Network and Database Layers Template
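#
# Creates one RDS PostgreSQL instance and RDS Proxy
# with connections allowed in ports 443 and 5432
#
# Notes for reviewers:
#   - Ingress is self-referencing: only members of PostgresSecurityGroup (the
#     instance, the proxy, and any client placed in the group) can reach 5432
#     and 443. Put database clients in this group rather than widening the
#     SourceSecurityGroupId.
#   - Egress is declared inline on the security group (SecurityGroupEgress).
#     CloudFormation creates a default allow-all egress rule for a group that
#     has no inline egress, and standalone AWS::EC2::SecurityGroupEgress
#     resources only add to that default; inline rules replace it, so the
#     443/5432 restriction stated above is actually enforced.
#   - The proxy role trust policy is scoped to this account with
#     aws:SourceAccount so RDS resources in another account cannot assume it.
#   - BackupRetentionPeriod is 0 (no automated backups) and EngineVersion /
#     DBInstanceClass are pinned; check both against what RDS currently
#     supports before deploying this template.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Database Layer"
Parameters:
  VpcId:
    Type: String
    Description: Network Layer VPC Id
  PrivateSubnetAId:
    Type: String
    Description: Network Layer Private SubnetA Id
  PrivateSubnetBId:
    Type: String
    Description: Network Layer Private SubnetB Id
Resources:
  # Master credentials. The password is generated by Secrets Manager, so it
  # never appears in the template, in parameters, or in stack events.
  DatabaseSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        ExcludePunctuation: true
        GenerateStringKey: password
        IncludeSpace: false
        SecretStringTemplate: '{"username":"postgres"}'
  # Links the secret to the instance so Secrets Manager fills in the
  # connection details (host, port, engine) the proxy reads from the secret.
  DatabaseSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DatabaseSecret
      TargetId: !Ref PostgresInstance
      TargetType: AWS::RDS::DBInstance
  # Shared by the instance and the proxy; ingress rules are separate resources
  # below because a group cannot reference itself inline (circular dependency).
  PostgresSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Postgres Instance Security Group
      VpcId: !Ref VpcId
      # Inline egress removes CloudFormation's default allow-all egress rule.
      # 5432 lets the proxy reach the instance; 443 lets the proxy reach
      # Secrets Manager (through the NAT gateway or a VPC endpoint).
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          CidrIp: "0.0.0.0/0"
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"
  # Postgres traffic is only accepted from members of the same security group.
  PostgresSecurityGroupIngressPostgres:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref PostgresSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: !Ref PostgresSecurityGroup
  # Same self-referencing scope for 443 (e.g. an interface endpoint placed in
  # this group).
  PostgresSecurityGroupIngressHttps:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref PostgresSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref PostgresSecurityGroup
  # Both subnets are private ones from the network layer; together with
  # PubliclyAccessible: false the instance gets no public endpoint.
  PostgresInstanceSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnet group for PostgresInstance database
      SubnetIds:
        - !Ref PrivateSubnetAId
        - !Ref PrivateSubnetBId
  PostgresInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      # 0 disables automated backups and point-in-time recovery; raise this
      # (1-35 days) for anything that holds data you cannot recreate.
      BackupRetentionPeriod: 0
      DBInstanceClass: db.t2.small
      AllocatedStorage: "20"
      AllowMajorVersionUpgrade: false
      DBSubnetGroupName: !Ref PostgresInstanceSubnetGroup
      Engine: postgres
      # Pinned minor version; confirm it is still supported by RDS before use.
      EngineVersion: "11.5"
      # Dynamic references resolve the credentials at deploy time from the
      # secret, so they are not stored in the template.
      MasterUsername: !Join
        - ""
        - - "{{resolve:secretsmanager:"
          - Ref: DatabaseSecret
          - ":SecretString:username::}}"
      MasterUserPassword: !Join
        - ""
        - - "{{resolve:secretsmanager:"
          - Ref: DatabaseSecret
          - ":SecretString:password::}}"
      PubliclyAccessible: false
      StorageType: gp2
      # Encryption at rest with the default RDS-managed key (no KmsKeyId set).
      StorageEncrypted: true
      VPCSecurityGroups:
        - !GetAtt PostgresSecurityGroup.GroupId
  # Role the proxy assumes to read the database secret; it is limited to the
  # two read actions on this one secret.
  ProxyPostgresRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: rds.amazonaws.com
            # Confused-deputy guard: only RDS acting on behalf of this account
            # may assume the role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Path: /
      Policies:
        - PolicyName: !Sub ${AWS::StackName}-proxyPostgresRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                  - secretsmanager:DescribeSecret
                Resource: !Ref DatabaseSecret
  ProxyPostgresInstance:
    Type: AWS::RDS::DBProxy
    Properties:
      Auth:
        - AuthScheme: SECRETS
          # Clients present the secret's username/password to the proxy;
          # IAM authentication is not enabled here.
          IAMAuth: DISABLED
          SecretArn: !Ref DatabaseSecret
      DBProxyName: !Sub ${PostgresInstance}-proxy
      EngineFamily: POSTGRESQL
      IdleClientTimeout: 30
      # Clients must use TLS to the proxy endpoint.
      RequireTLS: true
      RoleArn: !GetAtt ProxyPostgresRole.Arn
      VpcSecurityGroupIds:
        - !GetAtt PostgresSecurityGroup.GroupId
      VpcSubnetIds:
        - !Ref PrivateSubnetAId
        - !Ref PrivateSubnetBId
  ProxyTargetGroup:
    Type: AWS::RDS::DBProxyTargetGroup
    Properties:
      DBProxyName: !Ref ProxyPostgresInstance
      DBInstanceIdentifiers:
        - !Ref PostgresInstance
      TargetGroupName: default
      ConnectionPoolConfigurationInfo:
        MaxConnectionsPercent: 100
        MaxIdleConnectionsPercent: 50
        ConnectionBorrowTimeout: 120
Outputs:
  DatabaseSecretArn:
    Value: !Ref DatabaseSecret
  PostgresSecurityGroupId:
    Value: !GetAtt PostgresSecurityGroup.GroupId
  PostgresProxyUrl:
    Value: !GetAtt ProxyPostgresInstance.Endpoint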
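#
# Creates one VPC with two public and two private subnets
#
# Layout inside 10.0.0.0/16:
#   PublicSubnetA  10.0.0.0/28   PublicSubnetB  10.0.0.80/28  (NAT gateways)
#   PrivateSubnetA 10.0.1.0/24   PrivateSubnetB 10.0.2.0/24  (workloads, database)
# Only the public subnets auto-assign public IPs. Each private subnet's default
# route goes through the NAT gateway in its own AZ, so private resources can
# reach the internet but accept no inbound connections from it.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Network Layer"
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  # Public subnets are /28 blocks (16 addresses, 5 reserved by AWS); they only
  # need to host the NAT gateways.
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.0.0.0/28
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Public Subnet (AZ1)
  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 1, !GetAZs '' ]
      # A /28 starts on a 16-address boundary; 10.0.0.82/28 is not the
      # network address of any /28 block, so the block is declared as
      # 10.0.0.80/28 (.80-.95), which does not overlap PublicSubnetA.
      CidrBlock: 10.0.0.80/28
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Public Subnet (AZ2)
  # Private subnets never assign public IPs; they are reachable only from
  # inside the VPC.
  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet (AZ1)
  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 1, !GetAZs '' ]
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Subnet (AZ2)
  # Elastic IPs for the NAT gateways; DependsOn ensures the internet gateway is
  # attached before the addresses are allocated.
  NatGatewayAEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
  NatGatewayBEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
  # One NAT gateway per AZ so a single-AZ failure does not cut the other AZ's
  # private subnet off from the internet.
  NatGatewayA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayAEIP.AllocationId
      SubnetId: !Ref PublicSubnetA
  NatGatewayB:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayBEIP.AllocationId
      SubnetId: !Ref PublicSubnetB
  # Public routing: default route straight to the internet gateway.
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Public Routes
  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetA
  PublicSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetB
  # Private routing, AZ1: default route via NatGatewayA.
  PrivateRouteTableA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Routes (AZ1)
  DefaultPrivateRouteA:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGatewayA
  PrivateSubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      SubnetId: !Ref PrivateSubnetA
  # Private routing, AZ2: default route via NatGatewayB.
  PrivateRouteTableB:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName} Private Routes (AZ2)
  DefaultPrivateRouteB:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGatewayB
  PrivateSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTableB
      SubnetId: !Ref PrivateSubnetB
# Exported so the database layer can be deployed into the private subnets.
Outputs:
  VpcId:
    Value: !Ref VPC
  PublicSubnetAId:
    Value: !Ref PublicSubnetA
  PublicSubnetBId:
    Value: !Ref PublicSubnetB
  PrivateSubnetAId:
    Value: !Ref PrivateSubnetA
  PrivateSubnetBId:
    Value: !Ref PrivateSubnetB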