example.yml

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DBUser:
    Description: Username for master RDS user
    Type: String
    Default: INVALID
    NoEcho: true
    AllowedPattern: ^[A-Za-z][A-Za-z0-9_]{1,62}$
    ConstraintDescription: Must contain 1 to 63 alphanumeric characters. First character
      must be a letter.
  DBPass:
    Description: Password for master RDS user
    Type: String
    AllowedPattern: ^[^"@/]{8,128}$
    Default: INVALID-INVALID
    NoEcho: true

Resources:
  RDSDB:
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F23
            reason: false alarm - DBPass is NoEcho, never default
          - id: F24
            reason: false alarm - DBUser is NoEcho, never default
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      AllocatedStorage: '100'
      VPCSecurityGroups:
        - sg-00000000
      DBInstanceClass: db.t3.small
      Engine: postgres
      EngineVersion: '9.6'
      StorageType: gp2
      DBSubnetGroupName: abc123
      DBParameterGroupName: def345
      MasterUsername: !Ref DBUser
      MasterUserPassword: !Ref DBPass