@dgt0011
Created March 24, 2024 00:55
CloudFormation template for a PostgreSQL AWS RDS database for use with SonarQube, with a generated master password stored in AWS Secrets Manager and resolved at deploy time (the password never appears in the template or in stack parameters)
AWSTemplateFormatVersion: '2010-09-09'
# Only required if a RotationSchedule with HostedRotationLambda is added later; harmless otherwise.
Transform: AWS::SecretsManager-2020-07-23
Description: PostgreSQL DB RDS Instance for SonarQube
Parameters:
  DBInstanceIdentifier:
    Description: Name of the RDS Instance.
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: sonarqube
  DBName:
    Description: Name of the database
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: sonarqube
  DBInstanceType:
    Description: Type of the DB instance
    Type: String
    Default: db.t3.micro
  DBInstanceMasterUsername:
    Description: Master username
    Type: String
    MinLength: '1'  # an empty master username is never valid
    MaxLength: '255'
    Default: sonarqube
  DBEngine:
    Description: DB Engine
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: postgres
  DBEngineVersion:
    Description: PostgreSQL version.
    Type: String
    Default: '15.2'
  DBAllocatedStorage:
    Type: Number
    Default: 20
  DBBackupRetentionPeriod:
    Type: Number
    Default: 7
  DBPreferredBackupWindow:
    Description: The daily time range in UTC during which you want to create automated backups.
    Type: String
    Default: '06:00-06:30'
  DBPreferredMaintenanceWindow:
    Description: The weekly time range (in UTC) during which system maintenance can occur.
    Type: String
    Default: 'mon:07:00-mon:07:30'
  DBMultiAZ:
    Description: Specifies if the database instance is deployed to multiple Availability Zones
    Type: String
    Default: false
    AllowedValues: [true, false]
  DBParameterGroup:
    Description: Parameter Group (must match the major version in DBEngineVersion)
    Type: String
    MinLength: '1'
    MaxLength: '255'
    Default: 'default.postgres15'
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: DB Details
        Parameters:
          - DBEngine
          - DBEngineVersion
          - DBInstanceType
          - DBParameterGroup
      - Label:
          default: DB Configuration
        Parameters:
          - DBInstanceIdentifier
          - DBName
          - DBInstanceMasterUsername
          - DBMultiAZ
      - Label:
          default: DB Storage
        Parameters:
          - DBAllocatedStorage
      - Label:
          default: DB Backup Retention
        Parameters:
          - DBPreferredMaintenanceWindow
          - DBPreferredBackupWindow
          - DBBackupRetentionPeriod
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${DBInstanceIdentifier}-rds-sg"
      GroupDescription: 'RDS security group'
      SecurityGroupIngress:
        # Admits every address in the VPC (CIDR exported by the network stack). If the
        # SonarQube and bastion hosts have their own security groups, one
        # SourceSecurityGroupId rule per caller is tighter than the whole VPC range.
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          CidrIp: !ImportValue vpc-cidr
          Description: Postgresql default port (Internal) for access via bastion host
      VpcId: !ImportValue 'vpc-id'
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: !Sub "${DBInstanceIdentifier}-subnetgroup"
      DBSubnetGroupName: !Sub "${DBInstanceIdentifier}-subnetgroup"
      SubnetIds:  # private subnets exported by the network stack
        - !ImportValue subnet-private-a
        - !ImportValue subnet-private-b
        - !ImportValue subnet-private-c
  DBInstancePassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${DBInstanceIdentifier}-db-password"
      Description: !Sub "The master instance password for the ${DBInstanceIdentifier} RDS database"
      GenerateSecretString:
        SecretStringTemplate: !Sub '{"username": "${DBInstanceMasterUsername}"}'
        GenerateStringKey: "password"
        PasswordLength: 20
        # RDS rejects '/', '@', '"' and "'" in master passwords; the remaining characters are
        # excluded so the value can go into JDBC URLs and shell commands without quoting trouble.
        ExcludeCharacters: ':/@"\;`%$'''
  SecretDBInstanceAttachment:
    # Adds host, port, engine and dbInstanceIdentifier to the secret once the instance exists,
    # so clients can read a complete connection record from Secrets Manager.
    DependsOn: DBInstancePassword
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId:
        Ref: DBInstancePassword
      TargetId:
        Ref: DBInstance
      TargetType: AWS::RDS::DBInstance
  DBInstance:
    DependsOn: DBInstancePassword
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: !Ref DBAllocatedStorage
      AllowMajorVersionUpgrade: false
      AutoMinorVersionUpgrade: true
      BackupRetentionPeriod: !Ref DBBackupRetentionPeriod
      CACertificateIdentifier: rds-ca-rsa2048-g1
      CopyTagsToSnapshot: true
      DBInstanceClass: !Ref DBInstanceType
      DBName: !Ref DBName
      DBInstanceIdentifier: !Ref DBInstanceIdentifier
      DBParameterGroupName: !Ref DBParameterGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
      DeletionProtection: true
      Engine: !Ref DBEngine
      EngineVersion: !Ref DBEngineVersion
      MasterUsername: !Ref DBInstanceMasterUsername
      # Dynamic reference: CloudFormation reads the generated password from the secret at
      # deploy time, so it is never stored in the template, parameters or stack events.
      MasterUserPassword: !Join [ '', [ '{{resolve:secretsmanager:', !Ref DBInstancePassword, ':SecretString:password}}' ] ]
      # MasterUserSecret is not set: it describes an RDS-managed password
      # (ManageMasterUserPassword: true) and its SecretArn is read-only, so it cannot link
      # a self-created secret and conflicts with MasterUserPassword. The secret above is
      # linked to the instance by SecretDBInstanceAttachment instead.
      MonitoringInterval: 60
      # Assumes an IAM role named rds-monitoring-role (trusting monitoring.rds.amazonaws.com,
      # with AmazonRDSEnhancedMonitoringRole attached) already exists in the account.
      MonitoringRoleArn: !Join [ "", [ "arn:aws:iam::", !Ref "AWS::AccountId", ":role/rds-monitoring-role" ] ]
      MultiAZ: !Ref DBMultiAZ
      PreferredBackupWindow: !Ref DBPreferredBackupWindow
      PreferredMaintenanceWindow: !Ref DBPreferredMaintenanceWindow
      PubliclyAccessible: false
      StorageEncrypted: true
      StorageType: gp3
      VPCSecurityGroups:
        - !Ref SecurityGroup
      Tags:
        - Key: Project
          Value: SonarQube
        - Key: Application
          Value: SonarQube
Outputs:
  SonarQubeRDSSG:
    Description: The security group for the RDS instance
    Value: !Ref SecurityGroup
    Export:
      Name: SonarQubeRDSSG
  SonarQubeDBInstanceEndpointAddress:
    Description: The endpoint address of the RDS instance
    Value: !GetAtt DBInstance.Endpoint.Address
    Export:
      Name: SonarQubeDBInstanceEndpointAddress
  SonarQubeDBInstanceName:
    Description: The name of the database
    Value: !Ref DBName
    Export:
      Name: SonarQubeDBInstanceName
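The controls this template leans on (no public endpoint, encrypted storage, deletion protection, a Secrets Manager dynamic reference instead of a literal master password, and an ingress rule that is not open to the world) are easy to lose in a later edit. The script below is an added example, not part of the gist and not an AWS tool: a stdlib-only policy check that runs offline in CI over the JSON form of a template. `HARDENED` is a constructed, abridged JSON rendering of the resources above; `weaken()` introduces three typical regressions so the output shows what each rule catches. The rule names, the `resolve()` flattening of `Fn::Join`/`Fn::Sub`/`Ref`/`Fn::ImportValue`, and all function names are the example's own assumptions.

```python
"""Offline policy check for an RDS CloudFormation template (added example, not the gist's code).
Runs on the JSON form of the template; the YAML short tags !Ref, !Join, !Sub and
!ImportValue correspond to the "Ref", "Fn::Join", "Fn::Sub" and "Fn::ImportValue" keys."""
import json
import re
from ipaddress import ip_network

# Dynamic reference that makes CloudFormation fetch the value from Secrets Manager at
# deploy time: {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>}}
SECRETSMANAGER_REF = re.compile(r"^\{\{resolve:secretsmanager:.+:SecretString:[^}]+\}\}$")


def resolve(value):
    """Flatten a property value as far as an offline check can: Fn::Join is concatenated,
    Fn::Sub keeps its ${...} placeholders, Ref/Fn::ImportValue become "${<fn>:<name>}"
    placeholders, scalars pass through, anything else (Fn::GetAtt, lists, ...) is None."""
    if isinstance(value, (str, int, bool)):
        return value
    if isinstance(value, dict) and len(value) == 1:
        key, arg = next(iter(value.items()))
        if key in ("Ref", "Fn::ImportValue") and isinstance(arg, str):
            return "${" + key + ":" + arg + "}"
        if key == "Fn::Sub" and isinstance(arg, str):
            return arg
        if key == "Fn::Join":
            parts = [resolve(p) for p in arg[1]]
            if all(isinstance(p, str) for p in parts):
                return arg[0].join(parts)
    return None


def check_db_instance(name, props):
    """Findings (rule, message) for one AWS::RDS::DBInstance."""
    p = {k: resolve(v) for k, v in props.items()}
    out = []
    if p.get("PubliclyAccessible") is True:
        out.append(("RDS-PUBLIC", f"{name}: PubliclyAccessible is true"))
    if p.get("StorageEncrypted") is not True:
        out.append(("RDS-UNENCRYPTED", f"{name}: StorageEncrypted is not true"))
    if p.get("DeletionProtection") is not True:
        out.append(("RDS-NO-DELETION-PROTECTION", f"{name}: DeletionProtection is not true"))
    pw = p.get("MasterUserPassword")
    if "MasterUserPassword" in props and not (isinstance(pw, str) and SECRETSMANAGER_REF.match(pw)):
        out.append(("RDS-PLAINTEXT-PASSWORD", f"{name}: MasterUserPassword is not a Secrets Manager reference"))
    if "MasterUserPassword" in props and "MasterUserSecret" in props:
        # MasterUserSecret describes an RDS-managed secret (ManageMasterUserPassword); it does not
        # attach a secret you created yourself and conflicts with a MasterUserPassword.
        out.append(("RDS-CONFLICTING-SECRET", f"{name}: MasterUserSecret set alongside MasterUserPassword"))
    return out


def check_security_group(name, props):
    """Findings for ingress rules open to every address."""
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = resolve(rule.get("CidrIp"))
        if not isinstance(cidr, str) or cidr.startswith("${"):
            continue  # source-security-group rule, or a CIDR imported from another stack
        if ip_network(cidr, strict=False).prefixlen == 0:
            out.append(("SG-WORLD-OPEN", f"{name}: {rule.get('IpProtocol')} "
                        f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}"))
    return out


def check_template(template):
    """Run every check over a parsed template; an empty list means clean."""
    checks = {"AWS::RDS::DBInstance": check_db_instance, "AWS::EC2::SecurityGroup": check_security_group}
    out = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") in checks:
            out += checks[res["Type"]](name, res.get("Properties", {}))
    return out


# Constructed, abridged JSON rendering of the gist template: only the properties the checks inspect.
HARDENED = json.loads('''{"Resources": {
  "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": {"Fn::ImportValue": "vpc-cidr"}}]}},
  "DBInstancePassword": {"Type": "AWS::SecretsManager::Secret", "Properties": {}},
  "DBInstance": {"Type": "AWS::RDS::DBInstance", "Properties": {
    "DeletionProtection": true, "PubliclyAccessible": false, "StorageEncrypted": true,
    "MasterUserPassword": {"Fn::Join": ["", ["{{resolve:secretsmanager:",
                                            {"Ref": "DBInstancePassword"}, ":SecretString:password}}"]]}}}}}''')


def weaken(template):
    """Deep copy with three common mistakes introduced (constructed bad input)."""
    t = json.loads(json.dumps(template))
    db = t["Resources"]["DBInstance"]["Properties"]
    db["PubliclyAccessible"], db["MasterUserPassword"] = True, "Sup3rSecret!"  # literal credential
    t["Resources"]["SecurityGroup"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "0.0.0.0/0"
    return t


if __name__ == "__main__":
    for label, tpl in (("hardened", HARDENED), ("weakened", weaken(HARDENED))):
        print(label, check_template(tpl))
```

To run it against the real YAML, convert the template with a CloudFormation-aware converter such as cfn-flip first, since plain PyYAML does not understand the `!Ref`/`!Sub` tags. Note what the check deliberately does not judge: a `CidrIp` imported from another stack (as `vpc-cidr` is above) and rules that use `SourceSecurityGroupId` are skipped rather than guessed at, so a clean result on this template still depends on what the network stack exports.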