AWSTemplateFormatVersion: '2010-09-09' Description: "Amazon Aurora PostgreSQL, Do Not Remove Apache License Version 2.0 (qs-1pj6s43e3) July,23,2019" Metadata: LICENSE: Apache License Version 2.0 cfn-lint: config: ignore_checks: - E9101 - W3011 - W2030 - E3002 - E1019 ############################################################################### # Parameter groups ############################################################################### AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Database Network configuration Parameters: - VPCID - Subnet1ID - Subnet2ID - CustomDBSecurityGroup - DBAccessCIDR - PubliclyAccessible - Label: default: Database General configuration Parameters: - DBEngineVersion - DBInstanceClass - MinACUs - MaxACUs - DBPort - DBName - DBMasterUsername - ManageMasterUserPassword - DBMasterUserPassword - DBMultiAZ - DBAutoMinorVersionUpgrade - DBBackupRetentionPeriod - EnableIAMDBAuth - Label: default: Database Storage configuration Parameters: - DBAllocatedStorageEncrypted - StorageType - Label: default: Database Monitoring configuration Parameters: - DBExportLogToCloudwatch - EnablePerformanceInsights - PerformanceInsightsRetentionPeriod - EnableEnhancedMonitoring - MonitoringInterval - EnableEventSubscription - NotificationList - Label: default: Database tags (optional) Parameters: - EnvironmentStage - Application - ApplicationVersion - ProjectCostCenter - Confidentiality - Compliance ############################################################################### # Parameter labels ############################################################################### ParameterLabels: Application: default: Application name ApplicationVersion: default: Application version Compliance: default: Compliance classifier Confidentiality: default: Confidentiality classifier CustomDBSecurityGroup: default: Custom security group ID DBAccessCIDR: default: Database connection CIDR DBAllocatedStorageEncrypted: default: Database encryption enabled DBAutoMinorVersionUpgrade: default: Database auto minor version upgrade DBBackupRetentionPeriod: default: Database backup retention period DBEngineVersion: default: Database Engine Version DBExportLogToCloudwatch: default: Export Database Log to CloudWatch DBInstanceClass: default: Database instance class DBMasterUsername: default: Database master username DBMasterUserPassword: default: Database master password DBMultiAZ: default: Multi-AZ deployment DBName: default: Database name DBPort: default: Database port EnableEnhancedMonitoring: default: Enable Enhanced Monitoring EnableEventSubscription: default: Enable Event Subscription EnableIAMDBAuth: default: Enable IAM Database Authentication EnablePerformanceInsights: default: Enable RDS Performance Insights EnvironmentStage: default: Environment stage ManageMasterUserPassword: default: Manage DB master user password with AWS Secrets Manager MaxACUs: default: Maximum Aurora Serverless v2 capacity units (ACUs) MinACUs: default: Minimum Aurora Serverless v2 capacity units (ACUs) MonitoringInterval: default: Enhanced monitoring interval NotificationList: default: SNS notification email PerformanceInsightsRetentionPeriod: default: Number of days to retain Performance Insights data ProjectCostCenter: default: Project cost center PubliclyAccessible: default: Publicly Accessible Subnet1ID: default: Private subnet 1 ID Subnet2ID: default: Private subnet 2 ID StorageType: default: Aurora Storage Type VPCID: default: VPC ID ############################################################################### # Mappings ############################################################################### Mappings: DBFamilyMap: '11.13': family: aurora-postgresql11 '11.14': family: aurora-postgresql11 '11.15': family: aurora-postgresql11 '11.16': family: aurora-postgresql11 '11.17': family: aurora-postgresql11 '11.18': family: aurora-postgresql11 '11.19': family: aurora-postgresql11 '12.8': family: aurora-postgresql12 '12.9': family: aurora-postgresql12 '12.10': family: aurora-postgresql12 '12.11': family: aurora-postgresql12 '12.12': family: aurora-postgresql12 '12.13': family: aurora-postgresql12 '12.14': family: aurora-postgresql12 '13.4': family: aurora-postgresql13 '13.5': family: aurora-postgresql13 '13.6': family: aurora-postgresql13 '13.7': family: aurora-postgresql13 '13.8': family: aurora-postgresql13 '13.9': family: aurora-postgresql13 '13.10': family: aurora-postgresql13 '14.3': family: aurora-postgresql14 '14.4': family: aurora-postgresql14 '14.5': family: aurora-postgresql14 '14.6': family: aurora-postgresql14 '14.7': family: aurora-postgresql14 '15.2': family: aurora-postgresql15 ############################################################################### # Conditions ############################################################################### Conditions: CreateSecurityGroup: !Equals - !Ref CustomDBSecurityGroup - '' CreateKMSKey: !Or - !Condition UseDatabaseEncryption - !Condition UseSecretsManager - !Condition EnablePI DoCreateDatabase: !Not - !Equals - !Ref DBName - '' EnableDBLogExport: !Equals - !Ref DBExportLogToCloudwatch - "true" IsASV2: !Equals - !Ref DBInstanceClass - 'db.serverless' IsDBMultiAZ: !Equals - !Ref DBMultiAZ - 'true' EventSubscription: !Equals - !Ref EnableEventSubscription - 'true' EnableEM: !Equals - !Ref EnableEnhancedMonitoring - 'true' EnablePI: !Equals - !Ref EnablePerformanceInsights - 'true' UseDatabaseEncryption: !Equals - !Ref DBAllocatedStorageEncrypted - "true" UseSecretsManager: !Equals - !Ref ManageMasterUserPassword - "true" ############################################################################### # Rules ############################################################################### Rules: SubnetsInVPC: Assertions: - Assert: !Equals [!ValueOf ["Subnet1ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 1 ID doesn't belong to the specified VPC" - Assert: !Equals [!ValueOf ["Subnet2ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 2 ID doesn't belong to the specified VPC" SubnetsUnique: Assertions: - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet2ID]] AssertDescription: "Please provide 2 distinct private subnets" ############################################################################### # Outputs ############################################################################### Outputs: DBName: Condition: DoCreateDatabase Description: "Amazon Aurora database name" Value: !Ref DBName DBMasterUsername: Description: "Amazon Aurora database master username" Value: !Ref DBMasterUsername MasterUserSecret: Condition: UseSecretsManager Description: "Master Credentials ARN" Value: !Sub "${AuroraDBCluster.MasterUserSecret.SecretArn}" RDSEndPointAddress: Description: "Amazon Aurora write endpoint" Value: !Sub ${AuroraDBCluster.Endpoint.Address} RDSReadEndPointAddress: Description: "Amazon Aurora read endpoint" Value: !Sub ${AuroraDBCluster.ReadEndpoint.Address} RDSEndPointPort: Description: "Amazon Aurora port" Value: !Sub ${AuroraDBCluster.Endpoint.Port} RDSEndPoints: Description: "Full Amazon Aurora write endpoint" Value: !If [DoCreateDatabase, !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/${DBName}", !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/postgres"] RDSEncryptionKey: Condition: UseDatabaseEncryption Description: The alias of the encryption key created for RDS Value: !Ref EncryptionKeyAlias ############################################################################### # Parameters ############################################################################### Parameters: Application: Type: String Default: '' Description: Designates the application of the associated AWS resource. (Optional) ApplicationVersion: Type: String Description: Designates the specific version of the application. (Optional) Default: '' Compliance: Type: String Default: '' Description: Designates the compliance level for the AWS resource. (Optional) AllowedValues: - hipaa - sox - fips - other - '' Confidentiality: Type: String Default: '' Description: Designates the confidentiality classification of the data that is associated with the resource. (Optional) AllowedValues: - public - private - confidential - pii/phi - '' CustomDBSecurityGroup: Description: "ID of the security group (e.g., sg-0234se). One will be created for you if left empty." Type: String Default: '' DBAccessCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" Description: "Allowed CIDR block for external access (use VPC CIDR)." Type: String Default: 10.0.0.0/16 DBAllocatedStorageEncrypted: Default: "true" AllowedValues: - "true" - "false" Description: Whether or not to encrypt the database. Type: String DBAutoMinorVersionUpgrade: AllowedValues: - "true" - "false" Default: "false" Description: "Select true to set up auto minor version upgrade." Type: String DBBackupRetentionPeriod: Default: 35 Description: "The number of days for which automatic database snapshots are retained." Type: Number MinValue: 0 MaxValue: 35 DBEngineVersion: Description: >- Select Database Engine Version. Aurora Serverless v2 with Aurora PostgreSQL is available in v13.6 & higher, v14.3 & higher, and v15.2 & higher. Aurora I/O-Optimized configuration is available in Aurora PostgreSQL v13.10 and higher, v14.7 and higher, and v15.2 and higher. For supported engines and Region availability for Aurora Serverless v2 with Aurora PostgreSQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html Type: String Default: 14.7 AllowedValues: - 11.13 - 11.14 - 11.15 - 11.16 - 11.17 - 11.18 - 11.19 - 12.8 - 12.9 - 12.10 - 12.11 - 12.12 - 12.13 - 12.14 - 13.4 - 13.5 - 13.6 - 13.7 - 13.8 - 13.9 - 13.10 - 14.3 - 14.4 - 14.5 - 14.6 - 14.7 - 15.2 DBExportLogToCloudwatch: Default: "true" AllowedValues: - "true" - "false" Description: Whether or not to export Database logs to CloudWatch Type: String DBInstanceClass: Default: db.r6g.2xlarge Description: >- The database instance type. Please see supported instance types for the Aurora PostgreSQL version selected https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html. Type: String AllowedValues: - db.r5.12xlarge - db.r5.16xlarge - db.r5.24xlarge - db.r5.2xlarge - db.r5.4xlarge - db.r5.8xlarge - db.r5.large - db.r5.xlarge - db.r6g.12xlarge - db.r6g.16xlarge - db.r6g.2xlarge - db.r6g.4xlarge - db.r6g.8xlarge - db.r6g.large - db.r6g.xlarge - db.r6i.12xlarge - db.r6i.16xlarge - db.r6i.24xlarge - db.r6i.2xlarge - db.r6i.32xlarge - db.r6i.4xlarge - db.r6i.8xlarge - db.r6i.large - db.r6i.xlarge - db.r7g.12xlarge - db.r7g.16xlarge - db.r7g.2xlarge - db.r7g.4xlarge - db.r7g.8xlarge - db.r7g.large - db.r7g.xlarge - db.serverless - db.t3.large - db.t3.medium - db.t4g.large - db.t4g.medium - db.x2g.12xlarge - db.x2g.16xlarge - db.x2g.2xlarge - db.x2g.4xlarge - db.x2g.8xlarge - db.x2g.large - db.x2g.xlarge DBMasterUsername: AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." Default: pgadmin Description: "The database master username." MaxLength: "16" MinLength: "1" Type: String DBMasterUserPassword: AllowedPattern: >- ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: >- Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol Default: "Gjht56Ft$" Description: The database master user password. Required if "Manage DB master user password with AWS Secrets Manager" option is set to false. MaxLength: "64" MinLength: "8" NoEcho: "True" Type: String DBMultiAZ: AllowedValues: - "true" - "false" Default: "true" Description: "Specifies if the database instance is a multiple Availability Zone deployment." Type: String DBName: AllowedPattern: "[a-zA-Z0-9]*" Description: "Name of the initial PostgreSQL database to create." MaxLength: "64" MinLength: "0" Default: 'sampleapp' Type: String DBPort: Default: 5432 Description: "The port the instance will listen for connections on." Type: Number ConstraintDescription: 'Must be in the range [1150-65535].' MinValue: 1150 MaxValue: 65535 EnableEnhancedMonitoring: AllowedValues: - "true" - "false" Default: "true" Description: "Enables RDS Performance Insights" Type: String EnableEventSubscription: AllowedValues: - "true" - "false" Default: "true" Description: "Enables event subscription to Notification List" Type: String EnableIAMDBAuth: AllowedValues: - "true" - "false" Default: "true" Description: "Enables IAM Database Authentication" Type: String EnablePerformanceInsights: AllowedValues: - "true" - "false" Default: "true" Description: "Enables RDS Performance Insights" Type: String EnvironmentStage: Type: String Description: Designates the environment stage of the associated AWS resource. (Optional) AllowedValues: - dev - test - pre-prod - prod - none Default: none ManageMasterUserPassword: AllowedValues: - "true" - "false" Default: "true" Description: "Set to true to manage the master user password with AWS Secrets Manager." Type: String MaxACUs: Default: "64" Description: >- Required if "db.serverless" is choosen as the database instance class. Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 1 ACU provides 2 GiB of memory and corresponding compute and networking. Type: String MinACUs: Default: "8" Description: >- Required if "db.serverless" is choosen as the database instance class. Specify minumum Aurora Serverless v2 Capacity Units (ACUs) in the range of 0.5 to 128 in increments of 0.5. 1 ACU provides 2 GiB of memory and corresponding compute and networking. Type: String MonitoringInterval: Default: 10 Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." Type: Number AllowedValues: - 1 - 5 - 10 - 15 - 30 - 60 ConstraintDescription: Valid values are 0, 1, 5, 10, 15, 30, 60 seconds. NotificationList: Type: String Default: 'db-ops@domain.com' Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: Provide a valid email address. PerformanceInsightsRetentionPeriod: Default: 7 Description: "The number of days for which automatic database snapshots are retained. Specify days based on (month * 31), where month is a number of months from 1-23" Type: Number MinValue: 7 MaxValue: 713 ProjectCostCenter: Type: String Default: '' Description: Designates the cost center associated with the project of the given AWS resource. (Optional) PubliclyAccessible: AllowedValues: - "true" - "false" Default: "false" Description: "Indicates whether the DB instance is an internet-facing instance" Type: String StorageType: Type: String Description: >- Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type AllowedValues: - aurora - aurora-iopt1 Default: aurora Subnet1ID: Description: The ID of the private subnet in Availability Zone 1. Type: 'AWS::EC2::Subnet::Id' Subnet2ID: Description: The ID of the private subnet in Availability Zone 2. Type: 'AWS::EC2::Subnet::Id' VPCID: Description: "ID of the VPC you are deploying Aurora into (e.g., vpc-0343606e)." Type: 'AWS::EC2::VPC::Id' Default: '' ############################################################################### # Resources ############################################################################### Resources: AuroraDBSubnetGroup: Properties: DBSubnetGroupDescription: "Subnets available for the Amazon Aurora database cluster" SubnetIds: - !Ref Subnet1ID - !Ref Subnet2ID Type: "AWS::RDS::DBSubnetGroup" RDSSecurityGroup: Condition: CreateSecurityGroup Properties: GroupDescription: "Allow access to database port" SecurityGroupEgress: - CidrIp: 0.0.0.0/0 FromPort: -1 IpProtocol: '-1' ToPort: -1 SecurityGroupIngress: - CidrIp: !Ref DBAccessCIDR FromPort: !Ref DBPort IpProtocol: tcp ToPort: !Ref DBPort VpcId: !Ref VPCID Tags: - Key: Name Value: !Sub RDSSecurityGroup-${AWS::StackName} Type: "AWS::EC2::SecurityGroup" RDSSecurityGroupIngress: Condition: CreateSecurityGroup Properties: GroupId: !GetAtt 'RDSSecurityGroup.GroupId' IpProtocol: '-1' SourceSecurityGroupId: !Ref RDSSecurityGroup Description: 'Self Reference' Type: 'AWS::EC2::SecurityGroupIngress' DBSNSTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: !Ref NotificationList Protocol: email EncryptionKey: Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyActionWildcard: "All KMS actions allowed by design" Condition: CreateKMSKey DeletionPolicy: Retain Type: AWS::KMS::Key Properties: EnableKeyRotation: true KeyPolicy: Version: 2012-10-17 Id: !Ref AWS::StackName Statement: - Effect: Allow Principal: AWS: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" Action: 'kms:*' Resource: '*' Tags: - Key: Name Value: !Ref AWS::StackName EncryptionKeyAlias: Condition: UseDatabaseEncryption Type: AWS::KMS::Alias Properties: AliasName: !Sub "alias/${AWS::StackName}" TargetKeyId: !Ref EncryptionKey MRole: Type: AWS::IAM::Role Condition: EnableEM Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "monitoring.rds.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole APGDBPG: Type: AWS::RDS::DBParameterGroup Properties: Description: !Join [ "- ", [ "Aurora PG Database Instance Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] Parameters: log_rotation_age: '1440' log_rotation_size: '102400' APGDBCPG: Type: AWS::RDS::DBClusterParameterGroup Properties: Description: !Join [ "- ", [ "Aurora PG Cluster Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] Parameters: rds.force_ssl: 0 AuroraDBCluster: Metadata: cfn-lint: config: ignore_checks: - ERDSStorageEncryptionEnabled - E2521 ignore_reasons: - ERDSStorageEncryptionEnabled: "StorageEncryption is conditional" - E2521: "When ManageMasterUserPassword is set to true, MasterUserPassword is ignored" Type: "AWS::RDS::DBCluster" DeletionPolicy: Snapshot UpdateReplacePolicy: Snapshot Properties: BackupRetentionPeriod: !Ref DBBackupRetentionPeriod DatabaseName: !If - DoCreateDatabase - !Ref DBName - !Ref AWS::NoValue DBClusterIdentifier: !Sub apg-${AWS::StackName} DBClusterParameterGroupName: !Ref APGDBCPG DBSubnetGroupName: !Ref AuroraDBSubnetGroup EnableCloudwatchLogsExports: - !If [EnableDBLogExport, postgresql, !Ref 'AWS::NoValue'] EnableIAMDatabaseAuthentication: !Ref EnableIAMDBAuth Engine: aurora-postgresql EngineVersion: !Ref DBEngineVersion KmsKeyId: !If [UseDatabaseEncryption, !GetAtt EncryptionKey.Arn, !Ref 'AWS::NoValue'] MasterUsername: !Ref DBMasterUsername ManageMasterUserPassword: !Ref ManageMasterUserPassword MasterUserPassword: !If [UseSecretsManager, !Ref 'AWS::NoValue', !Ref DBMasterUserPassword] MasterUserSecret: KmsKeyId: !If [UseSecretsManager, !Ref EncryptionKey, !Ref 'AWS::NoValue'] Port: !Ref DBPort ServerlessV2ScalingConfiguration: MinCapacity: !If [IsASV2, !Ref MinACUs, !Ref 'AWS::NoValue'] MaxCapacity: !If [IsASV2, !Ref MaxACUs, !Ref 'AWS::NoValue'] StorageEncrypted: !If [UseDatabaseEncryption, !Ref DBAllocatedStorageEncrypted, !Ref 'AWS::NoValue'] StorageType: !Ref StorageType Tags: - Key: Name Value: !Sub APG-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance VpcSecurityGroupIds: !If - CreateSecurityGroup - [!Ref RDSSecurityGroup] - [!Ref CustomDBSecurityGroup] Inst1: Type: "AWS::RDS::DBInstance" Metadata: cfn-lint: config: ignore_checks: - ERDSDBInstancePubliclyAccessible ignore_reasons: - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default" Properties: AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade DBClusterIdentifier: !Ref AuroraDBCluster DBInstanceClass: !Ref DBInstanceClass DBParameterGroupName: !Ref APGDBPG EnablePerformanceInsights: !Ref EnablePerformanceInsights Engine: aurora-postgresql MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] PubliclyAccessible: !Ref PubliclyAccessible Tags: - Key: Name Value: !Sub APG-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance Inst2: Type: "AWS::RDS::DBInstance" Condition: IsDBMultiAZ Metadata: cfn-lint: config: ignore_checks: - ERDSDBInstancePubliclyAccessible ignore_reasons: - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default" Properties: AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade DBClusterIdentifier: !Ref AuroraDBCluster DBInstanceClass: !Ref DBInstanceClass DBParameterGroupName: !Ref APGDBPG EnablePerformanceInsights: !Ref EnablePerformanceInsights Engine: aurora-postgresql MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] PubliclyAccessible: !Ref PubliclyAccessible Tags: - Key: Name Value: !Sub APG-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance CPUUtilizationAlarm1: Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'CPU_Utilization' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst1 MetricName: CPUUtilization Statistic: Maximum Namespace: 'AWS/RDS' Threshold: 80 Unit: Percent ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' CPUUtilizationAlarm2: Condition: IsDBMultiAZ Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'CPU_Utilization' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst2 MetricName: CPUUtilization Statistic: Maximum Namespace: 'AWS/RDS' Threshold: 80 Unit: Percent ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' MaxUsedTxIDsAlarm1: Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'Maximum Used Transaction IDs' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst1 MetricName: 'MaximumUsedTransactionIDs' Statistic: Average Namespace: 'AWS/RDS' Threshold: 600000000 Unit: Count ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' MaxUsedTxIDsAlarm2: Condition: IsDBMultiAZ Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'Maximum Used Transaction IDs' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst2 MetricName: 'MaximumUsedTransactionIDs' Statistic: Average Namespace: 'AWS/RDS' Threshold: 600000000 Unit: Count ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' FreeLocalStorageAlarm1: Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'Free Local Storage' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst1 MetricName: 'FreeLocalStorage' Statistic: Average Namespace: 'AWS/RDS' Threshold: 5368709120 Unit: Bytes ComparisonOperator: 'LessThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' FreeLocalStorageAlarm2: Condition: IsDBMultiAZ Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'Free Local Storage' Dimensions: - Name: DBInstanceIdentifier Value: Ref: Inst2 MetricName: 'FreeLocalStorage' Statistic: Average Namespace: 'AWS/RDS' Threshold: 5368709120 Unit: Bytes ComparisonOperator: 'LessThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' DatabaseClusterEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - configuration change - creation - deletion - failover - failure - maintenance - notification SnsTopicArn: !Ref DBSNSTopic SourceIds: [!Ref AuroraDBCluster] SourceType: 'db-cluster' DatabaseInstanceEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - availability - configuration change - creation - deletion - failure - low storage - maintenance - notification - recovery - security patching SnsTopicArn: !Ref DBSNSTopic SourceIds: - !Ref Inst1 - !If [IsDBMultiAZ, !Ref Inst2, !Ref "AWS::NoValue"] SourceType: 'db-instance' DBParameterGroupEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - "configuration change" SnsTopicArn: !Ref DBSNSTopic SourceIds: - !Ref APGDBPG SourceType: 'db-parameter-group'