IAM",
              "CAPABILITY_NAMED_IAM",
              "CAPABILITY_AUTO_EXPAND"
            ],
            "type": "string"
          },
          "type": "array"
        },
        "dependsOn": {
          "description": "The other StackSets this StackSet depends on. For stackset names you define here, a CloudFormation DependsOn attribute will be added between the resources. Please note this does not guarantee the deployment order of the stack instances within the StackSet.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "deploymentTargets": {
          "$ref": "#/$defs/IDeploymentTargets",
          "description": "CloudFormation StackSet deployment targets"
        },
        "description": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The description is to used to provide more information about the stackset."
        },
        "executionRoleName": {
          "description": "The name of the IAM execution role to use when creating the stack set. This field is optional. If provided, it allows you to specify a custom execution role for stack set operations. If omitted, the default execution role associated with your account will be used.",
          "type": "string"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The friendly name that will be used as a base for the created CloudFormation StackSet Name. The name should not contain any spaces as this isn't supported by the Accelerator."
        },
        "operationPreferences": {
          "$ref": "#/$defs/IOperationPreferences",
          "description": "The operational preferences of current stackset"
        },
        "parameters": {
          "description": "The parameters to be passed to the stackset.",
          "items": {
            "$ref": "#/$defs/ICfnParameter"
          },
          "type": "array"
        },
        "regions": {
          "description": "A list of regions to deploy the stackset.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "template": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The file path to the template file used for deployment."
        }
      },
      "required": [
        "deploymentTargets",
        "name",
        "regions",
        "template"
      ],
      "additionalProperties": false
    },
    "ICustomizationConfig": {
      "type": "object",
      "description": "Defines CloudFormation Stacks and StackSets to be deployed to the environment.\nThis feature supports the deployment of customer-provided CloudFormation templates to AWS\naccounts and/or organizational units. These deployments can leverage independent CloudFormation stacks\nor CloudFormation StackSets depending on the customer's deployment preference.",
      "properties": {
        "cloudFormationStackSets": {
          "items": {
            "$ref": "#/$defs/ICloudFormationStackSet"
          },
          "type": "array"
        },
        "cloudFormationStacks": {
          "items": {
            "$ref": "#/$defs/ICloudFormationStack"
          },
          "type": "array"
        },
        "serviceCatalogPortfolios": {
          "items": {
            "$ref": "#/$defs/IPortfolioConfig"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "ICustomizationsConfig": {
      "additionalProperties": false,
      "description": "Defines custom CloudFormation and external web and application tier resources. We recommend creating resources\nwith native LZA features where possible.",
      "properties": {
        "applications": {
          "items": {
            "$ref": "#/$defs/IAppConfigItem"
          },
          "type": "array"
        },
        "createCfnStackSetExecutionRole": {
          "description": "Defines whether or not the StackSetExecution role is created in all workload accounts and if the StackSetAdmin role is created in the management account. If you are using stacksets and set the value to false, you will need to ensure that the roles are created.\n\nDefault value is true.",
          "type": "boolean"
        },
        "customizations": {
          "$ref": "#/$defs/ICustomizationConfig"
        },
        "firewalls": {
          "$ref": "#/$defs/IEc2FirewallConfig"
        }
      },
      "type": "object",
      "patternProperties": {
        "^\\.": {
          "description": "YAML anchor"
        }
      }
    },
    "IDeploymentTargets": {
      "type": "object",
      "description": "## Deployment Targets Interface\n\nDefines where AWS resources should be deployed within your AWS organization. This interface provides flexible targeting options for resource deployment across accounts, organizational units, and regions.\n\n### Key Features\n\n- **Account-level targeting**: Deploy to specific AWS accounts\n- **OU-level targeting**: Deploy to all accounts within organizational units\n- **Regional exclusions**: Skip specific AWS regions for compliance or cost optimization\n- **Account exclusions**: Exclude specific accounts from broader deployments\n\n### Example\n\n```yaml deploymentTargets:   organizationalUnits:     - Production     - Development   excludedAccounts:     - Management   excludedRegions:     - us-west-1 ```",
      "properties": {
        "accounts": {
          "description": "**Target Accounts** *(Optional)*\n\nList of specific account names where resources should be deployed. Use for precise account-level targeting.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "excludedAccounts": {
          "description": "**Excluded Accounts** *(Optional)*\n\nList of account names to exclude from deployment. Takes precedence over organizational unit and account inclusions.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "excludedRegions": {
          "description": "**Excluded Regions** *(Optional)*\n\nList of AWS regions to exclude from deployment. Useful for compliance requirements or cost optimization.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "organizationalUnits": {
          "description": "**Organizational Units** *(Optional)*\n\nList of organizational unit names where resources should be deployed. When specified, resources will be created in all accounts within these OUs.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IEbsItem": {
      "type": "object",
      "description": "The parameters for a block device for an EBS volume.",
      "properties": {
        "deleteOnTermination": {
          "description": "Indicates whether the EBS volume is deleted on instance termination.",
          "type": "boolean"
        },
        "encrypted": {
          "description": "Indicates whether the EBS volume is encrypted. Encrypted volumes can only be attached to instances that support Amazon EBS encryption. If you are creating a volume from a snapshot, you can't specify an encryption value. If encrypted is `true` and kmsKeyId is not provided, then accelerator checks for  {@link  EbsDefaultVolumeEncryptionConfig default ebs encryption }  in the config.",
          "type": "boolean"
        },
        "iops": {
          "description": "The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, this represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. This parameter is supported for io1, io2, and gp3 volumes only. This parameter is not supported for gp2, st1, sc1, or standard volumes.",
          "type": "number"
        },
        "kmsKeyId": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The ARN of the symmetric AWS Key Management Service (AWS KMS) CMK used for encryption."
        },
        "snapshotId": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The ID of the snapshot."
        },
        "throughput": {
          "description": "The throughput to provision for a gp3 volume, with a maximum of 1,000 MiB/s. Valid Range: Minimum value of 125. Maximum value of 1000.",
          "type": "number"
        },
        "volumeSize": {
          "description": "The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. The following are the supported volumes sizes for each volume type:\n- gp2 and gp3: 1-16,384\n- io1 and io2: 4-16,384\n- st1 and sc1: 125-16,384\n- standard: 1-1,024",
          "type": "number"
        },
        "volumeType": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The volume type. Valid Values: `standard | io1 | io2 | gp2 | sc1 | st1 | gp3`"
        }
      },
      "additionalProperties": false
    },
    "IEc2FirewallAutoScalingGroupConfig": {
      "type": "object",
      "description": "EC2 firewall autoscaling group configuration.\nUsed to define EC2-based firewall instances to be deployed in an autoscaling group.\n\n```\n- name: accelerator-firewall-asg\n  autoscaling:\n    name: firewall-asg\n    maxSize: 4\n    minSize: 1\n    desiredSize: 2\n    launchTemplate: firewall-lt\n    healthCheckGracePeriod: 300\n    healthCheckType: ELB\n    targetGroups:\n      - firewall-gwlb-tg\n    subnets:\n      - firewall-subnet-a\n      - firewall-subnet-b\n    maxInstanceLifetime: 86400\n  launchTemplate:\n    name: firewall-lt\n    blockDeviceMappings:\n      - deviceName: /dev/xvda\n        ebs:\n          deleteOnTermination: true\n          encrypted: true\n          volumeSize: 20\n    enforceImdsv2: true\n    iamInstanceProfile: firewall-profile\n    imageId: ami-123xyz\n    instanceType: c6i.xlarge\n    networkInterfaces:\n      - deleteOnTermination: true\n        description: Primary interface\n        deviceIndex: 0\n        groups:\n          - firewall-data-sg\n      - deleteOnTermination: true\n        description: Management interface\n        deviceIndex: 1\n        groups:\n          - firewall-mgmt-sg\n    userData: path/to/userdata.txt\n  vpc: Network-Inspection\n  tags: []\n```",
      "properties": {
        "account": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) The logical name of the account to deploy the firewall autoscaling group to"
        },
        "autoscaling": {
          "$ref": "#/$defs/IAutoScalingConfig",
          "description": "An AutoScaling Group configuration"
        },
        "configDir": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) Specify a relative S3 directory path to pull a firewall configuration directory.\n\nEither configFile or configDir can be set but not both.\n\nFor example, if your S3 folder path is `s3://path/to/config`, specify `path/to/config` for this property.\n\n**NOTE:** The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the configuration directory."
        },
        "configFile": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) Specify a relative S3 object path to pull a firewall configuration file from.\n\nFor example, if your S3 object path is `s3://path/to/config.txt`, specify `path/to/config.txt` for this property.\n\n**NOTE:** The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the configuration file."
        },
        "launchTemplate": {
          "$ref": "#/$defs/ILaunchTemplateConfig",
          "description": "The launch template for the firewall instance"
        },
        "licenseFile": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) Specify a relative S3 object path to pull a firewall license file from.\n\nFor example, if your S3 object path is `s3://path/to/license.lic`, specify `path/to/license.lic` for this property.\n\n**NOTE:** The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the license file."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The friendly name of the firewall instance"
        },
        "staticReplacements": {
          "description": "(OPTIONAL) Static firewall configuration replacements definition.",
          "items": {
            "$ref": "#/$defs/IFirewallStaticReplacementsConfig"
          },
          "type": "array"
        },
        "tags": {
          "description": "(OPTIONAL) An array of tags",
          "items": {
            "$ref": "#/$defs/ITag"
          },
          "type": "array"
        },
        "vpc": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The friendly name of the VPC to deploy the firewall instance to"
        }
      },
      "required": [
        "name",
        "autoscaling",
        "launchTemplate",
        "vpc"
      ],
      "additionalProperties": false
    },
    "IEc2FirewallConfig": {
      "type": "object",
      "description": "EC2 firewall configuration.\nUsed to define EC2-based firewall and management appliances",
      "properties": {
        "autoscalingGroups": {
          "description": "Define EC2-based firewall instances in autoscaling groups",
          "items": {
            "$ref": "#/$defs/IEc2FirewallAutoScalingGroupConfig"
          },
          "type": "array"
        },
        "instances": {
          "description": "Define EC2-based firewall standalone instances",
          "items": {
            "$ref": "#/$defs/IEc2FirewallInstanceConfig"
          },
          "type": "array"
        },
        "managerInstances": {
          "description": "Define EC2-based firewall management instances",
          "items": {
            "$ref": "#/$defs/IEc2FirewallInstanceConfig"
          },
          "type": "array"
        },
        "targetGroups": {
          "description": "Define target groups for EC2-based firewalls",
          "items": {
            "$ref": "#/$defs/ITargetGroupItem"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IEc2FirewallInstanceConfig": {
      "type": "object",
      "description": "EC2 firewall instance configuration.\nUse to define an array of standalone firewall instances",
      "properties": {
        "account": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) The logical name of the account to deploy the firewall instance to"
        },
        "configDir": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) Specify a relative S3 directory path to pull a firewall configuration directory.\n\nEither configFile or configDir can be set but not both.\n\nFor example, if your S3 folder path is `s3://path/to/config`, specify `path/to/config` for this property.\n\n**NOTE:** The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the configuration directory."
        },
        "configFile": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) Specify a relative S3 object path to pull a firewall configuration file from.\n\nFor example, if your S3 object path is `s3://path/to/config.txt`, specify `path/to/config.txt` for this property.\n\n**NOTE:** The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the configuration file."
        },
        "detailedMonitoring": {
          "description": "(OPTIONAL) Specify true to enable detailed monitoring. Otherwise, basic monitoring is enabled.",
          "type": "boolean"
        },
        "launchTemplate": {
          "$ref": "#/$defs/ILaunchTemplateConfig",
          "description": "The launch template for the firewall instance"
        },
        "licenseFile": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "(OPTIONAL) Specify a relative S3 object path to pull a firewall license file from.\n\nFor example, if your S3 object path is `s3://path/to/license.lic`, specify `path/to/license.lic` for this property.\n\n**NOTE:** The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the license file."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The friendly name of the firewall instance"
        },
        "staticReplacements": {
          "description": "(OPTIONAL) Static firewall configuration replacements definition.",
          "items": {
            "$ref": "#/$defs/IFirewallStaticReplacementsConfig"
          },
          "type": "array"
        },
        "tags": {
          "description": "(OPTIONAL) An array of tags",
          "items": {
            "$ref": "#/$defs/ITag"
          },
          "type": "array"
        },
        "terminationProtection": {
          "description": "(OPTIONAL) If you set this parameter to true , you can't terminate the instance using the Amazon EC2 console, CLI, or API.\n\nMore information: <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination>",
          "type": "boolean"
        },
        "vpc": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The friendly name of the VPC to deploy the firewall instance to"
        }
      },
      "required": [
        "name",
        "launchTemplate",
        "vpc"
      ],
      "additionalProperties": false
    },
    "IFirewallStaticReplacementsConfig": {
      "type": "object",
      "description": "Firewall Static Replacements Config",
      "properties": {
        "key": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The key name for the static replacement"
        },
        "value": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The value of the static replacement"
        }
      },
      "required": [
        "key",
        "value"
      ],
      "additionalProperties": false
    },
    "ILaunchTemplateConfig": {
      "type": "object",
      "description": "Configure a launch template for the application.",
      "properties": {
        "blockDeviceMappings": {
          "description": "The block device mapping.",
          "items": {
            "$ref": "#/$defs/IBlockDeviceMappingItem"
          },
          "type": "array"
        },
        "enforceImdsv2": {
          "description": "By default,  {@link  <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html> IMDSv2 }   is enabled. Disable it by setting this to false.",
          "type": "boolean"
        },
        "iamInstanceProfile": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Name of the instance profile created by accelerator in iam-config.yaml under roleSets"
        },
        "imageId": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Valid AMI ID or a reference to ssm parameter store to get AMI ID. If ssm parameter is referenced it should follow the pattern ${ACCEL_LOOKUP::ImageId:/path/to/ssm/parameter/for/ami}\n\nFor example to get the latest x86_64 amazon linux 2 ami, the value would be `${ACCEL_LOOKUP::ImageId:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2}`"
        },
        "instanceType": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Valid instance type which can be launched in the target account and region."
        },
        "keyPair": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the key pair. LZA does not create keypair. This should exist in the account/region or else deployment will fail."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Name of Launch Template"
        },
        "networkInterfaces": {
          "description": "One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.",
          "items": {
            "$ref": "#/$defs/INetworkInterfaceItem"
          },
          "type": "array"
        },
        "securityGroups": {
          "description": "One or more security group names. These should be created under the VPC in network-config.yaml",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "userData": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Path to user data. The path is relative to the config repository and the content should be in regular text. It is encoded in base64 before passing in to Launch Template"
        }
      },
      "required": [
        "name",
        "imageId",
        "instanceType"
      ],
      "additionalProperties": false
    },
    "INetworkInterfaceItem": {
      "type": "object",
      "description": "The parameters for a network interface.",
      "properties": {
        "associateCarrierIpAddress": {
          "description": "Associates a Carrier IP address with eth0 for a new network interface. Use this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface.",
          "type": "boolean"
        },
        "associateElasticIp": {
          "description": "Associate an elastic IP with the interface",
          "type": "boolean"
        },
        "associatePublicIpAddress": {
          "description": "Associates a public IPv4 address with eth0 for a new network interface.",
          "type": "boolean"
        },
        "deleteOnTermination": {
          "description": "Indicates whether the network interface is deleted when the instance is terminated.",
          "type": "boolean"
        },
        "description": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "A description for the network interface."
        },
        "deviceIndex": {
          "description": "The device index for the network interface attachment.",
          "type": "number"
        },
        "groups": {
          "description": "Security group names to associate with this network interface.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "interfaceType": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The type of network interface. To create an Elastic Fabric Adapter (EFA), specify efa. If you are not creating an EFA, specify interface or omit this parameter. Valid values: `interface | efa`"
        },
        "networkCardIndex": {
          "description": "The index of the network card. Some instance types support multiple network cards. The primary network interface must be assigned to network card index 0. The default is network card index 0.",
          "type": "number"
        },
        "networkInterfaceId": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The ID of the network interface."
        },
        "privateIpAddress": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The primary private IPv4 address of the network interface."
        },
        "privateIpAddresses": {
          "description": "One or more private IPv4 addresses.",
          "items": {
            "$ref": "#/$defs/IPrivateIpAddressItem"
          },
          "type": "array"
        },
        "secondaryPrivateIpAddressCount": {
          "description": "The number of secondary private IPv4 addresses to assign to a network interface.",
          "type": "number"
        },
        "sourceDestCheck": {
          "description": "If the value is true , source/destination checks are enabled; otherwise, they are disabled. The default value is true. You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.",
          "type": "boolean"
        },
        "subnetId": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Valid subnet name from network-config.yaml under the same vpc"
        }
      },
      "additionalProperties": false
    },
    "INetworkLoadBalancerConfig": {
      "type": "object",
      "description": "Network Load Balancer configuration.",
      "properties": {
        "crossZoneLoadBalancing": {
          "description": "Cross Zone load balancing for Network Load Balancer.",
          "type": "boolean"
        },
        "deletionProtection": {
          "description": "Deletion protection for Network Load Balancer.",
          "type": "boolean"
        },
        "listeners": {
          "description": "Listeners for Network Load Balancer.",
          "items": {
            "$ref": "#/$defs/INlbListenerConfig"
          },
          "type": "array"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Name for Network Load Balancer."
        },
        "scheme": {
          "$ref": "#/$defs/LoadBalancerSchemeEnum",
          "description": "Load Balancer scheme. If undefined, the default of  {@link  <https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_CreateLoadBalancer.html> ELBv2 CreateLoadBalancer API }  is used."
        },
        "subnets": {
          "description": "Subnets to launch the Network Load Balancer in.",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        }
      },
      "required": [
        "subnets",
        "name"
      ],
      "additionalProperties": false
    },
    "INlbListenerConfig": {
      "type": "object",
      "description": "Application Load Balancer listener config. Currently only action type of `forward`,  `redirect` and `fixed-response` is allowed.",
      "properties": {
        "alpnPolicy": {
          "$ref": "#/$defs/AlpnPolicyEnum",
          "description": "Application-Layer Protocol Negotiation (ALPN) policy} for TLS encrypted traffic"
        },
        "certificate": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "ACM ARN of the certificate to be associated with the listener."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Name for Listener."
        },
        "port": {
          "description": "Port where the traffic is directed to.",
          "type": "number"
        },
        "protocol": {
          "$ref": "#/$defs/NlbProtocolEnum",
          "description": "Protocol used for the traffic. The supported protocols are TCP, TLS, UDP, or TCP_UDP."
        },
        "sslPolicy": {
          "$ref": "#/$defs/SslPolicyNlbEnum",
          "description": "SSL policy for TLS encrypted traffic"
        },
        "targetGroup": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Target Group to direct the traffic to."
        }
      },
      "required": [
        "name",
        "targetGroup"
      ],
      "additionalProperties": false
    },
    "INlbTargetType": {
      "type": "object",
      "description": "The codes to use when checking for a successful response from a target. If the protocol version is gRPC, these are gRPC codes. Otherwise, these are HTTP codes.",
      "properties": {
        "account": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Friendly Account Name where the NLB is deployed"
        },
        "nlbName": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Friendly name of the NLB"
        },
        "region": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Region where the NLB is deployed"
        }
      },
      "required": [
        "account",
        "region",
        "nlbName"
      ],
      "additionalProperties": false
    },
    "IOperationPreferences": {
      "type": "object",
      "description": "## CloudFormation StackSet Operation Preferences Interface\n\nConfiguration interface for AWS CloudFormation StackSet operation preferences. These preferences control how StackSet operations are executed across multiple accounts and regions, including failure tolerance and concurrency settings.\n\n### Key Features\n\n- **Failure Tolerance**: Control how many failures are acceptable during deployment\n- **Concurrency Control**: Manage how many operations run simultaneously\n- **Regional Ordering**: Specify the order of region deployments\n- **Parallel Execution**: Configure parallel vs sequential deployment patterns\n\n### Example\n\n```yaml operationPreferences:   failureTolerancePercentage: 10   maxConcurrentPercentage: 50   regionConcurrencyType: PARALLEL   regionOrder:     - us-east-1     - us-west-2 ```\n\nLearn more about [StackSet Operation Preferences](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-ops).",
      "properties": {
        "failureToleranceCount": {
          "description": "**Failure Tolerance Count** *(Optional)*\n\nThe absolute number of accounts in which stack operations can fail before the operation is stopped. Cannot be used with failureTolerancePercentage.",
          "type": "number"
        },
        "failureTolerancePercentage": {
          "description": "**Failure Tolerance Percentage** *(Optional)*\n\nThe percentage of accounts in which stack operations can fail before the operation is stopped. Cannot be used with failureToleranceCount.",
          "type": "number"
        },
        "maxConcurrentCount": {
          "description": "**Maximum Concurrent Count** *(Optional)*\n\nThe absolute maximum number of accounts in which stack operations can be performed concurrently. Cannot be used with maxConcurrentPercentage.",
          "type": "number"
        },
        "maxConcurrentPercentage": {
          "description": "**Maximum Concurrent Percentage** *(Optional)*\n\nThe maximum percentage of accounts in which stack operations can be performed concurrently. Cannot be used with maxConcurrentCount.",
          "type": "number"
        },
        "regionConcurrencyType": {
          "default": "PARALLEL",
          "description": "**Region Concurrency Type** *(Optional)*\n\nThe concurrency type of deploying StackSets operations in regions. Valid values are SEQUENTIAL and PARALLEL.",
          "type": "string"
        },
        "regionOrder": {
          "description": "**Region Order** *(Optional)*\n\nThe order of the regions where you want to perform the stack operation. Only applies when regionConcurrencyType is SEQUENTIAL.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "IPortfolioAssociatoinConfig": {
      "type": "object",
      "description": "Portfolio Associations configuration",
      "properties": {
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Indicates the name of the principal to associate the portfolio with."
        },
        "propagateAssociation": {
          "description": "Indicates whether the principal association should be created in accounts the portfolio is shared with. Verify the IAM principal exists in all accounts the portfolio is shared with before enabling.",
          "type": "boolean"
        },
        "type": {
          "$ref": "#/$defs/PortfolioAssociationType",
          "description": "Indicates the type of portfolio association, valid values are: Group, User, and Role."
        }
      },
      "required": [
        "type",
        "name"
      ],
      "additionalProperties": false
    },
    "IPortfolioConfig": {
      "type": "object",
      "description": "Service Catalog Portfolios configuration",
      "properties": {
        "account": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the account to deploy the portfolio."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the portfolio"
        },
        "portfolioAssociations": {
          "description": "Configuration of portfolio associations to give access to IAM principals.",
          "items": {
            "$ref": "#/$defs/IPortfolioAssociatoinConfig"
          },
          "type": "array"
        },
        "products": {
          "description": "Product Configuration",
          "items": {
            "$ref": "#/$defs/IProductConfig"
          },
          "type": "array"
        },
        "provider": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The provider of the portfolio"
        },
        "regions": {
          "description": "The region names to deploy the portfolio.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "shareTagOptions": {
          "description": "Whether or not to share TagOptions with other account(s)/OU(s)",
          "type": "boolean"
        },
        "shareTargets": {
          "$ref": "#/$defs/IShareTargets",
          "description": "Portfolio share target. Sharing portfolios to Organizational Units is only supported for portfolios in the Management account."
        },
        "tagOptions": {
          "description": "Portfolio TagOptions configuration",
          "items": {
            "$ref": "#/$defs/ITagOptionsConfig"
          },
          "type": "array"
        }
      },
      "required": [
        "name",
        "account",
        "regions",
        "provider"
      ],
      "additionalProperties": false
    },
    "IPrivateIpAddressItem": {
      "type": "object",
      "description": "Configure a secondary private IPv4 address for a network interface.",
      "properties": {
        "primary": {
          "description": "Indicates whether the private IPv4 address is the primary private IPv4 address. Only one IPv4 address can be designated as primary.",
          "type": "boolean"
        },
        "privateIpAddress": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The private IPv4 address."
        }
      },
      "additionalProperties": false
    },
    "IProductConfig": {
      "type": "object",
      "description": "Service Catalog Products configuration",
      "properties": {
        "constraints": {
          "$ref": "#/$defs/IProductConstraintConfig",
          "description": "Product Constraint configuration"
        },
        "description": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Product description"
        },
        "distributor": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the product's publisher."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the product"
        },
        "owner": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The owner of the product"
        },
        "support": {
          "$ref": "#/$defs/IProductSupportConfig",
          "description": "Product support details."
        },
        "tagOptions": {
          "description": "Product TagOptions configuration",
          "items": {
            "$ref": "#/$defs/ITagOptionsConfig"
          },
          "type": "array"
        },
        "versions": {
          "description": "Product version configuration",
          "items": {
            "$ref": "#/$defs/IProductVersionConfig"
          },
          "type": "array"
        }
      },
      "required": [
        "name",
        "owner",
        "versions"
      ],
      "additionalProperties": false
    },
    "IProductConstraintConfig": {
      "type": "object",
      "description": "Service Catalog Product Constraint configuration. For more information see <https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html>",
      "properties": {
        "launch": {
          "$ref": "#/$defs/IProductLaunchConstraintConfig",
          "description": "Launch constraint role name and type, supports LocalRole or Role."
        },
        "notifications": {
          "description": "A list of SNS topic names to stream product notifications to",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        },
        "tagUpdate": {
          "description": "Determines if Service Catalog Tag Update constraint is enabled",
          "type": "boolean"
        }
      },
      "additionalProperties": false
    },
    "IProductLaunchConstraintConfig": {
      "type": "object",
      "description": "Service Catalog Product Constraint configuration. For more information see <https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints.html>",
      "properties": {
        "role": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the IAM Role."
        },
        "type": {
          "$ref": "#/$defs/ProductLaunchConstraintType",
          "description": "The type of launch constraint, either Role or LocalRole. For more information, see <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicecatalog-launchroleconstraint.html>"
        }
      },
      "required": [
        "type",
        "role"
      ],
      "additionalProperties": false
    },
    "IProductSupportConfig": {
      "type": "object",
      "description": "Product Support configuration",
      "properties": {
        "description": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Support description of how users should use email contact and support link."
        },
        "email": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The email address to report issues with the product"
        },
        "url": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The url to the site where users can find support information or file tickets."
        }
      },
      "additionalProperties": false
    },
    "IProductVersionConfig": {
      "type": "object",
      "description": "Product Versions configuration",
      "properties": {
        "description": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The version description"
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Name of the version of the product"
        },
        "template": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The product template."
        }
      },
      "required": [
        "name",
        "template"
      ],
      "additionalProperties": false
    },
    "IShareTargets": {
      "type": "object",
      "description": "## Resource Access Manager (RAM) Share Targets Interface\n\nInterface for AWS Resource Access Manager (RAM) share targets, which defines where shared resources should be made available within your AWS organization. RAM enables secure sharing of resources between AWS accounts and organizational units without duplicating resources or compromising security.\n\n### Key Features\n\n- **Cross-Account Sharing**: Share resources across multiple AWS accounts\n- **OU-Level Sharing**: Share with entire organizational units at once\n- **Centralized Management**: Manage shared resources from a central account\n- **Cost Optimization**: Avoid resource duplication across accounts\n- **Security**: Maintain resource ownership while enabling controlled access\n\n### Example\n\n```yaml shareTargets:   organizationalUnits:     - Root ```\n\nLearn more about [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).",
      "properties": {
        "accounts": {
          "description": "**Target Accounts** *(Optional)*\n\nList of specific account names that should receive access to the shared resource. Use this for precise, account-level control over resource sharing.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "organizationalUnits": {
          "description": "**Organizational Units** *(Optional)*\n\nList of organizational unit names that should receive access to the shared resource. When specified, all accounts within these OUs will be able to consume the shared resource.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "additionalProperties": false
    },
    "ITag": {
      "type": "object",
      "description": "## AWS Resource Tag Configuration\n\nDefines key-value pairs used for tagging AWS resources. Tags provide metadata for resource organization, cost allocation, access control, and automation.\n\n### Key Features\n\n- **Resource Organization**: Group and categorize resources logically\n- **Cost Allocation**: Track costs by project, department, or environment\n- **Access Control**: Use tags in IAM policies for conditional access\n- **Automation**: Trigger automated actions based on tag values\n- **Compliance**: Meet organizational and regulatory tagging requirements\n\n### Example\n\n```yaml tags:   - key: Environment     value: Production   - key: Project     value: WebApplication   - key: Owner     value: Platform-Team   - key: CostCenter     value: Engineering   - key: Backup     value: Daily ```",
      "properties": {
        "key": {
          "description": "**Tag Key** *(Required)*\n\nThe tag key name that identifies the type of metadata being stored. Tag keys should follow consistent naming conventions across your organization.",
          "type": "string"
        },
        "value": {
          "description": "**Tag Value** *(Required)*\n\nThe tag value that provides the actual metadata content for the tag key. Values should be meaningful and follow organizational standards.",
          "type": "string"
        }
      },
      "required": [
        "key",
        "value"
      ],
      "additionalProperties": false
    },
    "ITagOptionsConfig": {
      "type": "object",
      "description": "Service Catalog TagOptions configuration.",
      "properties": {
        "key": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The tag key"
        },
        "values": {
          "description": "An array of values that can be used for the tag key",
          "items": {
            "$ref": "#/$defs/NonEmptyString"
          },
          "type": "array"
        }
      },
      "required": [
        "key",
        "values"
      ],
      "additionalProperties": false
    },
    "ITargetGroupAttributeTypes": {
      "type": "object",
      "description": "Set attributes for target group.",
      "properties": {
        "algorithm": {
          "$ref": "#/$defs/TargetGroupAttributeAlgorithm",
          "description": "The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is round_robin or least_outstanding_requests. The default is round_robin. The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address."
        },
        "appCookieDuration": {
          "description": "The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.",
          "type": "number"
        },
        "appCookieName": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: AWSALB, AWSALBAPP, and AWSALBTG; they're reserved for use by the load balancer. The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address."
        },
        "connectionTermination": {
          "description": "Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.",
          "type": "boolean"
        },
        "deregistrationDelay": {
          "description": "The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.",
          "type": "number"
        },
        "lbCookieDuration": {
          "description": "The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.",
          "type": "number"
        },
        "preserveClientIp": {
          "description": "Indicates whether client IP preservation is enabled. The value is true or false. The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. The following attribute is supported only by Network Load Balancers.",
          "type": "boolean"
        },
        "proxyProtocolV2": {
          "description": "Indicates whether Proxy Protocol version 2 is enabled. The value is true or false. The default is false. The following attribute is supported only by Network Load Balancers.",
          "type": "boolean"
        },
        "slowStart": {
          "description": "The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address.",
          "type": "number"
        },
        "stickiness": {
          "description": "Indicates whether target stickiness is enabled. The value is true or false. The default is false.",
          "type": "boolean"
        },
        "stickinessType": {
          "$ref": "#/$defs/TargetGroupAttributeStickinessType",
          "description": "Indicates the type of stickiness. The possible values are:\n- lb_cookie and app_cookie for Application Load Balancers.\n- source_ip for Network Load Balancers.\n- source_ip_dest_ip and source_ip_dest_ip_proto for Gateway Load Balancers."
        },
        "targetFailover": {
          "$ref": "#/$defs/TargetGroupTargetFailoverType",
          "description": "Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered or becomes unhealthy. The possible values are rebalance and no_rebalance. The default is no_rebalance"
        }
      },
      "additionalProperties": false
    },
    "ITargetGroupHealthCheckType": {
      "type": "object",
      "description": "Configure health check for target group.",
      "properties": {
        "interval": {
          "description": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds.",
          "type": "number"
        },
        "path": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "[HTTP/HTTPS health checks] The destination for health checks on the targets. [HTTP1 or HTTP2 protocol version] The ping path. The default is /. [GRPC protocol version] The path of a custom health check method with the format /package.service/method. The default is /AWS.ALB/healthcheck."
        },
        "port": {
          "description": "The port the load balancer uses when performing health checks on targets. If the protocol is HTTP, HTTPS, TCP, TLS, UDP, or TCP_UDP, the default is `traffic-port`, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80.",
          "type": "number"
        },
        "protocol": {
          "$ref": "#/$defs/TargetGroupHealthCheckProtocolType",
          "description": "The protocol the load balancer uses when performing health checks on targets. For Application Load Balancers, the default is HTTP. For Network Load Balancers and Gateway Load Balancers, the default is TCP. The TCP protocol is not supported for health checks if the protocol of the target group is HTTP or HTTPS. GENEVE, TLS, UDP, and TCP_UDP protocols are not supported for health checks."
        },
        "timeout": {
          "description": "The amount of time, in seconds, during which no response from a target means a failed health check. The range is 2–120 seconds. For target groups with a protocol of HTTP, the default is 6 seconds. For target groups with a protocol of TCP, TLS or HTTPS, the default is 10 seconds. For target groups with a protocol of GENEVE, the default is 5 seconds.",
          "type": "number"
        }
      },
      "additionalProperties": false
    },
    "ITargetGroupItem": {
      "type": "object",
      "description": "Target Group Configuration",
      "properties": {
        "attributes": {
          "$ref": "#/$defs/ITargetGroupAttributeTypes",
          "description": "Target Group Attributes."
        },
        "healthCheck": {
          "$ref": "#/$defs/ITargetGroupHealthCheckType",
          "description": "Target Group HealthCheck."
        },
        "matcher": {
          "$ref": "#/$defs/ITargetGroupMatcherType",
          "description": "The HTTP or gRPC codes to use when checking for a successful response from a target. For target groups with a protocol of TCP, TCP_UDP, UDP or TLS the range is 200-599. For target groups with a protocol of HTTP or HTTPS, the range is 200-499."
        },
        "name": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "The name of the target group. This value is used in Application Load Balancer listeners (ApplicationLoadBalancerListenerConfig), Network Load Balancer listeners (NetworkLoadBalancerListenerConfig), and Autoscaling config (AutoScalingConfig)."
        },
        "port": {
          "description": "The port on which the targets receive traffic.",
          "type": "number"
        },
        "protocol": {
          "$ref": "#/$defs/TargetGroupProtocolType",
          "description": "Target group protocol. Should be one of HTTP, HTTPS, GENEVE, TCP, UDP, TCP_UDP or TLS. The protocol to use for routing traffic to the targets. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, or TCP_UDP. A TCP_UDP listener must be associated with a TCP_UDP target group. For Gateway Load Balancers, the supported protocol is GENEVE."
        },
        "protocolVersion": {
          "$ref": "#/$defs/TargetGroupProtocolVersionType",
          "description": "The protocol version. Should be one of 'GRPC', 'HTTP1', 'HTTP2'. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is HTTP1, which sends requests to targets using HTTP/1.1."
        },
        "shareTargets": {
          "$ref": "#/$defs/IShareTargets",
          "description": "The accounts and organizational units (OUs) to which the Target Group will be deployed."
        },
        "targets": {
          "description": "Target group targets. These targets should be the friendly names assigned to firewall instances.",
          "items": {
            "anyOf": [
              {
                "$ref": "#/$defs/NonEmptyString"
              },
              {
                "$ref": "#/$defs/INlbTargetType"
              }
            ]
          },
          "type": "array"
        },
        "threshold": {
          "$ref": "#/$defs/ITargetGroupThresholdType",
          "description": "Target Group Threshold."
        },
        "type": {
          "$ref": "#/$defs/TargetGroupType",
          "description": "The type of target that you must specify when registering targets with this target group. You can't specify targets for a target group using more than one target type.\n- `instance` - Register targets by instance ID. This is the default value.\n- `ip` - Register targets by IP address. You can specify IP addresses from the subnets of the virtual private cloud (VPC) for the target group, the RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), and the RFC 6598 range (100.64.0.0/10). You can't specify publicly routable IP addresses.\n- `alb` - Register a single Application Load Balancer as a target."
        }
      },
      "required": [
        "name",
        "port",
        "protocol",
        "type"
      ],
      "additionalProperties": false
    },
    "ITargetGroupMatcherType": {
      "type": "object",
      "description": "Configure the matcher for a target group: the HTTP or gRPC codes to use when checking for a successful response from a target.",
      "properties": {
        "grpcCode": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "You can specify values between 0 and 99. You can specify multiple values (for example, \"0,1\") or a range of values (for example, \"0-5\"). The default value is 12."
        },
        "httpCode": {
          "$ref": "#/$defs/NonEmptyString",
          "description": "For Application Load Balancers, you can specify values between 200 and 499, with the default value being 200. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\"). For Network Load Balancers, you can specify values between 200 and 599, with the default value being 200-399. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\"). Note that when using shorthand syntax, some values such as commas need to be escaped."
        }
      },
      "additionalProperties": false
    },
    "ITargetGroupThresholdType": {
      "type": "object",
      "description": "Configure health check threshold for target group.",
      "properties": {
        "healthy": {
          "description": "The number of consecutive health check successes required before considering a target healthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 5. For target groups with a protocol of GENEVE, the default is 3.",
          "type": "number"
        },
        "unhealthy": {
          "description": "The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 3.",
          "type": "number"
        }
      },
      "additionalProperties": false
    },
    "LoadBalancerSchemeEnum": {
      "enum": [
        "internet-facing",
        "internal"
      ],
      "type": "string"
    },
    "NlbProtocolEnum": {
      "enum": [
        "TCP",
        "UDP",
        "TLS",
        "TCP_UDP"
      ],
      "type": "string"
    },
    "NonEmptyString": {
      "description": "## Non-Empty String Type\n\nRepresents a string that must contain at least one character. Used for required text fields throughout the Landing Zone Accelerator configuration where empty values are not permitted.",
      "minLength": 1,
      "type": "string"
    },
    "PortfolioAssociationType": {
      "enum": [
        "User",
        "Group",
        "Role",
        "PermissionSet"
      ],
      "type": "string"
    },
    "ProductLaunchConstraintType": {
      "enum": [
        "Role",
        "LocalRole"
      ],
      "type": "string"
    },
    "RoutingHttpXffHeaderProcessingModeEnum": {
      "enum": [
        "append",
        "preserve",
        "remove"
      ],
      "type": "string"
    },
    "SslPolicyAlbEnum": {
      "enum": [
        "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
        "ELBSecurityPolicy-TLS13-1-1-2021-06",
        "ELBSecurityPolicy-TLS13-1-0-2021-06",
        "ELBSecurityPolicy-TLS13-1-3-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04",
        "ELBSecurityPolicy-TLS-1-0-2015-04",
        "ELBSecurityPolicy-TLS-1-1-2017-01",
        "ELBSecurityPolicy-TLS-1-2-2017-01",
        "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
        "ELBSecurityPolicy-FS-2018-06",
        "ELBSecurityPolicy-FS-1-1-2019-08",
        "ELBSecurityPolicy-FS-1-2-2019-08",
        "ELBSecurityPolicy-FS-1-2-Res-2019-08",
        "ELBSecurityPolicy-2015-05",
        "ELBSecurityPolicy-FS-1-2-Res-2020-10",
        "ELBSecurityPolicy-2016-08"
      ],
      "type": "string"
    },
    "SslPolicyNlbEnum": {
      "enum": [
        "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06",
        "ELBSecurityPolicy-TLS13-1-1-2021-06",
        "ELBSecurityPolicy-TLS13-1-0-2021-06",
        "ELBSecurityPolicy-TLS13-1-3-2021-06",
        "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04",
        "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04",
        "ELBSecurityPolicy-TLS-1-0-2015-04",
        "ELBSecurityPolicy-TLS-1-1-2017-01",
        "ELBSecurityPolicy-TLS-1-2-2017-01",
        "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
        "ELBSecurityPolicy-FS-2018-06",
        "ELBSecurityPolicy-FS-1-1-2019-08",
        "ELBSecurityPolicy-FS-1-2-2019-08",
        "ELBSecurityPolicy-FS-1-2-Res-2019-08",
        "ELBSecurityPolicy-2015-05",
        "ELBSecurityPolicy-FS-1-2-Res-2020-10",
        "ELBSecurityPolicy-2016-08"
      ],
      "type": "string"
    },
    "TargetGroupAttributeAlgorithm": {
      "enum": [
        "round_robin",
        "least_outstanding_requests"
      ],
      "type": "string"
    },
    "TargetGroupAttributeStickinessType": {
      "enum": [
        "lb_cookie",
        "app_cookie",
        "source_ip",
        "source_ip_dest_ip",
        "source_ip_dest_ip_proto"
      ],
      "type": "string"
    },
    "TargetGroupHealthCheckProtocolType": {
      "enum": [
        "HTTP",
        "HTTPS",
        "TCP"
      ],
      "type": "string"
    },
    "TargetGroupProtocolType": {
      "enum": [
        "TCP",
        "TLS",
        "UDP",
        "TCP_UDP",
        "HTTP",
        "HTTPS",
        "GENEVE"
      ],
      "type": "string"
    },
    "TargetGroupProtocolVersionType": {
      "enum": [
        "GRPC",
        "HTTP1",
        "HTTP2"
      ],
      "type": "string"
    },
    "TargetGroupTargetFailoverType": {
      "enum": [
        "no_rebalance",
        "rebalance"
      ],
      "type": "string"
    },
    "TargetGroupType": {
      "enum": [
        "instance",
        "ip",
        "alb",
        "lambda"
      ],
      "type": "string"
    }
  }
}
