Created
September 3, 2019 00:18
-
-
Save mludvig/5e6e56e2b8c0e82eabeb97c49eb1cae6 to your computer and use it in GitHub Desktop.
Standalone AWS Aurora template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: PostgreSQL Aurora Cluster | |
| Metadata: | |
| Author: Michael Ludvig <michael.ludvig@enterpriseit.co.nz> | |
| Parameters: | |
| DbName: | |
| Type: String | |
| Description: Master user name and main database name | |
| DbInstanceType: | |
| Type: String | |
| Default: db.r4.large | |
| AccessCidr: | |
| Type: String | |
| Default: 172.31.0.0/16 | |
| VpcId: | |
| Type: AWS::EC2::VPC::Id | |
| SubnetIds: | |
| Type: List<AWS::EC2::Subnet::Id> | |
| Description: Two subnets in two different availability zones of the same VPC. | |
| Resources: | |
| DbSubnetGroup: | |
| Type: AWS::RDS::DBSubnetGroup | |
| Properties: | |
| DBSubnetGroupDescription: DbSubnetGroup | |
| SubnetIds: !Ref SubnetIds | |
| DbCluster: | |
| Type: AWS::RDS::DBCluster | |
| Properties: | |
| Engine: aurora-postgresql | |
| EngineVersion: 10.7 | |
| DBClusterParameterGroupName: default.aurora-postgresql10 | |
| DatabaseName: !Ref DbName | |
| MasterUsername: !Sub "{{resolve:secretsmanager:${DatabaseMasterSecret}:SecretString:username}}" | |
| MasterUserPassword: !Sub "{{resolve:secretsmanager:${DatabaseMasterSecret}:SecretString:password}}" | |
| KmsKeyId: !Ref KMS | |
| StorageEncrypted: true | |
| BackupRetentionPeriod: 14 | |
| DBSubnetGroupName: !Ref DbSubnetGroup | |
| Port: 5432 | |
| VpcSecurityGroupIds: | |
| - !Ref DbSecurityGroup | |
| DbClusterInstance1: | |
| Type: AWS::RDS::DBInstance | |
| Properties: | |
| DBSubnetGroupName: !Ref DbSubnetGroup | |
| Engine: aurora-postgresql | |
| DBClusterIdentifier: !Ref DbCluster | |
| AvailabilityZone: !Select [ 0, { "Fn::GetAZs": "" } ] | |
| DBInstanceClass: !Ref DbInstanceType | |
| EnablePerformanceInsights: true | |
| PerformanceInsightsKMSKeyId: !Ref KMS | |
| PerformanceInsightsRetentionPeriod: 731 | |
| DbClusterInstance2: | |
| Type: AWS::RDS::DBInstance | |
| Properties: | |
| DBSubnetGroupName: !Ref DbSubnetGroup | |
| Engine: aurora-postgresql | |
| DBClusterIdentifier: !Ref DbCluster | |
| AvailabilityZone: !Select [ 1, { "Fn::GetAZs": "" } ] | |
| DBInstanceClass: !Ref DbInstanceType | |
| EnablePerformanceInsights: true | |
| PerformanceInsightsKMSKeyId: !Ref KMS | |
| PerformanceInsightsRetentionPeriod: 731 | |
| DbSecurityGroup: | |
| Type: AWS::EC2::SecurityGroup | |
| Properties: | |
| GroupDescription: Aurora Security Group | |
| VpcId: !Ref VpcId | |
| SecurityGroupIngress: | |
| - IpProtocol: tcp | |
| FromPort: 5432 | |
| ToPort: 5432 | |
| CidrIp: !Ref AccessCidr | |
| # === Store credentials in Parameter store / Secrets store === | |
| DatabaseMasterSecret: | |
| Type: AWS::SecretsManager::Secret | |
| Properties: | |
| Description: !Sub "${AWS::StackName} DB master password" | |
| GenerateSecretString: | |
| ExcludePunctuation: true | |
| SecretStringTemplate: !Sub '{"username": "${DbName}"}' | |
| GenerateStringKey: "password" | |
| KmsKeyId: !Ref KMS | |
| DatabaseUrlAll: | |
| Type: AWS::SSM::Parameter | |
| Properties: | |
| Description: Database URL in standard format | |
| Name: !Sub "/database/${DbName}/db-url-all" | |
| Type: String | |
| Value: !Sub "postgresql://${DbCluster.Endpoint.Address}:${DbCluster.Endpoint.Port},${DbCluster.ReadEndpoint.Address}:${DbCluster.Endpoint.Port}/${DbName}" | |
| DatabaseUrlReadWrite: | |
| Type: AWS::SSM::Parameter | |
| Properties: | |
| Description: Database URL in standard format - read only node | |
| Name: !Sub "/database/${DbName}/db-url-rw" | |
| Type: String | |
| Value: !Sub "postgresql://${DbCluster.Endpoint.Address}:${DbCluster.Endpoint.Port}/${DbName}" | |
| DatabaseUrlReadOnly: | |
| Type: AWS::SSM::Parameter | |
| Properties: | |
| Description: Database URL in standard format - read only node | |
| Name: !Sub "/database/${DbName}/db-url-ro" | |
| Type: String | |
| Value: !Sub "postgresql://${DbCluster.ReadEndpoint.Address}:${DbCluster.Endpoint.Port}/${DbName}" | |
| # === KMS configuration === | |
| KMS: | |
| Type: AWS::KMS::Key | |
| Properties: | |
| Description: !Sub "${AWS::StackName} KMS Key" | |
| EnableKeyRotation: false | |
| Enabled: true | |
| KeyPolicy: | |
| Version: "2012-10-17" | |
| Id: "key-default-1" | |
| Statement: | |
| - Sid: "Enable IAM User Permissions" | |
| Effect: "Allow" | |
| Principal: | |
| AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" | |
| Action: "kms:*" | |
| Resource: "*" | |
| KeyUsage: ENCRYPT_DECRYPT | |
| Tags: | |
| - Key: Name | |
| Value: !Ref AWS::StackName | |
| KMSAlias: | |
| Type: AWS::KMS::Alias | |
| Properties: | |
| AliasName: !Sub "alias/${AWS::StackName}" | |
| TargetKeyId: !Ref KMS | |
| ## ====== Outputs ====== | |
| Outputs: | |
| DbEndpoint: | |
| Value: !GetAtt DbCluster.Endpoint.Address | |
| DbEndpointReadOnly: | |
| Value: !GetAtt DbCluster.ReadEndpoint.Address | |
| DatabaseMasterSecret: | |
| Value: !Ref DatabaseMasterSecret | |
| DatabaseUrlParamAll: | |
| Value: !Ref DatabaseUrlAll | |
| DatabaseUrlReadWriteParameter: | |
| Value: !Ref DatabaseUrlReadWrite | |
| DatabaseUrlReadOnlyParameter: | |
| Value: !Ref DatabaseUrlReadOnly |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment