From f29cbd4fa38db475fd176b9034c52a262b3d8584 Mon Sep 17 00:00:00 2001 From: wasims-git <91148416+wasims-git@users.noreply.github.com> Date: Wed, 26 Apr 2023 12:20:56 -0400 Subject: [PATCH] RDS SQL Server Refresh --- rds-sqlserver-main.template.yaml | 691 ++++++++++++++++++++++++++ rds-sqlserver.template.yaml | 818 +++++++++++++++++++++++++++++++ 2 files changed, 1509 insertions(+) create mode 100644 rds-sqlserver-main.template.yaml create mode 100644 rds-sqlserver.template.yaml diff --git a/rds-sqlserver-main.template.yaml b/rds-sqlserver-main.template.yaml new file mode 100644 index 0000000..e56bfa4 --- /dev/null +++ b/rds-sqlserver-main.template.yaml 
@@ -0,0 +1,691 @@ +Description: "AWS VPC + Linux bastion host + RDS SQLServer" +Metadata: + LICENSE: Apache License Version 2.0 + cfn-lint: + config: + ignore_checks: + - E9101 + - I3011 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - Label: + default: Linux Bastion Host configuration + Parameters: + - EnableBastion + - KeyPairName + - RemoteAccessCIDR + - EnableTCPForwarding + - Label: + default: Database General configuration + Parameters: + - Engine + - DBEngineVersion + - DBInstanceClass + - DBPort + - DBMasterUsername + - ManageMasterUserPassword + - DBMasterUserPassword + - DBMultiAZ + - DBAutoMinorVersionUpgrade + - DBBackupRetentionPeriod + - Label: + default: Database Storage configuration + Parameters: + - DBStorageType + - DBAllocatedStorage + - DBAllocatedStorageEncrypted + - StorageIOPS + - StorageThroughput + - Label: + default: Database Monitoring configuration + Parameters: + - DBExportLogToCloudwatch + - EnablePerformanceInsights + - PerformanceInsightsRetentionPeriod + - EnableEnhancedMonitoring + - MonitoringInterval + - EnableEventSubscription + - NotificationList + - Label: + default: Database tags (optional) + Parameters: + - EnvironmentStage + - Application + - ApplicationVersion + - ProjectCostCenter + - Confidentiality + - Compliance + - Label: + default: Quick Start configuration + Parameters: + - QSS3BucketName + - QSS3BucketRegion + - QSS3KeyPrefix + ParameterLabels: + + #VPC stack related parameter labels + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + PrivateSubnet3CIDR: + default: Private subnet 3 CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + 
PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + + #Bastion host related parameter labels + EnableBastion: + default: Create bastion stack + KeyPairName: + default: Key Name + RemoteAccessCIDR: + default: Permitted IP range + EnableTCPForwarding: + default: Enable TCP Forwarding + + #Quickstart related parameter labels + QSS3BucketName: + default: Quick Start S3 bucket name + QSS3BucketRegion: + default: Quick Start S3 bucket region + QSS3KeyPrefix: + default: Quick Start S3 key prefix + + #RDS related parameter labels + Application: + default: Application name + ApplicationVersion: + default: Application version + Compliance: + default: Compliance classifier + Confidentiality: + default: Confidentiality classifier + DBAllocatedStorage: + default: Database allocated storage size in GiB + DBAllocatedStorageEncrypted: + default: Database encryption enabled + DBAutoMinorVersionUpgrade: + default: Database auto minor version upgrade + DBBackupRetentionPeriod: + default: Database backup retention period + Engine: + default: SQL Server edition type + DBEngineVersion: + default: Database Engine Version + DBExportLogToCloudwatch: + default: Export Database Log to CloudWatch + DBInstanceClass: + default: Database instance class + DBMasterUsername: + default: Database master username + DBMasterUserPassword: + default: Database master password + DBMultiAZ: + default: RDS Multi-AZ DB Instance deployment + DBPort: + default: Database port + DBStorageType: + default: Database storage type + EnableEnhancedMonitoring: + default: Enable Enhanced Monitoring + EnableEventSubscription: + default: Enable Event Subscription + EnablePerformanceInsights: + default: Enable RDS Performance Insights + EnvironmentStage: + default: Environment stage + ManageMasterUserPassword: + default: Manage DB master user password with AWS Secrets Manager + MonitoringInterval: + default: Enhanced monitoring interval + NotificationList: + default: SNS 
notification email + PerformanceInsightsRetentionPeriod: + default: Number of days to retain Performance Insights data + ProjectCostCenter: + default: Project cost center + StorageIOPS: + default: Provisioned IOPS for gp3/io1 storage type + StorageThroughput: + default: Provisioned Throughput for gp3 storage type in MiBps + +Parameters: + + #VPC stack related parameters + AvailabilityZones: + Description: >- + List of Availability Zones to use for the subnets in the VPC. Only three + Availability Zones are used for this deployment, and the logical order of + your selections is preserved. + Type: 'List' + PrivateSubnet1CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.0.0/19 + Description: CIDR block for private subnet 1 located in Availability Zone 1. + Type: String + PrivateSubnet2CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.32.0/19 + Description: CIDR block for private subnet 2 located in Availability Zone 2. + Type: String + PrivateSubnet3CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.64.0/19 + Description: CIDR block for private subnet 3 located in Availability Zone 3. 
+ Type: String + PublicSubnet1CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.96.0/20 + Description: CIDR block for the public subnet 1 located in Availability Zone 1. + Type: String + PublicSubnet2CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.128.0/20 + Description: CIDR block for the public subnet 2 located in Availability Zone 2. + Type: String + PublicSubnet3CIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.160.0/20 + Description: CIDR block for the public subnet 3 located in Availability Zone 3. + Type: String + VPCCIDR: + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + Default: 10.0.0.0/16 + Description: CIDR block for the VPC. + Type: String + + #Bastion host related parameters + EnableBastion: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "If true, a bastion stack will be created." + Type: String + EnableTCPForwarding: + Type: String + Description: Enable/Disable TCP Forwarding for the bastion host + Default: 'false' + AllowedValues: + - 'true' + - 'false' + KeyPairName: + ConstraintDescription: "Name of an existing EC2 key pair." + Description: Name of an existing public/private key pair, for connecting to the bastion host. 
+ Type: "AWS::EC2::KeyPair::KeyName" + RemoteAccessCIDR: + AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" + Description: "Allowed CIDR block for external SSH access to the bastion host." + Default: 10.0.0.0/16 + Type: String + + #Quickstart related parameters + QSS3BucketName: + AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" + ConstraintDescription: "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." + Default: aws-quickstart + Description: "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." + Type: String + QSS3BucketRegion: + Default: 'us-east-1' + Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' + Type: String + QSS3KeyPrefix: + AllowedPattern: "^[0-9a-zA-Z-/]*$" + ConstraintDescription: "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." + Default: quickstart-amazon-aurora-postgresql/ + Description: "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." + Type: String + + #RDS related parameters + Application: + Type: String + Default: '' + Description: Designates the application of the associated AWS resource. (Optional) + ApplicationVersion: + Type: String + Description: Designates the specific version of the application. (Optional) + Default: '' + Compliance: + Type: String + Default: '' + Description: Designates the compliance level for the AWS resource. 
(Optional) + AllowedValues: + - hipaa + - sox + - fips + - other + - '' + Confidentiality: + Type: String + Default: '' + Description: Designates the confidentiality classification of the data that is associated with the resource. (Optional) + AllowedValues: + - public + - private + - confidential + - pii/phi + - '' + DBAllocatedStorage: + Default: 100 + Description: Allocated storage size in GiB. For gp2 and gp3, must be an integer from 20 to 16384. For io1, must be an integer from 100 to 16384. + Type: Number + MinValue: 20 + MaxValue: 16384 + ConstraintDescription: Must be an integer from 20 to 16384 for gp2/gp3 and 100 to 16384 for io1. + DBAllocatedStorageEncrypted: + Default: "true" + AllowedValues: + - "true" + - "false" + Description: Whether or not to encrypt the database. + Type: String + DBAutoMinorVersionUpgrade: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Select true to set up auto minor version upgrade." + Type: String + DBBackupRetentionPeriod: + Default: 35 + Description: "The number of days for which automatic database snapshots are retained." + Type: Number + MinValue: 0 + MaxValue: 35 + Engine: + Default: sqlserver-se + Type: String + AllowedValues: + - "sqlserver-se" + - "sqlserver-ee" + - "sqlserver-web" + - "sqlserver-ex" + Description: "Select the desired SQL server editon" + DBEngineVersion: + Description: Select Database Engine Version + Type: String + Default: 15.00.4236.7.v1 + AllowedValues: + - 12.00.6293.0.v1 + - 12.00.6329.1.v1 + - 12.00.6433.1.v1 + - 12.00.6439.10.v1 + - 13.00.6300.2.v1 + - 13.00.6419.1.v1 + - 14.00.3281.6.v1 + - 14.00.3294.2.v1 + - 14.00.3356.20.v1 + - 14.00.3381.3.v1 + - 14.00.3401.7.v1 + - 14.00.3421.10.v1 + - 14.00.3451.2.v1 + - 15.00.4043.16.v1 + - 15.00.4073.23.v1 + - 15.00.4153.1.v1 + - 15.00.4198.2.v1 + - 15.00.4236.7.v1 + DBExportLogToCloudwatch: + Default: '' + Description: "Specify the comma-delimited list of database logs (error, agent) to export to CloudWatch Logs." 
+ Type: CommaDelimitedList + DBInstanceClass: + Default: db.r5.large + Description: >- + The database instance type. Please note Enterprise Editon will need instance with minimum 4 vCPU's like db.r5.xlarge or db.m5.xlarge or higher + Please see supported instance types for the SQLServer version selected https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html + Type: String + AllowedValues: + - db.m4.10xlarge + - db.m4.2xlarge + - db.m4.4xlarge + - db.m4.large + - db.m4.xlarge + - db.m5.12xlarge + - db.m5.16xlarge + - db.m5.24xlarge + - db.m5.2xlarge + - db.m5.4xlarge + - db.m5.8xlarge + - db.m5d.12xlarge + - db.m5d.16xlarge + - db.m5d.24xlarge + - db.m5d.2xlarge + - db.m5d.4xlarge + - db.m5d.8xlarge + - db.m5d.large + - db.m5d.xlarge + - db.m5.large + - db.m5.xlarge + - db.m6i.2xlarge + - db.m6i.4xlarge + - db.m6i.8xlarge + - db.m6i.large + - db.m6i.xlarge + - db.r4.2xlarge + - db.r4.4xlarge + - db.r4.8xlarge + - db.r4.large + - db.r4.xlarge + - db.r5.12xlarge + - db.r5.16xlarge + - db.r5.24xlarge + - db.r5.2xlarge + - db.r5.4xlarge + - db.r5.8xlarge + - db.r5b.12xlarge + - db.r5b.16xlarge + - db.r5b.24xlarge + - db.r5b.2xlarge + - db.r5b.4xlarge + - db.r5b.8xlarge + - db.r5b.large + - db.r5b.xlarge + - db.r5d.12xlarge + - db.r5d.16xlarge + - db.r5d.24xlarge + - db.r5d.2xlarge + - db.r5d.4xlarge + - db.r5d.8xlarge + - db.r5d.large + - db.r5d.xlarge + - db.r5.large + - db.r5.xlarge + - db.r6i.2xlarge + - db.r6i.4xlarge + - db.r6i.8xlarge + - db.r6i.large + - db.r6i.xlarge + - db.t3.2xlarge + - db.t3.xlarge + - db.x1e.16xlarge + - db.x1e.2xlarge + - db.x1e.32xlarge + - db.x1e.4xlarge + - db.x1e.8xlarge + - db.x1e.xlarge + - db.m4.16xlarge + - db.r4.16xlarge + - db.x1.16xlarge + - db.x1.32xlarge + - db.z1d.12xlarge + - db.z1d.2xlarge + - db.z1d.3xlarge + - db.z1d.6xlarge + - db.z1d.large + - db.z1d.xlarge + DBMasterUsername: + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: "Must begin with a letter and contain only 
alphanumeric characters." + Default: sqlsa + Description: "The database master username." + MaxLength: "16" + MinLength: "1" + Type: String + DBMasterUserPassword: + AllowedPattern: >- + ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ + ConstraintDescription: >- + Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol + Default: "Gjht56Ft$" + Description: "The database master user password. Required if _Manage DB master user password with AWS Secrets Manager_ option is set to false." + MaxLength: "64" + MinLength: "8" + NoEcho: "True" + Type: String + DBMultiAZ: + AllowedValues: + - "true" + - "false" + Default: "false" + Description: "Select true to deploy a RDS Multi-AZ DB instance." + Type: String + DBPort: + Default: 1433 + Description: "The port the instance will listen for connections on." + Type: Number + ConstraintDescription: 'Must be in the range [1150-65535].' + MinValue: 1150 + MaxValue: 65535 + DBStorageType: + Default: io1 + Description: Select the EBS storage type for the RDS SQLServer database. + Type: String + AllowedValues: + - gp2 + - gp3 + - io1 + EnableEnhancedMonitoring: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Enables RDS Performance Insights" + Type: String + EnableEventSubscription: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Enables event subscription to Notification List" + Type: String + EnablePerformanceInsights: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Enables RDS Performance Insights" + Type: String + EnvironmentStage: + Type: String + Description: Designates the environment stage of the associated AWS resource. (Optional) + AllowedValues: + - dev + - test + - pre-prod + - prod + - none + Default: none + ManageMasterUserPassword: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Set to true to manage the master user password with AWS Secrets Manager." 
+ Type: String + MonitoringInterval: + Default: 10 + Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." + Type: Number + AllowedValues: + - 1 + - 5 + - 10 + - 15 + - 30 + - 60 + ConstraintDescription: Valid values are 0, 1, 5, 10, 15, 30, 60 seconds. + NotificationList: + Type: String + Default: 'db-ops@domain.com' + Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. + AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' + ConstraintDescription: Provide a valid email address. + PerformanceInsightsRetentionPeriod: + Default: 7 + Description: "The number of days for which automatic database snapshots are retained. Specify days based on (month * 31), where month is a number of months from 1-23" + Type: Number + MinValue: 7 + MaxValue: 713 + ProjectCostCenter: + Type: String + Default: '' + Description: Designates the cost center associated with the project of the given AWS resource. (Optional) + StorageIOPS: + Default: '0' + Description: >- + If you choose gp3 (and allocate >= 400 GiB) or io1, you must specify provisioned IOPS. Leave at default value otherwise. + For io1, the ratio of provisioned IOPS to allocated storage (in GiB) must be from 0.5 to 50. + For gp3, the maximum ratio of provisioned IOPS to allocated storage (in GiB) is 500. + For details, refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html + Type: String + StorageThroughput: + Default: '0' + Description: >- + Provisioned throughput in MiBps. + If you choose gp3 (and allocate >= 400 GiB) as storage type, you must specify provisioned throughput. Leave at default value otherwise. + The maximum ratio of provisioned storage throughput (in MiBps) to IOPS is 0.25. 
+ For details, refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html + Type: String + +Conditions: + EnableBastionAccess: !Equals + - !Ref EnableBastion + - "true" + UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] + +Rules: + IOPSForIO1: + Assertions: + - Assert: !Or [!Not [!Equals [!Ref DBStorageType, 'io1']], !Not [!Equals [!Ref StorageIOPS, '0']]] + AssertDescription: "For io1 storage type, you must specify provisioned IOPS" + +Resources: + + VPCStack: + Type: 'AWS::CloudFormation::Stack' + Properties: + TemplateURL: + Fn::Sub: + - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' + - S3Region: !If + - UsingDefaultBucket + - !Ref AWS::Region + - !Ref QSS3BucketRegion + S3Bucket: !If + - UsingDefaultBucket + - !Sub '${QSS3BucketName}-${AWS::Region}' + - !Ref QSS3BucketName + Parameters: + AvailabilityZones: !Join + - ',' + - !Ref AvailabilityZones + NumberOfAZs: '3' + PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR + PrivateSubnet3ACIDR: !Ref PrivateSubnet3CIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + VPCCIDR: !Ref VPCCIDR + + BastionStack: + Condition: EnableBastionAccess + Type: 'AWS::CloudFormation::Stack' + Properties: + TemplateURL: + !Sub + - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template' + - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] + S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] + Parameters: + KeyPairName: !Ref KeyPairName + PublicSubnet1ID: !GetAtt + - VPCStack + - Outputs.PublicSubnet1ID + PublicSubnet2ID: !GetAtt + - VPCStack + - Outputs.PublicSubnet2ID + EnableTCPForwarding: !Ref EnableTCPForwarding + 
RemoteAccessCIDR: !Ref RemoteAccessCIDR + VPCID: !GetAtt + - VPCStack + - Outputs.VPCID + QSS3BucketName: !Ref QSS3BucketName + QSS3BucketRegion: !Ref QSS3BucketRegion + QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ + + RDSNS: + Type: AWS::CloudFormation::Stack + Properties: + #Update the following to the S3 staging location + TemplateURL: https://aws-isv-pnp-cfn-templates.s3.us-west-2.amazonaws.com/rds-service-catalog/rds/rds-sqlserver.template.yaml + Parameters: + #Database Network configuration + VPCID: + Fn::GetAtt: + - VPCStack + - Outputs.VPCID + Subnet1ID: + Fn::GetAtt: + - VPCStack + - Outputs.PrivateSubnet1AID + Subnet2ID: + Fn::GetAtt: + - VPCStack + - Outputs.PrivateSubnet2AID + Subnet3ID: + Fn::GetAtt: + - VPCStack + - Outputs.PrivateSubnet3AID + DBAccessCIDR: !Ref VPCCIDR + #Database General configuration + DBEngineVersion: !Ref DBEngineVersion + DBInstanceClass: !Ref DBInstanceClass + DBPort: !Ref DBPort + DBMasterUsername: !Ref DBMasterUsername + ManageMasterUserPassword: !Ref ManageMasterUserPassword + DBMasterUserPassword: !Ref DBMasterUserPassword + DBMultiAZ: !Ref DBMultiAZ + DBAutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade + DBBackupRetentionPeriod: !Ref DBBackupRetentionPeriod + #Database Storage configuration + DBStorageType: !Ref DBStorageType + DBAllocatedStorage: !Ref DBAllocatedStorage + DBAllocatedStorageEncrypted: !Ref DBAllocatedStorageEncrypted + StorageIOPS: !Ref StorageIOPS + StorageThroughput: !Ref StorageThroughput + #Database Monitoring configuration + DBExportLogToCloudwatch: !Join + - ',' + - !Ref DBExportLogToCloudwatch + EnablePerformanceInsights: !Ref EnablePerformanceInsights + PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod + EnableEnhancedMonitoring: !Ref EnableEnhancedMonitoring + MonitoringInterval: !Ref MonitoringInterval + EnableEventSubscription: !Ref EnableEventSubscription + NotificationList: !Ref NotificationList + #Database tags (optional) + 
EnvironmentStage: !Ref EnvironmentStage + Application: !Ref Application + ApplicationVersion: !Ref ApplicationVersion + ProjectCostCenter: !Ref ProjectCostCenter + Confidentiality: !Ref Confidentiality + Compliance: !Ref Compliance \ No newline at end of file diff --git a/rds-sqlserver.template.yaml b/rds-sqlserver.template.yaml new file mode 100644 index 0000000..5d64c1b --- /dev/null +++ b/rds-sqlserver.template.yaml 
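Review bot: DBMasterUserPassword ships with a concrete default, `Default: "Gjht56Ft$"`, so anyone who sets ManageMasterUserPassword to false and leaves the field untouched gets a master password that is public in this repository; drop the `Default:` line here and on the same parameter in rds-sqlserver.template.yaml, and let the NoEcho parameter be required when secrets management is off. The `Engine` parameter is collected under "Database General configuration" but never forwarded to the RDSNS stack, whose DBEngine parameter therefore always falls back to its own default of sqlserver-se; add `DBEngine: !Ref Engine` to the RDSNS Parameters block. RDSNS also hard-codes `TemplateURL: https://aws-isv-pnp-cfn-templates.s3.us-west-2.amazonaws.com/rds-service-catalog/rds/rds-sqlserver.template.yaml` behind an "#Update the following to the S3 staging location" comment, while VPCStack and BastionStack derive their URLs from QSS3BucketName/QSS3BucketRegion/QSS3KeyPrefix; building it the same way keeps the nested template in a bucket the deployer controls and can pin, rather than a third-party one that can change after review. Related copy-paste leftovers: QSS3KeyPrefix defaults to `quickstart-amazon-aurora-postgresql/`, EnableEnhancedMonitoring and PerformanceInsightsRetentionPeriod reuse the Performance Insights and snapshot-retention descriptions respectively, and MonitoringInterval's ConstraintDescription lists 0 although AllowedValues does not include it. The DBEngineVersion list here admits eighteen versions while the nested template's DBFamilyMap covers only two of them, so if that map is consulted by version the other selections would fail at FindInMap — worth confirming against the part of rds-sqlserver.template.yaml not shown in this patch.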
@@ -0,0 +1,818 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: "Amazon RDS SQLServer" +Metadata: + LICENSE: Apache License Version 2.0 + cfn-lint: + config: + ignore_checks: + - E9101 + - W3011 + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Database Network configuration + Parameters: + - VPCID + - Subnet1ID + - Subnet2ID + - Subnet3ID + - CustomDBSecurityGroup + - DBAccessCIDR + - PubliclyAccessible + - Label: + default: Database General configuration + Parameters: + - DBEngine + - DBEngineVersion + - DBInstanceClass + - DBPort + - DBMasterUsername + - ManageMasterUserPassword + - DBMasterUserPassword + - DBMultiAZ + - DBAutoMinorVersionUpgrade + - DBBackupRetentionPeriod + - Label: + default: Database Storage configuration + Parameters: + - DBStorageType + - DBAllocatedStorage + - DBAllocatedStorageEncrypted + - StorageIOPS + - StorageThroughput + - Label: + default: Database Monitoring configuration + Parameters: + - DBExportLogToCloudwatch + - EnablePerformanceInsights + - PerformanceInsightsRetentionPeriod + - EnableEnhancedMonitoring + - MonitoringInterval + - EnableEventSubscription + - NotificationList + - Label: + default: Database tags (optional) + Parameters: + - EnvironmentStage + - Application + - ApplicationVersion + - ProjectCostCenter + - Confidentiality + - Compliance + ParameterLabels: + Application: + default: Application name + ApplicationVersion: + default: Application version + Compliance: + default: Compliance classifier + Confidentiality: + default: Confidentiality classifier + CustomDBSecurityGroup: + default: Custom security group ID + DBAccessCIDR: + default: Database connection CIDR + DBAllocatedStorage: + default: Database allocated storage size in GiB + DBAllocatedStorageEncrypted: + default: Database encryption enabled + DBAutoMinorVersionUpgrade: + default: Database auto minor version upgrade + DBBackupRetentionPeriod: + default: Database backup retention period + Engine: + default: SQL Server 
edition type + DBEngineVersion: + default: Database Engine Version + DBExportLogToCloudwatch: + default: Export Database Log to CloudWatch + DBInstanceClass: + default: Database instance class + DBMasterUsername: + default: Database master username + DBMasterUserPassword: + default: Database master password + DBMultiAZ: + default: RDS Multi-AZ DB Instance deployment + DBPort: + default: Database port + DBStorageType: + default: Database storage type + EnableEnhancedMonitoring: + default: Enable Enhanced Monitoring + EnableEventSubscription: + default: Enable Event Subscription + EnablePerformanceInsights: + default: Enable RDS Performance Insights + EnvironmentStage: + default: Environment stage + ManageMasterUserPassword: + default: Manage DB master user password with AWS Secrets Manager + MonitoringInterval: + default: Enhanced monitoring interval + NotificationList: + default: SNS notification email + PerformanceInsightsRetentionPeriod: + default: Number of days to retain Performance Insights data + ProjectCostCenter: + default: Project cost center + PubliclyAccessible: + default: Publicly Accessible + StorageIOPS: + default: Provisioned IOPS for gp3/io1 storage type + StorageThroughput: + default: Provisioned Throughput for gp3 storage type in MiBps + Subnet1ID: + default: Private subnet 1 ID + Subnet2ID: + default: Private subnet 2 ID + Subnet3ID: + default: Private subnet 3 ID + VPCID: + default: VPC ID + +Mappings: + DBFamilyMap: + 12.00.6293.0.v1: + sqlserveree: sqlserver-ee-12.0 + sqlserverse: sqlserver-se-12.0 + sqlserverex: sqlserver-ex-12.0 + sqlserverweb: sqlserver-web-12.0 + 15.00.4236.7.v1: + sqlserveree: sqlserver-ee-15.0 + sqlserverse: sqlserver-se-15.0 + sqlserverex: sqlserver-ex-15.0 + sqlserverweb: sqlserver-web-15.0 + + + DBEngineEdition: + sqlserver-se: + 'Edition': sqlserverse + sqlserver-ee: + 'Edition': sqlserveree + sqlserver-ex: + 'Edition': sqlserverex + sqlserver-web: + 'Edition': sqlserverweb + + + DBFlavour: + sqlserver-se: + 
'Flavour': sqlserver + sqlserver-ee: + 'Flavour': sqlserver + sqlserver-ex: + 'Flavour': sqlserver + sqlserver-web: + 'Flavour': sqlserver + +Conditions: + CreateSecurityGroup: !Equals + - !Ref CustomDBSecurityGroup + - '' + CreateKMSKey: !Or + - !Condition UseDatabaseEncryption + - !Condition UseSecretsManager + - !Condition EnablePI + EnableDBLogExport: !Not + - !Equals + - !Join ["",!Ref DBExportLogToCloudwatch] + - '' + isDBInstance: !Equals + - !FindInMap [DBFlavour,!Ref DBEngine,Flavour] + - 'sqlserver' + EventSubscription: !Equals + - !Ref EnableEventSubscription + - 'true' + EventSubscriptionDBInstance: !And + - !Condition EventSubscription + - !Condition isDBInstance + EnableEM: !Equals + - !Ref EnableEnhancedMonitoring + - 'true' + EnablePI: !Equals + - !Ref EnablePerformanceInsights + - 'true' + isGP2: !Equals + - !Ref DBStorageType + - 'gp2' + isGP3: !Equals + - !Ref DBStorageType + - 'gp3' + UseDatabaseEncryption: !Equals + - !Ref DBAllocatedStorageEncrypted + - "true" + UseSecretsManager: !Equals + - !Ref ManageMasterUserPassword + - "true" + NAStorageIOPS: !Equals + - !Ref StorageIOPS + - '0' + NAStorageThrougput: !Equals + - !Ref StorageThroughput + - '0' + +Rules: + SubnetsInVPC: + Assertions: + - Assert: !Equals [!ValueOf ["Subnet1ID", "VpcId"], !Ref VPCID] + AssertDescription: "Private subnet 1 ID doesn't belong to the specified VPC" + - Assert: !Equals [!ValueOf ["Subnet2ID", "VpcId"], !Ref VPCID] + AssertDescription: "Private subnet 2 ID doesn't belong to the specified VPC" + - Assert: !Equals [!ValueOf ["Subnet3ID", "VpcId"], !Ref VPCID] + AssertDescription: "Private subnet 3 ID doesn't belong to the specified VPC" + SubnetsUnique: + Assertions: + - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet2ID]] + AssertDescription: "Please provide 3 distinct private subnets" + - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet3ID]] + AssertDescription: "Please provide 3 distinct private subnets" + - Assert: !Not [!Equals [!Ref Subnet2ID, !Ref 
Subnet3ID]] + AssertDescription: "Please provide 3 distinct private subnets" + IOPSForIO1: + Assertions: + - Assert: !Or [!Not [!Equals [!Ref DBStorageType, 'io1']], !Not [!Equals [!Ref StorageIOPS, '0']]] + AssertDescription: "For io1 storage type, you must specify provisioned IOPS" + +Outputs: + DBMasterUsername: + Description: "Amazon RDS database master username" + Value: !Ref DBMasterUsername + MasterUserSecret: + Condition: UseSecretsManager + Description: "Master Credentials ARN" + Value: !Sub ${MAZDBI.MasterUserSecret.SecretArn} + RDSEndPointAddress: + Description: "Amazon RDS write endpoint" + Value: !Sub ${MAZDBI.Endpoint.Address} + RDSMAZInstEndPoints: + Condition: isDBInstance + Description: "Full Amazon RDS write endpoint" + Value: !Sub "${MAZDBI.Endpoint.Address}:${MAZDBI.Endpoint.Port}" + RDSEncryptionKey: + Condition: UseDatabaseEncryption + Description: The alias of the encryption key created for RDS + Value: !Ref EncryptionKeyAlias + +Parameters: + Application: + Type: String + Default: '' + Description: Designates the application of the associated AWS resource. (Optional) + ApplicationVersion: + Type: String + Description: Designates the specific version of the application. (Optional) + Default: '' + Compliance: + Type: String + Default: '' + Description: Designates the compliance level for the AWS resource. (Optional) + AllowedValues: + - hipaa + - sox + - fips + - other + - '' + Confidentiality: + Type: String + Default: '' + Description: Designates the confidentiality classification of the data that is associated with the resource. (Optional) + AllowedValues: + - public + - private + - confidential + - pii/phi + - '' + CustomDBSecurityGroup: + Description: "ID of the security group (e.g., sg-0234se). One will be created for you if left empty." 
+ Type: String + Default: '' + DBAccessCIDR: + AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" + ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" + Description: "Allowed CIDR block for external access (use VPC CIDR)." + Type: String + Default: 10.0.0.0/16 + DBAllocatedStorage: + Default: 100 + Description: Allocated storage size in GiB. For gp2 and gp3, must be an integer from 20 to 16384. For io1, must be an integer from 100 to 16384. + Type: Number + MinValue: 20 + MaxValue: 65536 + ConstraintDescription: Must be an integer from 20 to 16384 for gp2/gp3 and 100 to 16384 for io1. + DBAllocatedStorageEncrypted: + Default: "true" + AllowedValues: + - "true" + - "false" + Description: Whether or not to encrypt the database. + Type: String + DBAutoMinorVersionUpgrade: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Select true to set up auto minor version upgrade." + Type: String + DBBackupRetentionPeriod: + Default: 35 + Description: "The number of days for which automatic database snapshots are retained." 
+ Type: Number + MinValue: 0 + MaxValue: 35 + DBEngine: + Default: sqlserver-se + Type: String + AllowedValues: + - "sqlserver-se" + - "sqlserver-ee" + - "sqlserver-web" + - "sqlserver-ex" + Description: "Select the desired SQL server editon" + DBEngineVersion: + Description: Select Database Engine Version + Type: String + Default: 15.00.4236.7.v1 + AllowedValues: + - 12.00.6293.0.v1 + - 12.00.6329.1.v1 + - 12.00.6433.1.v1 + - 12.00.6439.10.v1 + - 13.00.6300.2.v1 + - 13.00.6419.1.v1 + - 14.00.3281.6.v1 + - 14.00.3294.2.v1 + - 14.00.3356.20.v1 + - 14.00.3381.3.v1 + - 14.00.3401.7.v1 + - 14.00.3421.10.v1 + - 14.00.3451.2.v1 + - 15.00.4043.16.v1 + - 15.00.4073.23.v1 + - 15.00.4153.1.v1 + - 15.00.4198.2.v1 + - 15.00.4236.7.v1 + DBExportLogToCloudwatch: + Default: '' + Description: "Specify the comma-delimited list of database logs (error, agent) to export to CloudWatch Logs." + Type: CommaDelimitedList + DBInstanceClass: + Default: db.r5.large + Description: >- + The database instance type. + Please see supported instance types for the SQLServer version selected https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html. + For RDS Multi-AZ cluster supported instance class, please refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings. 
+ Type: String + AllowedValues: + - db.m4.10xlarge + - db.m4.2xlarge + - db.m4.4xlarge + - db.m4.large + - db.m4.xlarge + - db.m5.12xlarge + - db.m5.16xlarge + - db.m5.24xlarge + - db.m5.2xlarge + - db.m5.4xlarge + - db.m5.8xlarge + - db.m5d.12xlarge + - db.m5d.16xlarge + - db.m5d.24xlarge + - db.m5d.2xlarge + - db.m5d.4xlarge + - db.m5d.8xlarge + - db.m5d.large + - db.m5d.xlarge + - db.m5.large + - db.m5.xlarge + - db.m6i.2xlarge + - db.m6i.4xlarge + - db.m6i.8xlarge + - db.m6i.large + - db.m6i.xlarge + - db.r4.2xlarge + - db.r4.4xlarge + - db.r4.8xlarge + - db.r4.large + - db.r4.xlarge + - db.r5.12xlarge + - db.r5.16xlarge + - db.r5.24xlarge + - db.r5.2xlarge + - db.r5.4xlarge + - db.r5.8xlarge + - db.r5b.12xlarge + - db.r5b.16xlarge + - db.r5b.24xlarge + - db.r5b.2xlarge + - db.r5b.4xlarge + - db.r5b.8xlarge + - db.r5b.large + - db.r5b.xlarge + - db.r5d.12xlarge + - db.r5d.16xlarge + - db.r5d.24xlarge + - db.r5d.2xlarge + - db.r5d.4xlarge + - db.r5d.8xlarge + - db.r5d.large + - db.r5d.xlarge + - db.r5.large + - db.r5.xlarge + - db.r6i.2xlarge + - db.r6i.4xlarge + - db.r6i.8xlarge + - db.r6i.large + - db.r6i.xlarge + - db.t3.2xlarge + - db.t3.xlarge + - db.x1e.16xlarge + - db.x1e.2xlarge + - db.x1e.32xlarge + - db.x1e.4xlarge + - db.x1e.8xlarge + - db.x1e.xlarge + - db.m4.16xlarge + - db.r4.16xlarge + - db.x1.16xlarge + - db.x1.32xlarge + - db.z1d.12xlarge + - db.z1d.2xlarge + - db.z1d.3xlarge + - db.z1d.6xlarge + - db.z1d.large + - db.z1d.xlarge + DBMasterUsername: + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." + Default: sqlsa + Description: "The database master username." + MaxLength: "16" + MinLength: "1" + Type: String + DBMasterUserPassword: + AllowedPattern: >- + ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ + ConstraintDescription: >- + Min 8 chars. 
Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol + Default: "Gjht56Ft$" + Description: The database master user password. Required if "Manage DB master user password with AWS Secrets Manager" option is set to false. + MaxLength: "64" + MinLength: "8" + NoEcho: "True" + Type: String + DBMultiAZ: + AllowedValues: + - "true" + - "false" + Default: "false" + Description: "Select true to deploy a RDS Multi-AZ DB instance." + Type: String + + DBPort: + Default: 1433 + Description: "The port the instance will listen for connections on." + Type: Number + ConstraintDescription: 'Must be in the range [1150-65535].' + MinValue: 1150 + MaxValue: 65535 + DBStorageType: + Default: io1 + Description: Select the EBS storage type for the RDS SQLServer database. RDS Multi-AZ DB Cluster deployment only supports io1 storage type. + Type: String + AllowedValues: + - gp2 + - gp3 + - io1 + EnableEnhancedMonitoring: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Enables RDS Performance Insights" + Type: String + EnableEventSubscription: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Enables event subscription to Notification List" + Type: String + EnablePerformanceInsights: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Enables RDS Performance Insights" + Type: String + EnvironmentStage: + Type: String + Description: Designates the environment stage of the associated AWS resource. (Optional) + AllowedValues: + - dev + - test + - pre-prod + - prod + - none + Default: none + ManageMasterUserPassword: + AllowedValues: + - "true" + - "false" + Default: "true" + Description: "Set to true to manage the master user password with AWS Secrets Manager." + Type: String + MonitoringInterval: + Default: 10 + Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." 
+ Type: Number + AllowedValues: + - 1 + - 5 + - 10 + - 15 + - 30 + - 60 + ConstraintDescription: Valid values are 0, 1, 5, 10, 15, 30, 60 seconds. + NotificationList: + Type: String + Default: 'db-ops@domain.com' + Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. + AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' + ConstraintDescription: Provide a valid email address. + PerformanceInsightsRetentionPeriod: + Default: 7 + Description: "The number of days for which automatic database snapshots are retained. Specify days based on (month * 31), where month is a number of months from 1-23" + Type: Number + MinValue: 7 + MaxValue: 713 + ProjectCostCenter: + Type: String + Default: '' + Description: Designates the cost center associated with the project of the given AWS resource. (Optional) + PubliclyAccessible: + AllowedValues: + - "true" + - "false" + Default: "false" + Description: "Indicates whether the DB instance is an internet-facing instance" + Type: String + StorageIOPS: + Default: '0' + Description: >- + If you choose gp3 (and allocate >= 400 GiB) or io1, you must specify provisioned IOPS. Leave at default value otherwise. + For io1, the ratio of provisioned IOPS to allocated storage (in GiB) must be from 0.5 to 50. + For gp3, the maximum ratio of provisioned IOPS to allocated storage (in GiB) is 500. + For details, refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html + Type: String + StorageThroughput: + Default: '0' + Description: >- + Provisioned throughput in MiBps. + If you choose gp3 (and allocate >= 400 GiB) as storage type, you must specify provisioned throughput. Leave at default value otherwise. + The maximum ratio of provisioned storage throughput (in MiBps) to IOPS is 0.25. 
+ For details, refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html + Type: String + Subnet1ID: + Description: The ID of the private subnet in Availability Zone 1. + Type: 'AWS::EC2::Subnet::Id' + Subnet2ID: + Description: The ID of the private subnet in Availability Zone 2. + Type: 'AWS::EC2::Subnet::Id' + Subnet3ID: + Description: The ID of the private subnet in Availability Zone 3. + Type: 'AWS::EC2::Subnet::Id' + VPCID: + Description: "ID of the VPC you are deploying RDS into (e.g., vpc-0343606e)." + Type: 'AWS::EC2::VPC::Id' + Default: '' + +Resources: + + RDSDBSubnetGroup: + Properties: + DBSubnetGroupDescription: "Subnets available for the Amazon RDS database instance" + SubnetIds: + - !Ref Subnet1ID + - !Ref Subnet2ID + - !Ref Subnet3ID + Type: "AWS::RDS::DBSubnetGroup" + + RDSSecurityGroup: + Condition: CreateSecurityGroup + Properties: + GroupDescription: "Allow access to database port" + SecurityGroupEgress: + - + CidrIp: 0.0.0.0/0 + FromPort: -1 + IpProtocol: '-1' + ToPort: -1 + SecurityGroupIngress: + - + CidrIp: !Ref DBAccessCIDR + FromPort: !Ref DBPort + IpProtocol: tcp + ToPort: !Ref DBPort + VpcId: !Ref VPCID + Tags: + - Key: Name + Value: !Sub RDSSecurityGroup-${AWS::StackName} + Type: "AWS::EC2::SecurityGroup" + + RDSSecurityGroupIngress: + Condition: CreateSecurityGroup + Properties: + GroupId: !GetAtt 'RDSSecurityGroup.GroupId' + IpProtocol: '-1' + SourceSecurityGroupId: !Ref RDSSecurityGroup + Description: 'Self Reference' + Type: 'AWS::EC2::SecurityGroupIngress' + + DBSNSTopic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: !Ref NotificationList + Protocol: email + + EncryptionKey: + Metadata: + cfn-lint: + config: + ignore_checks: + - EIAMPolicyActionWildcard + ignore_reasons: + - EIAMPolicyActionWildcard: "All KMS actions allowed by design" + DeletionPolicy: Retain + Type: AWS::KMS::Key + Condition: CreateKMSKey + Properties: + EnableKeyRotation: true + KeyPolicy: + Version: 2012-10-17 + Id: 
!Ref AWS::StackName + Statement: + - Effect: Allow + Principal: + AWS: + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" + Action: 'kms:*' + Resource: '*' + Tags: + - Key: Name + Value: !Ref AWS::StackName + + EncryptionKeyAlias: + Type: AWS::KMS::Alias + Condition: CreateKMSKey + Properties: + AliasName: !Sub "alias/${AWS::StackName}" + TargetKeyId: !Ref EncryptionKey + + MRole: + Type: AWS::IAM::Role + Condition: EnableEM + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + Service: + - "monitoring.rds.amazonaws.com" + Action: + - "sts:AssumeRole" + Path: "/" + ManagedPolicyArns: + - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole + + RDSDBSQL: + Type: AWS::RDS::DBParameterGroup + Condition: isDBInstance + Properties: + Description: !Join [ "- ", [ "RDS SQL Database Instance Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] + Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, !FindInMap [DBEngineEdition,!Ref DBEngine,Edition]] + Parameters: + "1222": '1' + "1204": '1' + + MAZDBI: + Type: "AWS::RDS::DBInstance" + Condition: isDBInstance + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + Properties: + AllocatedStorage: !Ref DBAllocatedStorage + AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade + BackupRetentionPeriod: !Ref DBBackupRetentionPeriod + DBInstanceClass: !Ref DBInstanceClass + DBParameterGroupName: !Ref RDSDBSQL + DBSubnetGroupName: !Ref RDSDBSubnetGroup + EnableCloudwatchLogsExports: !If [EnableDBLogExport, !Ref DBExportLogToCloudwatch, !Ref "AWS::NoValue"] + EnablePerformanceInsights: !Ref EnablePerformanceInsights + LicenseModel: "license-included" + Engine: !Ref DBEngine + EngineVersion: !Ref DBEngineVersion + #IOPS property is only valid for io1 and gp2 (>=400GB) + Iops: !If [isGP2, !Ref "AWS::NoValue", !If [NAStorageIOPS, !Ref 'AWS::NoValue', !Ref StorageIOPS]] + KmsKeyId: !If 
[UseDatabaseEncryption, !GetAtt EncryptionKey.Arn, !Ref 'AWS::NoValue'] + MasterUsername: !Ref DBMasterUsername + ManageMasterUserPassword: !Ref ManageMasterUserPassword + MasterUserPassword: !If [UseSecretsManager, !Ref 'AWS::NoValue', !Ref DBMasterUserPassword] + MasterUserSecret: + KmsKeyId: !If [UseSecretsManager, !Ref EncryptionKey, !Ref 'AWS::NoValue'] + MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] + MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] + MultiAZ: !Ref DBMultiAZ + PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] + PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] + Port: !Ref DBPort + PubliclyAccessible: !Ref PubliclyAccessible + StorageType: !Ref DBStorageType + StorageEncrypted: !If [UseDatabaseEncryption, !Ref DBAllocatedStorageEncrypted, !Ref 'AWS::NoValue'] + #StorageThroughput property is only valid for gp3 (>=400GB) + StorageThroughput: !If [isGP3, !If [NAStorageThrougput, !Ref "AWS::NoValue", !Ref StorageThroughput], !Ref "AWS::NoValue"] + Tags: + - + Key: Name + Value: !Sub MAZDBI-${AWS::StackName} + - + Key: EnvironmentStage + Value: !Ref EnvironmentStage + - + Key: Application + Value: !Ref Application + - + Key: ApplicationVersion + Value: !Ref ApplicationVersion + - + Key: ProjectCostCenter + Value: !Ref ProjectCostCenter + - + Key: Confidentiality + Value: !Ref Confidentiality + - + Key: Compliance + Value: !Ref Compliance + VPCSecurityGroups: + !If + - CreateSecurityGroup + - [!Ref RDSSecurityGroup] + - [!Ref CustomDBSecurityGroup] + + CPUUtilizationAlarm1: + Type: "AWS::CloudWatch::Alarm" + Properties: + ActionsEnabled: true + AlarmActions: + - Ref: DBSNSTopic + AlarmDescription: 'CPU_Utilization' + Dimensions: + - Name: DBInstanceIdentifier + Value: + !Ref MAZDBI + MetricName: CPUUtilization + Statistic: Maximum + Namespace: 'AWS/RDS' + Threshold: 80 + Unit: Percent + 
ComparisonOperator: 'GreaterThanOrEqualToThreshold' + Period: 60 + EvaluationPeriods: 5 + TreatMissingData: 'notBreaching' + + DatabaseInstanceEventSubscription: + Condition: EventSubscription + Type: 'AWS::RDS::EventSubscription' + Properties: + EventCategories: + - availability + - backup + - configuration change + - creation + - deletion + - failover + - failure + - low storage + - maintenance + - notification + - read replica + - recovery + - security patching + SnsTopicArn: !Ref DBSNSTopic + SourceIds: + - !Ref MAZDBI + SourceType: 'db-instance' + + DBParameterGroupEventSubscription: + Condition: EventSubscriptionDBInstance + Type: 'AWS::RDS::EventSubscription' + Properties: + EventCategories: + - "configuration change" + SnsTopicArn: !Ref DBSNSTopic + SourceIds: + - !Ref RDSDBSQL + SourceType: 'db-parameter-group' \ No newline at end of file