Creating a free form configuration profile in Amazon AppConfig - Amazon AppConfig
Understanding validatorsUnderstanding configuration store quotas and limitationsUnderstanding the Amazon AppConfig hosted configuration storeUnderstanding configurations stored in Amazon S3
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a free form configuration profile in Amazon AppConfig

Configuration data is a collection of settings that influence the behavior of your application. A configuration profile includes, among other things, a URI that enables Amazon AppConfig to locate your configuration data in its stored location and a configure type. With freeform configuration profiles, you can store your data in the Amazon AppConfig hosted configuration store or any of the following Amazon services and Systems Manager capabilities:

Location Supported file types

Amazon AppConfig hosted configuration store

YAML, JSON, and text if added using the Amazon Web Services Management Console. Any file type if added using the Amazon AppConfig CreateHostedConfigurationVersion API action.

Amazon Simple Storage Service (Amazon S3)

Any

Amazon CodePipeline

Pipeline (as defined by the service)

Amazon Secrets Manager

Secret (as defined by the service)

Amazon Systems Manager Parameter Store

Standard and secure string parameters (as defined by Parameter Store)

Amazon Systems Manager document store (SSM documents)

YAML, JSON, text

A configuration profile can also include optional validators to ensure your configuration data is syntactically and semantically correct. Amazon AppConfig performs a check using the validators when you start a deployment. If any errors are detected, the deployment stops before making any changes to the targets of the configuration.

Note

If possible, we recommend hosting your configuration data in the Amazon AppConfig hosted configuration store as it offers the most features and enhancements.

For freeform configurations stored in the Amazon AppConfig hosted configuration store or SSM documents, you can create the freeform configuration by using the Systems Manager console at the time you create a configuration profile. The process is described later in this topic.

For freeform configurations stored in Parameter Store, Secrets Manager, or Amazon S3, you must create the parameter, secret, or object first and store it in the relevant configuration store. After you store the configuration data, use the procedure in this topic to create the configuration profile.

Topics

Understanding validators

When you create a configuration profile, you have the option to specify up to two validators. A validator ensures that your configuration data is syntactically and semantically correct. If you plan to use a validator, you must create it before you create the configuration profile. Amazon AppConfig supports the following types of validators:

  • Amazon Lambda functions: Supported for feature flags and free form configurations.

  • JSON Schema: Supported for free form configurations. (Amazon AppConfig automatically validates feature flags against a JSON Schema.)

Amazon Lambda function validators

Lambda function validators must be configured with the following event schema. Amazon AppConfig uses this schema to invoke the Lambda function. The content is a base64-encoded string, and the URI is a string. 

{
    "applicationId": "The application ID of the configuration profile being validated", 
    "configurationProfileId": "The ID of the configuration profile being validated",
    "configurationVersion": "The version of the configuration profile being validated",
    "content": "Base64EncodedByteString", 
    "uri": "The configuration uri"    
}

Amazon AppConfig verifies that the Lambda X-Amz-Function-Error header is set in the response. Lambda sets this header if the function throws an exception. For more information about X-Amz-Function-Error, see Error Handling and Automatic Retries in Amazon Lambda in the Amazon Lambda Developer Guide.

Here is a simple example of a Lambda response code for a successful validation.

import json

def handler(event, context):
     #Add your validation logic here
     print("We passed!")

Here is a simple example of a Lambda response code for an unsuccessful validation.

def handler(event, context):
     #Add your validation logic here
     raise Exception("Failure!")

Here is another example that validates only if the configuration parameter is a prime number.

function isPrime(value) {
    if (value < 2) {
        return false;
    }

    for (i = 2; i < value; i++) {
        if (value % i === 0) {
            return false;
        }
    }

    return true;
}

exports.handler = async function(event, context) {
    console.log('EVENT: ' + JSON.stringify(event, null, 2));
    const input = parseInt(Buffer.from(event.content, 'base64').toString('ascii'));
    const prime = isPrime(input);
    console.log('RESULT: ' + input + (prime ? ' is' : ' is not') + ' prime');
    if (!prime) {
        throw input + "is not prime";
    }
}

Amazon AppConfig calls your validation Lambda when calling the StartDeployment and ValidateConfigurationActivity API operations. You must provide appconfig.amazonaws.com permissions to invoke your Lambda. For more information, see Granting Function Access to Amazon Services. Amazon AppConfig limits the validation Lambda run time to 15 seconds, including start-up latency.

JSON Schema validators

If you create a configuration in an SSM document, then you must specify or create a JSON Schema for that configuration. A JSON Schema defines the allowable properties for each application configuration setting. The JSON Schema functions like a set of rules to ensure that new or updated configuration settings conform to the best practices required by your application. Here is an example. 

    {
      "$schema": "http://json-schema.org/draft-04/schema#",
      "title": "$id$",
      "description": "BasicFeatureToggle-1",
      "type": "object",
      "additionalProperties": false,
      "patternProperties": {
          "[^\\s]+$": {
              "type": "boolean"
          }
      },
      "minProperties": 1
    }

When you create a configuration from an SSM document, the system automatically verifies that the configuration conforms to the schema requirements. If it doesn't, Amazon AppConfig returns a validation error.

Important

Note the following important information about JSON Schema validators:

  • Configuration data stored in SSM documents must validate against an associated JSON Schema before you can add the configuration to the system. SSM parameters do not require a validation method, but we recommend that you create a validation check for new or updated SSM parameter configurations by using Amazon Lambda.

  • A configuration in an SSM document uses the ApplicationConfiguration document type. The corresponding JSON Schema, uses the ApplicationConfigurationSchema document type.

  • Amazon AppConfig supports JSON Schema version 4.X for inline schema. If your application configuration requires a different version of JSON Schema, then you must create a Lambda validator.

Understanding configuration store quotas and limitations

Configuration stores supported by Amazon AppConfig have the following quotas and limitations.

Amazon AppConfig hosted configuration store Amazon S3 Systems Manager Parameter Store Amazon Secrets Manager Systems Manager Document store Amazon CodePipeline

Configuration size limit

2 MB default, 4 MB maximum

2 MB

Enforced by Amazon AppConfig, not S3

4 KB (free tier) / 8 KB (advanced parameters)

64 KB

64 KB

2 MB

Enforced by Amazon AppConfig, not CodePipeline

Resource storage limit

1 GB

Unlimited

10,000 parameters (free tier) / 100,000 parameters (advanced parameters)

500,000

500 documents

Limited by the number of configuration profiles per application (100 profiles per application)

Server-side encryption

Yes

SSE-S3, SSE-KMS

Yes

Yes

No

Yes

Amazon CloudFormation support

Yes

Not for creating or updating data

Yes

Yes

No

Yes

Pricing

Free

See Amazon S3 pricing

See Amazon Systems Manager pricing

See Amazon Secrets Manager pricing

Free

See Amazon CodePipeline pricing

Understanding the Amazon AppConfig hosted configuration store

Amazon AppConfig includes an internal or hosted configuration store. Configurations must be 2 MB or smaller. The Amazon AppConfig hosted configuration store provides the following benefits over other configuration store options.

  • You don't need to set up and configure other services such as Amazon Simple Storage Service (Amazon S3) or Parameter Store.

  • You don't need to configure Amazon Identity and Access Management (IAM) permissions to use the configuration store.

  • You can store configurations in YAML, JSON, or as text documents.

  • There is no cost to use the store.

  • You can create a configuration and add it to the store when you create a configuration profile.

Understanding configurations stored in Amazon S3

You can store configurations in an Amazon Simple Storage Service (Amazon S3) bucket. When you create the configuration profile, you specify the URI to a single S3 object in a bucket. You also specify the Amazon Resource Name (ARN) of an Amazon Identity and Access Management (IAM) role that gives Amazon AppConfig permission to get the object. Before you create a configuration profile for an Amazon S3 object, be aware of the following restrictions.

Restriction Details

Size

Configurations stored as S3 objects can be a maximum of 1 MB in size.

Object encryption

A configuration profile can target SSE-S3 and SSE-KMS encrypted objects.

Storage classes

Amazon AppConfig supports the following S3 storage classes: STANDARD, INTELLIGENT_TIERING, REDUCED_REDUNDANCY, STANDARD_IA, and ONEZONE_IA. The following classes are not supported: All S3 Glacier classes (GLACIER and DEEP_ARCHIVE).

Versioning

Amazon AppConfig requires that the S3 object use versioning.

Configuring permissions for a configuration stored as an Amazon S3 object

When you create a configuration profile for a configuration stored as an S3 object, you must specify an ARN for an IAM role that gives Amazon AppConfig permission to get the object. The role must include the following permissions.

Permissions to access the S3 object

  • s3:GetObject

  • s3:GetObjectVersion

Permissions to list S3 buckets

s3:ListAllMyBuckets

Permissions to access the S3 bucket where the object is stored

  • s3:GetBucketLocation

  • s3:GetBucketVersioning

  • s3:ListBucket

  • s3:ListBucketVersions

Complete the following procedure to create a role that enables Amazon AppConfig to get a configuration stored in an S3 object.

Creating the IAM Policy for Accessing an S3 Object

Use the following procedure to create an IAM policy that enables Amazon AppConfig to get a configuration stored in an S3 object.

To create an IAM policy for accessing an S3 object

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Policies, and then choose Create policy.

  3. On the Create policy page, choose the JSON tab.

  4. Update the following sample policy with information about your S3 bucket and configuration object. Then paste the policy into the text field on the JSON tab. Replace the placeholder values with your own information.

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET/my-configurations/my-configuration.json"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListBucketVersions",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    } 
  ]
}

  5. Choose Review policy.

  6. On the Review policy page, type a name in the Name box, and then type a description.

  7. Choose Create policy. The system returns you to the Roles page.

Creating the IAM Role for Accessing an S3 Object

Use the following procedure to create an IAM role that enables Amazon AppConfig to get a configuration stored in an S3 object.

To create an IAM role for accessing an Amazon S3 object

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

  3. On the Select type of trusted entity section, choose Amazon service.

  4. In the Choose a use case section, under Common use cases, choose EC2, and then choose Next: Permissions.

  5. On the Attach permissions policy page, in the search box, enter the name of the policy you created in the previous procedure.

  6. Choose the policy and then choose Next: Tags.

  7. On the Add tags (optional) page, enter a key and an optional value, and then choose Next: Review.

  8. On the Review page, type a name in the Role name field, and then type a description.

  9. Choose Create role. The system returns you to the Roles page.

  10. On the Roles page, choose the role you just created to open the Summary page. Note the Role Name and Role ARN. You will specify the role ARN when you create the configuration profile later in this topic.

Creating a Trust Relationship

Use the following procedure to configure the role you just created to trust Amazon AppConfig.

To add a trust relationship

  1. In the Summary page for the role you just created, choose the Trust Relationships tab, and then choose Edit Trust Relationship.

  2. Delete "ec2.amazonaws.com" and add "appconfig.amazonaws.com", as shown in the following example.

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appconfig.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  3. Choose Update Trust Policy.