Parameters, mappings & outputs

Make a template reusable.

Beginner12 min · lesson 3 of 12

Hard-coded templates are single-use; Parameters make one template serve many deployments. A parameter declares a typed input with an optional default, allowed values, and constraints, and you supply it at deploy time. The program refers to it with !Ref, so the same template can deploy a t3.small in dev and a t3.large in prod purely by changing the parameter.

template.yaml
Parameters:
Environment:
Type: String
AllowedValues: [dev, staging, prod]
Default: dev
InstanceType:
Type: String
Default: t3.small
AllowedValues: [t3.small, t3.large]
Resources:
AppServer:
Type: AWS::EC2::Instance
Properties:
InstanceType: !Ref InstanceType
Tags: [{ Key: Env, Value: !Ref Environment }]

Mappings and Outputs

Mappings are static lookup tables resolved with !FindInMap — the classic use is picking a region-specific AMI. Outputs publish values from the stack: an endpoint, a bucket name, a security group ID. An Output can be exported with a name, which lets another stack import it (cross-stack references, covered later) — making Outputs both a human-facing result and a machine-facing contract between stacks.

template.yaml
Mappings:
RegionAmi:
us-east-1: { ami: ami-0abc123 }
eu-west-1: { ami: ami-0def456 }
Resources:
AppServer:
Type: AWS::EC2::Instance
Properties:
ImageId: !FindInMap [RegionAmi, !Ref "AWS::Region", ami]
Outputs:
ServerId:
Value: !Ref AppServer
Export: { Name: !Sub "${Environment}-app-server-id" }
Constrain parameters and mark secrets NoEcho
Use AllowedValues, AllowedPattern, and Min/Max to reject bad input at deploy time rather than mid-provision. And never take a raw password as a plain parameter — set NoEcho: true so it is masked in the console and events, or better, use a Type that references Secrets Manager / SSM Parameter Store so the secret never sits in the template or stack history.