efekarakus/db.template.yaml

## db.template.yaml
Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.
  Name:
    Type: String
    Description: The name of the service, job, or workflow being deployed.

Resources:
  AuroraKMSCMK:
    Type: 'AWS::KMS::Key'
    DeletionPolicy: Retain
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
          - Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - 'kms:Encrypt'
              - 'kms:Decrypt'
              - 'kms:ReEncrypt*'
              - 'kms:GenerateDataKey*'
              - 'kms:CreateGrant'
              - 'kms:ListGrants'
              - 'kms:DescribeKey'
            Resource: '*'
            Condition:
              StringEquals:
                'kms:CallerAccount': !Ref 'AWS::AccountId'
                'kms:ViaService': !Sub 'rds.${AWS::Region}.amazonaws.com'

  AuroraKMSCMKAlias:
    Type: 'AWS::KMS::Alias'
    DeletionPolicy: Retain
    DependsOn: ['AuroraDBCluster']
    Properties:
      AliasName: !Sub 'alias/${AuroraDBCluster}'
      TargetKeyId: !Ref AuroraKMSCMK

  DBSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      DBSubnetGroupDescription: !Ref 'AWS::StackName'
      SubnetIds: !Split [ ',', { 'Fn::ImportValue': !Sub '${App}-${Env}-PrivateSubnets' } ]

  ClusterSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: !Ref 'AWS::StackName'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: { 'Fn::ImportValue': !Sub '${App}-${Env}-EnvironmentSecurityGroup' }
          Description: 'Access to environment security group'
      VpcId: { 'Fn::ImportValue': !Sub '${App}-${Env}-VpcId' }

  DBClusterParameterGroup:
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: !Ref 'AWS::StackName'
      Family: 'aurora-postgresql10'
      Parameters:
        client_encoding: 'UTF8'

  AuroraMasterSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Join [ '/', [ !Ref App, !Ref Env, !Ref Name, 'aurora-pg' ] ]
      Description: !Join [ '', [ 'Aurora PostgreSQL Master User Secret ', 'for CloudFormation Stack ', !Ref 'AWS::StackName' ] ]
      GenerateSecretString:
        SecretStringTemplate: '{"username": "postgres"}'
        GenerateStringKey: "password"
        ExcludeCharacters: '"@/\'
        PasswordLength: 16

  SecretAuroraClusterAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref AuroraMasterSecret
      TargetId: !Ref AuroraDBCluster
      TargetType: AWS::RDS::DBCluster

  AuroraDBCluster:
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:username}}' ]]
      MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:password}}' ]]
      DatabaseName: 'votes'
      Engine: aurora-postgresql
      EngineVersion: '10.7'
      EngineMode: serverless
      StorageEncrypted: true
      KmsKeyId: !Ref AuroraKMSCMK
      DBClusterParameterGroupName: !Ref DBClusterParameterGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
      VpcSecurityGroupIds:
        - !Ref ClusterSecurityGroup
      ScalingConfiguration:
        AutoPause: true
        MinCapacity: 2
        MaxCapacity: 8
        SecondsUntilAutoPause: 1000

Outputs:
  RdsEndpoint: # injected as RDS_ENDPOINT environment variable by Copilot.
    Description: 'The connection endpoint for the DB cluster.'
    Value: !GetAtt 'AuroraDBCluster.Endpoint.Address'

  RdsSecret: # injected as RDS_SECRET environment variable by Copilot.
    Description: 'The secret that username and password.'
    Value: !Ref AuroraMasterSecret
	Parameters:
	App:
	Type: String
	Description: Your application's name.
	Env:
	Type: String
	Description: The environment name your service, job, or workflow is being deployed to.
	Name:
	Type: String
	Description: The name of the service, job, or workflow being deployed.

	Resources:
	AuroraKMSCMK:
	Type: 'AWS::KMS::Key'
	DeletionPolicy: Retain
	Properties:
	KeyPolicy:
	Version: '2012-10-17'
	Statement:
	- Effect: Allow
	Principal:
	AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
	Action: 'kms:*'
	Resource: '*'
	- Effect: Allow
	Principal:
	AWS: '*'
	Action:
	- 'kms:Encrypt'
	- 'kms:Decrypt'
	- 'kms:ReEncrypt*'
	- 'kms:GenerateDataKey*'
	- 'kms:CreateGrant'
	- 'kms:ListGrants'
	- 'kms:DescribeKey'
	Resource: '*'
	Condition:
	StringEquals:
	'kms:CallerAccount': !Ref 'AWS::AccountId'
	'kms:ViaService': !Sub 'rds.${AWS::Region}.amazonaws.com'

	AuroraKMSCMKAlias:
	Type: 'AWS::KMS::Alias'
	DeletionPolicy: Retain
	DependsOn: ['AuroraDBCluster']
	Properties:
	AliasName: !Sub 'alias/${AuroraDBCluster}'
	TargetKeyId: !Ref AuroraKMSCMK

	DBSubnetGroup:
	Type: 'AWS::RDS::DBSubnetGroup'
	Properties:
	DBSubnetGroupDescription: !Ref 'AWS::StackName'
	SubnetIds: !Split [ ',', { 'Fn::ImportValue': !Sub '${App}-${Env}-PrivateSubnets' } ]

	ClusterSecurityGroup:
	Type: 'AWS::EC2::SecurityGroup'
	Properties:
	GroupDescription: !Ref 'AWS::StackName'
	SecurityGroupIngress:
	- IpProtocol: tcp
	FromPort: 5432
	ToPort: 5432
	SourceSecurityGroupId: { 'Fn::ImportValue': !Sub '${App}-${Env}-EnvironmentSecurityGroup' }
	Description: 'Access to environment security group'
	VpcId: { 'Fn::ImportValue': !Sub '${App}-${Env}-VpcId' }

	DBClusterParameterGroup:
	Type: 'AWS::RDS::DBClusterParameterGroup'
	Properties:
	Description: !Ref 'AWS::StackName'
	Family: 'aurora-postgresql10'
	Parameters:
	client_encoding: 'UTF8'

	AuroraMasterSecret:
	Type: AWS::SecretsManager::Secret
	Properties:
	Name: !Join [ '/', [ !Ref App, !Ref Env, !Ref Name, 'aurora-pg' ] ]
	Description: !Join [ '', [ 'Aurora PostgreSQL Master User Secret ', 'for CloudFormation Stack ', !Ref 'AWS::StackName' ] ]
	GenerateSecretString:
	SecretStringTemplate: '{"username": "postgres"}'
	GenerateStringKey: "password"
	ExcludeCharacters: '"@/\'
	PasswordLength: 16

	SecretAuroraClusterAttachment:
	Type: AWS::SecretsManager::SecretTargetAttachment
	Properties:
	SecretId: !Ref AuroraMasterSecret
	TargetId: !Ref AuroraDBCluster
	TargetType: AWS::RDS::DBCluster

	AuroraDBCluster:
	Type: 'AWS::RDS::DBCluster'
	Properties:
	MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:username}}' ]]
	MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:password}}' ]]
	DatabaseName: 'votes'
	Engine: aurora-postgresql
	EngineVersion: '10.7'
	EngineMode: serverless
	StorageEncrypted: true
	KmsKeyId: !Ref AuroraKMSCMK
	DBClusterParameterGroupName: !Ref DBClusterParameterGroup
	DBSubnetGroupName: !Ref DBSubnetGroup
	VpcSecurityGroupIds:
	- !Ref ClusterSecurityGroup
	ScalingConfiguration:
	AutoPause: true
	MinCapacity: 2
	MaxCapacity: 8
	SecondsUntilAutoPause: 1000

	Outputs:
	RdsEndpoint: # injected as RDS_ENDPOINT environment variable by Copilot.
	Description: 'The connection endpoint for the DB cluster.'
	Value: !GetAtt 'AuroraDBCluster.Endpoint.Address'

	RdsSecret: # injected as RDS_SECRET environment variable by Copilot.
	Description: 'The secret that username and password.'
	Value: !Ref AuroraMasterSecret