CloudFormation template for a PostgreSQL AWS RDS database for use with SonarQube, with a generated master password stored in AWS Secrets Manager
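AWSTemplateFormatVersion: '2010-09-09'
# The Secrets Manager transform is consumed by AWS::SecretsManager::RotationSchedule
# (HostedRotationLambda). Nothing in this template uses it yet, so it is harmless,
# but it is the hook for adding password rotation later.
Transform: AWS::SecretsManager-2020-07-23
Description: PostgreSQL DB RDS Instance for SonarQube
Parameters:
  DBInstanceIdentifier:
    Description: Name of the RDS Instance.
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: sonarqube
  DBName:
    Description: Name of the database
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: sonarqube
  DBInstanceType:
    Description: Type of the DB instance
    Type: String
    Default: db.t3.micro
  DBInstanceMasterUsername:
    Description: Master username
    Type: String
    # MinLength '0' previously accepted an empty master username, which RDS only
    # rejects at create time; fail at parameter validation instead.
    MinLength: '1'
    # RDS PostgreSQL master user names are 1-63 characters, start with a letter
    # and contain only letters and digits.
    MaxLength: '63'
    AllowedPattern: '^[a-zA-Z][a-zA-Z0-9]*$'
    Default: sonarqube
  DBEngine:
    # The template is PostgreSQL-specific (port 5432, postgres parameter group,
    # Engine: postgres on the instance), so only 'postgres' is accepted here.
    Description: DB Engine
    Type: String
    MinLength: '1'
    MaxLength: '255'
    AllowedValues: [postgres]
    Default: postgres
  DBEngineVersion:
    # NOTE(review): RDS retires old minor versions over time; confirm 15.2 is
    # still creatable in the target region before deploying.
    Description: PostgreSQL version.
    Type: String
    Default: '15.2'
  DBAllocatedStorage:
    Description: Allocated storage in GiB (20 GiB is the gp3 minimum for PostgreSQL).
    Type: Number
    MinValue: 20
    Default: 20
  DBBackupRetentionPeriod:
    # RDS accepts 0-35 days; 0 disables automated backups, so it is not allowed here.
    Description: Number of days to retain automated backups (1-35).
    Type: Number
    MinValue: 1
    MaxValue: 35
    Default: 7
  DBPreferredBackupWindow:
    Description: The daily time range in UTC during which you want to create automated backups.
    Type: String
    Default: '06:00-06:30'
  DBPreferredMaintenanceWindow:
    Description: The weekly time range (in UTC) during which system maintenance can occur.
    Type: String
    Default: 'mon:07:00-mon:07:30'
  DBMultiAZ:
    Description: Specifies if the database instance is deployed to multiple Availability Zones
    Type: String
    Default: false
    AllowedValues: [true, false]
  DBParameterGroup:
    # NOTE(review): the default group cannot be modified and does not set
    # rds.force_ssl=1, so clients may connect without TLS. Supply a custom
    # parameter group here to enforce encryption in transit.
    Description: Parameter Group
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: 'default.postgres15'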
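# Console-only grouping and ordering of the parameters above. DBEngine was
# previously missing from every group and so fell into "Other parameters".
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: DB Details
        Parameters:
          - DBEngine
          - DBEngineVersion
          - DBInstanceType
          - DBParameterGroup
      - Label:
          default: DB Configuration
        Parameters:
          - DBInstanceIdentifier
          - DBName
          - DBInstanceMasterUsername
          - DBMultiAZ
      - Label:
          default: DB Storage
        Parameters:
          - DBAllocatedStorage
      - Label:
          default: DB Backup Retention
        Parameters:
          - DBPreferredMaintenanceWindow
          - DBPreferredBackupWindow
          - DBBackupRetentionPeriod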
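Resources:
  # Security group attached to the RDS instance. Only PostgreSQL (5432) is
  # opened, and only to addresses inside the VPC (CIDR imported from the
  # network stack's 'vpc-cidr' export).
  # NOTE(review): the whole VPC CIDR is wider than the stated intent (bastion
  # access). Prefer SourceSecurityGroupId pointing at the SonarQube / bastion
  # security group once that stack exports one. No SecurityGroupEgress is
  # declared, so the default allow-all egress rule applies.
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${DBInstanceIdentifier}-rds-sg"
      GroupDescription: 'RDS security group'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          CidrIp: !ImportValue vpc-cidr
          Description: Postgresql default port (Internal) for access via bastion host
      VpcId: !ImportValue 'vpc-id'

  # Private subnets only (exports from the network stack); together with
  # PubliclyAccessible: false on the instance this keeps the endpoint off
  # the internet.
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "${DBInstanceIdentifier}-subnetgroup"
      DBSubnetGroupName: !Sub "${DBInstanceIdentifier}-subnetgroup"
      SubnetIds:
        - !ImportValue subnet-private-a
        - !ImportValue subnet-private-b
        - !ImportValue subnet-private-c

  # Master credential, generated by Secrets Manager so it never appears in the
  # template, parameters or stack events. Secrets Manager adds the "password"
  # key; the attachment below adds engine/host/port/dbname once the instance
  # exists. Encrypted with the account default aws/secretsmanager key (no KmsKeyId).
  # NOTE(review): no AWS::SecretsManager::RotationSchedule is defined, so this
  # password is never rotated; the Transform header already supports adding a
  # HostedRotationLambda (PostgreSQLSingleUser) for that.
  DBInstancePassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${DBInstanceIdentifier}-db-password"
      Description: !Sub "The master instance password for the ${DBInstanceIdentifier} RDS database"
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${DBInstanceMasterUsername}"}'
        GenerateStringKey: "password"
        PasswordLength: 20
        # RDS rejects '/', '@' and '"' in master passwords; the remaining
        # characters are excluded so the value is safe in URLs and shells.
        ExcludeCharacters: ':/@"\;`%$'''

  # Back-fills the secret with engine, host, port and dbname after the instance
  # is created, so consumers can build a connection string from the secret alone.
  SecretDBInstanceAttachment:
    DependsOn: DBInstancePassword
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBInstancePassword
      TargetId: !Ref DBInstance
      TargetType: AWS::RDS::DBInstance

  # The database instance. DeletionPolicy/UpdateReplacePolicy take a final
  # snapshot on stack deletion or on a replacing update (e.g. a change to
  # DBInstanceIdentifier or DBName); DeletionProtection alone does not cover
  # the replacement case.
  DBInstance:
    DependsOn: DBInstancePassword
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      AllocatedStorage: !Ref DBAllocatedStorage
      AllowMajorVersionUpgrade: false
      AutoMinorVersionUpgrade: true
      BackupRetentionPeriod: !Ref DBBackupRetentionPeriod
      # The legacy rds-ca-2019 CA expired in 2024; rds-ca-rsa2048-g1 is long-lived.
      CACertificateIdentifier: rds-ca-rsa2048-g1
      CopyTagsToSnapshot: true
      DBInstanceClass: !Ref DBInstanceType
      DBName: !Ref DBName
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBParameterGroupName: !Ref DBParameterGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
      DeletionProtection: true
      # Ship engine and upgrade logs to CloudWatch Logs for audit and detection.
      EnableCloudwatchLogsExports:
        - postgresql
        - upgrade
      # Hard-coded: the port, parameter group and log types above are all
      # PostgreSQL-specific.
      Engine: postgres
      EngineVersion: !Ref DBEngineVersion
      MasterUsername: !Ref DBInstanceMasterUsername
      # Dynamic reference, resolved by CloudFormation at deploy time; the
      # password is never stored in the template or stack parameters.
      MasterUserPassword: !Join [ '', [ '{{resolve:secretsmanager:', !Ref DBInstancePassword, ':SecretString:password}}' ] ]
      # MasterUserSecret was removed here: it belongs to the RDS-managed-password
      # path (ManageMasterUserPassword), where SecretArn is a read-only attribute,
      # and should not be combined with an explicit MasterUserPassword.
      MonitoringInterval: 60
      # NOTE(review): assumes an IAM role named rds-monitoring-role already exists
      # in this account with the AmazonRDSEnhancedMonitoringRole policy attached.
      MonitoringRoleArn: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/rds-monitoring-role"
      MultiAZ: !Ref DBMultiAZ
      PreferredBackupWindow: !Ref DBPreferredBackupWindow
      PreferredMaintenanceWindow: !Ref DBPreferredMaintenanceWindow
      PubliclyAccessible: false
      # Encryption at rest with the account default aws/rds key (no KmsKeyId).
      StorageEncrypted: true
      StorageType: gp3
      VPCSecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Project
          Value: SonarQube
        - Key: Application
          Value: SonarQube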
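# Cross-stack exports consumed by the SonarQube application stack. The secret
# ARN is exported so consumers can read credentials from Secrets Manager
# instead of hard-coding the secret name.
Outputs:
  SonarQubeRDSSG:
    Description: The security group for the RDS instance
    Value: !Ref SecurityGroup
    Export:
      Name: SonarQubeRDSSG
  SonarQubeDBInstanceEndpointAddress:
    Description: The endpoint address of the RDS instance
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: SonarQubeDBInstanceEndpointAddress
  SonarQubeDBInstanceEndpointPort:
    Description: The endpoint port of the RDS instance
    Value: !GetAtt DBInstance.Endpoint.Port
    Export:
      Name: SonarQubeDBInstanceEndpointPort
  SonarQubeDBInstanceName:
    Description: The name of the database
    Value: !Ref DBName
    Export:
      Name: SonarQubeDBInstanceName
  SonarQubeDBSecretArn:
    Description: ARN of the Secrets Manager secret holding the master credentials
    Value: !Ref DBInstancePassword
    Export:
      Name: SonarQubeDBSecretArn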