AWSTemplateFormatVersion: '2010-09-09' Description: "Amazon Aurora MySQL, Do Not Remove Apache License Version 2.0 (qs-1r51947et) Jun,15,2019" Metadata: LICENSE: Apache License Version 2.0 cfn-lint: config: ignore_checks: - E9101 - W3011 - W2030 - E3002 - E1019 ############################################################################### # Parameter groups ############################################################################### AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Database Network configuration Parameters: - VPCID - Subnet1ID - Subnet2ID - CustomDBSecurityGroup - DBAccessCIDR - PubliclyAccessible - Label: default: Database General configuration Parameters: - DBEngineVersion - DBInstanceClass - ServerlessMinCapacity - ServerlessMaxCapacity - DBPort - DBName - DBMasterUsername - ManageMasterUserPassword - DBMasterUserPassword - DBMultiAZ - DBAutoMinorVersionUpgrade - DBBackupRetentionPeriod - EnableIAMDBAuth - DBBackTrack - Label: default: Database Storage configuration Parameters: - DBStorageEncrypted - StorageType - Label: default: Database Monitoring configuration Parameters: - DBExportLogToCloudwatch - EnablePerformanceInsights - PerformanceInsightsRetentionPeriod - EnableEnhancedMonitoring - MonitoringInterval - EnableEventSubscription - NotificationList - Label: default: Database tags (optional) Parameters: - EnvironmentStage - Application - ApplicationVersion - ProjectCostCenter - Confidentiality - Compliance ############################################################################### # Parameter labels ############################################################################### ParameterLabels: Application: default: Application name ApplicationVersion: default: Application version Compliance: default: Compliance classifier Confidentiality: default: Confidentiality classifier CustomDBSecurityGroup: default: Custom security group ID DBAccessCIDR: default: Database connection CIDR DBAutoMinorVersionUpgrade: default: Database auto minor version upgrade DBBackTrack: default: Backtrack window DBBackupRetentionPeriod: default: Database backup retention period DBEngineVersion: default: Database Engine Version DBExportLogToCloudwatch: default: Export database logs to CloudWatch DBInstanceClass: default: Database instance class DBMasterUsername: default: Database master username DBMasterUserPassword: default: Database master password DBMultiAZ: default: RDS Multi-AZ DB Instance deployment DBName: default: Database name DBPort: default: Database port DBStorageEncrypted: default: Database encryption enabled EnableEnhancedMonitoring: default: Enable Enhanced Monitoring EnableEventSubscription: default: Enable Event Subscription EnableIAMDBAuth: default: Enable IAM Database Authentication EnablePerformanceInsights: default: Enable RDS Performance Insights EnvironmentStage: default: Environment stage ManageMasterUserPassword: default: Manage DB master user password with AWS Secrets Manager MonitoringInterval: default: Enhanced monitoring interval NotificationList: default: SNS notification email PerformanceInsightsRetentionPeriod: default: Number of days to retain Performance Insights data ProjectCostCenter: default: Project cost center PubliclyAccessible: default: Publicly Accessible ServerlessMinCapacity: default: Minimum ACUs ServerlessMaxCapacity: default: Maximum ACUs Subnet1ID: default: Private subnet 1 ID Subnet2ID: default: Private subnet 2 ID StorageType: default: Aurora Storage Type VPCID: default: VPC ID ############################################################################### # Mappings ############################################################################### Mappings: DBFamilyMap: "Aurora-MySQL5.7-2.07.9": "family": "aurora-mysql5.7" "Aurora-MySQL5.7-2.11.1": "family": "aurora-mysql5.7" "Aurora-MySQL5.7-2.11.2": "family": "aurora-mysql5.7" "Aurora-MySQL5.7-2.11.3": "family": "aurora-mysql5.7" "Aurora-MySQL-3.01.0-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.01.1-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.02.0-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.02.1-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.02.2-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.02.3-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.03.0-MySQL8.0.23": "family": "aurora-mysql8.0" "Aurora-MySQL-3.03.1-MySQL8.0.23": "family": "aurora-mysql8.0" DBEngineVersionMap: "Aurora-MySQL5.7-2.07.9": "engineversion": "5.7.mysql_aurora.2.07.9" "Aurora-MySQL5.7-2.11.1": "engineversion": "5.7.mysql_aurora.2.11.1" "Aurora-MySQL5.7-2.11.2": "engineversion": "5.7.mysql_aurora.2.11.2" "Aurora-MySQL5.7-2.11.3": "engineversion": "5.7.mysql_aurora.2.11.3" "Aurora-MySQL-3.01.0-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.01.0" "Aurora-MySQL-3.01.1-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.01.1" "Aurora-MySQL-3.02.0-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.02.0" "Aurora-MySQL-3.02.1-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.02.1" "Aurora-MySQL-3.02.2-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.02.2" "Aurora-MySQL-3.02.3-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.02.3" "Aurora-MySQL-3.03.0-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.03.0" "Aurora-MySQL-3.03.1-MySQL8.0.23": "engineversion": "8.0.mysql_aurora.3.03.1" ############################################################################### # Conditions ############################################################################### Conditions: CreateSecurityGroup: !Equals - !Ref CustomDBSecurityGroup - '' CreateKMSKey: !Or - !Condition UseDatabaseEncryption - !Condition UseSecretsManager - !Condition EnablePI DoCreateDatabase: !Not - !Equals - !Ref DBName - '' isExportCWLogs: !Not - !Equals - !Join ["", !Ref DBExportLogToCloudwatch] - '' IsASV2: !Equals - !Ref DBInstanceClass - 'db.serverless' isReplica: !Equals - !Ref DBMultiAZ - 'true' EventSubscription: !Equals - !Ref EnableEventSubscription - 'true' EnableEM: !Equals - !Ref EnableEnhancedMonitoring - 'true' EnablePI: !Equals - !Ref EnablePerformanceInsights - 'true' UseDatabaseEncryption: !Equals - !Ref DBStorageEncrypted - "true" UseSecretsManager: !Equals - !Ref ManageMasterUserPassword - "true" ############################################################################### # Rules ############################################################################### Rules: SubnetsInVPC: Assertions: - Assert: !Equals [!ValueOf ["Subnet1ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 1 ID doesn't belong to the specified VPC" - Assert: !Equals [!ValueOf ["Subnet2ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 2 ID doesn't belong to the specified VPC" SubnetsUnique: Assertions: - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet2ID]] AssertDescription: "Please provide 2 distinct private subnets" ############################################################################### # Outputs ############################################################################### Outputs: DBName: Condition: DoCreateDatabase Description: "Amazon Aurora database name" Value: !Ref DBName DBMasterUsername: Description: "Amazon Aurora database master username" Value: !Ref DBMasterUsername MasterUserSecret: Condition: UseSecretsManager Description: "Master Credentials ARN" Value: !Sub "${AuroraDBCluster.MasterUserSecret.SecretArn}" RDSEndPointAddress: Description: "Amazon Aurora write endpoint" Value: !Sub "${AuroraDBCluster.Endpoint.Address}" RDSReadEndPointAddress: Description: "Amazon Aurora read endpoint" Value: !Sub "${AuroraDBCluster.ReadEndpoint.Address}" RDSEndPointPort: Description: "Amazon Aurora port" Value: !Sub "${AuroraDBCluster.Endpoint.Port}" RDSEndPoints: Description: "Full Amazon Aurora write endpoint" Value: !If [DoCreateDatabase, !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/${DBName}", !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/mysql"] RDSEncryptionKey: Condition: UseDatabaseEncryption Description: "The alias of the encryption key created for RDS" Value: !Ref EncryptionKeyAlias ############################################################################### # Parameters ############################################################################### Parameters: Application: Type: String Default: '' Description: "[Optional] Name of the application for the associated AWS resource." ApplicationVersion: Type: String Description: "[Optional] Version of the application." Default: '' Compliance: Type: String Default: '' Description: "[Optional] Compliance level for the AWS resource." AllowedValues: - hipaa - sox - fips - other - '' Confidentiality: Type: String Default: '' Description: "[Optional] Confidentiality classification of the data that is associated with the AWS resource." AllowedValues: - public - private - confidential - pii/phi - '' CustomDBSecurityGroup: Description: "ID of the security group (e.g., sg-0234se). One will be created for you if left empty." Type: String Default: '' DBAccessCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" Description: "Allowed CIDR block for external access (use VPC CIDR)." Type: String Default: 10.0.0.0/16 DBAutoMinorVersionUpgrade: AllowedValues: - "true" - "false" Default: "false" Description: "Select 'true' to set up auto minor version upgrade." Type: String DBBackTrack: Description: "The target backtrack window, in seconds. To disable backtracking, set this value to 0." Type: Number Default: 0 MinValue: 0 MaxValue: 259200 DBBackupRetentionPeriod: Default: 35 Description: "The number of days for which automatic database snapshots are retained." Type: Number MinValue: 0 MaxValue: 35 DBEngineVersion: Description: >- Select Database Engine Version. Aurora Serverless v2 with Aurora MySQL is supported for versions 3.02.0 and higher. Aurora I/O-Optimized configuration is available in Aurora MySQL version 3.03.1 and higher. For supported engines and Region availability for Aurora Serverless v2 with Aurora MySQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html Type: String Default: Aurora-MySQL-3.03.1-MySQL8.0.23 AllowedValues: - Aurora-MySQL5.7-2.07.9 - Aurora-MySQL5.7-2.11.1 - Aurora-MySQL5.7-2.11.2 - Aurora-MySQL5.7-2.11.3 - Aurora-MySQL-3.01.0-MySQL8.0.23 - Aurora-MySQL-3.01.1-MySQL8.0.23 - Aurora-MySQL-3.02.0-MySQL8.0.23 - Aurora-MySQL-3.02.1-MySQL8.0.23 - Aurora-MySQL-3.02.2-MySQL8.0.23 - Aurora-MySQL-3.02.3-MySQL8.0.23 - Aurora-MySQL-3.03.0-MySQL8.0.23 - Aurora-MySQL-3.03.1-MySQL8.0.23 DBExportLogToCloudwatch: Default: '' Description: "Specify the comma-delimited list of database logs (error, slowquery, audit, general) to export to CloudWatch Logs." Type: CommaDelimitedList DBInstanceClass: Description: >- The database instance type. Please see supported instance types for the MySQL version selected: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.SupportAurora Type: String Default: db.r6g.2xlarge AllowedValues: - db.r5.12xlarge - db.r5.16xlarge - db.r5.24xlarge - db.r5.2xlarge - db.r5.4xlarge - db.r5.8xlarge - db.r5.large - db.r5.xlarge - db.r6g.12xlarge - db.r6g.16xlarge - db.r6g.2xlarge - db.r6g.4xlarge - db.r6g.8xlarge - db.r6g.large - db.r6g.xlarge - db.r6i.12xlarge - db.r6i.16xlarge - db.r6i.24xlarge - db.r6i.2xlarge - db.r6i.32xlarge - db.r6i.4xlarge - db.r6i.8xlarge - db.r6i.large - db.r6i.xlarge - db.r7g.12xlarge - db.r7g.16xlarge - db.r7g.2xlarge - db.r7g.4xlarge - db.r7g.8xlarge - db.r7g.large - db.r7g.xlarge - db.serverless - db.t3.large - db.t3.medium - db.t3.small - db.t4g.large - db.t4g.medium - db.x2g.12xlarge - db.x2g.16xlarge - db.x2g.2xlarge - db.x2g.4xlarge - db.x2g.8xlarge - db.x2g.large - db.x2g.xlarge DBMasterUsername: AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." Default: admin Description: "Administrator user name for the database account." MaxLength: "16" MinLength: "1" Type: String DBMasterUserPassword: AllowedPattern: >- ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: >- Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol Default: "Gjht56Ft$" Description: "The database master user password. Required if _Manage DB master user password with AWS Secrets Manager_ option is set to false." MaxLength: "64" MinLength: "8" NoEcho: "True" Type: String DBMultiAZ: AllowedValues: - "true" - "false" Default: "true" Description: "Select 'true' to deploy a read-replica in another Availability Zone." Type: String DBName: AllowedPattern: "[a-zA-Z0-9]*" Description: "Name of the initial Aurora MySQL database to create." MaxLength: "64" MinLength: "0" Default: 'sampleapp' Type: String DBPort: Default: 3306 Description: "The port the instance will listen for connections on." Type: Number ConstraintDescription: "Must be in the range [1150-65535]." MinValue: 1150 MaxValue: 65535 DBStorageEncrypted: Default: "true" AllowedValues: - "true" - "false" Description: "To disable database encryption, choose 'false'." Type: String EnableEnhancedMonitoring: AllowedValues: - "true" - "false" Default: "true" Description: "Enables Enhanced Monitoring." Type: String EnableEventSubscription: AllowedValues: - "true" - "false" Default: "true" Description: "Enables event subscription to Notification List." Type: String EnableIAMDBAuth: AllowedValues: - "true" - "false" Default: "true" Description: "Enables IAM Database Authentication." Type: String EnablePerformanceInsights: AllowedValues: - "true" - "false" Default: "true" Description: "Enables RDS Performance Insights." Type: String EnvironmentStage: Type: String Description: "[Optional] Environment stage of the associated AWS resource." AllowedValues: - dev - test - pre-prod - prod - none Default: none ManageMasterUserPassword: AllowedValues: - "true" - "false" Default: "true" Description: "Set to 'true' to manage the master user password with AWS Secrets Manager." Type: String MonitoringInterval: Default: 10 Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." Type: Number AllowedValues: - 1 - 5 - 10 - 15 - 30 - 60 ConstraintDescription: "Valid values are 0, 1, 5, 10, 15, 30, 60 seconds." NotificationList: Type: String Default: 'db-ops@domain.com' Description: "The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications." AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: "Provide a valid email address." PerformanceInsightsRetentionPeriod: Default: 7 Description: "The number of days for which automatic database snapshots are retained. Specify days based on (month * 31), where month is a number of months from 1-23." Type: Number MinValue: 7 MaxValue: 713 ProjectCostCenter: Type: String Default: '' Description: "[Optional] Cost center associated with the project of the associated AWS resource." PubliclyAccessible: AllowedValues: - "true" - "false" Default: "false" Description: "Indicates whether the DB instance is an internet-facing instance." Type: String ServerlessMinCapacity: Default: 8 Description: >- Required if "db.serverless" is chosen as the database instance class. Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 1 ACU provides 2 GiB of memory and corresponding compute and networking. Type: String AllowedPattern: ([0-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) ConstraintDescription: "Only values from 0.5 to 128, in increments of 0.5." ServerlessMaxCapacity: Default: 64 Description: >- Required if "db.serverless" is chosen as the database instance class. Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 1 ACU provides 2 GiB of memory and corresponding compute and networking. Type: String AllowedPattern: ([1-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) ConstraintDescription: "Only values from 1 to 128, in increments of 0.5." StorageType: Type: String Description: >- Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type AllowedValues: - aurora - aurora-iopt1 Default: aurora Subnet1ID: Description: "ID of the private subnet in Availability Zone 1." Type: 'AWS::EC2::Subnet::Id' Subnet2ID: Description: "ID of the private subnet in Availability Zone 2." Type: 'AWS::EC2::Subnet::Id' VPCID: Description: "ID of the VPC you are deploying Aurora into (e.g., vpc-0343606e)." Type: 'AWS::EC2::VPC::Id' Default: '' ############################################################################### # Resources ############################################################################### Resources: RDSDBSubnetGroup: Properties: DBSubnetGroupDescription: "Subnets available for the Amazon RDS database instance" SubnetIds: - !Ref Subnet1ID - !Ref Subnet2ID Type: "AWS::RDS::DBSubnetGroup" RDSSecurityGroup: Condition: CreateSecurityGroup Properties: GroupDescription: "Allow access to database port" SecurityGroupEgress: - CidrIp: 0.0.0.0/0 FromPort: -1 IpProtocol: '-1' ToPort: -1 SecurityGroupIngress: - CidrIp: !Ref DBAccessCIDR FromPort: !Ref DBPort IpProtocol: tcp ToPort: !Ref DBPort VpcId: !Ref VPCID Tags: - Key: Name Value: !Sub RDSSecurityGroup-${AWS::StackName} Type: "AWS::EC2::SecurityGroup" RDSSecurityGroupIngress: Condition: CreateSecurityGroup Properties: GroupId: !GetAtt 'RDSSecurityGroup.GroupId' IpProtocol: '-1' SourceSecurityGroupId: !Ref RDSSecurityGroup Description: 'Self Reference' Type: 'AWS::EC2::SecurityGroupIngress' DBSNSTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: !Ref NotificationList Protocol: email EncryptionKey: Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyActionWildcard: "All KMS actions allowed by design" DeletionPolicy: Retain Type: AWS::KMS::Key Condition: CreateKMSKey Properties: EnableKeyRotation: true KeyPolicy: Version: 2012-10-17 Id: !Ref AWS::StackName Statement: - Effect: Allow Principal: AWS: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" Action: 'kms:*' Resource: '*' Tags: - Key: Name Value: !Ref AWS::StackName EncryptionKeyAlias: Type: AWS::KMS::Alias Condition: CreateKMSKey Properties: AliasName: !Sub "alias/${AWS::StackName}" TargetKeyId: !Ref EncryptionKey MRole: Type: AWS::IAM::Role Condition: EnableEM Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "monitoring.rds.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole RDSDBCPG: Type: AWS::RDS::DBClusterParameterGroup Properties: Description: !Join [ "- ", [ "Aurora MySQL Cluster Parameter Group for Cloudformation Stack ", !Ref DBName ] ] Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] Parameters: time_zone: UTC server_audit_logging: 1 server_audit_events: 'QUERY_DCL,QUERY_DDL,CONNECT' RDSDBPG: Type: AWS::RDS::DBParameterGroup Properties: Description: !Join [ "- ", [ "Aurora MySQL Database Instance Parameter Group for Cloudformation Stack ", !Ref DBName ] ] Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] Parameters: slow_query_log: 1 long_query_time: 5 log_output: 'FILE' innodb_print_all_deadlocks: 1 AuroraDBCluster: Metadata: cfn-lint: config: ignore_checks: - ERDSStorageEncryptionEnabled - E2521 ignore_reasons: - ERDSStorageEncryptionEnabled: "StorageEncryption is conditional" - E2521: "When ManageMasterUserPassword is set to true, MasterUserPassword is ignored" Type: AWS::RDS::DBCluster DeletionPolicy: Snapshot UpdateReplacePolicy: Snapshot Properties: BackupRetentionPeriod: !Ref DBBackupRetentionPeriod BacktrackWindow: !Ref DBBackTrack DatabaseName: !If - DoCreateDatabase - !Ref DBName - !Ref AWS::NoValue DBClusterIdentifier: !Sub ams-${AWS::StackName} DBClusterParameterGroupName: !Ref RDSDBCPG DBSubnetGroupName: !Ref RDSDBSubnetGroup EnableCloudwatchLogsExports: !If [isExportCWLogs, !Ref DBExportLogToCloudwatch, !Ref "AWS::NoValue"] EnableIAMDatabaseAuthentication: !Ref EnableIAMDBAuth Engine: aurora-mysql EngineVersion: !FindInMap [DBEngineVersionMap, !Ref DBEngineVersion, "engineversion"] KmsKeyId: !If [UseDatabaseEncryption, !GetAtt EncryptionKey.Arn, !Ref 'AWS::NoValue'] MasterUsername: !Ref DBMasterUsername ManageMasterUserPassword: !Ref ManageMasterUserPassword MasterUserPassword: !If [UseSecretsManager, !Ref 'AWS::NoValue', !Ref DBMasterUserPassword] MasterUserSecret: KmsKeyId: !If [UseSecretsManager, !Ref EncryptionKey, !Ref 'AWS::NoValue'] Port: !Ref DBPort ServerlessV2ScalingConfiguration: MinCapacity: !If [IsASV2, !Ref ServerlessMinCapacity, !Ref 'AWS::NoValue'] MaxCapacity: !If [IsASV2, !Ref ServerlessMaxCapacity, !Ref 'AWS::NoValue'] StorageEncrypted: !If [UseDatabaseEncryption, !Ref DBStorageEncrypted, !Ref 'AWS::NoValue'] StorageType: !Ref StorageType Tags: - Key: Name Value: !Sub AMS-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance VpcSecurityGroupIds: !If - CreateSecurityGroup - [!Ref RDSSecurityGroup] - [!Ref CustomDBSecurityGroup] Inst1: Type: AWS::RDS::DBInstance Metadata: cfn-lint: config: ignore_checks: - ERDSDBInstancePubliclyAccessible ignore_reasons: - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default" Properties: AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade DBClusterIdentifier: !Ref AuroraDBCluster DBInstanceClass: !Ref DBInstanceClass DBParameterGroupName: !Ref RDSDBPG EnablePerformanceInsights: !Ref EnablePerformanceInsights Engine: aurora-mysql MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] PubliclyAccessible: !Ref PubliclyAccessible Tags: - Key: Name Value: !Sub AMS-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance Inst2: Condition: isReplica Type: AWS::RDS::DBInstance Metadata: cfn-lint: config: ignore_checks: - ERDSDBInstancePubliclyAccessible ignore_reasons: - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default" Properties: AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade DBClusterIdentifier: !Ref AuroraDBCluster DBInstanceClass: !Ref DBInstanceClass DBParameterGroupName: !Ref RDSDBPG EnablePerformanceInsights: !Ref EnablePerformanceInsights Engine: aurora-mysql MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] PubliclyAccessible: !Ref PubliclyAccessible Tags: - Key: Name Value: !Sub AMS-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance CPUUtilizationAlarm1: Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'CPU_Utilization' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst1 MetricName: CPUUtilization Statistic: Maximum Namespace: 'AWS/RDS' Threshold: 80 Unit: Percent ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' CPUUtilizationAlarm2: Condition: isReplica Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'CPU_Utilization' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst2 MetricName: CPUUtilization Statistic: Maximum Namespace: 'AWS/RDS' Threshold: 80 Unit: Percent ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' FreeLocalStorageAlarm1: Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'Free Local Storage' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst1 MetricName: 'FreeLocalStorage' Statistic: Average Namespace: 'AWS/RDS' Threshold: '5368709120' Unit: Bytes ComparisonOperator: 'LessThanOrEqualToThreshold' Period: '60' EvaluationPeriods: '5' TreatMissingData: 'notBreaching' FreeLocalStorageAlarm2: Condition: isReplica Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'Free Local Storage' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst2 MetricName: 'FreeLocalStorage' Statistic: Average Namespace: 'AWS/RDS' Threshold: '5368709120' Unit: Bytes ComparisonOperator: 'LessThanOrEqualToThreshold' Period: '60' EvaluationPeriods: '5' TreatMissingData: 'notBreaching' DatabaseClusterEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - configuration change - creation - deletion - failover - failure - maintenance - notification SnsTopicArn: !Ref DBSNSTopic SourceIds: [!Ref AuroraDBCluster] SourceType: 'db-cluster' DatabaseInstanceEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - availability - configuration change - creation - deletion - failure - low storage - maintenance - notification - recovery - security patching SnsTopicArn: !Ref DBSNSTopic SourceIds: - !Ref Inst1 - !If [isReplica, !Ref Inst2, !Ref "AWS::NoValue"] SourceType: 'db-instance' DBParameterGroupEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - "configuration change" SnsTopicArn: !Ref DBSNSTopic SourceIds: [!Ref RDSDBPG] SourceType: 'db-parameter-group'