
@homoluctus
Created August 16, 2020 22:36
RDS Proxy CloudFormation Template
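AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  RDS Proxy in front of an RDS/Aurora cluster. The proxy authenticates to the
  database with a Secrets Manager secret and assumes a dedicated IAM role that
  may only read that one secret (and decrypt it via Secrets Manager).

Parameters:
  # --- DB Proxy ---
  ProxyName:
    Type: String
    Description: Name of the DB proxy (DBProxyName).
  ProxyEngineFamily:
    Type: String
    Description: Database engine family the proxy speaks.
    AllowedValues:
      - MYSQL
      - POSTGRESQL
  ProxyIdleClientTimeout:
    Type: Number
    Description: Seconds a client connection may stay idle before the proxy closes it.
  ProxyRequireTLS:
    Type: String
    Description: >-
      Whether clients must use TLS to connect to the proxy. Values are quoted so
      the YAML loader keeps them as strings for this String parameter instead of
      turning them into booleans. Use "true" for anything beyond a sandbox.
    AllowedValues:
      - "true"
      - "false"
    Default: "false"
  ProxyVpcSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security groups attached to the proxy's network interfaces.
  ProxyVpcSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets the proxy is placed in (private subnets expected).

  # --- DB Proxy Target Group ---
  ProxyTargetConnectionBorrowTimeout:
    Type: Number
    Description: Seconds a client waits for a pooled connection before the proxy gives up.
  ProxyTargetMaxConnectionsPercent:
    Type: Number
    Description: Share (percent) of the DB max_connections the proxy may open.
    MinValue: 1
    MaxValue: 100
  ProxyTargetMaxIdleConnectionsPercent:
    Type: Number
    Description: Share (percent) of the DB max_connections the proxy may keep idle.
    MinValue: 0
    MaxValue: 100
  ProxyTargetDBClusterIdentifiers:
    Type: CommaDelimitedList
    Description: Identifiers of the DB clusters registered as proxy targets.

  # --- Secrets Manager ---
  SecretsManagerRoleName:
    Type: String
    Description: Name of the IAM role the proxy assumes to read the secret.
  SecretsManagerName:
    Type: String
    Description: >-
      Secret name as it appears in the secret's ARN. Secrets Manager appends a
      random 6-character suffix to secret ARNs and IAM matches Resource ARNs
      exactly, so include that suffix here or the policy below will not match.
  SecretsManagerKMSKeyId:
    Type: String
    Description: >-
      Key ID (not alias, not ARN) of the customer-managed KMS key that encrypts
      the secret; it is spliced into a key ARN below.
  SecretsManagerManagedPolicyName:
    Type: String
    Description: Name of the managed policy granting read access to the secret.

Resources:
  RDSProxy:
    Type: "AWS::RDS::DBProxy"
    Properties:
      Auth:
        - AuthScheme: SECRETS
          # DISABLED means clients authenticate to the proxy with database
          # credentials only; REQUIRED would force IAM-authenticated clients.
          IAMAuth: DISABLED
          # ${AWS::Partition} keeps the ARN valid outside the "aws" partition.
          SecretArn: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretsManagerName}"
      DBProxyName: !Ref ProxyName
      EngineFamily: !Ref ProxyEngineFamily
      IdleClientTimeout: !Ref ProxyIdleClientTimeout
      RequireTLS: !Ref ProxyRequireTLS
      # GetAtt on the role creates the dependency on the role (and, through
      # ManagedPolicyArns, on the policy) so the proxy is created last.
      RoleArn: !GetAtt SecretsManagerRole.Arn
      VpcSecurityGroupIds: !Ref ProxyVpcSecurityGroupIds
      VpcSubnetIds: !Ref ProxyVpcSubnetIds

  RDSProxyTargetGroup:
    Type: "AWS::RDS::DBProxyTargetGroup"
    Properties:
      ConnectionPoolConfigurationInfo:
        ConnectionBorrowTimeout: !Ref ProxyTargetConnectionBorrowTimeout
        MaxConnectionsPercent: !Ref ProxyTargetMaxConnectionsPercent
        MaxIdleConnectionsPercent: !Ref ProxyTargetMaxIdleConnectionsPercent
      DBClusterIdentifiers: !Ref ProxyTargetDBClusterIdentifiers
      DBProxyName: !Ref RDSProxy
      # RDS Proxy only supports the single target group named "default".
      TargetGroupName: default

  SecretsManagerRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "rds.amazonaws.com"
            Action:
              - "sts:AssumeRole"
            # NOTE(review): an aws:SourceAccount / aws:SourceArn condition would
            # narrow this trust to proxies in this account (confused-deputy
            # guard) - confirm RDS Proxy sets those keys before adding it.
      Description: "Use for RDS Proxy"
      ManagedPolicyArns:
        - !Ref SecretsManagerManagedPolicy
      Path: /
      RoleName: !Ref SecretsManagerRoleName

  SecretsManagerManagedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "Get values from Secrets Manager"
      ManagedPolicyName: !Ref SecretsManagerManagedPolicyName
      Path: /
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read access to exactly one secret; no list/describe on others.
          - Effect: Allow
            Action:
              - "secretsmanager:GetSecretValue"
            Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretsManagerName}"
          # Only needed when the secret uses a customer-managed key (the
          # AWS-managed aws/secretsmanager key needs no grant). kms:ViaService
          # limits the decrypt to calls made on the role's behalf by Secrets
          # Manager, so the role cannot decrypt arbitrary ciphertext directly.
          - Effect: Allow
            Action:
              - "kms:Decrypt"
            Resource: !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${SecretsManagerKMSKeyId}"
            Condition:
              StringEquals:
                kms:ViaService: !Sub "secretsmanager.${AWS::Region}.amazonaws.com"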
@phat-ng-eroad

Hi Anand,

Try this template:

{
   "RdsCluster":{
      "Type":"AWS::RDS::DBCluster",
      "Properties":{
         "VpcSecurityGroupIds":[
            {
               "Fn::ImportValue":{
                  "Fn::Sub":"${Environment}-xxxx"
               }
            },
            {
               "Ref":"SecurityGroupRds"
            }
         ]
      }
   },
   "SecurityGroupRds":{
      "Type":"AWS::EC2::SecurityGroup",
      "Properties":{
         "GroupDescription":"RDS Security Group",
         "SecurityGroupEgress":[
            {
               "CidrIp":"127.0.0.1/32",
               "IpProtocol":"-1"
            }
         ],
         "SecurityGroupIngress":[
            {
               
            }
         ]
      }
   },
   "MyRDSProxy":{
      "Condition":"EnableRDSProxy",
      "Type":"AWS::RDS::DBProxy",
      "Properties":{
         
      },
      "VpcSecurityGroupIds":[
         {
            "Fn::ImportValue":{
               "Fn::Sub":"${Environment}-xxxx"
            }
         },
         {
            "Ref":"SecurityGroupRds"
         }
      ],
      "VpcSubnetIds":[
         {
            "Fn::ImportValue":{
               "Fn::Sub":"${Environment}-base-PrivateSubnetA"
            }
         },
         {
            "Fn::ImportValue":{
               "Fn::Sub":"${Environment}-base-PrivateSubnetB"
            }
         }
      ]
   },
   "RdsSelfReferencing":{
      "Condition":"EnableRDSProxy",
      "Type":"AWS::EC2::SecurityGroupIngress",
      "Properties":{
         "GroupId":{
            "Ref":"SecurityGroupRds"
         },
         "IpProtocol":"tcp",
         "FromPort":5432,
         "ToPort":5432,
         "SourceSecurityGroupId":{
            "Fn::GetAtt":[
               "SecurityGroupRds",
               "GroupId"
            ]
         }
      }
   },
   "RDSProxyTargetGroup":{
      "Condition":"EnableRDSProxy",
      "Type":"AWS::RDS::DBProxyTargetGroup",
      "Properties":{
         "ConnectionPoolConfigurationInfo":{
            "MaxConnectionsPercent":{
               "Ref":"RdsProxyMaxConnectionsPercent"
            },
            "MaxIdleConnectionsPercent":{
               "Ref":"RdsProxyMaxIdleConnectionsPercent"
            },
            "ConnectionBorrowTimeout":{
               "Ref":"RdsProxyConnectionBorrowTimeout"
            }
         },
         "DBClusterIdentifiers":[
            {
               "Ref":"RdsCluster"
            }
         ],
         "DBProxyName":{
            "Ref":"MyRDSProxy"
         },
         "TargetGroupName":"default"
      }
   }
}
