Creating a free form configuration profile in Amazon AppConfig
Configuration data is a collection of settings that influence the behavior of your application. A configuration profile includes, among other things, a URI that enables Amazon AppConfig to locate your configuration data in its stored location and a configure type. With freeform configuration profiles, you can store your data in the Amazon AppConfig hosted configuration store or any of the following Amazon services and Systems Manager capabilities:
Location | Supported file types |
---|---|
Amazon AppConfig hosted configuration store |
YAML, JSON, and text if added using the Amazon Web Services Management Console. Any file type if added using the Amazon AppConfig CreateHostedConfigurationVersion API action. |
Any |
|
Pipeline (as defined by the service) |
|
Secret (as defined by the service) |
|
Standard and secure string parameters (as defined by Parameter Store) |
|
YAML, JSON, text |
A configuration profile can also include optional validators to ensure your configuration data is syntactically and semantically correct. Amazon AppConfig performs a check using the validators when you start a deployment. If any errors are detected, the deployment stops before making any changes to the targets of the configuration.
Note
If possible, we recommend hosting your configuration data in the Amazon AppConfig hosted configuration store as it offers the most features and enhancements.
For freeform configurations stored in the Amazon AppConfig hosted configuration store or SSM documents, you can create the freeform configuration by using the Systems Manager console at the time you create a configuration profile. The process is described later in this topic.
For freeform configurations stored in Parameter Store, Secrets Manager, or Amazon S3, you must create the parameter, secret, or object first and store it in the relevant configuration store. After you store the configuration data, use the procedure in this topic to create the configuration profile.
Topics
- Understanding validators
- Understanding configuration store quotas and limitations
- Understanding the Amazon AppConfig hosted configuration store
- Understanding configurations stored in Amazon S3
- Creating an Amazon AppConfig freeform configuration profile (console)
- Creating an Amazon AppConfig freeform configuration profile (command line)
Understanding validators
When you create a configuration profile, you have the option to specify up to two validators. A validator ensures that your configuration data is syntactically and semantically correct. If you plan to use a validator, you must create it before you create the configuration profile. Amazon AppConfig supports the following types of validators:
-
Amazon Lambda functions: Supported for feature flags and free form configurations.
-
JSON Schema: Supported for free form configurations. (Amazon AppConfig automatically validates feature flags against a JSON Schema.)
Amazon Lambda function validators
Lambda function validators must be configured with the following event schema. Amazon AppConfig uses this schema to invoke the Lambda function. The content is a base64-encoded string, and the URI is a string.
{ "applicationId": "
The application ID of the configuration profile being validated
", "configurationProfileId": "The ID of the configuration profile being validated
", "configurationVersion": "The version of the configuration profile being validated
", "content": "Base64EncodedByteString", "uri": "The configuration uri
" }
Amazon AppConfig verifies that the Lambda X-Amz-Function-Error
header is set in
the response. Lambda sets this header if the function throws an exception. For more
information about X-Amz-Function-Error
, see Error Handling and Automatic Retries in
Amazon Lambda in the Amazon Lambda Developer Guide.
Here is a simple example of a Lambda response code for a successful validation.
import json def handler(event, context): #Add your validation logic here print("We passed!")
Here is a simple example of a Lambda response code for an unsuccessful validation.
def handler(event, context): #Add your validation logic here raise Exception("Failure!")
Here is another example that validates only if the configuration parameter is a prime number.
function isPrime(value) { if (value < 2) { return false; } for (i = 2; i < value; i++) { if (value % i === 0) { return false; } } return true; } exports.handler = async function(event, context) { console.log('EVENT: ' + JSON.stringify(event, null, 2)); const input = parseInt(Buffer.from(event.content, 'base64').toString('ascii')); const prime = isPrime(input); console.log('RESULT: ' + input + (prime ? ' is' : ' is not') + ' prime'); if (!prime) { throw input + "is not prime"; } }
Amazon AppConfig calls your validation Lambda when calling the StartDeployment
and
ValidateConfigurationActivity
API operations. You must provide
appconfig.amazonaws.com
permissions to invoke your Lambda. For more
information, see Granting Function Access to Amazon Services. Amazon AppConfig limits the validation
Lambda run time to 15 seconds, including start-up latency.
JSON Schema validators
If you create a configuration in an SSM document, then you must specify or create a JSON Schema for that configuration. A JSON Schema defines the allowable properties for each application configuration setting. The JSON Schema functions like a set of rules to ensure that new or updated configuration settings conform to the best practices required by your application. Here is an example.
{ "$schema": "http://json-schema.org/draft-04/schema#", "title": "$id$", "description": "BasicFeatureToggle-1", "type": "object", "additionalProperties": false, "patternProperties": { "[^\\s]+$": { "type": "boolean" } }, "minProperties": 1 }
When you create a configuration from an SSM document, the system automatically verifies that the configuration conforms to the schema requirements. If it doesn't, Amazon AppConfig returns a validation error.
Important
Note the following important information about JSON Schema validators:
-
Configuration data stored in SSM documents must validate against an associated JSON Schema before you can add the configuration to the system. SSM parameters do not require a validation method, but we recommend that you create a validation check for new or updated SSM parameter configurations by using Amazon Lambda.
-
A configuration in an SSM document uses the
ApplicationConfiguration
document type. The corresponding JSON Schema, uses theApplicationConfigurationSchema
document type. -
Amazon AppConfig supports JSON Schema version 4.X for inline schema. If your application configuration requires a different version of JSON Schema, then you must create a Lambda validator.
Understanding configuration store quotas and limitations
Configuration stores supported by Amazon AppConfig have the following quotas and limitations.
Amazon AppConfig hosted configuration store | Amazon S3 | Systems Manager Parameter Store | Amazon Secrets Manager | Systems Manager Document store | Amazon CodePipeline | |
---|---|---|---|---|---|---|
Configuration size limit |
2 MB default, 4 MB maximum |
2 MB Enforced by Amazon AppConfig, not S3 |
4 KB (free tier) / 8 KB (advanced parameters) |
64 KB |
64 KB |
2 MB Enforced by Amazon AppConfig, not CodePipeline |
Resource storage limit |
1 GB |
Unlimited |
10,000 parameters (free tier) / 100,000 parameters (advanced parameters) |
500,000 |
500 documents |
Limited by the number of configuration profiles per application (100 profiles per application) |
Server-side encryption |
Yes |
Yes |
Yes |
No |
Yes |
|
Amazon CloudFormation support |
Yes |
Not for creating or updating data |
Yes |
Yes |
No |
Yes |
Pricing |
Free |
Free |
Understanding the Amazon AppConfig hosted configuration store
Amazon AppConfig includes an internal or hosted configuration store. Configurations must be 2 MB or smaller. The Amazon AppConfig hosted configuration store provides the following benefits over other configuration store options.
-
You don't need to set up and configure other services such as Amazon Simple Storage Service (Amazon S3) or Parameter Store.
-
You don't need to configure Amazon Identity and Access Management (IAM) permissions to use the configuration store.
-
You can store configurations in YAML, JSON, or as text documents.
-
There is no cost to use the store.
-
You can create a configuration and add it to the store when you create a configuration profile.
Understanding configurations stored in Amazon S3
You can store configurations in an Amazon Simple Storage Service (Amazon S3) bucket. When you create the configuration profile, you specify the URI to a single S3 object in a bucket. You also specify the Amazon Resource Name (ARN) of an Amazon Identity and Access Management (IAM) role that gives Amazon AppConfig permission to get the object. Before you create a configuration profile for an Amazon S3 object, be aware of the following restrictions.
Restriction | Details |
---|---|
Size |
Configurations stored as S3 objects can be a maximum of 1 MB in size. |
Object encryption |
A configuration profile can target SSE-S3 and SSE-KMS encrypted objects. |
Storage classes |
Amazon AppConfig supports the following S3 storage classes: |
Versioning |
Amazon AppConfig requires that the S3 object use versioning. |
Configuring permissions for a configuration stored as an Amazon S3 object
When you create a configuration profile for a configuration stored as an S3 object, you must specify an ARN for an IAM role that gives Amazon AppConfig permission to get the object. The role must include the following permissions.
Permissions to access the S3 object
-
s3:GetObject
-
s3:GetObjectVersion
Permissions to list S3 buckets
s3:ListAllMyBuckets
Permissions to access the S3 bucket where the object is stored
-
s3:GetBucketLocation
-
s3:GetBucketVersioning
-
s3:ListBucket
-
s3:ListBucketVersions
Complete the following procedure to create a role that enables Amazon AppConfig to get a configuration stored in an S3 object.
Creating the IAM Policy for Accessing an S3 Object
Use the following procedure to create an IAM policy that enables Amazon AppConfig to get a configuration stored in an S3 object.
To create an IAM policy for accessing an S3 object
Open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Policies, and then choose Create policy.
-
On the Create policy page, choose the JSON tab.
-
Update the following sample policy with information about your S3 bucket and configuration object. Then paste the policy into the text field on the JSON tab. Replace the
placeholder values
with your own information.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws-cn:s3:::
DOC-EXAMPLE-BUCKET
/my-configurations
/my-configuration
.json" }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:ListBucketVersions", "s3:ListBucket" ], "Resource": [ "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET
" ] }, { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] } -
Choose Review policy.
-
On the Review policy page, type a name in the Name box, and then type a description.
-
Choose Create policy. The system returns you to the Roles page.
Creating the IAM Role for Accessing an S3 Object
Use the following procedure to create an IAM role that enables Amazon AppConfig to get a configuration stored in an S3 object.
To create an IAM role for accessing an Amazon S3 object
Open the IAM console at https://console.amazonaws.cn/iam/
. -
In the navigation pane, choose Roles, and then choose Create role.
-
On the Select type of trusted entity section, choose Amazon service.
-
In the Choose a use case section, under Common use cases, choose EC2, and then choose Next: Permissions.
-
On the Attach permissions policy page, in the search box, enter the name of the policy you created in the previous procedure.
-
Choose the policy and then choose Next: Tags.
-
On the Add tags (optional) page, enter a key and an optional value, and then choose Next: Review.
-
On the Review page, type a name in the Role name field, and then type a description.
-
Choose Create role. The system returns you to the Roles page.
-
On the Roles page, choose the role you just created to open the Summary page. Note the Role Name and Role ARN. You will specify the role ARN when you create the configuration profile later in this topic.
Creating a Trust Relationship
Use the following procedure to configure the role you just created to trust Amazon AppConfig.
To add a trust relationship
-
In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.
-
Delete
"ec2.amazonaws.com"
and add"appconfig.amazonaws.com"
, as shown in the following example.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "appconfig.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
-
Choose Update Trust Policy.