ufo 4.6.3 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1d21bb7586b951ad481495696dc9c1e9422544dca617a499d732572eb771f980
-  data.tar.gz: e4bb2a216b12b683267700525e5bc91e0d1232c1ce0e2b9a8b770a73a11da6a9
+  metadata.gz: ce5c8180b261636a61805a4abc5cbd3d556784f77dbf20ca0f2384d8ab50ae32
+  data.tar.gz: 9d6e1955bd7ca4b35b347c61986af5c92c916410a1d9b43b0d11a76e1dbd4fc3
 SHA512:
-  metadata.gz: 12ec77a43798cc2689e0a73a8403c4b2e5a283b8f91a8fd7201b5a5d5d1811ec392aa345d5f0b23a01a7ad65df51ff726506e8a7d403a0574aedc0f23cb3ec75
-  data.tar.gz: 8ad9032a96b45cf5c79757eb4df295cc4acbb38b51687faa4abde46290bc8eaa901a38de1fd0049284671fddeaa1558b1915c53bf7977d5000dfc8187f519f4f
+  metadata.gz: 60ec0e82534f94e8daffbb9587f22753e4df92a77545ba4f220e0f9f3f1568a7dc0722f32e278f1853160ab477e80b0cfef8dbde6330c0b0af46a3e4695c8bc6
+  data.tar.gz: 4bb7540d47f271ea211b3ade315b6a69fe9d1ce23b2cf0cef82cf2ddb1905d849a6064a08aab07279e623073f985542f8396533aedde86fc0b78a39e99ca8bb0

data/CHANGELOG.md

@@ -3,6 +3,20 @@
 All notable changes to this project will be documented in this file.
 This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [5.0.0]
+- #104 adjust logs default format to detailed
+- #105 major rework: build cfn template with Ruby instead of ERB for new features
+- #106 secrets support
+- Codified iam_role support with .ufo/iam_roles files: custom and managed policy support. The ECS Task definition was moved into CloudFormation to support this.
+- Allow per service security groups
+- Conventional .ufo/settings cfn and network files based on ufo env
+- Managed_security_groups_enabled=false setting.yml
+- Project custom helper methods support
+- Add image-override option for ufo ship
+- Notification ARN stack cloudformation support for compliance reasons
+- update cfn/default to use CamelCase. maintain backward compatibility with underscore. through encourage users to upgrade to CamelCase. There's less mental translation overhead.
+- remove pretty option: always pretty
+
 ## [4.6.3]
 - #101 improve ufo init help
 

data/docs/_docs/extras/notification-arns.md

@@ -0,0 +1,21 @@
+---
+title: Notification ARNs
+categories: extras
+nav_order: 99
+---
+
+You can specific notification arns for CloudFormation stack related events with [configs/settings.yml]({% link _docs/settings.md %}). This may be useful for compliance purposes.
+
+## Example
+
+configs/settings.yml
+
+```yaml
+base:
+  notification_arns:
+  - arn:aws:sns:us-west-2:112233445566:my-sns-topic1
+```
+
+This will set the `notification_arns` option as the CloudFormation stack created by `ufo ship`.
+
+{% include prev_next.md %}

data/docs/_docs/helpers.md

@@ -9,10 +9,12 @@ For example, one of the helper methods provides the exposed port in the Dockerfi
 
 Helper  | Description
 ------------- | -------------
-full\_image\_name | The full docker image name that ufo builds. The "base" portion of the docker image name is defined in `settings.yml`. For example, the base portion is `tongueroo/demo-ufo` and the full image name is `tongueroo/demo-ufo:ufo-[timestamp]-[sha]`. The base name does not include the generated Docker tag, which contains a timestamp and git sha of the project.
-dockerfile\_port | Exposed port extracted from the Dockerfile of the project. 
-env_vars(text) | This method takes a block of text that contains the env values in `key=value` format and converts that block of text to the proper task definition JSON format.
-env_file(path) | This method takes a `.env` file which contains a simple key-value list of environment variables and converts the list to the proper task definition JSON format.
+full\_image\_name | The full docker image name that ufo builds. The "base" portion of the docker image name is defined in `settings.yml`. For example, the base portion is `tongueroo/demo-ufo` and the full image name is `tongueroo/demo-ufo:ufo-[timestamp]-[sha]`. The base name does not include the generated Docker tag, which contains a timestamp and git sha of the project.
+dockerfile\_port | Exposed port extracted from the Dockerfile of the project.
+env_vars(text) | This method takes a block of text that contains the env values in `key=value` format and converts that block of text to the proper task definition JSON format.
+env_file(path) | This method takes a `.env` file which contains a simple key-value list of environment variables and converts the list to the proper task definition JSON format.
+secrets_vars(text) | This method takes a block of text that contains the secrets values in `key=value` format and converts that block of text to the proper task definition JSON format.
+secrets_file(path) | This method takes a `.secrets` file which contains a simple key-value list of environment variables and converts the list to the proper task definition JSON format.
 task_definition_name | The name of the task_definition.  So if the code looks like this `task_definition "demo-web" do`, the task_definition_name is "demo-web".
 
 To call the helper in task_definitions.rb you must add `helper.` in front.  So `full_image_name` is called via `helper.full_image_name`.

data/docs/_docs/iam-roles.md

@@ -0,0 +1,111 @@
+---
+title: Task Definition IAM Roles
+---
+
+## What are ECS IAM Roles?
+
+For ECS Task Definitions, you can assign it 2 IAM roles: 1) taskRoleArn and 2) executionRoleArn. It's usually defined in the JSON structure like so:
+
+```json
+{
+  "family": "..",
+  "taskRoleArn": "...",
+  "executionRoleArn": "...",
+  "containerDefinitions": [
+    ...
+  ]
+}
+```
+
+Here's a table that explains the difference between the 2 IAM roles.
+
+Name | Purpose
+--- | ---
+taskRoleArn | This is the role that the ECS task itself uses. So this is what IAM permissions your application has access to. Think about it as the "container role".
+executionRoleArn | This is the role that the EC2 instance host uses. This allows the EC2 instance to pull from the ECR registry. Think about it as the "host role".
+
+## How to Assign IAM Roles with UFO
+
+You can assign an IAM role to the ECS Task definition in ways:
+
+1. IAM Role with Code (UFO Managed)
+2. Precreated IAM Role
+
+## IAM Role with Code (UFO Managed)
+
+UFO can automatically create the IAM and assign it to the task definition. You create these files so UFO will know to create and manage the IAM roles.
+
+    .ufo/iam_roles/execution_role.rb
+    .ufo/iam_roles/task_role.rb
+
+### Example 1
+
+You then use a DSL to create the IAM roles. Here are examples:
+
+.ufo/iam_roles/execution_role.rb
+
+```ruby
+managed_iam_policy("AmazonEC2ContainerRegistryReadOnly")
+managed_iam_policy("AmazonSSMReadOnlyAccess")
+managed_iam_policy("CloudWatchLogsFullAccess")
+managed_iam_policy("SecretsManagerReadWrite")
+managed_iam_policy("service-role/AmazonECSTaskExecutionRolePolicy")
+```
+
+.ufo/iam_roles/task_role.rb
+
+```ruby
+iam_policy("AmazonS3ReadOnlyAccess",
+  Action: [
+    "s3:Get*",
+    "s3:List*"
+  ],
+  Effect: "Allow",
+  Resource: "*"
+)
+iam_policy("CloudwatchWrite",
+  Action: [
+    "cloudwatch:PutMetricData",
+  ],
+  Effect: "Allow",
+  Resource: "*"
+)
+```
+
+### Example 2
+
+You can use the `managed_iam_policy` and `iam_policy` together. You can also group multiple statements in the `iam_policy` declaration.
+
+.ufo/iam_roles/task_role.rb
+
+```ruby
+managed_iam_policy("AmazonSSMManagedInstanceCore")
+
+iam_policy("custom-policy", [
+  {
+    Action: "ecs:UpdateContainerInstancesState",
+    Resource: "*",
+    Effect: "Allow"
+  },
+  {
+    Action: "sns:Publish",
+    Resource: "*",
+    Effect: "Allow"
+  }
+])
+```
+
+## Pre-Created IAM Role
+
+You can also assign the task definition `executionRoleArn` with pre-created IAM roles. It looks something like this in the `.ufo/templates/main.json.erb` file:
+
+```json
+{
+  "family": "<%= @family %>",
+  "taskRoleArn": "arn:aws:iam::112233445566:role/pre-created-iam-role",
+  "executionRoleArn": "arn:aws:iam::112233445566:role/pre-created-iam-role",
+  "containerDefinitions": [
+    ...
+  ]
+}
+```

data/docs/_docs/secrets.md

@@ -0,0 +1,112 @@
+---
+title: Secrets
+---
+
+## What are Secrets?
+
+[ECS supports injecting secrets or sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) into the the environment as variables.  ECS handles the decryption the secrets go straight from AWS to the ECS task environment. It never passes through the machine calling `ufo ship` IE: your laptop, a deploy server, or CodeBuild, etc.
+
+ECS supports 2 storage backends for secrets:
+
+1. [Secrets Manager](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-envvar)
+2. [Systems Manager Parameter Store](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html#secrets-envvar-parameters)
+
+Here are both of the formats:
+
+Secrets manager format:
+
+```json
+{
+  "containerDefinitions": [{
+    "secrets": [{
+      "name": "environment_variable_name",
+      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
+    }]
+  }]
+}
+```
+
+Parameter store format:
+
+```json
+{
+  "containerDefinitions": [{
+    "secrets": [{
+      "name": "environment_variable_name",
+      "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
+    }]
+  }]
+}
+```
+
+## UFO Support
+
+Ufo supports both forms of secrets. You create a `.secrets` file and can reference it in the `.ufo/templates/main.json.erb`
+
+```json
+{
+  "family": "<%= @family %>",
+  # ...
+  <% if @secrets %>
+  "secrets": <%= helper.secrets_file(".secrets") %>,
+  <% end %>
+}
+```
+
+The `.secrets` file is like an env file that will understand a secrets-smart format.  Example:
+
+    NAME1=SSM:/my/parameter_name
+    NAME2=SECRETSMANAGER:/my/secret_name-AbCdEf
+
+The `SSM:` and `SECRETSMANAGER:` prefix will be expanded to the full ARN. You can also just specify the full ARN.
+
+    NAME1=arn:aws:ssm:region:aws_account_id:parameter/my/parameter_name
+    NAME2=arn:aws:secretsmanager:region:aws_account_id:secret:my/secret_name-AbCdEf
+
+In turn, this generates:
+
+```json
+{
+  "containerDefinitions": [{
+    "secrets": [
+      {
+        "name": "NAME1",
+        "valueFrom": "arn:aws:ssm:us-west-2:536766270177:parameter/demo/development/foo"
+      },
+      {
+        "name": "NAME2",
+        "valueFrom": "arn:aws:secretsmanager:us-west-2:536766270177:secret:/demo/development/my-secret-test-qRoJel"
+      }
+    ]
+  }]
+}
+```
+
+## Substitution
+
+Ufo also does a simple substition on the value. For example, the `:UFO_ENV` is replaced with the actual value of `UFO_ENV=development`. Example:
+
+    NAME1=SSM:demo/:UFO_ENV/parameter_name
+    NAME2=SECRETSMANAGER:demo/:UFO_ENV/secret_name-AbCdEf
+
+Expands to:
+
+    NAME1=arn:aws:ssm:region:aws_account_id:parameter/demo/development/parameter_name
+    NAME2=arn:aws:secretsmanager:region:aws_account_id:secret:/demo/development/secret_name-AbCdEf
+
+## IAM Permission
+
+If you're using secrets, you'll need to provide an IAM execution role so the EC2 instance has permission to read the secrets. Here's a starter example:
+
+.ufo/iam_roles/execution_role.rb
+
+```ruby
+managed_iam_policy("AmazonEC2ContainerRegistryReadOnly")
+managed_iam_policy("AmazonSSMReadOnlyAccess")
+managed_iam_policy("CloudWatchLogsFullAccess")
+managed_iam_policy("SecretsManagerReadWrite")
+```
+
+More info [ECS IAM Roles]({% link _docs/iam-roles.md %})
+
+{% include prev_next.md %}

data/docs/_docs/settings/cluster.md

@@ -11,25 +11,19 @@ Normally, the ECS cluster defaults to whatever UFO_ENV is set to by [convention]
 
 By default, these are all the same:
 
-```sh
-ufo ship demo-web
-UFO_ENV=development ufo ship demo-web # same
-UFO_ENV=development ufo ship demo-web --cluster development # same
-```
+    ufo ship demo-web
+    UFO_ENV=development ufo ship demo-web # same
+    UFO_ENV=development ufo ship demo-web --cluster development # same
 
 If you use a specific `UFO_ENV=production`, these are the same
 
-```
-UFO_ENV=production ufo ship demo-web
-UFO_ENV=production ufo ship demo-web --cluster production # same
-```
+    UFO_ENV=production ufo ship demo-web
+    UFO_ENV=production ufo ship demo-web --cluster production # same
 
 Override the convention by explicitly specifying the `--cluster` option in the CLI.
 
-```sh
-ufo ship demo-web --cluster custom-cluster # override the cluster
-UFO_ENV=production ufo ship demo-web --cluster production-cluster # override the cluster
-```
+    ufo ship demo-web --cluster custom-cluster # override the cluster
+    UFO_ENV=production ufo ship demo-web --cluster production-cluster # override the cluster
 
 The cavaet is that you must remember to specify `--cluster`.  A wrapper `bin/deploy` script could be useful here.
 

data/docs/_includes/subnav.html

@@ -25,6 +25,8 @@
                 </li>
                 <li><a href="{% link _docs/variables.md %}">Shared Variables</a></li>
                 <li><a href="{% link _docs/helpers.md %}">Helpers</a></li>
+                <li><a href="{% link _docs/secrets.md %}">Secrets</a></li>
+                <li><a href="{% link _docs/iam-roles.md %}">IAM Roles</a></li>
                 <li><a href="{% link _docs/conventions.md %}">Conventions</a></li>
                 <li><a href="{% link _docs/ufo-logs.md %}">Ufo Logs</a></li>
                 <li><a href="{% link _docs/ufo-env.md %}">Ufo Env</a></li>
@@ -44,6 +46,7 @@
                 <li><a href="{% link _docs/extras/minimal-deploy-iam.md %}">Minimal Deploy IAM</a></li>
                 <li><a href="{% link _docs/extras/codebuild-iam-role.md %}">CodeBuild IAM Role</a></li>
                 <li><a href="{% link _docs/extras/dockerfile-erb.md %}">Dockerfile.erb</a></li>
+                <li><a href="{% link _docs/extras/notification-arns.md %}">Notification Arns</a></li>
             </ul>
         </li>
         <li><a href="{% link _docs/upgrading.md %}">Upgrading</a>

data/docs/_reference/ufo-deploy.md

@@ -58,13 +58,12 @@ A more detailed post is available here: [How to Create Unlimited Extra Environme
 [--elb=ELB]                                  # Decides to create elb, not create elb or use existing target group.
 [--elb-eip-ids=one two three]                # EIP Allocation ids to use for network load balancer.
 [--elb-type=ELB_TYPE]                        # ELB type: application or network. Keep current deployed elb type when not specified.
-[--pretty], [--no-pretty]                    # Pretty format the json for the task definitions
-                                             # Default: true
 [--scheduling-strategy=SCHEDULING_STRATEGY]  # Scheduling strategy to use for the service. IE: replica, daemon
 [--stop-old-tasks], [--no-stop-old-tasks]    # Stop old tasks as part of deployment to speed it up
 [--task=TASK]                                # ECS task name, to override the task name convention.
 [--wait], [--no-wait]                        # Wait for deployment to complete
                                              # Default: true
+[--image-override=IMAGE_OVERRIDE]            # Override image in task definition for quick testing
 [--register], [--no-register]                # Register task definition
                                              # Default: true
 [--build], [--no-build]                      # Build task definition

data/docs/_reference/ufo-logs.md

@@ -30,7 +30,7 @@ If you have a current service name set.
                                    # Default: true
 [--since=SINCE]                    # From what time to begin displaying logs.  By default, logs will be displayed starting from 1 minutes in the past. The value provided can be an ISO 8601 timestamp or a relative time.
 [--format=FORMAT]                  # The format to display the logs. IE: detailed or short.  With detailed, the log stream name is also shown.
-                                   # Default: simple
+                                   # Default: detailed
 [--filter-pattern=FILTER_PATTERN]  # The filter pattern to use. If not provided, all the events are matched
 [--verbose], [--no-verbose]        
 [--mute], [--no-mute]              

data/docs/_reference/ufo-rollback.md

@@ -51,6 +51,8 @@ You only need to specify enough for a match to be found.  Ufo searches the 30 mo
 ## Options
 
 ```
+[--wait], [--no-wait]        # Wait for deployment to complete
+                             # Default: true
 [--verbose], [--no-verbose]  
 [--mute], [--no-mute]        
 [--noop], [--no-noop]        

data/docs/_reference/ufo-ship.md

@@ -115,13 +115,12 @@ You can change the scheduling strategy by explicitly specifying it.  Otherwise,
 [--elb=ELB]                                  # Decides to create elb, not create elb or use existing target group.
 [--elb-eip-ids=one two three]                # EIP Allocation ids to use for network load balancer.
 [--elb-type=ELB_TYPE]                        # ELB type: application or network. Keep current deployed elb type when not specified.
-[--pretty], [--no-pretty]                    # Pretty format the json for the task definitions
-                                             # Default: true
 [--scheduling-strategy=SCHEDULING_STRATEGY]  # Scheduling strategy to use for the service. IE: replica, daemon
 [--stop-old-tasks], [--no-stop-old-tasks]    # Stop old tasks as part of deployment to speed it up
 [--task=TASK]                                # ECS task name, to override the task name convention.
 [--wait], [--no-wait]                        # Wait for deployment to complete
                                              # Default: true
+[--image-override=IMAGE_OVERRIDE]            # Override image in task definition for quick testing
 [--verbose], [--no-verbose]                  
 [--mute], [--no-mute]                        
 [--noop], [--no-noop]                        

data/docs/_reference/ufo-ships.md

@@ -55,12 +55,11 @@ Note: The `--task` option is not used with the `ufo ships` command.
 [--elb=ELB]                                  # Decides to create elb, not create elb or use existing target group.
 [--elb-eip-ids=one two three]                # EIP Allocation ids to use for network load balancer.
 [--elb-type=ELB_TYPE]                        # ELB type: application or network. Keep current deployed elb type when not specified.
-[--pretty], [--no-pretty]                    # Pretty format the json for the task definitions
-                                             # Default: true
 [--scheduling-strategy=SCHEDULING_STRATEGY]  # Scheduling strategy to use for the service. IE: replica, daemon
 [--stop-old-tasks], [--no-stop-old-tasks]    # Stop old tasks as part of deployment to speed it up
 [--task=TASK]                                # ECS task name, to override the task name convention.
 [--wait], [--no-wait]                        # Wait for deployment to complete
+[--image-override=IMAGE_OVERRIDE]            # Override image in task definition for quick testing
 [--verbose], [--no-verbose]                  
 [--mute], [--no-mute]                        
 [--noop], [--no-noop]                        

data/docs/_reference/ufo-tasks-build.md

@@ -173,7 +173,6 @@ If you need to modify the task definition template to suite your own needs it is
 ## Options
 
 ```
-[--pretty], [--no-pretty]  # Pretty format the json for the task definitions
-                           # Default: true
+[--image-override=IMAGE_OVERRIDE]  # Override image in task definition for quick testing
 ```
 

data/lib/template/.secrets

@@ -0,0 +1,3 @@
+# fine to have comment in this file
+NAME1=SSM:parameter_name
+NAME2=SECRETSMANAGER:secret_name-AbCdEf

data/lib/template/.ufo/settings.yml.tt

@@ -13,6 +13,7 @@ base:
   # replacment might not work. For example, adding and removing a load balancer.
   # In these cases, you must delete the entire ecs service and recreate it.
   stack_naming: append_env
+  auto_camelize: false # new default setting in ufo v5
 
 development:
   # cluster: development

data/lib/template/.ufo/settings/cfn/default.yml.tt

@@ -3,38 +3,38 @@
 # CloudFormation. These options are inserting into the generated template.
 # More info: https://ufoships.com/docs/customize-cloudformation
 
-elb:
-  scheme: internet-facing
+Elb:
+  Scheme: internet-facing
 
 # https://docs.aws.amazon.com/fr_fr/elasticloadbalancing/latest/APIReference/API_CreateTargetGroup.html
 #
 # When using SSL with network elb, the target group protocol is usually http still
 # unless you also handle SSL termination at the app level.
-target_group:
-  port: 80 # only used with ECS if awsvpc mode
-  # protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP
+TargetGroup:
+  Port: 80 # only used with ECS if awsvpc mode
+  # Protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP
                   # ufo sets defaults in cloudformation template
                   #   application elb: HTTP
                   #   network elb: TCP
                   # so we can keep this commented out, unless we need HTTPS at the app level
   # Health check settings are supported by application load balancer only:
-  # health_check_path: /up # health check
-  health_check_interval_seconds: 10 # default: 30. Network ELB can only take 10 or 30
-  healthy_threshold_count: 2
-  unhealthy_threshold_count: 2 # default: 10
-  # health_check_protocol: HTTP # HTTP or HTTPS
-  # health_check_port: traffic-port
-  target_group_attributes:
-  - key: deregistration_delay.timeout_seconds
-    value: 10
+  # HealthCheckPath: /up # health check
+  HealthCheckIntervalSeconds: 10 # default: 30. Network ELB can only take 10 or 30
+  HealthyThresholdCount: 2
+  UnhealthyThresholdCount: 2 # default: 10
+  # HealthCheckProtocol: HTTP # HTTP or HTTPS
+  # HealthCheckPort: traffic-port
+  TargetGroupAttributes:
+  - Key: deregistration_delay.timeout_seconds
+    Value: 10
 
 # https://docs.aws.amazon.com/fr_fr/elasticloadbalancing/latest/APIReference/API_CreateListener.html
 #
 # This is the default listener and normally should listen to port 80.
-listener:
-  port: 80
+Listener:
+  Port: 80
   # For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocol is TCP.
-  # protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP, TLS
+  # Protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP, TLS
                   # ufo sets these defaults:
                   #   application elb: HTTP  # unless port is 443
                   #   application elb: HTTPS # if port is 443
@@ -43,8 +43,8 @@ listener:
                   # Can keep protocol commented out,
                   # unless need to override the defaults.
   # If using the listener to handle SSL
-  # certificates:
-  # - certificate_arn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
+  # Certificates:
+  # - CertificateArn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
 
 # An optional second listener can be created.
 # If HTTPS and SSL is required then the listener_ssl config is what you should use.
@@ -53,11 +53,11 @@ listener:
 #   to handle SSL termination.
 #
 # ufo creates an ssl listener when listener_ssl is set.
-# listener_ssl:
-#   port: 443
-#   # certificates:
-#   # - certificate_arn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
-#   # protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP, TLS
+# ListenerSsl:
+#   Port: 443
+#   # Certificates:
+#   # - CertificateArn: arn:aws:acm:us-east-1:111111111111:certificate/11111111-2222-3333-4444-555555555555
+#   # Protocol: TCP # valid values - application elb: HTTP HTTPS, network elb: TCP, TLS
 #                   # ufo handles setting the defaults:
 #                   #   application elb: HTTPS
 #                   #   network elb: TLS
@@ -66,7 +66,7 @@ listener:
 # Note, the route53 record set for the domain name must already exist.
 # The {stack_name} variable gets replaced with the name of the CloudFormation stack name.
 # Example: {stack_name} => demo-web
-# dns:
-#   name: "{stack_name}.yourdomain."
-#   hosted_zone_name: yourdomain. # dont forget the trailing period
+# Dns:
+#   Name: "{stack_name}.yourdomain."
+#   HostedZoneName: yourdomain. # dont forget the trailing period
 #   TTL: '60' # ttl has special upcase casing