Skip to content

Instantly share code, notes, and snippets.

@efekarakus
Created October 4, 2020 20:40
Show Gist options
  • Save efekarakus/1ab9a34f6d4c80f6b035be4b8198d00e to your computer and use it in GitHub Desktop.
Save efekarakus/1ab9a34f6d4c80f6b035be4b8198d00e to your computer and use it in GitHub Desktop.
Aurora Serverless Template for Addons
Parameters:
App:
Type: String
Description: Your application's name.
Env:
Type: String
Description: The environment name your service, job, or workflow is being deployed to.
Name:
Type: String
Description: The name of the service, job, or workflow being deployed.
Resources:
AuroraKMSCMK:
Type: 'AWS::KMS::Key'
DeletionPolicy: Retain
Properties:
KeyPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
- Effect: Allow
Principal:
AWS: '*'
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:CreateGrant'
- 'kms:ListGrants'
- 'kms:DescribeKey'
Resource: '*'
Condition:
StringEquals:
'kms:CallerAccount': !Ref 'AWS::AccountId'
'kms:ViaService': !Sub 'rds.${AWS::Region}.amazonaws.com'
AuroraKMSCMKAlias:
Type: 'AWS::KMS::Alias'
DeletionPolicy: Retain
DependsOn: ['AuroraDBCluster']
Properties:
AliasName: !Sub 'alias/${AuroraDBCluster}'
TargetKeyId: !Ref AuroraKMSCMK
DBSubnetGroup:
Type: 'AWS::RDS::DBSubnetGroup'
Properties:
DBSubnetGroupDescription: !Ref 'AWS::StackName'
SubnetIds: !Split [ ',', { 'Fn::ImportValue': !Sub '${App}-${Env}-PrivateSubnets' } ]
ClusterSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: !Ref 'AWS::StackName'
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 5432
ToPort: 5432
SourceSecurityGroupId: { 'Fn::ImportValue': !Sub '${App}-${Env}-EnvironmentSecurityGroup' }
Description: 'Access to environment security group'
VpcId: { 'Fn::ImportValue': !Sub '${App}-${Env}-VpcId' }
DBClusterParameterGroup:
Type: 'AWS::RDS::DBClusterParameterGroup'
Properties:
Description: !Ref 'AWS::StackName'
Family: 'aurora-postgresql10'
Parameters:
client_encoding: 'UTF8'
AuroraMasterSecret:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Join [ '/', [ !Ref App, !Ref Env, !Ref Name, 'aurora-pg' ] ]
Description: !Join [ '', [ 'Aurora PostgreSQL Master User Secret ', 'for CloudFormation Stack ', !Ref 'AWS::StackName' ] ]
GenerateSecretString:
SecretStringTemplate: '{"username": "postgres"}'
GenerateStringKey: "password"
ExcludeCharacters: '"@/\'
PasswordLength: 16
SecretAuroraClusterAttachment:
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
SecretId: !Ref AuroraMasterSecret
TargetId: !Ref AuroraDBCluster
TargetType: AWS::RDS::DBCluster
AuroraDBCluster:
Type: 'AWS::RDS::DBCluster'
Properties:
MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:username}}' ]]
MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:password}}' ]]
DatabaseName: 'votes'
Engine: aurora-postgresql
EngineVersion: '10.7'
EngineMode: serverless
StorageEncrypted: true
KmsKeyId: !Ref AuroraKMSCMK
DBClusterParameterGroupName: !Ref DBClusterParameterGroup
DBSubnetGroupName: !Ref DBSubnetGroup
VpcSecurityGroupIds:
- !Ref ClusterSecurityGroup
ScalingConfiguration:
AutoPause: true
MinCapacity: 2
MaxCapacity: 8
SecondsUntilAutoPause: 1000
Outputs:
RdsEndpoint: # injected as RDS_ENDPOINT environment variable by Copilot.
Description: 'The connection endpoint for the DB cluster.'
Value: !GetAtt 'AuroraDBCluster.Endpoint.Address'
RdsSecret: # injected as RDS_SECRET environment variable by Copilot.
Description: 'The secret that username and password.'
Value: !Ref AuroraMasterSecret
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment