Authoring desired state

This guide explains how to author the desired state in MechCloud Stateless IaC for AWS. You define your infrastructure using a clean, hierarchical YAML format that is inspired by CloudFormation but significantly simpler — no logical IDs, no !Ref, no state files, and no PascalCase. Instead, you use nesting for relationships, snake_case for properties, and ref: syntax for cross-resource references.

Key Principles

Step-by-Step: From CloudFormation to MechCloud

Let’s convert a simple CloudFormation stack into a MechCloud desired state.

CloudFormation (Original)

Resources:
  VPC1:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.2.0.0/16"

  SGWeb:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC1
      GroupDescription: "Allow HTTP from internet"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: "0.0.0.0/0"

  SGService:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC1
      GroupDescription: "Allow app traffic only from web1 SG"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref SGWeb

  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC1
      CidrBlock: "10.2.1.0/24"

  Service1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-0bc691261a82b32bc"
      InstanceType: "t3.small"
      SubnetId: !Ref Subnet1
      SecurityGroupIds:
        - !Ref SGService

  Web1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-0bc691261a82b32bc"
      InstanceType: "t3.small"
      SubnetId: !Ref Subnet1
      SecurityGroupIds:
        - !Ref SGWeb

MechCloud Desired State (Converted)

This template contains two security groups (sg_web and sg_service) that are declared together under the same parent resource (vpc1). sg_service needs to refer to the ID of sg_web in its ingress rule (AWS expects an actual security-group ID like sg-0123456789). Because that ID is only known once the security group is created, MechCloud lets you refer to the other resource by name using the special ref:<name> syntax.

The EC2 instances (web1 and service1) are nested under subnet1, which is a different resources: block (a different parent) than the security groups. They therefore cannot use the short ref:sg_name form (which resolves only among siblings in the same resources: block). Instead they must use the full relative path to the security group so MechCloud can uniquely locate it across the hierarchy:

• source_security_group_id: "ref:sg_web" — used inside sg_service because sg_web and sg_service are siblings under vpc1; this references sg_web’s ID for the security-group ingress rule.

• security_group_ids: ["ref:vpc1/sg_web"] and ["ref:vpc1/sg_service"] — used on the EC2 instances because the instances live under vpc1/subnet1. The full path (vpc1/sg_web) tells MechCloud exactly which security-group resource to resolve and then substitute its actual ID into the instance’s SecurityGroupIds property.

In short: ref:<name> (short form) points to a sibling resource in the same resources: block; ref:<full_path> (path form) is required when the target resource lives under a different parent. MechCloud resolves either form at plan/apply time to the underlying AWS ID that CloudFormation/AWS expects.

Conversion Rules

Tip: Use hyphens in names for readability (e.g., my-vpc), but avoid spaces or special characters.

Notes and clarifications for the example template

• snake_case is mandatory in MechCloud YAML. MechCloud translates these property names to the AWS/CloudFormation property names when making provider calls (for example source_security_group_id → SourceSecurityGroupId).

• There are two kinds of ref: forms used in the example:

  • Short name (sibling) form: ref:<name> — used when one resource needs the ID of another resource that is declared together under the same parent. In the example both sg_web and sg_service are siblings under vpc1, so sg_service uses:

    MechCloud resolves ref:sg_web at plan/apply time to the actual security-group ID (for AWS).

  • Full-path (non-sibling) form: ref:<relative_path> — used when the referencing resource is in a different part of the hierarchy (different parent). In the example EC2 instances live under vpc1/subnet1, so they must reference the security groups by full relative path:

    The full path disambiguates the target resource for MechCloud so it can resolve it to the AWS GroupId.

• Use source_security_group_owner_id when referencing a security group that belongs to a different AWS account (this maps to CloudFormation SourceSecurityGroupOwnerId).

• Always ensure the ref: target resolves to a security-group resource (so MechCloud can substitute the runtime GroupId). If a ref: points to a non-existent path/name, plan will fail with an unresolved reference error.

Resource Paths (Must Be Unique)

Each resource gets a unique relative path based on its nesting within the hierarchy. This path allows MechCloud to resolve references (ref:) precisely at plan and apply time.

Each resource’s path must be unique across the entire desired state file.

Resource Id Aliases

Passing AMI ids and other resource identifiers, generated by a cloud provider, in the desired state is a huge pain. So you will first go to console or use cli and find out unique id of a cloud resource before using a child or linked resource. To simply this we support resource id aliases where you attached a special tag mc-alias to the target resource with a value of your choice and then use the value in a special format along with a predefined prefix for resource type. For example, instead of specifying AMI Ids, which vary by region, you can simply tag an AMI (e.g ubuntu server 24.04 for arm64) with arm64_ubuntu_24_04 alias in all the regions and then use this value in the desired state, which will be region agnostic, as follows -

resource id aliases are only supported for AWS AMIs at this moment and more resource types will be supported in the future -

Next Steps

1. Select Execution Context At the top of the MechCloud console, select the execution context for your operation:

   • Team — e.g., Academy (User 2)

   • Cloud Provider — e.g., AWS

   • Cloud Account — e.g., Academy

   • Region — e.g., Europe (Ireland)

   • Context — e.g., app1-dev1

2. Generate the Plan Click Plan to generate an execution plan. MechCloud compares the desired state (defined in YAML) with the actual AWS infrastructure and determines which resources require changes.

3. Review Plan Actions Each resource in the plan shows an action indicating how MechCloud will reconcile it:

   • create — the resource does not exist and will be created.

   • update — the resource exists but properties differ and will be updated.

   • delete — the resource exists but is no longer in the desired state and will be removed.

   • recreate — the resource will be deleted and then created again (for non-updatable property changes).

   • none — the resource is already in the desired state; no action required.

4. Apply the Plan (When Changes Exist)

   • The Apply button becomes visible only when the plan includes at least one resource whose action is not none.

   • Click Apply to provision or update resources as per the plan.

   • MechCloud will execute the required operations and bring your AWS environment to match the desired state.

5. Verify Post-Apply State

   • Once the apply completes, click Plan again to re-run the comparison.

   • If all resources now display action: none, the desired and actual states are in sync.

   • In this case, the Apply button will not be visible because no further changes are required.

6. Handle Errors (If Any)

   • If any errors occur during the apply step, re-run Plan to refresh dependencies and reconcile state.

   • Then click Apply again to retry provisioning with the updated plan.