Creating a free form configuration profile in Amazon AppConfig - Amazon AppConfig
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a free form configuration profile in Amazon AppConfig

A configuration profile includes, among other things, a URI that enables Amazon AppConfig to locate your configuration data in its stored location and a profile type. Amazon AppConfig supports two configuration profile types: feature flags and freeform configurations. Feature flag configuration profiles store their data in the Amazon AppConfig hosted configuration store and the URI is simply hosted. For freeform configuration profiles, you can store your data in the Amazon AppConfig hosted configuration store or any of the following Amazon services and Systems Manager capabilities:

Location Supported file types

Amazon AppConfig hosted configuration store

YAML, JSON, and text if added using the Amazon Web Services Management Console. Any file type if added using the Amazon AppConfig CreateHostedConfigurationVersion API action.

Amazon Simple Storage Service (Amazon S3)

Any

Amazon CodePipeline

Pipeline (as defined by the service)

Amazon Secrets Manager

Secret (as defined by the service)

Amazon Systems Manager Parameter Store

Standard and secure string parameters (as defined by Parameter Store)

Amazon Systems Manager document store (SSM documents)

YAML, JSON, text

A configuration profile can also include optional validators to ensure your configuration data is syntactically and semantically correct. Amazon AppConfig performs a check using the validators when you start a deployment. If any errors are detected, the deployment stops before making any changes to the targets of the configuration.

Note

If possible, we recommend hosting your configuration data in the Amazon AppConfig hosted configuration store as it offers the most features and enhancements.

For freeform configurations stored in the Amazon AppConfig hosted configuration store or SSM documents, you can create the freeform configuration by using the Systems Manager console at the time you create a configuration profile. The process is described later in this topic.

For freeform configurations stored in Parameter Store, Secrets Manager, or Amazon S3, you must create the parameter, secret, or object first and store it in the relevant configuration store. After you store the configuration data, use the procedure in this topic to create the configuration profile.

About configuration store quotas and limitations

Configuration stores supported by Amazon AppConfig have the following quotas and limitations.

Amazon AppConfig hosted configuration store Amazon S3 Systems Manager Parameter Store Amazon Secrets Manager Systems Manager Document store Amazon CodePipeline

Configuration size limit

2 MB default, 4 MB maximum

2 MB

Enforced by Amazon AppConfig, not S3

4 KB (free tier) / 8 KB (advanced parameters)

64 KB

64 KB

2 MB

Enforced by Amazon AppConfig, not CodePipeline

Resource storage limit

1 GB

Unlimited

10,000 parameters (free tier) / 100,000 parameters (advanced parameters)

500,000

500 documents

Limited by the number of configuration profiles per application (100 profiles per application)

Server-side encryption

Yes

SSE-S3, SSE-KMS

Yes

Yes

No

Yes

Amazon CloudFormation support

Yes

Not for creating or updating data

Yes

Yes

No

Yes

Pricing

Free

See Amazon S3 pricing

See Amazon Systems Manager pricing

See Amazon Secrets Manager pricing

Free

See Amazon CodePipeline pricing

About the Amazon AppConfig hosted configuration store

Amazon AppConfig includes an internal or hosted configuration store. Configurations must be 2 MB or smaller. The Amazon AppConfig hosted configuration store provides the following benefits over other configuration store options.

  • You don't need to set up and configure other services such as Amazon Simple Storage Service (Amazon S3) or Parameter Store.

  • You don't need to configure Amazon Identity and Access Management (IAM) permissions to use the configuration store.

  • You can store configurations in YAML, JSON, or as text documents.

  • There is no cost to use the store.

  • You can create a configuration and add it to the store when you create a configuration profile.

About configurations stored in Amazon S3

You can store configurations in an Amazon Simple Storage Service (Amazon S3) bucket. When you create the configuration profile, you specify the URI to a single S3 object in a bucket. You also specify the Amazon Resource Name (ARN) of an Amazon Identity and Access Management (IAM) role that gives Amazon AppConfig permission to get the object. Before you create a configuration profile for an Amazon S3 object, be aware of the following restrictions.

Restriction Details

Size

Configurations stored as S3 objects can be a maximum of 1 MB in size.

Object encryption

A configuration profile can target SSE-S3 and SSE-KMS encrypted objects.

Storage classes

Amazon AppConfig supports the following S3 storage classes: STANDARD, INTELLIGENT_TIERING, REDUCED_REDUNDANCY, STANDARD_IA, and ONEZONE_IA. The following classes are not supported: All S3 Glacier classes (GLACIER and DEEP_ARCHIVE).

Versioning

Amazon AppConfig requires that the S3 object use versioning.

Configuring permissions for a configuration stored as an Amazon S3 object

When you create a configuration profile for a configuration stored as an S3 object, you must specify an ARN for an IAM role that gives Amazon AppConfig permission to get the object. The role must include the following permissions.

Permissions to access the S3 object

  • s3:GetObject

  • s3:GetObjectVersion

Permissions to list S3 buckets

s3:ListAllMyBuckets

Permissions to access the S3 bucket where the object is stored

  • s3:GetBucketLocation

  • s3:GetBucketVersioning

  • s3:ListBucket

  • s3:ListBucketVersions

Complete the following procedure to create a role that enables Amazon AppConfig to get a configuration stored in an S3 object.

Creating the IAM Policy for Accessing an S3 Object

Use the following procedure to create an IAM policy that enables Amazon AppConfig to get a configuration stored in an S3 object.

To create an IAM policy for accessing an S3 object
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy.

  3. On the Create policy page, choose the JSON tab.

  4. Update the following sample policy with information about your S3 bucket and configuration object. Then paste the policy into the text field on the JSON tab.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws-cn:s3:::my-bucket/my-configurations/my-configuration.json" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:ListBucketVersions", "s3:ListBucket" ], "Resource": [ "arn:aws-cn:s3:::my-bucket" ] }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] }
  5. Choose Review policy.

  6. On the Review policy page, type a name in the Name box, and then type a description.

  7. Choose Create policy. The system returns you to the Roles page.

Creating the IAM Role for Accessing an S3 Object

Use the following procedure to create an IAM role that enables Amazon AppConfig to get a configuration stored in an S3 object.

To create an IAM role for accessing an Amazon S3 object
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. On the Select type of trusted entity section, choose Amazon service.

  4. In the Choose a use case section, under Common use cases, choose EC2, and then choose Next: Permissions.

  5. On the Attach permissions policy page, in the search box, enter the name of the policy you created in the previous procedure.

  6. Choose the policy and then choose Next: Tags.

  7. On the Add tags (optional) page, enter a key and an optional value, and then choose Next: Review.

  8. On the Review page, type a name in the Role name field, and then type a description.

  9. Choose Create role. The system returns you to the Roles page.

  10. On the Roles page, choose the role you just created to open the Summary page. Note the Role Name and Role ARN. You will specify the role ARN when you create the configuration profile later in this topic.

Creating a Trust Relationship

Use the following procedure to configure the role you just created to trust Amazon AppConfig.

To add a trust relationship
  1. In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.

  2. Delete "ec2.amazonaws.com" and add "appconfig.amazonaws.com", as shown in the following example.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "appconfig.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
  3. Choose Update Trust Policy.

Creating a freeform configuration and configuration profile

This section describes how to create a freeform configuration and configuration profile. Before you begin, note the following information.

  • The following procedure requires you to specify an IAM service role so that Amazon AppConfig can access your configuration data in the configuration store you choose. This role is not required if you use the Amazon AppConfig hosted configuration store. If you choose S3, Parameter Store, or the Systems Manager document store, then you must either choose an existing IAM role or choose the option to have the system automatically create the role for you. For more information, about this role, see About the configuration profile IAM role.

  • If you want to create a configuration profile for configurations stored in S3, you must configure permissions. For more information about permissions and other requirements for using S3 as a configuration store, see About configurations stored in Amazon S3.

  • If you want to use validators, review the details and requirements for using them. For more information, see About validators.

Creating an Amazon AppConfig freeform configuration profile (console)

Use the following procedure to create an Amazon AppConfig freeform configuration profile and (optionally) a freeform-configuration by using the Amazon Systems Manager console.

To create a configuration profile
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/appconfig/.

  2. On the Applications tab, choose the application you created in Create an Amazon AppConfig configuration and then choose the Configuration profiles and feature flags tab.

  3. Choose Create freeform configuration profile.

  4. For Name, enter a name for the configuration profile.

  5. For Description, enter information about the configuration profile.

  6. On the Select configuration source page, choose an option.

    • If you selected Amazon AppConfig hosted configuration, then choose either YAML, JSON, or Text, and enter your configuration in the field. Choose Next and go to Step 10 in this procedure.

    • If you selected Amazon S3 object, then enter the object URI. Choose Next.

    • If you selected Amazon Systems Manager parameter, then choose the name of the parameter from the list. Choose Next.

    • If you selected Secrets Manager secret, then enter the name of the secret. Choose Next.

    • If you selected Amazon CodePipeline, then choose Next and go to Step 10 in this procedure.

    • If you selected Amazon Systems Manager document, then complete the following steps.

    1. In the Document source section, choose either Saved document or New document.

    2. If you choose Saved document, then choose the SSM document from the list. If you choose New document, the Details and Content sections appear.

    3. In the Details section, enter a name for the new application configuration.

    4. For the Application configuration schema section, either choose the JSON schema using the list or choose Create schema. If you choose Create schema, Systems Manager opens the Create schema page. Enter the schema details in the Content section, and then choose Create schema.

      
                      Enter details of an Amazon AppConfig configuration
    5. For Application configuration schema version either choose the version from the list or choose Update schema to edit the schema and create a new version.

    6. In the Content section, choose either YAML or JSON and then enter the configuration data in the field.

    7. Choose Next.

  7. In the Service role section, choose New service role to have Amazon AppConfig create the IAM role that provides access to the configuration data. Amazon AppConfig automatically populates the Role name field based on the name you entered earlier. Or, to choose a role that already exists in IAM, choose Existing service role. Choose the role by using the Role ARN list.

  8. On the Add validators page, choose either JSON Schema or Amazon Lambda. If you choose JSON Schema, enter the JSON Schema in the field. If you choose Amazon Lambda, choose the function Amazon Resource Name (ARN) and the version from the list.

    Important

    Configuration data stored in SSM documents must validate against an associated JSON Schema before you can add the configuration to the system. SSM parameters do not require a validation method, but we recommend that you create a validation check for new or updated SSM parameter configurations by using Amazon Lambda.

  9. In the Tags section, enter a key and an optional value. You can specify a maximum of 50 tags for a resource.

  10. Choose Create configuration profile.

Important

If you created a configuration profile for Amazon CodePipeline, then after you create a deployment strategy, as described in the next section, you must create a pipeline in CodePipeline that specifies Amazon AppConfig as the deploy provider. For information about creating a pipeline that specifies Amazon AppConfig as the deploy provider, see Tutorial: Create a Pipeline That Uses Amazon AppConfig as a Deployment Provider in the Amazon CodePipeline User Guide.

Proceed to Deploying feature flags and configuration data in Amazon AppConfig.

Creating an Amazon AppConfig freeform configuration profile (command line)

The following procedure describes how to use the Amazon CLI (on Linux or Windows) or Amazon Tools for PowerShell to create an Amazon AppConfig freeform configuration profile. If you prefer, you can use Amazon CloudShell to run the commands listed below. For more information, see What is Amazon CloudShell? in the Amazon CloudShell User Guide.

Note

For freeform configurations hosted in the Amazon AppConfig hosted configuration store, you specify hosted for the location URI.

To create a configuration profile step by step
  1. Open the Amazon CLI.

  2. Run the following command to create a freeform configuration profile.

    Linux
    aws appconfig create-configuration-profile \ --application-id The_application_ID \ --name A_name_for_the_configuration_profile \ --description A_description_of_the_configuration_profile \ --location-uri A_URI_to_locate_the_configuration or hosted \ --retrieval-role-arn The_ARN_of_the_IAM_role_with_permission_to_access_the_configuration_at_the_specified_LocationUri \ --tags User_defined_key_value_pair_metadata_of_the_configuration_profile \ --validators "Content=JSON_Schema_content_or_the_ARN_of_an_Amazon Lambda_function,Type=JSON_SCHEMA or LAMBDA"
    Windows
    aws appconfig create-configuration-profile ^ --application-id The_application_ID ^ --name A_name_for_the_configuration_profile ^ --description A_description_of_the_configuration_profile ^ --location-uri A_URI_to_locate_the_configuration or hosted ^ --retrieval-role-arn The_ARN_of_the_IAM_role_with_permission_to_access_the_configuration_at_the_specified_LocationUri ^ --tags User_defined_key_value_pair_metadata_of_the_configuration_profile ^ --validators "Content=JSON_Schema_content_or_the_ARN_of_an_Amazon Lambda_function,Type=JSON_SCHEMA or LAMBDA"
    PowerShell
    New-APPCConfigurationProfile ` -Name A_name_for_the_configuration_profile ` -ApplicationId The_application_ID ` -Description Description_of_the_configuration_profile ` -LocationUri A_URI_to_locate_the_configuration or hosted ` -RetrievalRoleArn The_ARN_of_the_IAM_role_with_permission_to_access_the_configuration_at_the_specified_LocationUri ` -Tag Hashtable_type_user_defined_key_value_pair_metadata_of_the_configuration_profile ` -Validators "Content=JSON_Schema_content_or_the_ARN_of_an_Amazon Lambda_function,Type=JSON_SCHEMA or LAMBDA"
Note

If you created a configuration in the Amazon AppConfig hosted configuration store, you can create new versions of the configuration by using the CreateHostedConfigurationVersion API operations. To view Amazon CLI details and sample commands for this API operation, see create-hosted-configuration-version in the Amazon CLI Command Reference.