AWS CloudFormation mapping different environments between regions

I'm fairly new to the CloudFormation process, and now that I am making some progress, I want to base my mappings off of the environment parameter and region. I was thinking something like:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Basic stack",
  "Parameters": {

    "EnvironmentType": {
      "Description": "Production or Development environment",
      "Type": "String",
      "AllowedValues": ["Prod", "Dev"],
      "ConstraintDescription": "Must be an allowed value"
    }
  },

  "Mappings":{
    "VPC": {
      "Prod": { 
        "us-east-1" : "vpc-12345678", 
        "eu-central-1" : "vpc-abcdefgh", 
        "ap-southeast-1" : "vpc-abcd1234" 
      },
      "Dev": { "us-east-1" : "vpc-1234efgh" }
    }
  },

  "Resources": {
    "ApplicationSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": { 
          "Fn::FindInMap" : [ 
            "VPC", 
            { "Ref" : "EnvironmentType" },
            { "Ref": "AWS::Region" }
          ]
        },
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "80",
            "ToPort": "80",
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": "443",
            "ToPort": "443",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}

However when I try this I get a Template Format error 'Mappings attribute name 'us-east-1' must contain only alphanumeric characters.'

How can I make this select the proper VPC id based off of environment and Region?

Joshuah Witmer asked Feb 05 '23 04:02


1 Answer

Try inverting your two mapping layers passed to Fn::FindInMap (AWS::Region followed by EnvironmentType):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Basic stack",
  "Parameters": {

    "EnvironmentType": {
      "Description": "Production or Development environment",
      "Type": "String",
      "AllowedValues": ["Prod", "Dev"],
      "ConstraintDescription": "Must be an allowed value"
    }
  },

  "Mappings":{
    "VPC": {
      "us-east-1": {
        "Prod": "vpc-12345678",
        "Dev": "vpc-1234efgh"
      },
      "eu-central-1": {
        "Prod": "vpc-abcdefgh"
      },
      "ap-southeast-1": {
        "Prod": "vpc-abcd1234"
      }
    }
  },

  "Resources": {
    "ApplicationSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Fn::FindInMap" : [
            "VPC",
            { "Ref": "AWS::Region" },
            { "Ref" : "EnvironmentType" }
          ]
        },
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "80",
            "ToPort": "80",
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": "443",
            "ToPort": "443",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}
wjordan answered Feb 07 '23 17:02