AWS CloudFormation template guidelines for AMI-based products in AWS Marketplace
AWS Marketplace gives sellers the option to list AMI-based products with AWS CloudFormation (CloudFormation) templates. Sellers, both Consulting Partners (CPs) and Independent Software Vendors (ISVs), use the templates to define a cluster or distributed architecture for the product. Customers then deploy the solution from the CloudFormation template, which saves time and avoids manual configuration errors.
In this post, I’ll provide you with the CloudFormation template requirements for listing AMI-based products with CloudFormation templates in AWS Marketplace. Understanding the CloudFormation template requirements helps you reduce the delays in publishing your AMI-based products while making it easier for customers to deploy your products.
To sell AMI-based products with CloudFormation templates in AWS Marketplace, you must complete the following prerequisites:
- Be fully registered with AWS Marketplace as a seller. For details on how to register successfully, refer to this checklist for successfully registering as a seller in AWS Marketplace.
- Have access to the AWS Marketplace console.
- Read and understand AWS Marketplace AMI-Based Delivery Using AWS CloudFormation.
Guidelines for creating CloudFormation templates for AMI-based products in AWS Marketplace
Required for CloudFormation templates for AMI-based products
The following is a list of what your CloudFormation template must have:
- A Mappings section listing the AMI ID for each Region where the product is available. The Regions in the mapping must match the Regions enabled (set to TRUE) in the CP's or ISV's Product Load Form (PLF), and the instance types the template offers must match the instance types enabled in the PLF. The template must launch successfully through the CloudFormation console in every Region enabled for your product; you can use this tool to test your templates. For a single-AMI product delivered using AWS CloudFormation, the template must contain only one AMI.
- Only IAM roles, with least-privilege AWS Identity and Access Management (IAM) policies scoped to the actions and resources the product actually needs; no IAM users or long-lived access keys.
- A Virtual Private Cloud (VPC) with network access control lists (ACLs) and security groups that restrict traffic to what the product needs. The template should give customers the option to either create a new VPC or deploy into an existing one.
- For a clustered solution that uses an Auto Scaling group, you must handle scaling events: a newly launched node should join the running cluster automatically. Even for single-node products, I recommend using an Auto Scaling group so that a failed instance is replaced. If your solution is a cluster of multiple instances, consider using placement groups.
- Comments in your UserData section explaining what the bootstrap script does. Use CloudFormation parameter types (for example AWS::EC2::VPC::Id or AWS::EC2::KeyPair::KeyName) for inputs where available, so values are validated before the stack launches. Use AWS::CloudFormation::Interface to group and sort input parameters in the console.
Optional for CloudFormation templates for AMI-based products
- Dependencies. Your template can include dependencies such as AWS Lambda functions, config files, and scripts, provided they ship with your AMI rather than being fetched from an external location at deploy time. For more information, see Create a serverless application. Any dependency you include must follow the AMI security policy guidelines.
Disallowed for CloudFormation templates for AMI-based products
The following is a list of what your CloudFormation template must not have:
- Hardcoded AMI IDs in resources. Use the Fn::FindInMap intrinsic function to look up the AMI ID for the stack's Region (AWS::Region) from your Mappings section.
- A request for the customer's AWS credentials, such as access keys or secret keys, passwords, or certificates, whether as CloudFormation parameter inputs or through some other web form. For sensitive inputs the product itself needs (for example an application admin password), use the NoEcho property and a regular-expression constraint (AllowedPattern).
- Fetching files from your S3 bucket or repository. Your template must not fetch files, resources, or Lambda function code from your S3 bucket or any other external repository at deploy time.
- A dependency on the default VPC. Your template must not work only in a customer's default VPC.
- The default value 0.0.0.0/0 (IPv4) or ::/0 (IPv6) anywhere in the template for ports that give access to the instance, such as the SSH port (22) or the RDP port (3389).
- Designer metadata. Remove any AWS CloudFormation Designer metadata (the AWS::CloudFormation::Designer key) from the template.
- Default values for remote-access parameters. Your template should not set defaults for parameters such as remote-access CIDR/IP ranges or database passwords. The customer must provide these as input parameters.
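To make the required and disallowed items above concrete, here is an added example (not code from the original post or from AWS Marketplace): a small Python pre-submission lint that parses a JSON template and reports the items that would block a listing. The embedded template is constructed for illustration; its AMI IDs, parameter names and AllowedPattern values, and the regular expressions used to recognise sensitive and remote-access parameters, are assumptions. The checks supplement, and do not replace, launching the template in every enabled Region.

```python
"""Pre-submission lint for an AWS Marketplace CloudFormation template (added
example, not AWS Marketplace tooling). The JSON template is constructed for
illustration; its AMI IDs, names and patterns are placeholders. The checks
encode this post's "must not have" rules and do not replace a launch test in
every enabled Region."""
import copy
import json
import re

# Constructed compliant template: AMI IDs live only in Mappings and are read via
# Fn::FindInMap on AWS::Region; the remote-access CIDR and admin password have no
# defaults; the password is NoEcho with an AllowedPattern; an Interface groups inputs.
COMPLIANT_TEMPLATE = json.loads(r"""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {"AWS::CloudFormation::Interface": {"ParameterGroups": [
    {"Label": {"default": "Network"}, "Parameters": ["VpcId", "SubnetId", "RemoteAccessCIDR"]},
    {"Label": {"default": "Application"}, "Parameters": ["AdminPassword"]}]}},
  "Parameters": {
    "VpcId": {"Type": "AWS::EC2::VPC::Id"},
    "SubnetId": {"Type": "AWS::EC2::Subnet::Id"},
    "RemoteAccessCIDR": {"Type": "String", "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$",
                         "ConstraintDescription": "CIDR range allowed to reach port 22"},
    "AdminPassword": {"Type": "String", "NoEcho": true,
                      "AllowedPattern": "^[A-Za-z0-9!@#%^*_+=-]{12,64}$"}},
  "Mappings": {"AMIRegionMap": {"us-east-1": {"AMI": "ami-00000000000000001"},
                                "eu-west-1": {"AMI": "ami-00000000000000002"}}},
  "Resources": {
    "AdminSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "SSH only from the customer-supplied CIDR", "VpcId": {"Ref": "VpcId"},
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                "CidrIp": {"Ref": "RemoteAccessCIDR"}}]}},
    "AppInstance": {"Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": {"Fn::FindInMap": ["AMIRegionMap", {"Ref": "AWS::Region"}, "AMI"]},
      "InstanceType": "t3.medium", "SubnetId": {"Ref": "SubnetId"},
      "SecurityGroupIds": [{"Fn::GetAtt": ["AdminSecurityGroup", "GroupId"]}]}}}}""")

AMI_ID = re.compile(r"^ami-[0-9a-f]{8,17}$")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
REMOTE_PORTS = (22, 3389)
SENSITIVE = re.compile(r"password|secret|passphrase|token", re.I)  # assumed naming
REMOTE_RANGE = re.compile(r"(remote|access|ssh|rdp|bastion).*(cidr|ip)", re.I)


def _dicts(node):
    """Yield every dict nested anywhere inside a parsed template."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _dicts(item)


def lint_template(template):
    """Return a sorted list of findings; an empty list means no rule fired."""
    findings = []
    if not template.get("Mappings"):
        findings.append("Mappings: template must map an AMI ID per enabled Region")
    if any("AWS::CloudFormation::Designer" in d for d in _dicts(template)):
        findings.append("Metadata: remove AWS::CloudFormation::Designer metadata")
    for section in ("Parameters", "Resources"):
        for d in _dicts(template.get(section, {})):
            for value in d.values():  # AMI IDs belong in Mappings, nowhere else
                if isinstance(value, str) and AMI_ID.match(value):
                    findings.append(f"{section}: hardcoded AMI ID {value}; use Fn::FindInMap")
            cidr = d.get("CidrIp", d.get("CidrIpv6"))  # literal ingress ranges only
            if isinstance(cidr, str) and cidr in OPEN_CIDRS:
                lo, hi = int(d.get("FromPort", 0)), int(d.get("ToPort", 65535))
                if str(d.get("IpProtocol")) == "-1":  # "all traffic" rule
                    lo, hi = 0, 65535
                if any(lo <= p <= hi for p in REMOTE_PORTS):
                    findings.append(f"{section}: {cidr} opens remote-access ports {lo}-{hi}")
    for name, param in template.get("Parameters", {}).items():
        if param.get("Default") in OPEN_CIDRS:
            findings.append(f"Parameters/{name}: default {param['Default']} is not allowed")
        elif REMOTE_RANGE.search(name) and "Default" in param:
            findings.append(f"Parameters/{name}: remote-access range must not have a default")
        if SENSITIVE.search(name):
            if param.get("NoEcho") is not True:
                findings.append(f"Parameters/{name}: sensitive input must set NoEcho true")
            if "AllowedPattern" not in param:
                findings.append(f"Parameters/{name}: sensitive input needs an AllowedPattern")
            if "Default" in param:
                findings.append(f"Parameters/{name}: sensitive input must not have a default")
    return sorted(findings)


def make_noncompliant():
    """Constructed counter-example: the same template with the mistakes the post forbids."""
    bad = copy.deepcopy(COMPLIANT_TEMPLATE)
    bad["Metadata"]["AWS::CloudFormation::Designer"] = {"AppInstance": {"id": "x"}}
    bad["Resources"]["AppInstance"]["Properties"]["ImageId"] = "ami-00000000000000001"
    bad["Parameters"]["RemoteAccessCIDR"]["Default"] = "0.0.0.0/0"
    bad["Parameters"]["AdminPassword"] = {"Type": "String", "Default": "changeme"}
    bad["Resources"]["AdminSecurityGroup"]["Properties"]["SecurityGroupIngress"].append(
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"})
    return bad


if __name__ == "__main__":
    print("compliant:", lint_template(COMPLIANT_TEMPLATE))
    for finding in lint_template(make_noncompliant()):
        print("non-compliant:", finding)
```

Run it as a script to see the compliant template pass and the mutated copy fail once per rule it breaks, then point lint_template at json.load() of your own template before you submit. YAML templates that use short-form tags such as !Ref need converting to JSON first (for example with the cfn-flip tool), since a plain YAML loader does not understand those tags.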
Conclusion and next steps
In this post, I outlined the CloudFormation template requirements for AMI-based products in AWS Marketplace, as well as the features that are disallowed.
Once your CloudFormation template is configured, you can submit your product. To do that, you must do the following:
- Prepare and validate your AMI(s).
- Create your CloudFormation template(s).
- Estimate the infrastructure price for the default configuration of each template.
- Create a topology diagram.
- Complete the PLF.
- Submit the materials to AWS Marketplace using the AWS Marketplace Management Portal.
About the author
Pawan Kumar is a Technical Account Manager who focuses on seller operations for AWS Marketplace and is passionate about serverless computing and solving new problems. Outside of work, he enjoys playing and watching cricket.