platform.engineering/awsofficialv0.1.11stableresource

AWS resource plugin (CloudControl-based)

installation
$formae plugin install aws

AWS Plugin for Formae

AWS resource plugin for formae. This plugin enables Formae to manage AWS resources using the AWS Cloud Control API.

Supported Resources

This plugin supports 209 AWS resource types across 21 services via the CloudControl API:

Service Resources Examples
EC2 96 VPC, Subnet, SecurityGroup, Instance, NATGateway, InternetGateway
IAM 16 Role, Policy, User, Group, InstanceProfile, OIDCProvider
RDS 16 DBInstance, DBCluster, DBSubnetGroup, OptionGroup
Lambda 10 Function, LayerVersion, Permission, EventSourceMapping
ECS 7 Cluster, Service, TaskDefinition, CapacityProvider
S3 11 Bucket, BucketPolicy, AccessPoint
EKS 2 Cluster, NodeGroup
Route53 7 HostedZone, RecordSet, HealthCheck
DynamoDB 2 Table, GlobalTable
KMS 2 Key, Alias
Secrets Manager 4 Secret, ResourcePolicy, RotationSchedule
CloudFront 1 Distribution
ELBv2 7 LoadBalancer, TargetGroup, Listener, ListenerRule
ECR 6 Repository, RegistryPolicy, ReplicationConfiguration
EFS 3 FileSystem, MountTarget, AccessPoint
SQS 3 Queue, QueuePolicy
API Gateway 8 RestApi, Resource, Method, Deployment, Stage
SageMaker 4 Domain, UserProfile, Endpoint
Elastic Beanstalk 4 Application, Environment, ConfigurationTemplate
Logs 1 LogGroup

See schema/pkl/ for the complete list of supported resource types.

Configuration

Target Configuration

Configure an AWS target in your Forma file:

import "@formae/formae.pkl"
import "@aws/aws.pkl"

target: formae.Target = new formae.Target {
  label = "aws-target"
  config = new aws.Config {
    region = "us-east-1"
    // Optional: specify a named profile
    // profile = "my-profile"
  }
}

Credentials

The plugin uses the standard AWS credential chain. Configure credentials using one of:

Environment Variables:

export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_REGION="us-east-1"

# For temporary credentials (e.g., from STS AssumeRole)
export AWS_SESSION_TOKEN="your-session-token"

Named Profile:

# Use a profile from ~/.aws/credentials
export AWS_PROFILE="my-profile"

IAM Instance Profile / ECS Task Role: When running on EC2 or ECS, credentials are automatically retrieved from the instance metadata service.

OIDC (for CI/CD): See .github/workflows/ci.yml for an example using GitHub Actions OIDC with aws-actions/configure-aws-credentials.

Examples

See the examples/ directory for usage examples.

# Evaluate an example
formae eval examples/complete/lifeline/basic_infrastructure.pkl

# Apply resources
formae apply --mode reconcile --watch examples/complete/lifeline/basic_infrastructure.pkl

License

This plugin is licensed under the Functional Source License, Version 1.1, ALv2 Future License (FSL-1.1-ALv2).

Copyright 2026 Platform Engineering Labs Inc.

type
resource
category
cloud
license
FSL-1.1-ALv2
originator
platform.engineering
namespace
AWS
latest
v0.1.11 · stable
platforms
repo
github.com/platform-engineering-labs/formae-plugin-aws
versions (23)
v0.1.12-dev.4beta
2026-06-16
v0.1.12-dev.3beta
2026-06-16
v0.1.12-dev.2beta
2026-06-15
v0.1.12-dev.1beta
2026-06-15
v0.1.12-dev.0beta
2026-06-14
v0.1.11stable
2026-06-06
v0.1.11-dev.12beta
2026-06-05
v0.1.11-dev.11beta
2026-06-05
v0.1.11-dev.10beta
2026-06-05
v0.1.11-dev.9beta
2026-06-05
v0.1.11-dev.8beta
2026-06-04
v0.1.11-dev.7beta
2026-06-04
v0.1.11-dev.6beta
2026-06-03
v0.1.11-dev.5beta
2026-06-03
v0.1.11-dev.4beta
2026-06-03
v0.1.11-dev.3beta
2026-05-30
v0.1.11-dev.2beta
2026-05-30
v0.1.11-dev.1beta
2026-05-29
v0.1.11-dev.0beta
2026-05-27
v0.1.10stable
2026-05-19
v0.1.9stable
2026-05-18
v0.1.8stable
2026-05-16
v0.1.7stable
2026-05-13