@swamp/aws/ec2

v2026.04.24.1

AWS EC2 infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Labels

aws, ec2, cloud, infrastructure

Contents

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc: 2/2 earned
  • README has a code example: 1/1 earned
  • README is substantive: 1/1 earned
  • Most symbols documented: 1/1 earned
  • No slow types: 1/1 earned
  • Has description: 1/1 earned
  • At least one platform tag (or universal): 1/1 earned
  • Two or more platform tags (or universal): 1/1 earned
  • License declared: 1/1 earned
  • Verified public repository: 2/2 earned

Install

$ swamp extension pull @swamp/aws/ec2

Release Notes

  • Updated: ec2fleet

network_insights_path.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| SourceIp? | string | |
| FilterAtSource? | object | |
| FilterAtDestination? | object | |
| DestinationIp? | string | |
| Source | string | |
| Destination? | string | |
| Protocol | enum | |
| DestinationPort? | number | |
| Tags? | array | |

create: Create an EC2 NetworkInsightsPath

get: Get an EC2 NetworkInsightsPath

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInsightsPath |

update: Update an EC2 NetworkInsightsPath

delete: Delete an EC2 NetworkInsightsPath

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInsightsPath |

sync: Sync EC2 NetworkInsightsPath state from AWS

verified_access_endpoint.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VerifiedAccessGroupId | string | The ID of the AWS Verified Access group. |
| SecurityGroupIds? | array | The IDs of the security groups for the endpoint. |
| NetworkInterfaceOptions? | object | The ID of the network interface. |
| LoadBalancerOptions? | object | The ARN of the load balancer. |
| RdsOptions? | object | The IP protocol. |
| CidrOptions? | object | The IP address range, in CIDR notation. |
| EndpointType | string | The type of AWS Verified Access endpoint. Incoming application requests will be sent to an IP address, load balancer or a network interface depending on the endpoint type specified. |
| EndpointDomainPrefix? | string | A custom identifier that gets prepended to a DNS name that is generated for the endpoint. |
| DomainCertificateArn? | string | The ARN of a public TLS/SSL certificate imported into or created with ACM. |
| AttachmentType | string | The type of attachment used to provide connectivity between the AWS Verified Access endpoint and the application. |
| ApplicationDomain? | string | The DNS name for users to reach your application. |
| Description? | string | A description for the AWS Verified Access endpoint. |
| PolicyDocument? | string | The AWS Verified Access policy document. |
| PolicyEnabled? | boolean | The status of the Verified Access policy. |
| Tags? | array | An array of key-value pairs to apply to this resource. |
| SseSpecification? | object | KMS Key Arn used to encrypt the group policy |

create: Create an EC2 VerifiedAccessEndpoint

get: Get an EC2 VerifiedAccessEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VerifiedAccessEndpoint |

update: Update an EC2 VerifiedAccessEndpoint

delete: Delete an EC2 VerifiedAccessEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VerifiedAccessEndpoint |

sync: Sync EC2 VerifiedAccessEndpoint state from AWS

carrier_gateway.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VpcId | string | The ID of the VPC. |
| Tags? | array | The tags for the carrier gateway. |

create: Create an EC2 CarrierGateway

get: Get an EC2 CarrierGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CarrierGateway |

update: Update an EC2 CarrierGateway

delete: Delete an EC2 CarrierGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CarrierGateway |

sync: Sync EC2 CarrierGateway state from AWS

transit_gateway_multicast_group_member.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| GroupIpAddress | string | The IP address assigned to the transit gateway multicast group. |
| TransitGatewayMulticastDomainId | string | The ID of the transit gateway multicast domain. |
| NetworkInterfaceId | string | The ID of the transit gateway attachment. |

create: Create an EC2 TransitGatewayMulticastGroupMember

get: Get an EC2 TransitGatewayMulticastGroupMember

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastGroupMember |

delete: Delete an EC2 TransitGatewayMulticastGroupMember

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastGroupMember |

sync: Sync EC2 TransitGatewayMulticastGroupMember state from AWS

instance.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Volumes? | array | The volumes to attach to the instance. |
| EnclaveOptions? | object | If this parameter is set to true, the instance is enabled for AWS Nitro Enclaves; otherwise, it is not enabled for AWS Nitro Enclaves. |
| ImageId? | string | The ID of the AMI. An AMI ID is required to launch an instance and must be specified here or in a launch template. |
| Tags? | array | The tags to add to the instance. |
| AdditionalInfo? | string | This property is reserved for internal use. If you use it, the stack fails with this error: Bad property set: [Testing this property] (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterCombination; Request ID: 0XXXXXX-49c7-4b40-8bcc-76885dcXXXXX). |
| HibernationOptions? | object | If you set this parameter to true, your instance is enabled for hibernation. |
| LicenseSpecifications? | array | The license configurations. |
| MetadataOptions? | object | The number of network hops that the metadata token can travel. Maximum is 64. |
| CpuOptions? | object | The CPU options for the instance. |
| AvailabilityZone? | string | The Availability Zone of the instance. |
| PrivateDnsNameOptions? | object | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. For more information, see Amazon EC2 instance hostname types in the Amazon Elastic Compute Cloud User Guide. |
| HostId? | string | If you specify host for the Affinity property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. |
| SecurityGroupIds? | array | The IDs of the security groups. |
| PlacementGroupName? | string | The name of an existing placement group that you want to launch the instance into (cluster \| partition \| spread). |
| SsmAssociations? | array | The SSM document and parameter values in AWS Systems Manager to associate with this instance. |
| State? | object | The state of the instance as a 16-bit unsigned integer. |
| Affinity? | enum | Indicates whether the instance is associated with a dedicated host. If you want the instance to always restart on the same host on which it was launched, specify host. If you want the instance to restart on any available host, but try to launch onto the last host it ran on (on a best-effort basis), specify default. |
| Tenancy? | string | The tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of dedicated runs on single-tenant hardware. |
| SecurityGroups? | array | The names of the security groups. For a nondefault VPC, you must use security group IDs instead. |
| PrivateIpAddress? | string | [EC2-VPC] The primary IPv4 address. You must specify a value from the IPv4 address range of the subnet. |
| UserData? | string | The user data to make available to the instance. |
| BlockDeviceMappings? | array | The block device mapping entries that define the block devices to attach to the instance at launch. |
| IamInstanceProfile? | string | The IAM instance profile. |
| Ipv6Addresses? | array | [EC2-VPC] The IPv6 addresses from the range of the subnet to associate with the primary network interface. |
| KernelId? | string | The ID of the kernel. |
| SubnetId? | string | [EC2-VPC] The ID of the subnet to launch the instance into. |
| EbsOptimized? | boolean | Indicates whether the instance is optimized for Amazon EBS I/O. |
| PropagateTagsToVolumeOnCreation? | boolean | Indicates whether to assign the tags from the instance to all of the volumes attached to the instance at launch. If you specify true and you assign tags to the instance, those tags are automatically assigned to all of the volumes that you attach to the instance at launch. If you specify false, those tags are not assigned to the attached volumes. |
| ElasticGpuSpecifications? | array | An elastic GPU to associate with the instance. Amazon Elastic Graphics is no longer available. |
| ElasticInferenceAccelerators? | array | An elastic inference accelerator to associate with the instance. Amazon Elastic Inference is no longer available. |
| Ipv6AddressCount? | number | [EC2-VPC] The number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet. |
| LaunchTemplate? | object | The name of the launch template. You must specify the LaunchTemplateName or the LaunchTemplateId, but not both. |
| NetworkInterfaces? | array | The network interfaces to associate with the instance. |
| InstanceType? | string | The instance type. |
| Monitoring? | boolean | Specifies whether detailed monitoring is enabled for the instance. |
| InstanceInitiatedShutdownBehavior? | string | Indicates whether an instance stops or terminates when you initiate shutdown from the instance (using the operating system command for system shutdown). |
| HostResourceGroupArn? | string | The ARN of the host resource group in which to launch the instances. If you specify a host resource group ARN, omit the Tenancy parameter or set it to host. |
| DisableApiTermination? | boolean | If you set this parameter to true, you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. |
| KeyName? | string | The name of the key pair. |
| RamdiskId? | string | The ID of the RAM disk to select. |
| SourceDestCheck? | boolean | Specifies whether to enable an instance launched in a VPC to perform NAT. |
| CreditSpecification? | object | The credit option for CPU usage of the burstable performance instance. Valid values are standard and unlimited. |

create: Create an EC2 Instance

get: Get an EC2 Instance

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 Instance |

update: Update an EC2 Instance

delete: Delete an EC2 Instance

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 Instance |

sync: Sync EC2 Instance state from AWS

local_gateway_route_table_vpcassociation.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| LocalGatewayRouteTableId | string | The ID of the local gateway route table. |
| VpcId | string | The ID of the VPC. |
| Tags? | array | The tags for the association. |

create: Create an EC2 LocalGatewayRouteTableVPCAssociation

get: Get an EC2 LocalGatewayRouteTableVPCAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRouteTableVPCAssociation |

update: Update an EC2 LocalGatewayRouteTableVPCAssociation

delete: Delete an EC2 LocalGatewayRouteTableVPCAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRouteTableVPCAssociation |

sync: Sync EC2 LocalGatewayRouteTableVPCAssociation state from AWS

security_group_egress.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| CidrIp? | string | The IPv4 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *User Guide*. |
| CidrIpv6? | string | The IPv6 address range, in CIDR format. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *User Guide*. |
| Description? | string | The description of an egress (outbound) security group rule. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$* |
| FromPort? | number | If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types). |
| ToPort? | number | If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes). |
| IpProtocol | string | The IP protocol name (tcp, udp, icmp, icmpv6) or number (see [Protocol Numbers](http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed. |
| DestinationSecurityGroupId? | string | The ID of the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. |
| DestinationPrefixListId? | string | The prefix list IDs for an AWS service. This is the AWS service to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId. |
| GroupId | string | The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID. |

create: Create an EC2 SecurityGroupEgress

get: Get an EC2 SecurityGroupEgress

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroupEgress |

update: Update an EC2 SecurityGroupEgress

delete: Delete an EC2 SecurityGroupEgress

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroupEgress |

sync: Sync EC2 SecurityGroupEgress state from AWS

network_insights_analysis.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| FilterOutArns? | array | |
| NetworkInsightsPathId | string | |
| FilterInArns? | array | |
| AdditionalAccounts? | array | |
| Tags? | array | |

create: Create an EC2 NetworkInsightsAnalysis

get: Get an EC2 NetworkInsightsAnalysis

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInsightsAnalysis |

update: Update an EC2 NetworkInsightsAnalysis

delete: Delete an EC2 NetworkInsightsAnalysis

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInsightsAnalysis |

sync: Sync EC2 NetworkInsightsAnalysis state from AWS

transit_gateway_route_table_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayRouteTableId | string | The ID of transit gateway route table. |
| TransitGatewayAttachmentId | string | The ID of transit gateway attachment. |

create: Create an EC2 TransitGatewayRouteTableAssociation

get: Get an EC2 TransitGatewayRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRouteTableAssociation |

delete: Delete an EC2 TransitGatewayRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRouteTableAssociation |

sync: Sync EC2 TransitGatewayRouteTableAssociation state from AWS

instance_connect_endpoint.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| SubnetId | string | The ID of the subnet in which the EC2 Instance Connect Endpoint was created. |
| ClientToken? | string | The client token of the instance connect endpoint. |
| PreserveClientIp? | boolean | Indicates whether your client's IP address is preserved as the source when you connect to a resource. |
| Tags? | array | The tags assigned to the EC2 Instance Connect Endpoint. |
| SecurityGroupIds? | array | The security groups associated with the endpoint. |
| PublicDnsNames? | object | The IPv4-only DNS name of the EC2 Instance Connect Endpoint. |

create: Create an EC2 InstanceConnectEndpoint

get: Get an EC2 InstanceConnectEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 InstanceConnectEndpoint |

update: Update an EC2 InstanceConnectEndpoint

delete: Delete an EC2 InstanceConnectEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 InstanceConnectEndpoint |

sync: Sync EC2 InstanceConnectEndpoint state from AWS

transit_gateway_connect_peer.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayAttachmentId | string | The ID of the Connect attachment. |
| ConnectPeerConfiguration | object | The range of interior BGP peer IP addresses. |
| Tags? | array | The tags for the Connect Peer. |

create: Create an EC2 TransitGatewayConnectPeer

get: Get an EC2 TransitGatewayConnectPeer

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayConnectPeer |

update: Update an EC2 TransitGatewayConnectPeer

delete: Delete an EC2 TransitGatewayConnectPeer

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayConnectPeer |

sync: Sync EC2 TransitGatewayConnectPeer state from AWS

volume_attachment.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VolumeId | string | The ID of the Amazon EBS volume. The volume and instance must be within the same Availability Zone. This value can be a reference to an [AWS::EC2::Volume](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html) resource, or it can be the volume ID of an existing Amazon EBS volume. |
| InstanceId | string | The ID of the instance to which the volume attaches. This value can be a reference to an [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource, or it can be the physical ID of an existing EC2 instance. |
| Device? | string | The device name (for example, /dev/sdh or xvdh). |
| EbsCardIndex? | number | The index of the EBS card. Some instance types support multiple EBS cards. The default EBS card index is 0. |

create: Create an EC2 VolumeAttachment

get: Get an EC2 VolumeAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VolumeAttachment |

delete: Delete an EC2 VolumeAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VolumeAttachment |

sync: Sync EC2 VolumeAttachment state from AWS

security_group_ingress.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| CidrIp? | string | The IPv4 ranges |
| CidrIpv6? | string | [VPC only] The IPv6 ranges |
| Description? | string | Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously |
| FromPort? | number | The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports. |
| GroupId? | string | The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID. You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property. |
| GroupName? | string | The name of the security group. |
| IpProtocol | string | The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). [VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed. |
| SourcePrefixListId? | string | [EC2-VPC only] The ID of a prefix list. |
| SourceSecurityGroupId? | string | The ID of the security group. You must specify either the security group ID or the security group name. For security groups in a nondefault VPC, you must specify the security group ID. |
| SourceSecurityGroupName? | string | [EC2-Classic, default VPC] The name of the source security group. You must specify the GroupName property or the GroupId property. For security groups that are in a VPC, you must use the GroupId property. |
| SourceSecurityGroupOwnerId? | string | [nondefault VPC] The AWS account ID that owns the source security group. You can't specify this property with an IP address range. If you specify SourceSecurityGroupName or SourceSecurityGroupId and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional. |
| ToPort? | number | The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports. |

create: Create an EC2 SecurityGroupIngress

get: Get an EC2 SecurityGroupIngress

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroupIngress |

update: Update an EC2 SecurityGroupIngress

delete: Delete an EC2 SecurityGroupIngress

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroupIngress |

sync: Sync EC2 SecurityGroupIngress state from AWS

local_gateway_virtual_interface_group.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| LocalGatewayId | string | The ID of the local gateway |
| LocalBgpAsn? | number | The Autonomous System Number (ASN) for the local Border Gateway Protocol (BGP) |
| LocalBgpAsnExtended? | number | The extended 32-bit ASN for the local BGP configuration |
| Tags? | array | The tags assigned to the virtual interface group |

create: Create an EC2 LocalGatewayVirtualInterfaceGroup

get: Get an EC2 LocalGatewayVirtualInterfaceGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayVirtualInterfaceGroup |

update: Update an EC2 LocalGatewayVirtualInterfaceGroup

delete: Delete an EC2 LocalGatewayVirtualInterfaceGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayVirtualInterfaceGroup |

sync: Sync EC2 LocalGatewayVirtualInterfaceGroup state from AWS

transit_gateway_metering_policy_entry.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| DestinationTransitGatewayAttachmentId? | string | The ID of the source attachment through which traffic leaves a transit gateway |
| SourcePortRange? | string | The list of ports on source instances sending traffic to the transit gateway |
| PolicyRuleNumber | number | The rule number of the metering policy entry |
| DestinationTransitGatewayAttachmentType? | enum | The type of the attachment through which traffic leaves a transit gateway |
| DestinationCidrBlock? | string | The list of IP addresses of the instances receiving traffic from the transit gateway |
| TransitGatewayMeteringPolicyId | string | The ID of the transit gateway metering policy for which the entry is being created |
| DestinationPortRange? | string | The list of ports on destination instances receiving traffic from the transit gateway |
| MeteredAccount | enum | The resource owner information responsible for paying default billable charges for the traffic flow |
| SourceCidrBlock? | string | The list of IP addresses of the instances sending traffic to the transit gateway for which the metering policy entry is applicable |
| Protocol? | string | The protocol of the traffic |
| SourceTransitGatewayAttachmentId? | string | The ID of the source attachment through which traffic enters a transit gateway |
| SourceTransitGatewayAttachmentType? | enum | The type of the attachment through which traffic enters a transit gateway |

create: Create an EC2 TransitGatewayMeteringPolicyEntry

get: Get an EC2 TransitGatewayMeteringPolicyEntry

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMeteringPolicyEntry |

delete: Delete an EC2 TransitGatewayMeteringPolicyEntry

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMeteringPolicyEntry |

sync: Sync EC2 TransitGatewayMeteringPolicyEntry state from AWS

verified_access_instance.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VerifiedAccessTrustProviders? | array | AWS Verified Access trust providers. |
| VerifiedAccessTrustProviderIds? | array | The IDs of the AWS Verified Access trust providers. |
| Description? | string | A description for the AWS Verified Access instance. |
| LoggingConfigurations? | object | Select log version for Verified Access logs. |
| Tags? | array | An array of key-value pairs to apply to this resource. |
| FipsEnabled? | boolean | Indicates whether FIPS is enabled |
| CidrEndpointsCustomSubDomain? | string | Introduce CidrEndpointsCustomSubDomain property to represent the domain (say, ava.my-company.com) |

create: Create an EC2 VerifiedAccessInstance

get: Get an EC2 VerifiedAccessInstance

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VerifiedAccessInstance |

update: Update an EC2 VerifiedAccessInstance

delete: Delete an EC2 VerifiedAccessInstance

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VerifiedAccessInstance |

sync: Sync EC2 VerifiedAccessInstance state from AWS

vpccidr_block.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| CidrBlock? | string | An IPv4 CIDR block to associate with the VPC. |
| Ipv6Pool? | string | The ID of an IPv6 address pool from which to allocate the IPv6 CIDR block. |
| VpcId | string | The ID of the VPC. |
| Ipv6CidrBlock? | string | An IPv6 CIDR block from the IPv6 address pool. |
| Ipv4IpamPoolId? | string | The ID of the IPv4 IPAM pool to Associate a CIDR from to a VPC. |
| Ipv4NetmaskLength? | number | The netmask length of the IPv4 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. |
| Ipv6IpamPoolId? | string | The ID of the IPv6 IPAM pool to Associate a CIDR from to a VPC. |
| Ipv6NetmaskLength? | number | The netmask length of the IPv6 CIDR you would like to associate from an Amazon VPC IP Address Manager (IPAM) pool. |
| AmazonProvidedIpv6CidrBlock? | boolean | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IPv6 addresses, or the size of the CIDR block. |
| Ipv6CidrBlockNetworkBorderGroup? | string | The name of the location from which we advertise the IPV6 CIDR block. |

create: Create an EC2 VPCCidrBlock

get: Get an EC2 VPCCidrBlock

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCCidrBlock |

delete: Delete an EC2 VPCCidrBlock

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCCidrBlock |

sync: Sync EC2 VPCCidrBlock state from AWS

traffic_mirror_session.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| NetworkInterfaceId | string | The ID of the source network interface. |
| TrafficMirrorTargetId | string | The ID of a Traffic Mirror target. |
| TrafficMirrorFilterId | string | The ID of a Traffic Mirror filter. |
| PacketLength? | number | The number of bytes in each packet to mirror. |
| SessionNumber | number | The session number determines the order in which sessions are evaluated when an interface is used by multiple sessions. The first session with a matching filter is the one that mirrors the packets. |
| VirtualNetworkId? | number | The VXLAN ID for the Traffic Mirror session. |
| Description? | string | The description of the Traffic Mirror session. |
| OwnerId? | string | The ID of the account that owns the Traffic Mirror session. |
| Tags? | array | The tags assigned to the Traffic Mirror session. |

create: Create an EC2 TrafficMirrorSession

get: Get an EC2 TrafficMirrorSession

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TrafficMirrorSession |

update: Update an EC2 TrafficMirrorSession

delete: Delete an EC2 TrafficMirrorSession

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TrafficMirrorSession |

sync: Sync EC2 TrafficMirrorSession state from AWS

local_gateway_route_table.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| LocalGatewayId | string | The ID of the local gateway. |
| Mode? | string | The mode of the local gateway route table. |
| Tags? | array | The tags for the local gateway route table. |

create: Create an EC2 LocalGatewayRouteTable

get: Get an EC2 LocalGatewayRouteTable

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRouteTable |

update: Update an EC2 LocalGatewayRouteTable

delete: Delete an EC2 LocalGatewayRouteTable

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRouteTable |

sync: Sync EC2 LocalGatewayRouteTable state from AWS

vpcendpoint.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| PrivateDnsEnabled? | boolean | Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, kinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service. To use a private hosted zone, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. This property is supported only for interface endpoints. Default: false |
| IpAddressType? | enum | The supported IP address types. |
| ServiceRegion? | string | Describes a Region. |
| DnsOptions? | object | Indicates whether to enable private DNS only for inbound endpoints. This option is available only for services that support both gateway and interface endpoints. It routes traffic that originates from the VPC to the gateway endpoint and traffic that originates from on-premises to the interface endpoint. |
| ResourceConfigurationArn? | string | The Amazon Resource Name (ARN) of the resource configuration. |
| SecurityGroupIds? | array | The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, we use the default security group for the VPC. Security groups are supported only for interface endpoints. |
| SubnetIds? | array | The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet. |
| ServiceNetworkArn? | string | The Amazon Resource Name (ARN) of the service network. |
| VpcId | string | The ID of the VPC. |
| RouteTableIds? | array | The IDs of the route tables. Routing is supported only for gateway endpoints. |
| ServiceName? | string | The name of the endpoint service. |
| PolicyDocument? | string | An endpoint policy, which controls access to the service from the VPC. The default endpoint policy allows full access to the service. Endpoint policies are supported only for gateway and interface endpoints. For CloudFormation templates in YAML, you can provide the policy in JSON or YAML format. For example, if you have a JSON policy, you can convert it to YAML before including it in the YAML template, and CloudFormation converts the policy to JSON format before calling the API actions for privatelink. Alternatively, you can include the JSON directly in the YAML, as shown in the following Properties section: Properties: VpcEndpointType: 'Interface' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' PolicyDocument: '{ "Version":"2012-10-17", "Statement": [{ "Effect":"Allow", "Principal":"*", "Action":["logs:Describe*","logs:Get*","logs:List*","logs:FilterLogEvents"], "Resource":"*" }] }' |
| VpcEndpointType? | enum | The type of endpoint. Default: Gateway |
| Tags? | array | The tags to associate with the endpoint. |

create: Create an EC2 VPCEndpoint

get: Get an EC2 VPCEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpoint |

update: Update an EC2 VPCEndpoint

delete: Delete an EC2 VPCEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpoint |

sync: Sync EC2 VPCEndpoint state from AWS

network_performance_metric_subscription.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Source | string | The starting Region or Availability Zone for metric to subscribe to. |
| Destination | string | The target Region or Availability Zone for the metric to subscribe to. |
| Metric | string | The metric type to subscribe to. |
| Statistic | string | The statistic to subscribe to. |

create: Create an EC2 NetworkPerformanceMetricSubscription

get: Get an EC2 NetworkPerformanceMetricSubscription

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkPerformanceMetricSubscription |

delete: Delete an EC2 NetworkPerformanceMetricSubscription

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkPerformanceMetricSubscription |

sync: Sync EC2 NetworkPerformanceMetricSubscription state from AWS

network_interface_attachment.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| DeleteOnTermination? | boolean | Whether to delete the network interface when the instance terminates. By default, this value is set to true. |
| DeviceIndex | string | The network interface's position in the attachment order. For example, the first attached network interface has a DeviceIndex of 0. |
| InstanceId | string | The ID of the instance to which you will attach the ENI. |
| NetworkInterfaceId | string | The ID of the ENI that you want to attach. |
| EnaSrdSpecification? | object | Indicates whether ENA Express is enabled for the network interface. |
| EnaQueueCount? | number | The number of ENA queues created with the instance. |

create: Create an EC2 NetworkInterfaceAttachment

get: Get an EC2 NetworkInterfaceAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInterfaceAttachment |

update: Update an EC2 NetworkInterfaceAttachment

delete: Delete an EC2 NetworkInterfaceAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInterfaceAttachment |

sync: Sync EC2 NetworkInterfaceAttachment state from AWS

capacity_reservation.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Tenancy? | string | |
| EndDateType? | string | |
| TagSpecifications? | array | |
| UnusedReservationBillingOwnerId? | string | |
| EbsOptimized? | boolean | |
| OutPostArn? | string | |
| InstanceType | string | |
| AvailabilityZoneId? | string | |
| AvailabilityZone? | string | |
| EndDate? | string | |
| InstanceCount | number | |
| PlacementGroupArn? | string | |
| CommitmentInfo? | object | |
| InstancePlatform | string | |
| EphemeralStorage? | boolean | |
| InstanceMatchCriteria? | string | |

create: Create an EC2 CapacityReservation

get: Get an EC2 CapacityReservation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CapacityReservation |

update: Update an EC2 CapacityReservation

delete: Delete an EC2 CapacityReservation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CapacityReservation |

sync: Sync EC2 CapacityReservation state from AWS

ipam.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Description? | string | |
| OperatingRegions? | array | The regions IPAM is enabled for. Allows pools to be created in these regions, as well as enabling monitoring |
| Tier? | enum | The tier of the IPAM. |
| EnablePrivateGua? | boolean | Enable provisioning of GUA space in private pools. |
| MeteredAccount? | enum | A metered account is an account that is charged for active IP addresses managed in IPAM |
| DefaultResourceDiscoveryOrganizationalUnitExclusions? | array | A set of organizational unit (OU) exclusions for the default resource discovery, created with this IPAM. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 IPAM

get: Get an EC2 IPAM

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAM |

update: Update an EC2 IPAM

delete: Delete an EC2 IPAM

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAM |

sync: Sync EC2 IPAM state from AWS

ipamresource_discovery_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| IpamResourceDiscoveryId | string | The Amazon Resource Name (ARN) of the IPAM Resource Discovery Association. |
| IpamId | string | The Id of the IPAM this Resource Discovery is associated to. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 IPAMResourceDiscoveryAssociation

get: Get an EC2 IPAMResourceDiscoveryAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMResourceDiscoveryAssociation |

update: Update an EC2 IPAMResourceDiscoveryAssociation

delete: Delete an EC2 IPAMResourceDiscoveryAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMResourceDiscoveryAssociation |

sync: Sync EC2 IPAMResourceDiscoveryAssociation state from AWS

subnet_route_table_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RouteTableId | string | The ID of the route table. The physical ID changes when the route table ID is changed. |
| SubnetId | string | The ID of the subnet. |

create: Create an EC2 SubnetRouteTableAssociation

get: Get an EC2 SubnetRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SubnetRouteTableAssociation |

delete: Delete an EC2 SubnetRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SubnetRouteTableAssociation |

sync: Sync EC2 SubnetRouteTableAssociation state from AWS

spot_fleet.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| SpotFleetRequestConfigData? | object | |
| Tags? | array | The tags to specify in SpotFleetRequestConfigData |

create: Create an EC2 SpotFleet

get: Get an EC2 SpotFleet

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SpotFleet |

update: Update an EC2 SpotFleet

delete: Delete an EC2 SpotFleet

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SpotFleet |

sync: Sync EC2 SpotFleet state from AWS

vpcendpoint_connection_notification.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| ConnectionEvents | array | The endpoint events for which to receive notifications. |
| VPCEndpointId? | string | The ID of the endpoint. |
| ConnectionNotificationArn | string | The ARN of the SNS topic for the notifications. |
| ServiceId? | string | The ID of the endpoint service. |

create: Create an EC2 VPCEndpointConnectionNotification

get: Get an EC2 VPCEndpointConnectionNotification

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpointConnectionNotification |

update: Update an EC2 VPCEndpointConnectionNotification

delete: Delete an EC2 VPCEndpointConnectionNotification

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpointConnectionNotification |

sync: Sync EC2 VPCEndpointConnectionNotification state from AWS

capacity_manager_data_export.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| S3BucketName | string | The name of the Amazon S3 bucket where the capacity manager data export will be stored. The bucket must exist and be accessible by EC2 Capacity Manager service. |
| S3BucketPrefix? | string | The prefix for the S3 bucket location where exported files will be placed. If not specified, files will be placed in the root of the bucket. |
| Schedule | enum | The schedule for the capacity manager data export. Currently supports hourly exports that provide periodic snapshots of capacity manager data. |
| OutputFormat | enum | The format of the exported capacity manager data. Choose 'csv' for comma-separated values or 'parquet' for optimized columnar storage format. |
| Tags? | array | An array of key-value pairs to apply to the capacity manager data export. |

create: Create an EC2 CapacityManagerDataExport

get: Get an EC2 CapacityManagerDataExport

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CapacityManagerDataExport |

update: Update an EC2 CapacityManagerDataExport

delete: Delete an EC2 CapacityManagerDataExport

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CapacityManagerDataExport |

sync: Sync EC2 CapacityManagerDataExport state from AWS

vpc.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| InstanceTenancy? | string | The allowed tenancy of instances launched into the VPC. default: An instance launched into the VPC runs on shared hardware by default, unless you explicitly specify a different tenancy during instance launch. dedicated: An instance launched into the VPC runs on dedicated hardware by default, unless you explicitly specify a tenancy of host during instance launch. You cannot specify a tenancy of default during instance launch. Updating InstanceTenancy requires no replacement only if you are updating its value from dedicated to default. Updating InstanceTenancy from default to dedicated requires replacement. |
| Ipv4NetmaskLength? | number | The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide*. |
| CidrBlock? | string | The IPv4 network range for the VPC, in CIDR notation. For example, 10.0.0.0/16. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18. You must specify either CidrBlock or Ipv4IpamPoolId. |
| Ipv4IpamPoolId? | string | The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. For more information, see [What is IPAM?](https://docs.aws.amazon.com//vpc/latest/ipam/what-is-it-ipam.html) in the *Amazon VPC IPAM User Guide*. You must specify either CidrBlock or Ipv4IpamPoolId. |
| EnableDnsSupport? | boolean | Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. For more information, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support). |
| EnableDnsHostnames? | boolean | Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. For more information, see [DNS attributes in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support). You can only enable DNS hostnames if you've enabled DNS support. |
| Tags? | array | The tags for the VPC. |

create: Create an EC2 VPC

get: Get an EC2 VPC

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPC |

update: Update an EC2 VPC

delete: Delete an EC2 VPC

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPC |

sync: Sync EC2 VPC state from AWS

ipampool.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| AddressFamily | string | The address family of the address space in this pool. Either IPv4 or IPv6. |
| AllocationMinNetmaskLength? | number | The minimum allowed netmask length for allocations made from this pool. |
| AllocationDefaultNetmaskLength? | number | The default netmask length for allocations made from this pool. This value is used when the netmask length of an allocation isn't specified. |
| AllocationMaxNetmaskLength? | number | The maximum allowed netmask length for allocations made from this pool. |
| AllocationResourceTags? | array | When specified, an allocation will not be allowed unless a resource has a matching set of tags. |
| AutoImport? | boolean | Determines what to do if IPAM discovers resources that haven't been assigned an allocation. If set to true, an allocation will be made automatically. |
| AwsService? | enum | Limits which service in Amazon Web Services that the pool can be used in. |
| Description? | string | |
| IpamScopeId | string | The Id of the scope this pool is a part of. |
| Locale? | string | The region of this pool. If not set, this will default to "None" which will disable non-custom allocations. If the locale has been specified for the source pool, this value must match. |
| ProvisionedCidrs? | array | A list of cidrs representing the address space available for allocation in this pool. |
| PublicIpSource? | enum | The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is `byoip`. |
| PubliclyAdvertisable? | boolean | Determines whether or not address space from this pool is publicly advertised. Must be set if and only if the pool is IPv6. |
| SourceIpamPoolId? | string | The Id of this pool's source. If set, all space provisioned in this pool must be free space provisioned in the parent pool. |
| SourceResource? | object | The resource associated with this pool's space. Depending on the ResourceType, setting a SourceResource changes which space can be provisioned in this pool and which types of resources can receive allocations |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 IPAMPool

get: Get an EC2 IPAMPool

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMPool |

update: Update an EC2 IPAMPool

delete: Delete an EC2 IPAMPool

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMPool |

sync: Sync EC2 IPAMPool state from AWS

vpcgateway_attachment.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| InternetGatewayId? | string | The ID of the internet gateway. You must specify either InternetGatewayId or VpnGatewayId, but not both. |
| VpcId | string | The ID of the VPC. |
| VpnGatewayId? | string | The ID of the virtual private gateway. You must specify either InternetGatewayId or VpnGatewayId, but not both. |

create: Create an EC2 VPCGatewayAttachment

get: Get an EC2 VPCGatewayAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCGatewayAttachment |

update: Update an EC2 VPCGatewayAttachment

delete: Delete an EC2 VPCGatewayAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCGatewayAttachment |

sync: Sync EC2 VPCGatewayAttachment state from AWS

gateway_route_table_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| RouteTableId | string | The ID of the route table. |
| GatewayId | string | The ID of the gateway. |

create: Create an EC2 GatewayRouteTableAssociation

get: Get an EC2 GatewayRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 GatewayRouteTableAssociation |

update: Update an EC2 GatewayRouteTableAssociation

delete: Delete an EC2 GatewayRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 GatewayRouteTableAssociation |

sync: Sync EC2 GatewayRouteTableAssociation state from AWS

route_server_endpoint.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RouteServerId | string | Route Server ID |
| SubnetId | string | Subnet ID |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 RouteServerEndpoint

get: Get an EC2 RouteServerEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 RouteServerEndpoint |

update: Update an EC2 RouteServerEndpoint

delete: Delete an EC2 RouteServerEndpoint

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 RouteServerEndpoint |

sync: Sync EC2 RouteServerEndpoint state from AWS

ip_pool_route_table_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| PublicIpv4Pool | string | The ID of the public IPv4 pool. |
| RouteTableId | string | The ID of the route table. |

create: Create an EC2 IpPoolRouteTableAssociation

get: Get an EC2 IpPoolRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IpPoolRouteTableAssociation |

delete: Delete an EC2 IpPoolRouteTableAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IpPoolRouteTableAssociation |

sync: Sync EC2 IpPoolRouteTableAssociation state from AWS

transit_gateway_route_table.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayId | string | The ID of the transit gateway. |
| Tags? | array | Tags are composed of a Key/Value pair. You can use tags to categorize and track each parameter group. The tag value null is permitted. |

create: Create an EC2 TransitGatewayRouteTable

get: Get an EC2 TransitGatewayRouteTable

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRouteTable |

update: Update an EC2 TransitGatewayRouteTable

delete: Delete an EC2 TransitGatewayRouteTable

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRouteTable |

sync: Sync EC2 TransitGatewayRouteTable state from AWS

transit_gateway_route.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayRouteTableId | string | The ID of transit gateway route table. |
| DestinationCidrBlock | string | The CIDR range used for destination matches. Routing decisions are based on the most specific match. |
| Blackhole? | boolean | Indicates whether to drop traffic that matches this route. |
| TransitGatewayAttachmentId? | string | The ID of transit gateway attachment. |

create: Create an EC2 TransitGatewayRoute

get: Get an EC2 TransitGatewayRoute

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRoute |

delete: Delete an EC2 TransitGatewayRoute

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRoute |

sync: Sync EC2 TransitGatewayRoute state from AWS

transit_gateway_attachment.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Options? | object | Indicates whether to enable Ipv6 Support for Vpc Attachment. Valid Values: enable \| disable |
| TransitGatewayId | string | |
| VpcId | string | |
| SubnetIds | array | |
| Tags? | array | |

create: Create an EC2 TransitGatewayAttachment

get: Get an EC2 TransitGatewayAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayAttachment |

update: Update an EC2 TransitGatewayAttachment

delete: Delete an EC2 TransitGatewayAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayAttachment |

sync: Sync EC2 TransitGatewayAttachment state from AWS

vpcendpoint_service.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| NetworkLoadBalancerArns? | array | |
| ContributorInsightsEnabled? | boolean | |
| PayerResponsibility? | string | |
| AcceptanceRequired? | boolean | |
| GatewayLoadBalancerArns? | array | |
| Tags? | array | The tags to add to the VPC endpoint service. |
| SupportedIpAddressTypes? | array | Specify which Ip Address types are supported for VPC endpoint service. |
| SupportedRegions? | array | The Regions from which service consumers can access the service. |

create: Create an EC2 VPCEndpointService

get: Get an EC2 VPCEndpointService

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpointService |

update: Update an EC2 VPCEndpointService

delete: Delete an EC2 VPCEndpointService

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpointService |

sync: Sync EC2 VPCEndpointService state from AWS

eip.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Domain? | string | The network (vpc). If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) on this resource. |
| NetworkBorderGroup? | string | A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html) to view the network border groups. |
| TransferAddress? | string | The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see [Transfer Elastic IP addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html#transfer-EIPs-intro) in the *Amazon Virtual Private Cloud User Guide*. |
| InstanceId? | string | The ID of the instance. Updates to the InstanceId property may require *some interruptions*. Updates on an EIP reassociates the address on its associated resource. |
| PublicIpv4Pool? | string | The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool. Updates to the PublicIpv4Pool property may require *some interruptions*. Updates on an EIP reassociates the address on its associated resource. |
| IpamPoolId? | string | |
| Address? | string | |
| Tags? | array | Any tags assigned to the Elastic IP address. Updates to the Tags property may require *some interruptions*. Updates on an EIP reassociates the address on its associated resource. |

create: Create an EC2 EIP

get: Get an EC2 EIP

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EIP |

update: Update an EC2 EIP

delete: Delete an EC2 EIP

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EIP |

sync: Sync EC2 EIP state from AWS

network_insights_access_scope.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Tags? | array | |
| MatchPaths? | array | |
| ExcludePaths? | array | |

create: Create an EC2 NetworkInsightsAccessScope

get: Get an EC2 NetworkInsightsAccessScope

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInsightsAccessScope |

update: Update an EC2 NetworkInsightsAccessScope

delete: Delete an EC2 NetworkInsightsAccessScope

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInsightsAccessScope |

sync: Sync EC2 NetworkInsightsAccessScope state from AWS

ipamresource_discovery.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| OperatingRegions? | array | The regions Resource Discovery is enabled for. Allows resource discoveries to be created in these regions, as well as enabling monitoring |
| Description? | string | |
| OrganizationalUnitExclusions? | array | A set of organizational unit (OU) exclusions for this resource. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 IPAMResourceDiscovery

get: Get an EC2 IPAMResourceDiscovery

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMResourceDiscovery |

update: Update an EC2 IPAMResourceDiscovery

delete: Delete an EC2 IPAMResourceDiscovery

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMResourceDiscovery |

sync: Sync EC2 IPAMResourceDiscovery state from AWS

customer_gateway.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Type | string | The type of VPN connection that this customer gateway supports (ipsec.1). |
| IpAddress | string | The IP address for the customer gateway device's outside interface. The address must be static. If OutsideIpAddressType in your VPN connection options is set to PrivateIpv4, you can use an RFC6598 or RFC1918 private IPv4 address. If OutsideIpAddressType is set to Ipv6, you can use an IPv6 address. |
| BgpAsnExtended? | number | For customer gateway devices that support BGP, specify the device's ASN. You must specify either BgpAsn or BgpAsnExtended when creating the customer gateway. If the ASN is larger than 2,147,483,647, you must use BgpAsnExtended. Valid values: 2,147,483,648 to 4,294,967,295 |
| BgpAsn? | number | For customer gateway devices that support BGP, specify the device's ASN. You must specify either BgpAsn or BgpAsnExtended when creating the customer gateway. If the ASN is larger than 2,147,483,647, you must use BgpAsnExtended. Default: 65000 Valid values: 1 to 2,147,483,647 |
| Tags? | array | One or more tags for the customer gateway. |
| CertificateArn? | string | The Amazon Resource Name (ARN) for the customer gateway certificate. |
| DeviceName? | string | The name of customer gateway device. |

create: Create an EC2 CustomerGateway

get: Get an EC2 CustomerGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CustomerGateway |

update: Update an EC2 CustomerGateway

delete: Delete an EC2 CustomerGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 CustomerGateway |

sync: Sync EC2 CustomerGateway state from AWS

snapshot_block_public_access.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| State | enum | The state of EBS Snapshot Block Public Access. |

create: Create an EC2 SnapshotBlockPublicAccess

get: Get an EC2 SnapshotBlockPublicAccess

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SnapshotBlockPublicAccess |

update: Update an EC2 SnapshotBlockPublicAccess

delete: Delete an EC2 SnapshotBlockPublicAccess

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SnapshotBlockPublicAccess |

sync: Sync EC2 SnapshotBlockPublicAccess state from AWS

route_server_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RouteServerId | string | Route Server ID |
| VpcId | string | VPC ID |

create: Create an EC2 RouteServerAssociation

get: Get an EC2 RouteServerAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 RouteServerAssociation |

delete: Delete an EC2 RouteServerAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 RouteServerAssociation |

sync: Sync EC2 RouteServerAssociation state from AWS

transit_gateway_multicast_domain.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayId | string | The ID of the transit gateway. |
| Tags? | array | The tags for the transit gateway multicast domain. |
| Options? | object | Indicates whether to automatically accept cross-account subnet associations that are associated with the transit gateway multicast domain. Valid Values: enable \| disable |

create: Create an EC2 TransitGatewayMulticastDomain

get: Get an EC2 TransitGatewayMulticastDomain

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastDomain |

update: Update an EC2 TransitGatewayMulticastDomain

delete: Delete an EC2 TransitGatewayMulticastDomain

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastDomain |

sync: Sync EC2 TransitGatewayMulticastDomain state from AWS

placement_group.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Strategy? | string | The placement strategy. |
| SpreadLevel? | string | The Spread Level of Placement Group is an enum where it accepts either host or rack when strategy is spread |
| PartitionCount? | number | The number of partitions. Valid only when **Strategy** is set to `partition` |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 PlacementGroup

get: Get an EC2 PlacementGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 PlacementGroup |

delete: Delete an EC2 PlacementGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 PlacementGroup |

sync: Sync EC2 PlacementGroup state from AWS

host.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| AutoPlacement? | enum | Indicates whether the host accepts any untargeted instance launches that match its instance type configuration, or if it only accepts Host tenancy instance launches that specify its unique host ID. |
| AvailabilityZone | string | The Availability Zone in which to allocate the Dedicated Host. |
| HostRecovery? | enum | Indicates whether to enable or disable host recovery for the Dedicated Host. Host recovery is disabled by default. |
| InstanceType? | string | Specifies the instance type to be supported by the Dedicated Hosts. If you specify an instance type, the Dedicated Hosts support instances of the specified instance type only. |
| InstanceFamily? | string | Specifies the instance family to be supported by the Dedicated Hosts. If you specify an instance family, the Dedicated Hosts support multiple instance types within that instance family. |
| OutpostArn? | string | The Amazon Resource Name (ARN) of the Amazon Web Services Outpost on which to allocate the Dedicated Host. |
| HostMaintenance? | enum | Automatically allocates a new dedicated host and moves your instances on to it if a degradation is detected on your current host. |
| AssetId? | string | The ID of the Outpost hardware asset. |
| Tags? | array | Any tags assigned to the Host. |

create: Create an EC2 Host

get: Get an EC2 Host

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 Host |

update: Update an EC2 Host

delete: Delete an EC2 Host

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 Host |

sync: Sync EC2 Host state from AWS

local_gateway_route.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| DestinationCidrBlock? | string | The CIDR block used for destination matches. |
| LocalGatewayRouteTableId? | string | The ID of the local gateway route table. |
| LocalGatewayVirtualInterfaceGroupId? | string | The ID of the virtual interface group. |
| NetworkInterfaceId? | string | The ID of the network interface. |

create: Create an EC2 LocalGatewayRoute
get: Get an EC2 LocalGatewayRoute

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRoute |

update: Update an EC2 LocalGatewayRoute
delete: Delete an EC2 LocalGatewayRoute

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRoute |

sync: Sync EC2 LocalGatewayRoute state from AWS
transit_gateway_vpc_attachment.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayId | string | |
| VpcId | string | |
| SubnetIds | array | |
| AddSubnetIds? | array | |
| RemoveSubnetIds? | array | |
| Tags? | array | |
| Options? | object | Indicates whether to enable DNS Support for Vpc Attachment. Valid Values: enable \| disable |

create: Create an EC2 TransitGatewayVpcAttachment
get: Get an EC2 TransitGatewayVpcAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayVpcAttachment |

update: Update an EC2 TransitGatewayVpcAttachment
delete: Delete an EC2 TransitGatewayVpcAttachment

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayVpcAttachment |

sync: Sync EC2 TransitGatewayVpcAttachment state from AWS
local_gateway_virtual_interface.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| LocalGatewayVirtualInterfaceGroupId | string | The ID of the virtual interface group |
| OutpostLagId | string | The Outpost LAG ID. |
| Vlan | number | The ID of the VLAN. |
| LocalAddress | string | The local address. |
| PeerAddress | string | The peer address. |
| PeerBgpAsn? | number | The peer BGP ASN. |
| PeerBgpAsnExtended? | number | The extended 32-bit ASN of the BGP peer for use with larger ASN values. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 LocalGatewayVirtualInterface
get: Get an EC2 LocalGatewayVirtualInterface

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayVirtualInterface |

update: Update an EC2 LocalGatewayVirtualInterface
delete: Delete an EC2 LocalGatewayVirtualInterface

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayVirtualInterface |

sync: Sync EC2 LocalGatewayVirtualInterface state from AWS
subnet.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| AssignIpv6AddressOnCreation? | boolean | Indicates whether a network interface created in this subnet receives an IPv6 address. The default value is false. If you specify AssignIpv6AddressOnCreation, you must also specify an IPv6 CIDR block. |
| VpcId | string | The ID of the VPC the subnet is in. If you update this property, you must also update the CidrBlock property. |
| MapPublicIpOnLaunch? | boolean | Indicates whether instances launched in this subnet receive a public IPv4 address. The default value is false. AWS charges for all public IPv4 addresses, including public IPv4 addresses associated with running instances and Elastic IP addresses. For more information, see the *Public IPv4 Address* tab on the [VPC pricing page](https://docs.aws.amazon.com/vpc/pricing/). |
| EnableLniAtDeviceIndex? | number | Indicates the device position for local network interfaces in this subnet. For example, 1 indicates local network interfaces in this subnet are the secondary network interface (eth1). |
| AvailabilityZone? | string | The Availability Zone of the subnet. If you update this property, you must also update the CidrBlock property. |
| AvailabilityZoneId? | string | The AZ ID of the subnet. |
| CidrBlock? | string | The IPv4 CIDR block assigned to the subnet. If you update this property, we create a new subnet, and then delete the existing one. |
| Ipv6CidrBlock? | string | The IPv6 CIDR block. If you specify AssignIpv6AddressOnCreation, you must also specify an IPv6 CIDR block. |
| OutpostArn? | string | The Amazon Resource Name (ARN) of the Outpost. |
| Ipv6Native? | boolean | Indicates whether this is an IPv6 only subnet. For more information, see [Subnet basics](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#subnet-basics) in the *User Guide*. |
| EnableDns64? | boolean | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. You must first configure a NAT gateway in a public subnet (separate from the subnet containing the IPv6-only workloads). For example, the subnet containing the NAT gateway should have a 0.0.0.0/0 route pointing to the internet gateway. For more information, see [Configure DNS64 and NAT64](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html#nat-gateway-nat64-dns64-walkthrough) in the *User Guide*. |
| PrivateDnsNameOptionsOnLaunch? | object | The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries to the instances should be handled. For more information, see [Amazon EC2 instance hostname types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html) in the *User Guide*. Available options: EnableResourceNameDnsAAAARecord (true \| false) EnableResourceNameDnsARecord (true \| false) HostnameType (ip-name \| resource-name) |
| Tags? | array | Any tags assigned to the subnet. |
| Ipv4IpamPoolId? | string | An IPv4 IPAM pool ID for the subnet. |
| Ipv4NetmaskLength? | number | An IPv4 netmask length for the subnet. |
| Ipv6IpamPoolId? | string | An IPv6 IPAM pool ID for the subnet. |
| Ipv6NetmaskLength? | number | An IPv6 netmask length for the subnet. |
| BlockPublicAccessStates? | object | The mode of VPC BPA. Options here are off, block-bidirectional, block-ingress |

create: Create an EC2 Subnet
get: Get an EC2 Subnet

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 Subnet |

update: Update an EC2 Subnet
delete: Delete an EC2 Subnet

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 Subnet |

sync: Sync EC2 Subnet state from AWS
flow_log.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| DeliverCrossAccountRole? | string | The ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. |
| DeliverLogsPermissionArn? | string | The ARN for the IAM role that permits Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName. |
| LogDestination? | string | Specifies the destination to which the flow log data is to be published. Flow log data can be published to a CloudWatch Logs log group, an Amazon S3 bucket, or a Kinesis Firehose stream. The value specified for this parameter depends on the value specified for LogDestinationType. |
| LogDestinationType? | enum | Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3. |
| LogFormat? | string | The fields to include in the flow log record, in the order in which they should appear. |
| LogGroupName? | string | The name of a new or existing CloudWatch Logs log group where Amazon EC2 publishes your flow logs. If you specify LogDestinationType as s3 or kinesis-data-firehose, do not specify DeliverLogsPermissionArn or LogGroupName. |
| MaxAggregationInterval? | number | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. You can specify 60 seconds (1 minute) or 600 seconds (10 minutes). |
| ResourceId | string | The ID of the subnet, network interface, or VPC for which you want to create a flow log. |
| ResourceType | enum | The type of resource for which to create the flow log. For example, if you specified a VPC ID for the ResourceId property, specify VPC for this property. |
| Tags? | array | The tags to apply to the flow logs. |
| TrafficType? | enum | The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic. |
| DestinationOptions? | object | |

create: Create an EC2 FlowLog
get: Get an EC2 FlowLog

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 FlowLog |

update: Update an EC2 FlowLog
delete: Delete an EC2 FlowLog

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 FlowLog |

sync: Sync EC2 FlowLog state from AWS
nat_gateway.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| SubnetId? | string | The ID of the subnet in which the NAT gateway is located. |
| ConnectivityType? | string | Indicates whether the NAT gateway supports public or private connectivity. The default is public connectivity. |
| PrivateIpAddress? | string | The private IPv4 address to assign to the NAT gateway. If you don't provide an address, a private IPv4 address will be automatically assigned. |
| Tags? | array | The tags for the NAT gateway. |
| AllocationId? | string | [Public NAT gateway only] The allocation ID of the Elastic IP address that's associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified with a private NAT gateway. |
| SecondaryAllocationIds? | array | Secondary EIP allocation IDs. For more information, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-working-with.html) in the *Amazon VPC User Guide*. |
| SecondaryPrivateIpAddresses? | array | Secondary private IPv4 addresses. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide*. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time. |
| SecondaryPrivateIpAddressCount? | number | [Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon Virtual Private Cloud User Guide*. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time. |
| MaxDrainDurationSeconds? | number | The maximum amount of time to wait (in seconds) before forcibly releasing the IP addresses if connections are still in progress. Default value is 350 seconds. |
| VpcId? | string | The ID of the VPC in which the NAT gateway is located. |
| AvailabilityMode? | string | Indicates whether this is a zonal (single-AZ) or regional (multi-AZ) NAT gateway. A zonal NAT gateway is a NAT Gateway that provides redundancy and scalability within a single availability zone. A regional NAT gateway is a single NAT Gateway that works across multiple availability zones (AZs) in your VPC, providing redundancy, scalability and availability across all the AZs in a Region. For more information, see [Regional NAT gateways for automatic multi-AZ expansion](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html) in the *Amazon VPC User Guide*. |
| AvailabilityZoneAddresses? | array | For regional NAT gateways only: Specifies which Availability Zones you want the NAT gateway to support and the Elastic IP addresses (EIPs) to use in each AZ. The regional NAT gateway uses these EIPs to handle outbound NAT traffic from their respective AZs. If not specified, the NAT gateway will automatically expand to new AZs and associate EIPs upon detection of an elastic network interface. If you specify this parameter, auto-expansion is disabled and you must manually manage AZ coverage. A regional NAT gateway is a single NAT Gateway that works across multiple availability zones (AZs) in your VPC, providing redundancy, scalability and availability across all the AZs in a Region. For more information, see [Regional NAT gateways for automatic multi-AZ expansion](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html) in the *Amazon VPC User Guide*. |

create: Create an EC2 NatGateway
get: Get an EC2 NatGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NatGateway |

update: Update an EC2 NatGateway
delete: Delete an EC2 NatGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NatGateway |

sync: Sync EC2 NatGateway state from AWS
vpngateway.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| AmazonSideAsn? | number | The private Autonomous System Number (ASN) for the Amazon side of a BGP session. |
| Tags? | array | Any tags assigned to the virtual private gateway. |
| Type | string | The type of VPN connection the virtual private gateway supports. |

create: Create an EC2 VPNGateway
get: Get an EC2 VPNGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPNGateway |

update: Update an EC2 VPNGateway
delete: Delete an EC2 VPNGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPNGateway |

sync: Sync EC2 VPNGateway state from AWS
vpnconnection.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RemoteIpv6NetworkCidr? | string | The IPv6 CIDR on the AWS side of the VPN connection. Default: ::/0 |
| RemoteIpv4NetworkCidr? | string | The IPv4 CIDR on the AWS side of the VPN connection. Default: 0.0.0.0/0 |
| VpnTunnelOptionsSpecifications? | array | The tunnel options for the VPN connection. |
| CustomerGatewayId | string | The ID of the customer gateway at your end of the VPN connection. |
| OutsideIpAddressType? | string | The type of IP address assigned to the outside interface of the customer gateway device. Valid values: PrivateIpv4 \| PublicIpv4 \| Ipv6 Default: PublicIpv4 |
| StaticRoutesOnly? | boolean | Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP. If you are creating a VPN connection for a device that does not support Border Gateway Protocol (BGP), you must specify true. |
| EnableAcceleration? | boolean | Indicate whether to enable acceleration for the VPN connection. Default: false |
| TransitGatewayId? | string | The ID of the transit gateway associated with the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both. |
| Type | string | The type of VPN connection. |
| TunnelBandwidth? | enum | The desired bandwidth specification for the VPN tunnel, used when creating or modifying VPN connection options to set the tunnel's throughput capacity. standard supports up to 1.25 Gbps per tunnel, while large supports up to 5 Gbps per tunnel. The default value is standard. Existing VPN connections without a bandwidth setting will automatically default to standard. |
| LocalIpv4NetworkCidr? | string | The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: 0.0.0.0/0 |
| VpnGatewayId? | string | The ID of the virtual private gateway at the AWS side of the VPN connection. You must specify either TransitGatewayId or VpnGatewayId, but not both. |
| VpnConcentratorId? | string | The ID of the VPN concentrator to associate with the VPN connection. |
| PreSharedKeyStorage? | enum | Describes the storage location for an instance store-backed AMI. |
| TransportTransitGatewayAttachmentId? | string | The transit gateway attachment ID to use for the VPN tunnel. Required if OutsideIpAddressType is set to PrivateIpv4. |
| LocalIpv6NetworkCidr? | string | The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. Default: ::/0 |
| TunnelInsideIpVersion? | string | Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Default: ipv4 |
| Tags? | array | Any tags assigned to the VPN connection. |

create: Create an EC2 VPNConnection
get: Get an EC2 VPNConnection

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPNConnection |

update: Update an EC2 VPNConnection
delete: Delete an EC2 VPNConnection

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPNConnection |

sync: Sync EC2 VPNConnection state from AWS
vpcdhcpoptions_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| DhcpOptionsId | string | The ID of the DHCP options set, or default to associate no DHCP options with the VPC. |
| VpcId | string | The ID of the VPC. |

create: Create an EC2 VPCDHCPOptionsAssociation
get: Get an EC2 VPCDHCPOptionsAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCDHCPOptionsAssociation |

update: Update an EC2 VPCDHCPOptionsAssociation
delete: Delete an EC2 VPCDHCPOptionsAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCDHCPOptionsAssociation |

sync: Sync EC2 VPCDHCPOptionsAssociation state from AWS
security_group_vpc_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| GroupId | string | The group ID of the specified security group. |
| VpcId | string | The ID of the VPC in the security group vpc association. |

create: Create an EC2 SecurityGroupVpcAssociation
get: Get an EC2 SecurityGroupVpcAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroupVpcAssociation |

delete: Delete an EC2 SecurityGroupVpcAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroupVpcAssociation |

sync: Sync EC2 SecurityGroupVpcAssociation state from AWS
vpnconnection_route.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| DestinationCidrBlock | string | The CIDR block associated with the local subnet of the customer network. |
| VpnConnectionId | string | The ID of the VPN connection. |

create: Create an EC2 VPNConnectionRoute
get: Get an EC2 VPNConnectionRoute

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPNConnectionRoute |

delete: Delete an EC2 VPNConnectionRoute

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPNConnectionRoute |

sync: Sync EC2 VPNConnectionRoute state from AWS
ipamallocation.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| IpamPoolId | string | Id of the IPAM Pool. |
| Cidr? | string | Represents an IPAM custom allocation of a single IPv4 or IPv6 CIDR |
| NetmaskLength? | number | The desired netmask length of the allocation. If set, IPAM will choose a block of free space with this size and return the CIDR representing it. |
| Description? | string | |

create: Create an EC2 IPAMAllocation
get: Get an EC2 IPAMAllocation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMAllocation |

delete: Delete an EC2 IPAMAllocation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMAllocation |

sync: Sync EC2 IPAMAllocation state from AWS
transit_gateway_multicast_domain_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayMulticastDomainId | string | The ID of the transit gateway multicast domain. |
| TransitGatewayAttachmentId | string | The ID of the transit gateway attachment. |
| SubnetId | string | The IDs of the subnets to associate with the transit gateway multicast domain. |

create: Create an EC2 TransitGatewayMulticastDomainAssociation
get: Get an EC2 TransitGatewayMulticastDomainAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastDomainAssociation |

delete: Delete an EC2 TransitGatewayMulticastDomainAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastDomainAssociation |

sync: Sync EC2 TransitGatewayMulticastDomainAssociation state from AWS
local_gateway_route_table_virtual_interface_group_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| LocalGatewayRouteTableId | string | The ID of the local gateway route table. |
| LocalGatewayVirtualInterfaceGroupId | string | The ID of the local gateway route table virtual interface group. |
| Tags? | array | The tags for the local gateway route table virtual interface group association. |

create: Create an EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation
get: Get an EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation |

update: Update an EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation
delete: Delete an EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation |

sync: Sync EC2 LocalGatewayRouteTableVirtualInterfaceGroupAssociation state from AWS
transit_gateway_metering_policy.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayId | string | The Id of transit gateway |
| MiddleboxAttachmentIds? | array | Middle box attachment Ids |
| Tags? | array | |

create: Create an EC2 TransitGatewayMeteringPolicy
get: Get an EC2 TransitGatewayMeteringPolicy

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMeteringPolicy |

update: Update an EC2 TransitGatewayMeteringPolicy
delete: Delete an EC2 TransitGatewayMeteringPolicy

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMeteringPolicy |

sync: Sync EC2 TransitGatewayMeteringPolicy state from AWS
traffic_mirror_target.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| NetworkLoadBalancerArn? | string | The Amazon Resource Name (ARN) of the Network Load Balancer that is associated with the target. |
| Description? | string | The description of the Traffic Mirror target. |
| NetworkInterfaceId? | string | The network interface ID that is associated with the target. |
| GatewayLoadBalancerEndpointId? | string | The ID of the Gateway Load Balancer endpoint. |
| Tags? | array | The tags to assign to the Traffic Mirror target. |

create: Create an EC2 TrafficMirrorTarget
get: Get an EC2 TrafficMirrorTarget

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TrafficMirrorTarget |

update: Update an EC2 TrafficMirrorTarget
delete: Delete an EC2 TrafficMirrorTarget

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TrafficMirrorTarget |

sync: Sync EC2 TrafficMirrorTarget state from AWS
transit_gateway_route_table_propagation.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| TransitGatewayRouteTableId | string | The ID of transit gateway route table. |
| TransitGatewayAttachmentId | string | The ID of transit gateway attachment. |

create: Create an EC2 TransitGatewayRouteTablePropagation
get: Get an EC2 TransitGatewayRouteTablePropagation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRouteTablePropagation |

delete: Delete an EC2 TransitGatewayRouteTablePropagation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayRouteTablePropagation |

sync: Sync EC2 TransitGatewayRouteTablePropagation state from AWS
vpcendpoint_service_permissions.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| AllowedPrincipals? | array | |
| ServiceId | string | |

create: Create an EC2 VPCEndpointServicePermissions
get: Get an EC2 VPCEndpointServicePermissions

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpointServicePermissions |

update: Update an EC2 VPCEndpointServicePermissions
delete: Delete an EC2 VPCEndpointServicePermissions

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCEndpointServicePermissions |

sync: Sync EC2 VPCEndpointServicePermissions state from AWS
network_interface.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Description? | string | A description for the network interface. |
| PrivateIpAddress? | string | Assigns a single private IP address to the network interface, which is used as the primary private IP address. If you want to specify multiple private IP addresses, use the PrivateIpAddresses property. |
| PrivateIpAddresses? | array | Assigns a list of private IP addresses to the network interface. You can specify a primary private IP address by setting the value of the Primary property to true in the PrivateIpAddressSpecification property. If you want EC2 to automatically assign private IP addresses, use the SecondaryPrivateIpAddressCount property and do not specify this property. |
| SecondaryPrivateIpAddressCount? | number | The number of secondary private IPv4 addresses to assign to a network interface. When you specify a number of secondary IPv4 addresses, Amazon EC2 selects these IP addresses within the subnet's IPv4 CIDR range. You can't specify this option and specify more than one private IP address using privateIpAddresses. |
| Ipv4Prefixes? | array | Assigns a list of IPv4 prefixes to the network interface. If you want EC2 to automatically assign IPv4 prefixes, use the Ipv4PrefixCount property and do not specify this property. Presently, only /28 prefixes are supported. You can't specify IPv4 prefixes if you've specified one of the following: a count of IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses. |
| Ipv4PrefixCount? | number | The number of IPv4 prefixes to assign to a network interface. When you specify a number of IPv4 prefixes, Amazon EC2 selects these prefixes from your existing subnet CIDR reservations, if available, or from free spaces in the subnet. By default, these will be /28 prefixes. You can't specify a count of IPv4 prefixes if you've specified one of the following: specific IPv4 prefixes, specific private IPv4 addresses, or a count of private IPv4 addresses. |
| GroupSet? | array | A list of security group IDs associated with this network interface. |
| Ipv6Addresses? | array | One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet to associate with the network interface. If you're specifying a number of IPv6 addresses, use the Ipv6AddressCount property and don't specify this property. |
| Ipv6Prefixes? | array | Assigns a list of IPv6 prefixes to the network interface. If you want EC2 to automatically assign IPv6 prefixes, use the Ipv6PrefixCount property and do not specify this property. Presently, only /80 prefixes are supported. You can't specify IPv6 prefixes if you've specified one of the following: a count of IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses. |
| Ipv6PrefixCount? | number | The number of IPv6 prefixes to assign to a network interface. When you specify a number of IPv6 prefixes, Amazon EC2 selects these prefixes from your existing subnet CIDR reservations, if available, or from free spaces in the subnet. By default, these will be /80 prefixes. You can't specify a count of IPv6 prefixes if you've specified one of the following: specific IPv6 prefixes, specific IPv6 addresses, or a count of IPv6 addresses. |
| SubnetId | string | The ID of the subnet to associate with the network interface. |
| SourceDestCheck? | boolean | Indicates whether traffic to or from the instance is validated. |
| InterfaceType? | string | Indicates the type of network interface. |
| Ipv6AddressCount? | number | The number of IPv6 addresses to assign to a network interface. Amazon EC2 automatically selects the IPv6 addresses from the subnet range. To specify specific IPv6 addresses, use the Ipv6Addresses property and don't specify this property. |
| EnablePrimaryIpv6? | boolean | If you have instances or ENIs that rely on the IPv6 address not changing, to avoid disrupting traffic to instances or ENIs, you can enable a primary IPv6 address. Enable this option to automatically assign an IPv6 associated with the ENI attached to your instance to be the primary IPv6 address. When you enable an IPv6 address to be a primary IPv6, you cannot disable it. Traffic will be routed to the primary IPv6 address until the instance is terminated or the ENI is detached. If you have multiple IPv6 addresses associated with an ENI and you enable a primary IPv6 address, the first IPv6 address associated with the ENI becomes the primary IPv6 address. |
| ConnectionTrackingSpecification? | object | |
| Tags? | array | An arbitrary set of tags (key-value pairs) for this network interface. |
| PublicIpDnsHostnameTypeSpecification? | enum | Public IP DNS hostname type |
| PublicIpDnsNameOptions? | object | Describes the public hostname type options, including public hostname type, IPv4-enabled public hostname, IPv6-enabled public hostname, and dual-stack public hostname. |

create: Create an EC2 NetworkInterface
get: Get an EC2 NetworkInterface

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInterface |

update: Update an EC2 NetworkInterface
delete: Delete an EC2 NetworkInterface

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 NetworkInterface |

sync: Sync EC2 NetworkInterface state from AWS
route_table.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VpcId | string | The ID of the VPC. |
| Tags? | array | Any tags assigned to the route table. |

create: Create an EC2 RouteTable
get: Get an EC2 RouteTable

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 RouteTable |

update: Update an EC2 RouteTable
delete: Delete an EC2 RouteTable

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 RouteTable |

sync: Sync EC2 RouteTable state from AWS
transit_gateway_multicast_group_source.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| GroupIpAddress | string | The IP address assigned to the transit gateway multicast group. |
| TransitGatewayMulticastDomainId | string | The ID of the transit gateway multicast domain. |
| NetworkInterfaceId | string | The ID of the transit gateway attachment. |

create: Create an EC2 TransitGatewayMulticastGroupSource
get: Get an EC2 TransitGatewayMulticastGroupSource

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastGroupSource |

delete: Delete an EC2 TransitGatewayMulticastGroupSource

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TransitGatewayMulticastGroupSource |

sync: Sync EC2 TransitGatewayMulticastGroupSource state from AWS
eipassociation.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| PrivateIpAddress? | string | The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address. |
| InstanceId? | string | The ID of the instance. The instance must have exactly one attached network interface. You can specify either the instance ID or the network interface ID, but not both. |
| AllocationId? | string | The allocation ID. This is required. |
| NetworkInterfaceId? | string | The ID of the network interface. If the instance has more than one network interface, you must specify a network interface ID. You can specify either the instance ID or the network interface ID, but not both. |
| EIP? | string | |

create: Create an EC2 EIPAssociation
get: Get an EC2 EIPAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EIPAssociation |

delete: Delete an EC2 EIPAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EIPAssociation |

sync: Sync EC2 EIPAssociation state from AWS
ipampool_cidr.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
IpamPoolIdstringId of the IPAM Pool.
Cidr?stringRepresents a single IPv4 or IPv6 CIDR
NetmaskLength?numberThe desired netmask length of the provision. If set, IPAM will choose a block of free space with this size and return the CIDR representing it.
createCreate a EC2 IPAMPoolCidr
getGet a EC2 IPAMPoolCidr
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 IPAMPoolCidr
deleteDelete a EC2 IPAMPoolCidr
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 IPAMPoolCidr
syncSync EC2 IPAMPoolCidr state from AWS
ipamscope.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
IpamIdstringThe Id of the IPAM this scope is a part of.
Description?string
Tags?arrayAn array of key-value pairs to apply to this resource.
ExternalAuthorityConfiguration?objectAn external service connecting to your AWS IPAM scope.
createCreate a EC2 IPAMScope
getGet a EC2 IPAMScope
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 IPAMScope
updateUpdate a EC2 IPAMScope
deleteDelete a EC2 IPAMScope
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 IPAMScope
syncSync EC2 IPAMScope state from AWS
key_pair.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
KeyNamestringA unique name for the key pair. Constraints: Up to 255 ASCII characters
KeyType?enumThe type of key pair. Note that ED25519 keys are not supported for Windows instances. If the PublicKeyMaterial property is specified, the KeyType property is ignored, and the key type is inferred from the PublicKeyMaterial value. Default: rsa
KeyFormat?enumThe format of the key pair. Default: pem
PublicKeyMaterial?stringThe public key material. The PublicKeyMaterial property is used to import a key pair. If this property is not specified, then a new key pair will be created.
Tags?arrayThe tags to apply to the key pair.
createCreate a EC2 KeyPair
getGet a EC2 KeyPair
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 KeyPair
deleteDelete a EC2 KeyPair
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 KeyPair
syncSync EC2 KeyPair state from AWS
traffic_mirror_filter_rule.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
DestinationPortRange?objectThe first port in the Traffic Mirror port range.
Description?stringThe description of the Traffic Mirror Filter rule.
SourcePortRange?objectThe first port in the Traffic Mirror port range.
RuleActionstringThe action to take on the filtered traffic (accept/reject).
SourceCidrBlockstringThe source CIDR block to assign to the Traffic Mirror Filter rule.
RuleNumbernumberThe number of the Traffic Mirror rule.
DestinationCidrBlockstringThe destination CIDR block to assign to the Traffic Mirror rule.
TrafficMirrorFilterIdstringThe ID of the filter that this rule is associated with.
TrafficDirectionstringThe direction of traffic (ingress/egress).
Protocol?numberThe protocol number, for example 17 (UDP), to assign to the Traffic Mirror rule.
Tags?arrayAny tags assigned to the Traffic Mirror Filter rule.
createCreate a EC2 TrafficMirrorFilterRule
getGet a EC2 TrafficMirrorFilterRule
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TrafficMirrorFilterRule
updateUpdate a EC2 TrafficMirrorFilterRule
deleteDelete a EC2 TrafficMirrorFilterRule
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TrafficMirrorFilterRule
syncSync EC2 TrafficMirrorFilterRule state from AWS
route.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
CarrierGatewayId?stringThe ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.
CoreNetworkArn?stringThe Amazon Resource Name (ARN) of the core network.
DestinationCidrBlock?stringThe IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18.
DestinationIpv6CidrBlock?stringThe IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.
DestinationPrefixListId?stringThe ID of a prefix list used for the destination match.
EgressOnlyInternetGatewayId?string[IPv6 traffic only] The ID of an egress-only internet gateway.
GatewayId?stringThe ID of an internet gateway or virtual private gateway attached to your VPC.
InstanceId?stringThe ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached.
LocalGatewayId?stringThe ID of the local gateway.
NatGatewayId?string[IPv4 traffic only] The ID of a NAT gateway.
NetworkInterfaceId?stringThe ID of a network interface.
RouteTableIdstringThe ID of the route table for the route.
TransitGatewayId?stringThe ID of a transit gateway.
VpcEndpointId?stringThe ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only.
VpcPeeringConnectionId?stringThe ID of a VPC peering connection.
createCreate a EC2 Route
getGet a EC2 Route
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 Route
updateUpdate a EC2 Route
deleteDelete a EC2 Route
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 Route
syncSync EC2 Route state from AWS
capacity_reservation_fleet.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
AllocationStrategy?string
TagSpecifications?array
InstanceTypeSpecifications?array
TotalTargetCapacity?number
EndDate?string
InstanceMatchCriteria?enum
Tenancy?enum
RemoveEndDate?boolean
NoRemoveEndDate?boolean
createCreate a EC2 CapacityReservationFleet
getGet a EC2 CapacityReservationFleet
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 CapacityReservationFleet
updateUpdate a EC2 CapacityReservationFleet
deleteDelete a EC2 CapacityReservationFleet
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 CapacityReservationFleet
syncSync EC2 CapacityReservationFleet state from AWS
transit_gateway_connect.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
TransportTransitGatewayAttachmentIdstringThe ID of the attachment from which the Connect attachment was created.
Tags?arrayThe tags for the attachment.
Options?objectThe tunnel protocol.
createCreate a EC2 TransitGatewayConnect
getGet a EC2 TransitGatewayConnect
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TransitGatewayConnect
updateUpdate a EC2 TransitGatewayConnect
deleteDelete a EC2 TransitGatewayConnect
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TransitGatewayConnect
syncSync EC2 TransitGatewayConnect state from AWS
dhcpoptions.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
DomainName?stringThis value is used to complete unqualified DNS hostnames.
DomainNameServers?arrayThe IPv4 addresses of up to four domain name servers, or AmazonProvidedDNS.
NetbiosNameServers?arrayThe IPv4 addresses of up to four NetBIOS name servers.
NetbiosNodeType?numberThe NetBIOS node type (1, 2, 4, or 8).
NtpServers?arrayThe IPv4 addresses of up to four Network Time Protocol (NTP) servers.
Ipv6AddressPreferredLeaseTime?numberThe preferred lease time for IPv6 addresses, in seconds.
Tags?arrayAny tags assigned to the DHCP options set.
createCreate a EC2 DHCPOptions
getGet a EC2 DHCPOptions
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 DHCPOptions
updateUpdate a EC2 DHCPOptions
deleteDelete a EC2 DHCPOptions
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 DHCPOptions
syncSync EC2 DHCPOptions state from AWS
route_server_peer.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
RouteServerEndpointIdstringRoute Server Endpoint ID
PeerAddressstringIP address of the Route Server Peer
BgpOptions?objectBGP ASN of the Route Server Peer
Tags?arrayAn array of key-value pairs to apply to this resource.
createCreate a EC2 RouteServerPeer
getGet a EC2 RouteServerPeer
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 RouteServerPeer
updateUpdate a EC2 RouteServerPeer
deleteDelete a EC2 RouteServerPeer
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 RouteServerPeer
syncSync EC2 RouteServerPeer state from AWS
transit_gateway_peering_attachment.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Status?objectThe status message, if applicable.
TransitGatewayIdstringThe ID of the transit gateway.
PeerTransitGatewayIdstringThe ID of the peer transit gateway.
PeerAccountIdstringThe ID of the peer account
PeerRegionstringPeer Region
Tags?arrayThe tags for the transit gateway peering attachment.
createCreate a EC2 TransitGatewayPeeringAttachment
getGet a EC2 TransitGatewayPeeringAttachment
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TransitGatewayPeeringAttachment
updateUpdate a EC2 TransitGatewayPeeringAttachment
deleteDelete a EC2 TransitGatewayPeeringAttachment
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TransitGatewayPeeringAttachment
syncSync EC2 TransitGatewayPeeringAttachment state from AWS
internet_gateway.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Tags?arrayAny tags to assign to the internet gateway.
createCreate a EC2 InternetGateway
getGet a EC2 InternetGateway
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 InternetGateway
updateUpdate a EC2 InternetGateway
deleteDelete a EC2 InternetGateway
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 InternetGateway
syncSync EC2 InternetGateway state from AWS
ec2fleet.tsv2026.04.24.1

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Context?string
TargetCapacitySpecification?object
OnDemandOptions?object
ExcessCapacityTerminationPolicy?enum
TagSpecifications?array
SpotOptions?object
LaunchTemplateConfigsarray
TerminateInstancesWithExpiration?boolean
ValidUntil?string
Type?enum
ReservedCapacityOptions?object
ValidFrom?string
ReplaceUnhealthyInstances?boolean
createCreate a EC2 EC2Fleet
getGet a EC2 EC2Fleet
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 EC2Fleet
updateUpdate a EC2 EC2Fleet
deleteDelete a EC2 EC2Fleet
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 EC2Fleet
syncSync EC2 EC2Fleet state from AWS
transit_gateway.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
DefaultRouteTablePropagation?string
Description?string
AutoAcceptSharedAttachments?string
DefaultRouteTableAssociation?string
VpnEcmpSupport?string
DnsSupport?string
SecurityGroupReferencingSupport?string
MulticastSupport?string
AmazonSideAsn?number
TransitGatewayCidrBlocks?array
Tags?array
AssociationDefaultRouteTableId?string
PropagationDefaultRouteTableId?string
EncryptionSupport?enum
createCreate a EC2 TransitGateway
getGet a EC2 TransitGateway
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TransitGateway
updateUpdate a EC2 TransitGateway
deleteDelete a EC2 TransitGateway
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 TransitGateway
syncSync EC2 TransitGateway state from AWS
route_server_propagation.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
RouteServerIdstringRoute Server ID
RouteTableIdstringRoute Table ID
createCreate a EC2 RouteServerPropagation
getGet a EC2 RouteServerPropagation
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 RouteServerPropagation
deleteDelete a EC2 RouteServerPropagation
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 RouteServerPropagation
syncSync EC2 RouteServerPropagation state from AWS
volume.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
MultiAttachEnabled?booleanIndicates whether Amazon EBS Multi-Attach is enabled. CloudFormation does not currently support updating a single-attach volume to be multi-attach enabled, updating a multi-attach enabled volume to be single-attach, or updating the size or number of I/O operations per second (IOPS) of a multi-attach enabled volume.
KmsKeyId?stringThe identifier of the KMS key to use for Amazon EBS encryption. If KmsKeyId is specified, the encrypted state must be true. If you omit this property and your account is enabled for encryption by default, or *Encrypted* is set to true, then the volume is encrypted using the default key specified for your account. If your account does not have a default key, then the volume is encrypted using the AWS managed key. Alternatively, if you want to specify a different key, you can specify one of the following: Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. Key alias. Specify the alias for the key, prefixed with alias/. For example, for a key with the alias my_cmk, use alias/my_cmk. Or to specify the AWS managed key, use alias/aws/ebs. Key ARN. For example, arn:aws:kms:us-east-1:012345678910:key/1234abcd-12ab-34cd-56ef-1234567890ab. Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. If you are creating a volume copy, omit this parameter. The volume is automatically encrypted with the same KMS key as the source volume. You can't copy unencrypted volumes.
Encrypted?booleanIndicates whether the volume should be encrypted. The effect of setting the encryption state to true depends on the volume origin (new, from a snapshot, or from an existing volume), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see [Encryption by default](https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#encryption-by-default) in the *Amazon EBS User Guide*. If you are creating a volume copy, omit this parameter. The volume is automatically encrypted with the same KMS key as the source volume. You can't copy unencrypted volumes.
Size?numberThe size of the volume, in GiBs. Required for new empty volumes. Optional for volumes created from snapshots and volume copies. In this case, the size defaults to the size of the snapshot or source volume. You can optionally specify a size that is equal to or larger than the size of the source snapshot or volume. Supported volume sizes: gp2: 1 - 16,384 GiB gp3: 1 - 65,536 GiB io1: 4 - 16,384 GiB io2: 4 - 65,536 GiB st1 and sc1: 125 - 16,384 GiB standard: 1 - 1024 GiB
AutoEnableIO?booleanIndicates whether the volume is auto-enabled for I/O operations. By default, EBS disables I/O to the volume from attached EC2 instances when it determines that a volume's data is potentially inconsistent. If the consistency of the volume is not a concern, and you prefer that the volume be made available immediately if it's impaired, you can configure the volume to automatically enable I/O.
OutpostArn?stringThe Amazon Resource Name (ARN) of the Outpost on which to create the volume. If you intend to use a volume with an instance running on an outpost, then you must create the volume on the same outpost as the instance. You can't use a volume created in an AWS Region with an instance on an AWS outpost, or the other way around.
AvailabilityZone?stringThe ID of the Availability Zone in which to create the volume. For example, us-east-1a. Either AvailabilityZone or AvailabilityZoneId must be specified, but not both. If you are creating a volume copy, omit this parameter. The volume copy is created in the same Availability Zone as the source volume.
AvailabilityZoneId?stringThe ID of the Availability Zone in which to create the volume. For example, use1-az1. Either AvailabilityZone or AvailabilityZoneId must be specified, but not both. If you are creating a volume copy, omit this parameter. The volume copy is created in the same Availability Zone as the source volume.
Throughput?numberThe throughput to provision for a volume, with a maximum of 2,000 MiB/s. This parameter is valid only for gp3 volumes. The default value is 125. Valid Range: Minimum value of 125. Maximum value of 2000. The maximum ratio of throughput to IOPS is 0.25 MiB/s per IOPS. For example, a volume with 3,000 IOPS can have a maximum throughput of 750 MiB/s (3,000 x 0.25).
Iops?numberThe number of I/O operations per second (IOPS) to provision for the volume. Required for io1 and io2 volumes. Optional for gp3 volumes. Omit for all other volume types. Valid ranges: gp3: 3,000 (*default*) - 80,000 IOPS io1: 100 - 64,000 IOPS io2: 100 - 256,000 IOPS [Instances built on the Nitro System](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html) can support up to 256,000 IOPS. Other instances can support up to 32,000 IOPS.
SnapshotId?stringThe snapshot from which to create the volume. Only specify to create a volume from a snapshot. To create a new empty volume, omit this parameter and specify a value for Size instead. To create a volume copy, omit this parameter and specify SourceVolumeId instead.
SourceVolumeId?stringThe ID of the source EBS volume to copy. When specified, the volume is created as an exact copy of the specified volume. Only specify to create a volume copy. To create a new empty volume or to create a volume from a snapshot, omit this parameter,
VolumeType?stringThe volume type. This parameter can be one of the following values: General Purpose SSD: gp2 | gp3 Provisioned IOPS SSD: io1 | io2 Throughput Optimized HDD: st1 Cold HDD: sc1 Magnetic: standard Throughput Optimized HDD (st1) and Cold HDD (sc1) volumes can't be used as boot volumes. For more information, see [Amazon EBS volume types](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html) in the *Amazon EBS User Guide*. Default: gp2
Tags?arrayThe tags to apply to the volume during creation.
VolumeInitializationRate?numberSpecifies the Amazon EBS Provisioned Rate for Volume Initialization (volume initialization rate), in MiB/s, at which to download the snapshot blocks from Amazon S3 to the volume. This is also known as *volume initialization*. Specifying a volume initialization rate ensures that the volume is initialized at a predictable and consistent rate after creation. This parameter is supported only for volumes created from snapshots. Omit this parameter if: You want to create the volume using fast snapshot restore. You must specify a snapshot that is enabled for fast snapshot restore. In this case, the volume is fully initialized at creation. If you specify a snapshot that is enabled for fast snapshot restore and a volume initialization rate, the volume will be initialized at the specified rate instead of fast snapshot restore. You want to create a volume that is initialized at the default rate. For more information, see [Initialize Amazon EBS volumes](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html) in the *Amazon EC2 User Guide*. Valid range: 100 - 300 MiB/s
createCreate a EC2 Volume
getGet a EC2 Volume
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 Volume
updateUpdate a EC2 Volume
deleteDelete a EC2 Volume
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 Volume
syncSync EC2 Volume state from AWS
vpcblock_public_access_options.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
InternetGatewayBlockModeenumThe desired Block Public Access mode for Internet Gateways in your account. Creating the resource in off mode is not allowed, as off is the default value.
createCreate a EC2 VPCBlockPublicAccessOptions
getGet a EC2 VPCBlockPublicAccessOptions
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPCBlockPublicAccessOptions
updateUpdate a EC2 VPCBlockPublicAccessOptions
deleteDelete a EC2 VPCBlockPublicAccessOptions
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPCBlockPublicAccessOptions
syncSync EC2 VPCBlockPublicAccessOptions state from AWS
ipamprefix_list_resolver.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
IpamId?stringThe Id of the IPAM this Prefix List Resolver is a part of.
AddressFamilystringThe address family of the address space in this Prefix List Resolver. Either IPv4 or IPv6.
Description?string
Rules?arrayRules define the business logic for selecting CIDRs from IPAM.
Tags?arrayAn array of key-value pairs to apply to this resource.
createCreate a EC2 IPAMPrefixListResolver
getGet a EC2 IPAMPrefixListResolver
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 IPAMPrefixListResolver
updateUpdate a EC2 IPAMPrefixListResolver
deleteDelete a EC2 IPAMPrefixListResolver
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 IPAMPrefixListResolver
syncSync EC2 IPAMPrefixListResolver state from AWS
vpcpeering_connection.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
PeerRoleArn?stringThe Amazon Resource Name (ARN) of the VPC peer role for the peering connection in another AWS account.
VpcIdstringThe ID of the VPC.
PeerVpcIdstringThe ID of the VPC with which you are creating the VPC peering connection. You must specify this parameter in the request.
AssumeRoleRegion?stringThe Region code to use when calling Security Token Service (STS) to assume the PeerRoleArn, if provided.
PeerRegion?stringThe Region code for the accepter VPC, if the accepter VPC is located in a Region other than the Region in which you make the request.
PeerOwnerId?stringThe AWS account ID of the owner of the accepter VPC.
Tags?array
createCreate a EC2 VPCPeeringConnection
getGet a EC2 VPCPeeringConnection
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPCPeeringConnection
updateUpdate a EC2 VPCPeeringConnection
deleteDelete a EC2 VPCPeeringConnection
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPCPeeringConnection
syncSync EC2 VPCPeeringConnection state from AWS
network_acl.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
VpcIdstringThe ID of the VPC for the network ACL.
Tags?arrayThe tags for the network ACL.
createCreate a EC2 NetworkAcl
getGet a EC2 NetworkAcl
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 NetworkAcl
updateUpdate a EC2 NetworkAcl
deleteDelete a EC2 NetworkAcl
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 NetworkAcl
syncSync EC2 NetworkAcl state from AWS
vpcencryption_control.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Tags?arrayThe tags to assign to the VPC encryption control.
VpcId?stringThe VPC on which this VPC encryption control is applied.
Mode?enumThe VPC encryption control mode, either monitor or enforce.
InternetGatewayExclusionInput?enumUsed to enable or disable IGW exclusion
EgressOnlyInternetGatewayExclusionInput?enumUsed to enable or disable EIGW exclusion
NatGatewayExclusionInput?enumUsed to enable or disable NAT gateway exclusion
VirtualPrivateGatewayExclusionInput?enumUsed to enable or disable VGW exclusion
VpcPeeringExclusionInput?enumUsed to enable or disable VPC peering exclusion
VpcLatticeExclusionInput?enumUsed to enable or disable VPC Lattice exclusion
ElasticFileSystemExclusionInput?enumUsed to enable or disable EFS exclusion
LambdaExclusionInput?enumUsed to enable or disable Lambda exclusion
createCreate a EC2 VPCEncryptionControl
getGet a EC2 VPCEncryptionControl
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPCEncryptionControl
updateUpdate a EC2 VPCEncryptionControl
deleteDelete a EC2 VPCEncryptionControl
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPCEncryptionControl
syncSync EC2 VPCEncryptionControl state from AWS
vpnconcentrator.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
TransitGatewayIdstringThe ID of the transit gateway associated with the VPN concentrator.
TypestringThe type of VPN concentrator.
Tags?arrayAny tags assigned to the VPN concentrator.
createCreate a EC2 VPNConcentrator
getGet a EC2 VPNConcentrator
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPNConcentrator
updateUpdate a EC2 VPNConcentrator
deleteDelete a EC2 VPNConcentrator
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VPNConcentrator
syncSync EC2 VPNConcentrator state from AWS
verified_access_trust_provider.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
TrustProviderTypestringType of trust provider. Possible values: user|device
DeviceTrustProviderType?stringThe type of device-based trust provider. Possible values: jamf|crowdstrike
UserTrustProviderType?stringThe type of device-based trust provider. Possible values: oidc|iam-identity-center
OidcOptions?objectThe OIDC issuer.
DeviceOptions?objectThe ID of the tenant application with the device-identity provider.
PolicyReferenceNamestringThe identifier to be used when working with policy rules.
Description?stringA description for the Amazon Web Services Verified Access trust provider.
Tags?arrayAn array of key-value pairs to apply to this resource.
SseSpecification?objectKMS Key Arn used to encrypt the group policy
NativeApplicationOidcOptions?objectThe OIDC issuer.
createCreate a EC2 VerifiedAccessTrustProvider
getGet a EC2 VerifiedAccessTrustProvider
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VerifiedAccessTrustProvider
updateUpdate a EC2 VerifiedAccessTrustProvider
deleteDelete a EC2 VerifiedAccessTrustProvider
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 VerifiedAccessTrustProvider
syncSync EC2 VerifiedAccessTrustProvider state from AWS
subnet_cidr_block.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Ipv6CidrBlock?stringThe IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length
Ipv6IpamPoolId?stringThe ID of an IPv6 Amazon VPC IP Address Manager (IPAM) pool from which to allocate, to get the subnet's CIDR
Ipv6NetmaskLength?numberThe netmask length of the IPv6 CIDR to allocate to the subnet from an IPAM pool
SubnetIdstringThe ID of the subnet
createCreate a EC2 SubnetCidrBlock
getGet a EC2 SubnetCidrBlock
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 SubnetCidrBlock
deleteDelete a EC2 SubnetCidrBlock
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 SubnetCidrBlock
syncSync EC2 SubnetCidrBlock state from AWS
prefix_list.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
PrefixListNamestringName of Prefix List.
AddressFamilyenumIP version of Prefix List.
MaxEntries?numberMax Entries of Prefix List.
Tags?arrayTags for Prefix List
Entries?arrayEntries of Prefix List.
createCreate a EC2 PrefixList
getGet a EC2 PrefixList
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 PrefixList
updateUpdate a EC2 PrefixList
deleteDelete a EC2 PrefixList
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 PrefixList
syncSync EC2 PrefixList state from AWS
network_insights_access_scope_analysis.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
NetworkInsightsAccessScopeIdstring
Tags?array
createCreate a EC2 NetworkInsightsAccessScopeAnalysis
getGet a EC2 NetworkInsightsAccessScopeAnalysis
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 NetworkInsightsAccessScopeAnalysis
updateUpdate a EC2 NetworkInsightsAccessScopeAnalysis
deleteDelete a EC2 NetworkInsightsAccessScopeAnalysis
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 NetworkInsightsAccessScopeAnalysis
syncSync EC2 NetworkInsightsAccessScopeAnalysis state from AWS
subnet_network_acl_association.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
SubnetIdstringThe ID of the subnet
NetworkAclIdstringThe ID of the network ACL
createCreate a EC2 SubnetNetworkAclAssociation
getGet a EC2 SubnetNetworkAclAssociation
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 SubnetNetworkAclAssociation
deleteDelete a EC2 SubnetNetworkAclAssociation
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 SubnetNetworkAclAssociation
syncSync EC2 SubnetNetworkAclAssociation state from AWS
route_server.tsv2026.04.23.2

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
AmazonSideAsnnumberThe Amazon-side ASN of the Route Server.
PersistRoutes?enumWhether to enable persistent routes
PersistRoutesDuration?numberThe duration of persistent routes in minutes
SnsNotificationsEnabled?booleanWhether to enable SNS notifications
Tags?arrayAn array of key-value pairs to apply to this resource.
createCreate a EC2 RouteServer
getGet a EC2 RouteServer
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 RouteServer
updateUpdate a EC2 RouteServer
deleteDelete a EC2 RouteServer
ArgumentTypeDescription
identifierstringThe primary identifier of the EC2 RouteServer
syncSync EC2 RouteServer state from AWS
enclave_certificate_iam_role_association.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| CertificateArn | string | The Amazon Resource Name (ARN) of the ACM certificate with which to associate the IAM role. |
| RoleArn | string | The Amazon Resource Name (ARN) of the IAM role to associate with the ACM certificate. You can associate up to 16 IAM roles with an ACM certificate. |

create: Create an EC2 EnclaveCertificateIamRoleAssociation
get: Get an EC2 EnclaveCertificateIamRoleAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EnclaveCertificateIamRoleAssociation |

delete: Delete an EC2 EnclaveCertificateIamRoleAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EnclaveCertificateIamRoleAssociation |

sync: Sync EC2 EnclaveCertificateIamRoleAssociation state from AWS
ipamprefix_list_resolver_target.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| IpamPrefixListResolverId | string | The Id of the IPAM Prefix List Resolver associated with this Target. |
| PrefixListId | string | The Id of the Managed Prefix List. |
| PrefixListRegion | string | The region that the Managed Prefix List is located in. |
| DesiredVersion? | number | The desired version of the Prefix List Resolver that this Target should synchronize with. |
| TrackLatestVersion | boolean | Indicates whether this Target automatically tracks the latest version of the Prefix List Resolver. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 IPAMPrefixListResolverTarget
get: Get an EC2 IPAMPrefixListResolverTarget

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMPrefixListResolverTarget |

update: Update an EC2 IPAMPrefixListResolverTarget
delete: Delete an EC2 IPAMPrefixListResolverTarget

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 IPAMPrefixListResolverTarget |

sync: Sync EC2 IPAMPrefixListResolverTarget state from AWS
sql_ha_standby_detected_instance.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| InstanceId | string | The ID of the EC2 instance to enable for SQL Server high availability standby detection. |
| SqlServerCredentials? | string | The ARN of the AWS Secrets Manager secret containing SQL Server access credentials to the EC2 instance. If not specified, AWS Systems Manager agent will use default local user credentials. |

create: Create an EC2 SqlHaStandbyDetectedInstance
get: Get an EC2 SqlHaStandbyDetectedInstance

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SqlHaStandbyDetectedInstance |

update: Update an EC2 SqlHaStandbyDetectedInstance
delete: Delete an EC2 SqlHaStandbyDetectedInstance

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SqlHaStandbyDetectedInstance |

sync: Sync EC2 SqlHaStandbyDetectedInstance state from AWS
security_group.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| GroupDescription | string | A description for the security group. |
| GroupName? | string | The name of the security group. |
| VpcId? | string | The ID of the VPC for the security group. |
| SecurityGroupIngress? | array | The inbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group. |
| SecurityGroupEgress? | array | [VPC only] The outbound rules associated with the security group. There is a short interruption during which you cannot connect to the security group. |
| Tags? | array | Any tags assigned to the security group. |

create: Create an EC2 SecurityGroup
get: Get an EC2 SecurityGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroup |

update: Update an EC2 SecurityGroup
delete: Delete an EC2 SecurityGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 SecurityGroup |

sync: Sync EC2 SecurityGroup state from AWS
launch_template.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| LaunchTemplateName? | string | A name for the launch template. |
| LaunchTemplateData? | object | The names of the security groups. For a nondefault VPC, you must use security group IDs instead. If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter. |
| VersionDescription? | string | A description for the first version of the launch template. |
| TagSpecifications? | array | The tags to apply to the launch template on creation. To tag the launch template, the resource type must be launch-template. To specify the tags for resources that are created during instance launch, use [TagSpecifications](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-tagspecifications). |

create: Create an EC2 LaunchTemplate
get: Get an EC2 LaunchTemplate

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LaunchTemplate |

update: Update an EC2 LaunchTemplate
delete: Delete an EC2 LaunchTemplate

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 LaunchTemplate |

sync: Sync EC2 LaunchTemplate state from AWS
vpcblock_public_access_exclusion.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| InternetGatewayExclusionMode | enum | The desired Block Public Access Exclusion Mode for a specific VPC/Subnet. |
| VpcId? | string | The ID of the VPC. Required only if you don't specify SubnetId. |
| SubnetId? | string | The ID of the subnet. Required only if you don't specify VpcId. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

create: Create an EC2 VPCBlockPublicAccessExclusion
get: Get an EC2 VPCBlockPublicAccessExclusion

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCBlockPublicAccessExclusion |

update: Update an EC2 VPCBlockPublicAccessExclusion
delete: Delete an EC2 VPCBlockPublicAccessExclusion

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VPCBlockPublicAccessExclusion |

sync: Sync EC2 VPCBlockPublicAccessExclusion state from AWS
traffic_mirror_filter.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| NetworkServices? | array | The network service that is associated with the traffic mirror filter. |
| Description? | string | The description of a traffic mirror filter. |
| Tags? | array | The tags for a traffic mirror filter. |

create: Create an EC2 TrafficMirrorFilter
get: Get an EC2 TrafficMirrorFilter

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TrafficMirrorFilter |

update: Update an EC2 TrafficMirrorFilter
delete: Delete an EC2 TrafficMirrorFilter

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 TrafficMirrorFilter |

sync: Sync EC2 TrafficMirrorFilter state from AWS
verified_access_group.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VerifiedAccessInstanceId | string | The ID of the AWS Verified Access instance. |
| Description? | string | A description for the AWS Verified Access group. |
| PolicyDocument? | string | The AWS Verified Access policy document. |
| PolicyEnabled? | boolean | The status of the Verified Access policy. |
| Tags? | array | An array of key-value pairs to apply to this resource. |
| SseSpecification? | object | KMS Key Arn used to encrypt the group policy |

create: Create an EC2 VerifiedAccessGroup
get: Get an EC2 VerifiedAccessGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VerifiedAccessGroup |

update: Update an EC2 VerifiedAccessGroup
delete: Delete an EC2 VerifiedAccessGroup

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 VerifiedAccessGroup |

sync: Sync EC2 VerifiedAccessGroup state from AWS
egress_only_internet_gateway.ts v2026.04.23.2

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| VpcId | string | The ID of the VPC for which to create the egress-only internet gateway. |
| Tags? | array | Any tags assigned to the egress only internet gateway. |

create: Create an EC2 EgressOnlyInternetGateway
get: Get an EC2 EgressOnlyInternetGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EgressOnlyInternetGateway |

update: Update an EC2 EgressOnlyInternetGateway
delete: Delete an EC2 EgressOnlyInternetGateway

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the EC2 EgressOnlyInternetGateway |

sync: Sync EC2 EgressOnlyInternetGateway state from AWS