Template validation - AMS Advanced Application Developer's Guide

Template validation

You can self-validate your CloudFormation template before submitting it to AMS.

Templates submitted to AMS AWS CloudFormation ingest are validated to ensure they are safe to deploy within an AMS account. The validation process checks the following:

  • Supported resources – Only AMS AWS CloudFormation ingest-supported resources are used. For more information, see Supported Resources.

  • Supported AMIs – The AMI in the template is an AMS-supported AMI. For information about AMS AMIs, see AMS Amazon Machine Images (AMIs).

  • AMS Shared Services subnet – The template does not attempt to launch resources into the AMS Shared Services subnet.

  • Resource policies – There are no overly permissive resource policies, such as a publicly readable or writable S3 bucket policy. AMS doesn't allow publicly readable or writable S3 buckets in AWS accounts.

You can self-validate your CloudFormation template before submitting it to AMS by using the AWS CloudFormation Linter tool.

The AWS CloudFormation Linter tool is the best way to validate your CloudFormation template as it provides validation for resource/property names, data types, and functions. For more information, see aws-cloudformation/cfn-python-lint.

The AWS CloudFormation Linter output of the template shown previously is as follows:

    $ cfn-lint -t ./testtmpl.json
    E3002 Invalid Property Resources/SNSTopic/Properties/Name
    ./testtmpl.json:6:9

To assist with offline validation of CloudFormation templates, AMS has developed a set of pluggable custom validation rules for the AWS CloudFormation Linter tool. They're located on the Developers Resources page of the AMS console.

Follow these steps to use AWS CloudFormation pre-ingestion validation scripts:

  1. Install the AWS CloudFormation Linter tool. For installation instructions, see aws-cloudformation/cfn-lint.

  2. Download a .zip file with validation scripts:

    CFN Lint Custom Rules.

  3. Unzip the attached rules to a directory of your choice.

  4. Validate your CloudFormation template by running the following command:

    cfn-lint --template {TEMPLATE_FILE} --append-rules {DIRECTORY_WITH_CUSTOM_RULES}
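
The resource policies check in the validation list above can also be approximated locally before submission. The following stand-alone Python pre-check is an added example, not part of the AMS guide and not the AMS custom rules; it flags S3 buckets with a public canned ACL and bucket policies whose Allow statements name a wildcard principal. The sample template, account ID, and function names are constructed for illustration.

```python
import json

# Constructed sample template (JSON form): one public policy statement, one public ACL.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "LogsPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
    "Bucket": "example-logs",
    "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::example-logs/*"},
      {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
       "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-logs/*"}]}}},
  "Site": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}}
}}
""")

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite"}  # canned ACLs that grant access to everyone

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True for "*" and for mappings such as {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def find_public_s3(template):
    """Return (logical_id, reason) for each S3 resource that grants public access."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties") or {}
        acl = props.get("AccessControl")
        if res.get("Type") == "AWS::S3::Bucket" and isinstance(acl, str) and acl in PUBLIC_ACLS:
            findings.append((name, "public ACL " + acl))
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            doc = props.get("PolicyDocument")
            stmts = _as_list(doc.get("Statement", [])) if isinstance(doc, dict) else []
            for i, stmt in enumerate(stmts):
                # A Condition may narrow the grant; the statement is still flagged for review.
                if (isinstance(stmt, dict) and stmt.get("Effect") == "Allow"
                        and _is_public_principal(stmt.get("Principal"))):
                    findings.append((name, f"statement {i} allows Principal *"))
    return findings

if __name__ == "__main__":
    for logical_id, reason in find_public_s3(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Values supplied through intrinsic functions or template parameters are not resolved here, so a clean result does not replace the AMS ingest validation.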