Amazon rule functions
In the condition or assertions of a rule, you can use intrinsic functions, such as
Fn::Equals, Fn::Not, and Fn::RefAll. The condition
property determines if Amazon CloudFormation applies the assertions. If the condition evaluates to
true, CloudFormation evaluates the assertions to verify whether a parameter value is
valid when a provisioned product is created or updated. If a parameter value isn't valid,
CloudFormation doesn't create or update the stack. If the condition evaluates to false,
CloudFormation doesn't check the parameter value and proceeds with the stack operation.
Functions
Fn::And
Returns true if all the specified conditions evaluate to true;
returns false if any one of the conditions evaluates to false.
Fn::And acts as an AND operator. The minimum number of conditions that you can
include is two, and the maximum is ten.
Declaration
"Fn::And" : [{condition}, {...}]Parameters
- condition
-
A rule-specific intrinsic function that evaluates to
trueorfalse.
Example
The following example evaluates to true if the referenced security group
name is equal to sg-mysggroup and if the InstanceType parameter
value is either m1.large or m1.small:
"Fn::And": [ { "Fn::Equals": [ "sg-mysggroup", {"Ref": "ASecurityGroup"} ] }, { "Fn::Contains": [ [ "m1.large", "m1.small" ], {"Ref": "InstanceType"} ] } ]
Fn::Contains
Returns true if a specified string matches at least one value in a list of
strings.
Declaration
"Fn::Contains" : [[list_of_strings], string]Parameters
- list_of_strings
-
A list of strings, such as
"A", "B", "C". - string
-
A string, such as
"A", that you want to compare against a list of strings.
Example
The following function evaluates to true if the InstanceType
parameter value is contained in the list (m1.large or
m1.small):
"Fn::Contains" : [ ["m1.large", "m1.small"], {"Ref" : "InstanceType"} ]
Fn::EachMemberEquals
Returns true if a specified string matches all values in a list.
Declaration
"Fn::EachMemberEquals" : [[list_of_strings], string]Parameters
- list_of_strings
-
A list of strings, such as
"A", "B", "C". - string
-
A string, such as
"A", that you want to compare against a list of strings.
Example
The following function returns true if the Department tag for
all parameters of type
AWS::EC2::VPC::Id have a value of IT:
"Fn::EachMemberEquals" : [ {"Fn::ValueOfAll" : ["AWS::EC2::VPC::Id", "Tags.Department"]}, "IT" ]
Fn::EachMemberIn
Returns true if each member in a list of strings matches at least one value
in a second list of strings.
Declaration
"Fn::EachMemberIn" : [[strings_to_check], [strings_to_match]]Parameters
- strings_to_check
-
A list of strings, such as
"A", "B", "C". CloudFormation checks whether each member in thestrings_to_checkparameter is in thestrings_to_matchparameter. - strings_to_match
-
A list of strings, such as
"A", "B", "C". Each member in thestrings_to_matchparameter is compared against the members of thestrings_to_checkparameter.
Example
The following function checks whether users specify a subnet that's in a valid virtual private cloud (VPC).
The VPC must be in the account and the Region in which users are working with the stack. The function applies to all
parameters of type AWS::EC2::Subnet::Id.
"Fn::EachMemberIn" : [ {"Fn::ValueOfAll" : ["AWS::EC2::Subnet::Id", "VpcId"]}, {"Fn::RefAll" : "AWS::EC2::VPC::Id"} ]
Fn::Equals
Compares two values to determine whether they're equal. Returns true if the
two values are equal and false if they aren't.
Declaration
"Fn::Equals" : ["value_1", "value_2"]Parameters
value-
A value of any type that you want to compare with another value.
Example
The following example evaluates to true if the value for the
EnvironmentType parameter is equal to prod:
"Fn::Equals" : [{"Ref" : "EnvironmentType"}, "prod"]
Fn::Not
Returns true for a condition that evaluates to false, and
returns false for a condition that evaluates to true.
Fn::Not acts as a NOT operator.
Declaration
"Fn::Not" : [{condition}]Parameters
condition-
A rule-specific intrinsic function that evaluates to
trueorfalse.
Example
The following example evaluates to true if the value for the
EnvironmentType parameter isn't equal to prod:
"Fn::Not" : [{"Fn::Equals" : [{"Ref" : "EnvironmentType"}, "prod"]}]
Fn::Or
Returns true if any one of the specified conditions evaluates to
true; returns false if all the conditions evaluate to
false. Fn::Or acts as an OR operator. The minimum number of
conditions that you can include is two, and the maximum is ten.
Declaration
"Fn::Or" : [{condition}, {...}]Parameters
condition-
A rule-specific intrinsic function that evaluates to
trueorfalse.
Example
The following example evaluates to true if the referenced security group
name is equal to sg-mysggroup or if the InstanceType parameter
value is either m1.large or m1.small:
"Fn::Or" : [ {"Fn::Equals" : ["sg-mysggroup", {"Ref" : "ASecurityGroup"}]}, {"Fn::Contains" : [["m1.large", "m1.small"], {"Ref" : "InstanceType"}]} ]
Fn::RefAll
Returns all values for a specified parameter type.
Declaration
"Fn::RefAll" : "parameter_type"Parameters
- parameter_type
-
An Amazon-specific parameter type, such as
AWS::EC2::SecurityGroup::IdorAWS::EC2::VPC::Id. For more information, see Parameters in the Amazon CloudFormation User Guide.
Example
The following function returns a list of all VPC IDs for the Region and Amazon Web Services account in which the stack is being created or updated:
"Fn::RefAll" : "AWS::EC2::VPC::Id"
Fn::ValueOf
Returns an attribute value or list of values for a specific parameter and attribute.
Declaration
"Fn::ValueOf" : [ "parameter_logical_id", "attribute" ]Parameters
- attribute
-
The name of an attribute from which you want to retrieve a value. For more information about attributes, see Supported attributes.
- parameter_logical_id
-
The name of a parameter for which you want to retrieve attribute values. The parameter must be declared in the
Parameterssection of the template.
Examples
The following example returns the value of the Department tag for the VPC
that's specified by the ElbVpc parameter:
"Fn::ValueOf" : ["ElbVpc", "Tags.Department"]
If you specify multiple values for a parameter, the Fn::ValueOf function can return a list. For example, you can specify multiple subnets and get a list of Availability Zones where each member is the Availability Zone of a particular subnet:
"Fn::ValueOf" : ["ListOfElbSubnets", "AvailabilityZone"]
Fn::ValueOfAll
Returns a list of all attribute values for a given parameter type and attribute.
Declaration
"Fn::ValueOfAll" : ["parameter_type", "attribute"]Parameters
- attribute
-
The name of an attribute from which you want to retrieve a value. For more information about attributes, see Supported attributes.
- parameter_type
-
An Amazon-specific parameter type, such as
AWS::EC2::SecurityGroup::IdorAWS::EC2::VPC::Id. For more information, see Parameters in the Amazon CloudFormation User Guide.
Example
In the following example, the Fn::ValueOfAll function returns a list of
values, where each member is the Department tag value for VPCs with that
tag:
"Fn::ValueOfAll" : ["AWS::EC2::VPC::Id", "Tags.Department"]
Supported functions
You can't use another function within the Fn::ValueOf and
Fn::ValueOfAll functions. However, you can use the following functions within
all other rule-specific intrinsic functions:
-
Ref -
Other rule-specific intrinsic functions
Supported attributes
The following list describes the attribute values that you can retrieve for specific resources and parameter types:
- The
AWS::EC2::VPC::Idparameter type or VPC IDs. -
-
DefaultNetworkAcl
-
DefaultSecurityGroup
-
Tags.
tag_key
-
- The
AWS::EC2::Subnet::Idparameter type or subnet IDs, -
-
AvailabilityZone
-
Tags.
tag_key -
VpcId
-
- The
AWS::EC2::SecurityGroup::Idparameter type or security group IDs. -
-
Tags.
tag_key
-