AWSTemplateFormatVersion: '2010-09-09' Description: Create an IAM Role for the RDS Proxy to access the Simple Book Store Aurora Postgres Database Parameters: AuroraVPCStackName: Description: Name of the Aurora Database VPC Cloudformation stack Type: String ProxyName: Description: Name of the RDS proxy Type: String Default: SOBRDSProxy AuroraDBClusterId: Description: Cluster ID of the Aurora Database Type: String AuroraDBSecretArn: Description: ARN of the Aurora Database Secret Type: String Resources: SOBRDSProxy: Type: AWS::RDS::DBProxy Properties: DBProxyName: !Ref ProxyName EngineFamily: POSTGRESQL RequireTLS: true RoleArn: !GetAtt SOBRDSProxyIamRole.Arn Auth: - {AuthScheme: SECRETS, SecretArn: !Ref AuroraDBSecretArn, IAMAuth: DISABLED, Description: sob-db-proxy-auth} VpcSecurityGroupIds: [{'Fn::ImportValue': !Sub '${AuroraVPCStackName}-SecretRotationLambdaSecurityGroup'}] VpcSubnetIds: !Split [',', {'Fn::ImportValue': !Sub '${AuroraVPCStackName}-SubnetsPrivate'}] SOBRDSProxyIamRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - rds.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: rds-proxy-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - secretsmanager:GetSecretValue - secretsmanager:PutResourcePolicy - secretsmanager:PutSecretValue - secretsmanager:DeleteSecret - secretsmanager:DescribeSecret - secretsmanager:TagResource - secretsmanager:CreateSecret - secretsmanager:ListSecrets - secretsmanager:GetRandomPassword Resource: !Ref AuroraDBSecretArn SOBRDSProxyTargetGroup: Type: AWS::RDS::DBProxyTargetGroup Properties: DBClusterIdentifiers: - !Ref AuroraDBClusterId DBProxyName: !Ref SOBRDSProxy TargetGroupName: default Outputs: SimpleOnlineBookstoreRDSProxyRole: Description: Simple Online Bookstore RDS Proxy IAM Role Value: !Ref SOBRDSProxyIamRole Export: Name: !Sub '${AWS::StackName}-SOBRDSProxyIamRole' SimpleOnlineBookstoreRDSProxyEndpoint: Description: Simple Online Bookstore RDS Proxy Endpoint Value: !GetAtt SOBRDSProxy.Endpoint Export: Name: !Sub '${AWS::StackName}-SOBRDSProxyEndpoint' SimpleOnlineBookstoreRDSProxyArn: Description: Simple Online Bookstore RDS Proxy Arn Value: !GetAtt SOBRDSProxy.DBProxyArn Export: Name: !Sub '${AWS::StackName}-SOBRDSProxyArn'