In this guide you’ll replace a hardcoded VPC ID in a CloudFormation template with a parameter typed as AWS::EC2::VPC::Id. Using this parameter type makes the template region-aware: when you create or update a stack, the CloudFormation console presents a dropdown of VPCs that exist in the selected region instead of requiring you to edit the template for each region.
Two related CloudFormation concepts are worth telling apart:
  • Pseudo-parameters (for example, AWS::Region, AWS::AccountId) are automatic, built-in values you can reference without declaring them.
  • Typed parameters (for example, AWS::EC2::VPC::Id) tell the console to present a list of existing resource identifiers from the region where the stack runs. This demo uses a typed parameter so you don’t need to hardcode a VPC ID.
Use the parameter type AWS::EC2::VPC::Id to let the CloudFormation console show available VPCs for the region where the stack runs. This is different from pseudo-parameters like AWS::Region.
Quick reference: parameter type behavior
| Parameter Type | What it does | When to use it |
| --- | --- | --- |
| AWS::EC2::VPC::Id | Console shows a dropdown of VPC IDs for the selected region | When you want the user to pick an existing VPC |
| AWS::EC2::Subnet::Id | Console shows available subnet IDs for the selected region | When the stack needs a subnet ID input |
| Pseudo-parameters (e.g. AWS::Region) | Built-in values, no user input required | When a value is always derived from the stack environment |
Initial template excerpt, with the instance type parameter and a resource placeholder:
Parameters:
  MyInstanceType:
    Type: String
    Description: Select your EC2 instance type
    AllowedValues:
      - t3.micro
      - t3.small

Resources:
  MyInstance:
    Type: AWS::EC2::Instance
Example of the resource that originally used a hardcoded VPC ID:
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and SSH access
      VpcId: vpc-0f5d3d6445abf20b5
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
Add a typed parameter for VPC selection
  • Define a new parameter named MyVPC with Type: AWS::EC2::VPC::Id.
  • Reference the parameter using !Ref where the VpcId is required.
Parameter addition:
Parameters:
  MyInstanceType:
    Type: String
    AllowedValues:
      - t3.micro
      - t3.small
  MyVPC:
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC to launch the EC2 instance in
Update the security group to reference the new parameter (note the explicit CIDR entries for ingress rules):
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and SSH access
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
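The SSH rule above admits port 22 from any IPv4 address. As an added example (not part of the original guide), the same parameter technique can narrow it: a hypothetical AdminCidr parameter with an AllowedPattern replaces the literal 0.0.0.0/0 on port 22. The parameter name, its pattern and its description text are assumptions.

```yaml
Parameters:
  MyVPC:
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC to launch the EC2 instance in
  # Hypothetical parameter, not in the original template: the only
  # network range allowed to reach SSH. No Default is set, so whoever
  # creates or updates the stack must supply a range explicitly.
  AdminCidr:
    Type: String
    Description: CIDR block allowed to connect over SSH (for example a VPN or bastion range)
    # Shape check only (a.b.c.d/n); accepts prefix lengths /8 through /32,
    # so 0.0.0.0/0 fails parameter validation before any resource changes.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/(3[0-2]|[12]\d|[89])$'
    ConstraintDescription: Must be an IPv4 CIDR such as 10.20.0.0/16 with a prefix length between /8 and /32

Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and SSH access
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        # HTTP stays open to the internet, as in the guide.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # Before: CidrIp: 0.0.0.0/0 (SSH reachable from any address)
        # After: SSH limited to the range supplied at deploy time.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
```

GroupDescription is left unchanged here so that only the ingress rule changes when this is applied to the existing stack.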
Consolidated parameters section with descriptions (save this change before updating the stack):
Parameters:
  MyInstanceType:
    Type: String
    Description: Select your EC2 instance type
    AllowedValues:
      - t3.micro
      - t3.small
  MyVPC:
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC to launch the EC2 instance in
Update the stack in the CloudFormation console
  • Choose “Replace current template” → Upload the updated template or paste it into the console.
  • On the stack details page, the MyVPC parameter will appear as a dropdown populated with VPCs from the selected region.
Screenshot of the AWS CloudFormation console on the "Update stack" page. It shows the "Prerequisite - Prepare template" panel with options to use an existing template, replace it, or edit in Infrastructure Composer.
On the “Specify stack details” step you can choose the VPC from the dropdown; the console shows both the VPC ID and its CIDR block to help selection:
A screenshot of the AWS CloudFormation console on the "Update stack – Specify stack details" step showing template parameters. The MyInstanceType is set to "t3.micro" and the MyVPC dropdown is open showing a VPC ID and its CIDR (172.31.0.0/16).
Proceed through the update workflow (Next → Next → Submit). The console prepares a change set and then applies the update.
Screenshot of the AWS CloudFormation console showing a "Change set preview" page with an empty/loading Changes panel. Buttons at the bottom include "View change set", "Cancel", "Previous", and an orange "Submit" button.
If you select a different VPC than the one currently used by the stack, CloudFormation may need to replace resources that cannot move between VPCs (for example, security groups). Resource replacements can take longer than a quick update—review the change set carefully before submitting.
Behavior notes
  • If you choose the same VPC that was already in use, the update may complete quickly because no effective resource changes are required.
  • If you choose a different VPC, CloudFormation might recreate resources that are VPC-specific (security groups, network interfaces, etc.), which can increase update time.
Final consolidated example (contextual template excerpt):
Metadata:
  Purpose: Basic EC2 instance with HTTP and SSH access

Parameters:
  MyInstanceType:
    Type: String
    Description: Select your EC2 instance type
    AllowedValues:
      - t3.micro
      - t3.small
  MyVPC:
    Type: AWS::EC2::VPC::Id
    Description: Select the VPC to launch the EC2 instance in

Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and SSH access
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  MyInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref MyInstanceType
      SecurityGroupIds:
        - !Ref MySecurityGroup
      # Note: For a complete, deployable template you must also specify ImageId (AMI) and any other required properties.
That’s it — using the AWS::EC2::VPC::Id parameter type makes your CloudFormation template region-aware for VPC selection and removes the need to embed region-specific VPC IDs in your template.
