Cloudformation template for a postgreSQL AWS RDS database for use with SonarQube with a generated secret stored in AWS Secrets Manager

rds.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::SecretsManager-2020-07-23
Description: PostgreSQL DB RDS Instance for SonarQube
Parameters:
  DBInstanceIdentifier:
    Description: Name of the RDS Instance.
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: sonarqube
  DBName:
    Description: Name of the database
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: sonarqube
  DBInstanceType:
    Description: Type of the DB instance
    Type: String
    Default: db.t3.micro
  DBInstanceMasterUsername:
    Description: Master username
    Type: String
    MinLength: '0'
    MaxLength: '255'
    Default: sonarqube
  DBEngine:
    Description: DB Engine
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: postgres
  DBEngineVersion:
    Description: PostgreSQL version.
    Type: String
    Default: '15.2'
  DBAllocatedStorage:
    Type: Number
    Default: 20
  DBBackupRetentionPeriod:
    Type: Number
    Default: 7
  DBPreferredBackupWindow:
    Description: The daily time range in UTC during which you want to create automated backups.
    Type: String
    Default: '06:00-06:30'
  DBPreferredMaintenanceWindow:
    Description: The weekly time range (in UTC) during which system maintenance can occur.
    Type: String
    Default: 'mon:07:00-mon:07:30'
  DBMultiAZ:
    Description: Specifies if the database instance is deployed to multiple Availability Zones
    Type: String
    Default: false
    AllowedValues: [true, false]
  DBParameterGroup:
    Description: Parameter Group
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: 'default.postgres15'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: DB Details
      Parameters:
      - DBEngineVersion
      - DBInstanceType
      - DBParameterGroup
    - Label:
        default: DB Configuration
      Parameters:
      - DBInstanceIdentifier
      - DBName
      - DBInstanceMasterUsername
      - DBMultiAZ
    - Label:
        default: DB Storage
      Parameters:
      - DBAllocatedStorage
    - Label:
        default: DB Backup Retention
      Parameters:
      - DBPreferredMaintenanceWindow
      - DBPreferredBackupWindow
      - DBBackupRetentionPeriod

Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${DBInstanceIdentifier}-rds-sg"
      GroupDescription: 'RDS security group'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          CidrIp: !ImportValue vpc-cidr
          Description: Postgresql default port (Internal) for access via bastion host
      VpcId: !ImportValue 'vpc-id'

  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "${DBInstanceIdentifier}-subnetgroup"
      DBSubnetGroupName: !Sub "${DBInstanceIdentifier}-subnetgroup"
      SubnetIds:
        - !ImportValue subnet-private-a
        - !ImportValue subnet-private-b
        - !ImportValue subnet-private-c

  DBInstancePassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${DBInstanceIdentifier}-db-password"
      Description: !Sub "The master instance password for the ${DBInstanceIdentifier} RDS database"
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${DBInstanceMasterUsername}"}'
        GenerateStringKey: "password"
        PasswordLength: 20
        ExcludeCharacters: ':/@"\;`%$'''

  SecretDBInstanceAttachment:
    DependsOn: DBInstancePassword
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId:
        Ref: DBInstancePassword
      TargetId:
        Ref: DBInstance
      TargetType: AWS::RDS::DBInstance

  DBInstance:
    DependsOn: DBInstancePassword
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: !Ref DBAllocatedStorage
      AllowMajorVersionUpgrade: false
      AutoMinorVersionUpgrade: true
      BackupRetentionPeriod: !Ref DBBackupRetentionPeriod
      CACertificateIdentifier: rds-ca-rsa2048-g1
      CopyTagsToSnapshot: True
      DBInstanceClass: !Ref DBInstanceType
      DBName: !Ref DBName
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBParameterGroupName: !Ref DBParameterGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
      DeletionProtection: true
      Engine: postgres
      EngineVersion: !Ref DBEngineVersion
      MasterUsername: !Ref DBInstanceMasterUsername
      MasterUserPassword: !Join [ '', [ '{{resolve:secretsmanager:', !Ref DBInstancePassword, ':SecretString:password}}' ] ]
      MasterUserSecret: 
        SecretArn: !Ref DBInstancePassword
      MonitoringInterval: 60
      MonitoringRoleArn: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":role/rds-monitoring-role" ] ]
      MultiAZ: !Ref DBMultiAZ
      PreferredBackupWindow: !Ref DBPreferredBackupWindow
      PreferredMaintenanceWindow: !Ref DBPreferredMaintenanceWindow
      PubliclyAccessible: false
      StorageEncrypted: true
      StorageType: gp3
      VPCSecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Project
          Value: SonarQube
        - Key: Application
          Value: SonarQube

Outputs:
  SonarQubeRDSSG:
    Description: The security group for the RDS instance
    Value: !Ref SecurityGroup
    Export:
      Name: SonarQubeRDSSG
  SonarQubeDBInstanceEndpointAddress:
    Description: The endpoint address of the RDS instance
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: SonarQubeDBInstanceEndpointAddress
  SonarQubeDBInstanceName:
    Description: The name of the database
    Value: !Ref DBName
    Export:
      Name: SonarQubeDBInstanceName