We Keep Coding

How do I configure my PUBLIC AWS custom domain to resolve to a lambda that is configured for my VPC?

What is working:
Using the serverless framework:
I have configured an AWS VPC
I have an Amazon Aurora database configured
for my VPC
I have an AWS API Gateway lambda that is configured for my
VPC
When I deploy my lambda, I am able to access it publicly via the AWS
generated URL: XXX.execute-api.us-east-1.amazonaws.com/prod/outages
In my Lambda,I run a very simple query that proves I can connect to
my database.
This all works fine.
What is NOT working:
I have registered a domain with AWS/Route 53 and added a cert (e.g. *.foo.com)
I use the serverless-domain-manager plugin to make my lambda available via my domain (e.g. api.foo.com/outages resolves to XXX.execute-api.us-east-1.amazonaws.com/prod/outages)
This works fine if my lambda is NOT configured for my VPC
But when my lambda IS configured for my VPC, the custom domain api.foo.com/outages does NOT resolve to XXX.execute-api.us-east-1.amazonaws.com/prod/outages
I other words: I can NOT access api.foo.com/outages publicly.
What I need is:
1 - XXX.execute-api.us-east-1.amazonaws.com/prod/outages is available publicly (this works)
2 - My custom domain, api.foo.com/outages points to the SAME lambda as XXX.execute-api.us-east-1.amazonaws.com/prod/outages (in my VPC) and is available publicly (not working. I get: {"message":"Forbidden"})
virtual-private-cloud.yml
service: virtual-private-cloud
provider:
name: aws
region: us-east-1
stage: ${opt:stage, dev}
custom:
appVersion: 0.0.0
VPC_CIDR: 10
resources:
Resources:
ServerlessVPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: ${self:custom.VPC_CIDR}.0.0.0/16
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
ServerlessSubnetA:
DependsOn: ServerlessVPC
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: ServerlessVPC
AvailabilityZone: ${self:provider.region}a
CidrBlock: ${self:custom.VPC_CIDR}.0.0.0/24
ServerlessSubnetB:
DependsOn: ServerlessVPC
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: ServerlessVPC
AvailabilityZone: ${self:provider.region}b
CidrBlock: ${self:custom.VPC_CIDR}.0.1.0/24
ServerlessSubnetC:
DependsOn: ServerlessVPC
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: ServerlessVPC
AvailabilityZone: ${self:provider.region}c
CidrBlock: ${self:custom.VPC_CIDR}.0.2.0/24
Outputs:
VPCDefaultSecurityGroup:
Value:
Fn::GetAtt:
- ServerlessVPC
- DefaultSecurityGroup
Export:
Name: VPCDefaultSecurityGroup-${self:provider.stage}
SubnetA:
Description: 'Subnet A.'
Value: !Ref ServerlessSubnetA
Export:
Name: vpc-subnet-A-${self:provider.stage}
SubnetB:
Description: 'Subnet B.'
Value: !Ref ServerlessSubnetB
Export:
Name: vpc-subnet-B-${self:provider.stage}
SubnetC:
Description: 'Subnet C.'
Value: !Ref ServerlessSubnetC
Export:
Name: vpc-subnet-C-${self:provider.stage}
database-service.yml
service: database-service
provider:
name: aws
region: us-east-1
stage: ${opt:stage, dev}
environment:
stage: ${opt:stage, dev}
plugins:
- serverless-plugin-ifelse
custom:
appVersion: 0.0.1
AURORA:
DB_NAME: database${self:provider.stage}
USERNAME: ${ssm:/my-db-username~true}
PASSWORD: ${ssm:/my-db-password~true}
HOST:
Fn::GetAtt: [AuroraRDSCluster, Endpoint.Address]
PORT:
Fn::GetAtt: [AuroraRDSCluster, Endpoint.Port]
serverlessIfElse:
- If: '"${opt:stage}" == "prod"'
Set:
resources.Resources.AuroraRDSCluster.Properties.EngineMode: provisioned
ElseSet:
resources.Resources.AuroraRDSCluster.Properties.EngineMode: serverless
resources.Resources.AuroraRDSCluster.Properties.ScalingConfiguration.MinCapacity: 1
resources.Resources.AuroraRDSCluster.Properties.ScalingConfiguration.MaxCapacity: 4
ElseExclude:
- resources.Resources.AuroraRDSInstanceParameter
- resources.Resources.AuroraRDSInstance
resources:
Resources:
AuroraSubnetGroup:
Type: AWS::RDS::DBSubnetGroup
Properties:
DBSubnetGroupDescription: "Aurora Subnet Group"
SubnetIds:
- 'Fn::ImportValue': vpc-subnet-A-${self:provider.stage}
- 'Fn::ImportValue': vpc-subnet-B-${self:provider.stage}
- 'Fn::ImportValue': vpc-subnet-C-${self:provider.stage}
AuroraRDSClusterParameter:
Type: AWS::RDS::DBClusterParameterGroup
Properties:
Description: Parameter group for the Serverless Aurora RDS DB.
Family: aurora5.6
Parameters:
character_set_database: "utf32"
AuroraRDSCluster:
Type: "AWS::RDS::DBCluster"
Properties:
MasterUsername: ${self:custom.AURORA.USERNAME}
MasterUserPassword: ${self:custom.AURORA.PASSWORD}
DBSubnetGroupName:
Ref: AuroraSubnetGroup
Engine: aurora
EngineVersion: "5.6.10a"
DatabaseName: ${self:custom.AURORA.DB_NAME}
BackupRetentionPeriod: 3
DBClusterParameterGroupName:
Ref: AuroraRDSClusterParameter
VpcSecurityGroupIds:
- 'Fn::ImportValue': VPCDefaultSecurityGroup-${self:provider.stage}
# this is needed for non-serverless mode
AuroraRDSInstanceParameter:
Type: AWS::RDS::DBParameterGroup
Properties:
Description: Parameter group for the Serverless Aurora RDS DB.
Family: aurora5.6
Parameters:
sql_mode: IGNORE_SPACE
max_connections: 100
wait_timeout: 900
interactive_timeout: 900
# this is needed for non-serverless mode
AuroraRDSInstance:
Type: "AWS::RDS::DBInstance"
Properties:
DBInstanceClass: db.t2.small
DBSubnetGroupName:
Ref: AuroraSubnetGroup
Engine: aurora
EngineVersion: "5.6.10a"
PubliclyAccessible: false
DBParameterGroupName:
Ref: AuroraRDSInstanceParameter
DBClusterIdentifier:
Ref: AuroraRDSCluster
Outputs:
DatabaseName:
Description: 'Database name.'
Value: ${self:custom.AURORA.DB_NAME}
Export:
Name: DatabaseName-${self:provider.stage}
DatabaseHost:
Description: 'Database host.'
Value: ${self:custom.AURORA.HOST}
Export:
Name: DatabaseHost-${self:provider.stage}
DatabasePort:
Description: 'Database port.'
Value: ${self:custom.AURORA.PORT}
Export:
Name: DatabasePort-${self:provider.stage}
outage-service.yml
service: outage-service
package:
individually: true
plugins:
- serverless-bundle
- serverless-plugin-ifelse
- serverless-domain-manager
custom:
appVersion: 0.0.12
stage: ${opt:stage}
domains:
prod: api.foo.com
test: test-api.foo.com
dev: dev-api.foo.com
customDomain:
domainName: ${self:custom.domains.${opt:stage}}
stage: ${opt:stage}
basePath: outages
custom.customDomain.certificateName: "*.foo.com"
custom.customDomain.certificateArn: 'arn:aws:acm:us-east-1:395671985612:certificate/XXXX'
createRoute53Record: true
serverlessIfElse:
- If: '"${opt:stage}" == "prod"'
Set:
custom.customDomain.enabled: true
ElseSet:
custom.customDomain.enabled: false
provider:
name: aws
runtime: nodejs12.x
stage: ${opt:stage}
region: us-east-1
environment:
databaseName: !ImportValue DatabaseName-${self:provider.stage}
databaseUsername: ${ssm:/my-db-username~true}
databasePassword: ${ssm:/my-db-password~true}
databaseHost: !ImportValue DatabaseHost-${self:provider.stage}
databasePort: !ImportValue DatabasePort-${self:provider.stage}
functions:
hello:
memorySize: 2048
timeout: 30
handler: functions/handler.hello
vpc:
securityGroupIds:
- 'Fn::ImportValue': VPCDefaultSecurityGroup-${self:provider.stage}
subnetIds:
- 'Fn::ImportValue': vpc-subnet-A-${self:provider.stage}
- 'Fn::ImportValue': vpc-subnet-B-${self:provider.stage}
- 'Fn::ImportValue': vpc-subnet-C-${self:provider.stage}
environment:
functionName: getTowns
events:
- http:
path: outage
method: get
cors:
origin: '*'
headers:
- Content-Type
- authorization
resources:
- Outputs:
ApiGatewayRestApiId:
Value:
Ref: ApiGatewayRestApi
Export:
Name: ${self:custom.stage}-ApiGatewayRestApiId
ApiGatewayRestApiRootResourceId:
Value:
Fn::GetAtt:
- ApiGatewayRestApi
- RootResourceId
Export:
Name: ${self:custom.stage}-ApiGatewayRestApiRootResourceId

I believe you might have missed to add VPC endpoints for API Gateway.
Ensure you create a VPC interface endpoint for API GW and use it in the API you create. This will allow API requests to lambda running within VPC
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-create-interface-vpc-endpoint
https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/
Hope this helps !!

SOLUTION: We found a solution, in our case the solution is that you can't use wildcard certificates. So if you make a certificate for the exact API URL it does work. Obviously this is not a nice solution for everyone and everything but when you do have this problem and must deploy you can make it work this way.
Also maybe good to mention we did not have any additional problems with the below mentioned case:
I also wanted to add a post I found that might also have lead to this setup not working even if we do get the network to play nice. But again if you or anyone has a working setup like the above mentioned one let me know how you did it.
TLDR
If anyone wants to understand what was going on with API Gateway, take
a look at this thread.
It basically says that API Gateway processes regular URLs (like
aaaaaaaaaaaa.execute-api.us-east-1.amazonaws.com) differently than how
it processes Custom Domain Name URLs (like api.myservice.com). So when
API Gateway forwards your API request to your Lambda Function, your
Lambda Function will receive different path values, depending on which
type of your URL you used to invoke your API.
source:
Understanding AWS API Gateway Custom Domain Names

AWS ECS: Invalid service in ARN (Service: AmazonECS; ...)

Trying to create a ECS Service (on Fargate) with cloudformation but got error:
Invalid service in ARN (Service: AmazonECS; Status Code: 400; Error
Code: InvalidParameterException; Request ID: xxx).
According to error message seems some ARN is wrong, but I didn't find the reason, I checked ARN of IAM roles and its ok. The other ARN are passed with !Ref function (so not a typo error)
All Resources (including from all others nested templates, vpc, cluster, alb etc) are created, except the "Service" resouce (the ECS service).
Below is the template used (nested template). All parameters are ok (passed from root template). Parameters TaskExecutionRole and ServiceRole are ARNs from IAM roles created by ECS wizard:
Description: >
Deploys xxx ECS service, with load balancer listener rule,
target group, task definition, service definition and auto scaling
Parameters:
EnvironmentName:
Description: An environment name that will be prefixed to resource names
Type: String
EnvironmentType:
Description: See master template
Type: String
VpcId:
Type: String
PublicSubnet1:
Type: String
PublicSubnet2:
Type: String
ALBListener:
Description: ALB listener
Type: String
Cluster:
Description: ECS Cluster
Type: String
TaskExecutionRole:
Description: See master template
Type: String
ServiceRole:
Description: See master template
Type: String
ServiceName:
Description: Service name (used as a variable)
Type: String
Default: xxx
Cpu:
Description: Task size (CPU)
Type: String
Memory:
Description: Task size (memory)
Type: String
Conditions:
HasHttps: !Equals [!Ref EnvironmentType, production]
HasNotHttps: !Not [!Equals [!Ref EnvironmentType, production]]
Resources:
ServiceTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: !Sub '${EnvironmentName}-${ServiceName}'
VpcId: !Ref VpcId
TargetType: ip
Port: 80
Protocol: HTTP
AlbListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
- Type: forward
TargetGroupArn: !Ref ServiceTargetGroup
Conditions:
- Field: host-header
Values: [www.mydomain.com] # test
ListenerArn: !Ref ALBListener
Priority: 1
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Sub '${EnvironmentName}-${ServiceName}-Task'
ContainerDefinitions:
- Name: !Ref ServiceName
Image: nginx
PortMappings:
- ContainerPort: 80
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref EnvironmentName
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: !Ref ServiceName
NetworkMode: awsvpc
RequiresCompatibilities: [FARGATE]
Cpu: !Ref Cpu
Memory: !Ref Memory
ExecutionRoleArn: !Ref TaskExecutionRole
Service:
Type: AWS::ECS::Service
DependsOn: TaskDefinition
Properties:
Cluster: !Ref Cluster
ServiceName: !Ref ServiceName
TaskDefinition: !Ref TaskDefinition
LaunchType: FARGATE
DesiredCount: 1
LoadBalancers:
- ContainerName: !Ref ServiceName
ContainerPort: 80
TargetGroupArn: !Ref ServiceTargetGroup
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: ENABLED
Subnets:
- !Ref PublicSubnet1
- !Ref PublicSubnet2
Role: !Ref ServiceRole
I lost a few hours in this and could not solve it, I reviewed a lot in the documentation but nothing, if someone knows how to help.
Thanks!

The error message is confusing because it does not explain which parameter is wrong. Amazon API expects resource ARNs in several parameters including Cluster, TaskDefinition and TargetGroup. The error happens when one of these parameters are wrong. Please check carefully these parameters and make sure they are valid ARNs.
I had exactly the same error and in my case I made a mistake and provided wrong Cluster value.
And I am posting an answer here because this was the first search result for this error message and it had no answer.

The problem for me was that the default AWS region was set to the wrong one. To fix that, run the following command (using the correct region).
$ aws configure set default.region us-west-2

AWS + Cloudformation + Elasticbeanstalk

When I do a create stack with the following cloudformation template using the input parameter EnvironmentType "dev", it creates the ebs application, creates the environment inside the application and deploys the sample-app.war file from the S3 bucket.
Then I am doing an update stack using the same template with an input parameter EnvironmentType "stage", this time it removes the existing dev environment and creates the stage environment inside the application.
I also tried to create stack again using the sample template entering sample application name created in the first step and this time it shows application already exist.
My requirement is to retain the dev environment and stage environment to get created inside the sample application using cloudformation.
Any suggestions, please..
---
AWSTemplateFormatVersion: 2010-09-09
Description: 'Create an ElasticBeanstalk Application, Environment and deploy the war file from S3 bucket'
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: 'EBS Application Configuration'
Parameters:
- ApplicationName
- ApplicationDescription
- ApplicationVersion
-
Label:
default: 'EBS Environment Configuration'
Parameters:
- EnvironmentName
- EnvironmentType
- EnvironmentDescription
- EnvironmentCName
- MinInstances
- MaxInstances
Mappings:
PropertiesMap:
IntanceType:
dev: 'SingleInstance'
qa: 'SingleInstance'
stage: 'LoadBalanced'
prod: 'LoadBalanced'
Parameters:
ApplicationName:
Type: String
Description: 'Name of the ElasticBeanstalk Application'
ApplicationDescription:
Type: String
Description: 'ElasticBeanstalk Application Description'
ApplicationVersion:
Type: String
Description: 'Application version description'
EnvironmentName:
Type: String
Description: 'Name of the Environment'
AllowedPattern: '^([A-Za-z]|[0-9]|-)+$'
EnvironmentType:
Type: String
Description: 'Type of the Environment (dev, qa, stage, prod)'
AllowedValues:
- 'dev'
- 'qa'
- 'stage'
- 'prod'
EnvironmentCName:
Type: String
Description: 'CName Prefix for the ElasticBeanstalk environment'
AllowedPattern: '^([A-Za-z]|[0-9]|-)+$'
EnvironmentDescription:
Type: String
Description: 'Description of the ElasticBeanstalk environment'
MinInstances:
Type: Number
Description: 'Minimum load balanced instances (Mandatory for stage/prod)'
Default: 2
MinValue: 2
MaxValue: 10
MaxInstances:
Type: Number
Description: 'Maximum load balanced instances (Mandatory for stage/prod)'
Default: 2
MinValue: 2
MaxValue: 10
Conditions:
IsStageOrProdEnvironment:
!Or [!Equals [stage, !Ref EnvironmentType], !Equals [prod, !Ref EnvironmentType]]
Resources:
EBSApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
ApplicationName: !Ref ApplicationName
Description: !Ref ApplicationDescription
EBSApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName: !Ref EBSApplication
Description: !Ref ApplicationVersion
SourceBundle:
S3Bucket: deployable
S3Key: artifacts/sample-app.war
EBSApplicationConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName: !Ref EBSApplication
Description: 'ElasticBeanstalk Configuration Template'
SolutionStackName: '64bit Amazon Linux 2018.03 v3.0.2 running Tomcat 8.5 Java 8'
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: !FindInMap [PropertiesMap, IntanceType, !Ref EnvironmentType]
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: !If [IsStageOrProdEnvironment, !Ref MinInstances, !Ref 'AWS::NoValue']
- Namespace: aws:autoscaling:asg
OptionName: MaxSize
Value: !If [IsStageOrProdEnvironment, !Ref MaxInstances, !Ref 'AWS::NoValue']
EBSEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName: !Ref EBSApplication
CNAMEPrefix: !Ref EnvironmentCName
Description: !Ref EnvironmentDescription
EnvironmentName: !Ref EnvironmentName
TemplateName: !Ref EBSApplicationConfigurationTemplate
VersionLabel: !Ref EBSApplicationVersion
Outputs:
ApplicationURL:
Description: 'ElasticBeanstalk environment endpoint'
Value: !Join
- ''
- - 'http://'
- !GetAtt EBSEnvironment.EndpointURL

Cloudformation + EBS. How to create a static IP and route all outbound app server traffic through it?

I have the following Cloudformation config, it does the following:
Creates and Elasticbeanstalk app
Links a domain name to its loadbalancer
I need to be able to access an FTP server but they only allow whitelisted IP addresses.
How would I go about creating a static (elastic?) IP within configuration, route traffic through it, and have the IP remain the same if I run this Cloudformation multiple times?
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
S3Bucket:
Type: String
Description: S3 Bucket containing zip file
RolePath:
Type: String
Description: RolePath
HostedZoneName:
Type: String
Description: HostedZoneName
QueueNamePrefix:
Type: String
Description: QueueNamePrefix
AppDebug:
Type: String
Description: Debug
Default: 'false'
AppDnsCname:
Type: String
Description: AppDnsCname
Environment:
Type: String
Description: Environment
AppName:
Type: String
Description: AppName
AWSRegion:
Type: String
Description: AWSRegion
AppHealthCheckPath:
Type: String
Description: Path for container health check
Description: Elastic Beanstalk application & IAM policies
Resources:
ElasticBeanstalkProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: !Ref 'RolePath'
Roles:
- !Ref 'ElasticBeanstalkRole'
ElasticBeanstalkRole:
Type: AWS::IAM::Role
Properties:
Path: !Ref 'RolePath'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
- arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
- arn:aws:iam::aws:policy/AmazonSQSFullAccess
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Policies: []
ElasticBeanstalkApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: !Ref 'AppName'
ElasticBeanstalkVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName: !Ref 'ElasticBeanstalkApplication'
Description: Source Code
SourceBundle:
S3Bucket: !Ref 'S3Bucket'
S3Key: !Ref 'S3ZipKey'
ElasticBeanstalkConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
DependsOn:
- ElasticBeanstalkProfile
Properties:
Description: my-app Configuration Template
ApplicationName: !Ref 'ElasticBeanstalkApplication'
SolutionStackName: 64bit Amazon Linux 2017.09 v2.8.4 running Multi-container Docker 17.09.1-ce (Generic)
OptionSettings:
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
- Namespace: aws:elasticbeanstalk:application
OptionName: Application Healthcheck URL
Value: !Ref 'AppHealthCheckPath'
- Namespace: aws:elasticbeanstalk:cloudwatch:logs
OptionName: StreamLogs
Value: true
- Namespace: aws:elasticbeanstalk:cloudwatch:logs
OptionName: DeleteOnTerminate
Value: false
- Namespace: aws:elasticbeanstalk:cloudwatch:logs
OptionName: RetentionInDays
Value: 180
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value: !GetAtt 'ElasticBeanstalkProfile.Arn'
- Namespace: aws:elasticbeanstalk:application:environment
OptionName: DEBUG
Value: !Ref 'AppDebug'
- Namespace: aws:elasticbeanstalk:application:environment
OptionName: AWS_REGION
Value: !Ref 'AWSRegion'
- Namespace: aws:elasticbeanstalk:application:environment
- Namespace: aws:autoscaling:launchconfiguration
OptionName: InstanceType
Value: "t2.small"
- Namespace: aws:elasticbeanstalk:healthreporting:system
OptionName: SystemType
Value: "enhanced"
MyAppDNS:
Type: AWS::Route53::RecordSetGroup
DependsOn: ElasticBeanstalkEnvironment
Properties:
HostedZoneName: !Ref 'HostedZoneName'
RecordSets:
- Name: !Ref 'AppDnsCname'
Type: CNAME
TTL: '60'
ResourceRecords:
- !GetAtt 'ElasticBeanstalkEnvironment.EndpointURL'
ElasticBeanstalkEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
Description: !Ref 'Environment'
ApplicationName: !Ref 'ElasticBeanstalkApplication'
TemplateName: !Ref 'ElasticBeanstalkConfigurationTemplate'
VersionLabel: !Ref 'ElasticBeanstalkVersion'
Tier:
Type: Standard
Name: WebServer

Use Elastic IP resource association through CloudFormation.
Create the Elastic IP resource:
Type: AWS::EC2::EIP
Properties:
InstanceId: String
Domain: String
Associate the Elastic IP resource with your EC2 instance resource:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId: String
EIP: String
InstanceId: String
NetworkInterfaceId: String
PrivateIpAddress: String
Don't forget to join these two using !Ref
and finally, here's an official example on how to do this.
Assigning an Amazon EC2 Elastic IP Using AWS::EC2::EIP Snippet

AWS Cloudformation: how to refer multiple security groups in AWS elastic beanstalk configuration

I am new to AWS Cloudformation world. I am trying to create an elasticbeanstalk configuration template. For it's one of the setting, I need to use two security groups. So, I have given it as following
MyConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
Properties:
ApplicationName: MyApplication
Description: A default Application
SolutionStackName: SolutionStack
OptionSettings:
....
....
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
!If
- ConditionIsTrue
- [!Ref FirstGroup, !ImportValue SecondGroup]
- !Ref FirstGroup
....
....
I read from AWS docs here, that SecurityGroups is a list and we can provide comma seprated list. But it is not working for me. AWS throws following error
Value of property Value must be of type String
I tried giving value of security groups in following ways but none of them worked.
1) "!Ref FirstGroup, !ImportValue SecondGroup"
2) !Ref FirstGroup, !ImportValue SecondGroup
Any idea how this list of security groups should be provided?

I got it myself with some trial and error. As it accepts comma separated list. We need to use !join as follows.
MyConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName: MyApplication
Description: A default Application
SolutionStackName: SolutionStack
OptionSettings:
....
....
- Namespace: aws:autoscaling:launchconfiguration
OptionName: SecurityGroups
Value:
!If
- ConditionIsTrue
- !Join [',', [!Ref FirstGroup, !ImportValue SecondGroup]]
- !Ref FirstGroup
....
....