Created
October 4, 2020 20:40
-
-
Save efekarakus/1ab9a34f6d4c80f6b035be4b8198d00e to your computer and use it in GitHub Desktop.
Aurora Serverless Template for Addons
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Parameters: | |
App: | |
Type: String | |
Description: Your application's name. | |
Env: | |
Type: String | |
Description: The environment name your service, job, or workflow is being deployed to. | |
Name: | |
Type: String | |
Description: The name of the service, job, or workflow being deployed. | |
Resources: | |
AuroraKMSCMK: | |
Type: 'AWS::KMS::Key' | |
DeletionPolicy: Retain | |
Properties: | |
KeyPolicy: | |
Version: '2012-10-17' | |
Statement: | |
- Effect: Allow | |
Principal: | |
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' | |
Action: 'kms:*' | |
Resource: '*' | |
- Effect: Allow | |
Principal: | |
AWS: '*' | |
Action: | |
- 'kms:Encrypt' | |
- 'kms:Decrypt' | |
- 'kms:ReEncrypt*' | |
- 'kms:GenerateDataKey*' | |
- 'kms:CreateGrant' | |
- 'kms:ListGrants' | |
- 'kms:DescribeKey' | |
Resource: '*' | |
Condition: | |
StringEquals: | |
'kms:CallerAccount': !Ref 'AWS::AccountId' | |
'kms:ViaService': !Sub 'rds.${AWS::Region}.amazonaws.com' | |
AuroraKMSCMKAlias: | |
Type: 'AWS::KMS::Alias' | |
DeletionPolicy: Retain | |
DependsOn: ['AuroraDBCluster'] | |
Properties: | |
AliasName: !Sub 'alias/${AuroraDBCluster}' | |
TargetKeyId: !Ref AuroraKMSCMK | |
DBSubnetGroup: | |
Type: 'AWS::RDS::DBSubnetGroup' | |
Properties: | |
DBSubnetGroupDescription: !Ref 'AWS::StackName' | |
SubnetIds: !Split [ ',', { 'Fn::ImportValue': !Sub '${App}-${Env}-PrivateSubnets' } ] | |
ClusterSecurityGroup: | |
Type: 'AWS::EC2::SecurityGroup' | |
Properties: | |
GroupDescription: !Ref 'AWS::StackName' | |
SecurityGroupIngress: | |
- IpProtocol: tcp | |
FromPort: 5432 | |
ToPort: 5432 | |
SourceSecurityGroupId: { 'Fn::ImportValue': !Sub '${App}-${Env}-EnvironmentSecurityGroup' } | |
Description: 'Access to environment security group' | |
VpcId: { 'Fn::ImportValue': !Sub '${App}-${Env}-VpcId' } | |
DBClusterParameterGroup: | |
Type: 'AWS::RDS::DBClusterParameterGroup' | |
Properties: | |
Description: !Ref 'AWS::StackName' | |
Family: 'aurora-postgresql10' | |
Parameters: | |
client_encoding: 'UTF8' | |
AuroraMasterSecret: | |
Type: AWS::SecretsManager::Secret | |
Properties: | |
Name: !Join [ '/', [ !Ref App, !Ref Env, !Ref Name, 'aurora-pg' ] ] | |
Description: !Join [ '', [ 'Aurora PostgreSQL Master User Secret ', 'for CloudFormation Stack ', !Ref 'AWS::StackName' ] ] | |
GenerateSecretString: | |
SecretStringTemplate: '{"username": "postgres"}' | |
GenerateStringKey: "password" | |
ExcludeCharacters: '"@/\' | |
PasswordLength: 16 | |
SecretAuroraClusterAttachment: | |
Type: AWS::SecretsManager::SecretTargetAttachment | |
Properties: | |
SecretId: !Ref AuroraMasterSecret | |
TargetId: !Ref AuroraDBCluster | |
TargetType: AWS::RDS::DBCluster | |
AuroraDBCluster: | |
Type: 'AWS::RDS::DBCluster' | |
Properties: | |
MasterUsername: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:username}}' ]] | |
MasterUserPassword: !Join ['', ['{{resolve:secretsmanager:', !Ref AuroraMasterSecret, ':SecretString:password}}' ]] | |
DatabaseName: 'votes' | |
Engine: aurora-postgresql | |
EngineVersion: '10.7' | |
EngineMode: serverless | |
StorageEncrypted: true | |
KmsKeyId: !Ref AuroraKMSCMK | |
DBClusterParameterGroupName: !Ref DBClusterParameterGroup | |
DBSubnetGroupName: !Ref DBSubnetGroup | |
VpcSecurityGroupIds: | |
- !Ref ClusterSecurityGroup | |
ScalingConfiguration: | |
AutoPause: true | |
MinCapacity: 2 | |
MaxCapacity: 8 | |
SecondsUntilAutoPause: 1000 | |
Outputs: | |
RdsEndpoint: # injected as RDS_ENDPOINT environment variable by Copilot. | |
Description: 'The connection endpoint for the DB cluster.' | |
Value: !GetAtt 'AuroraDBCluster.Endpoint.Address' | |
RdsSecret: # injected as RDS_SECRET environment variable by Copilot. | |
Description: 'The secret that username and password.' | |
Value: !Ref AuroraMasterSecret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment