AWSTemplateFormatVersion: '2010-09-09' Description: "Amazon RDS SQLServer,Do Not Remove Apache License Version 2.0 (qs-1u8od96fj) Jun,06,2023" Metadata: LICENSE: Apache License Version 2.0 cfn-lint: config: ignore_checks: - E9101 - W3011 AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Database Network configuration Parameters: - VPCID - Subnet1ID - Subnet2ID - Subnet3ID - CustomDBSecurityGroup - DBAccessCIDR - PubliclyAccessible - Label: default: Database General configuration Parameters: - DBEngine - DBEngineVersion - DBInstanceClass - DBPort - DBMasterUsername - ManageMasterUserPassword - DBMasterUserPassword - DBMultiAZ - DBAutoMinorVersionUpgrade - DBBackupRetentionPeriod - Label: default: Database Storage configuration Parameters: - DBStorageType - DBAllocatedStorage - DBAllocatedStorageEncrypted - StorageIOPS - StorageThroughput - Label: default: Database Monitoring configuration Parameters: - DBExportLogToCloudwatch - EnablePerformanceInsights - PerformanceInsightsRetentionPeriod - EnableEnhancedMonitoring - MonitoringInterval - EnableEventSubscription - NotificationList - Label: default: Database tags (optional) Parameters: - EnvironmentStage - Application - ApplicationVersion - ProjectCostCenter - Confidentiality - Compliance ParameterLabels: Application: default: Application name ApplicationVersion: default: Application version Compliance: default: Compliance classifier Confidentiality: default: Confidentiality classifier CustomDBSecurityGroup: default: Custom security group ID DBAccessCIDR: default: Database connection CIDR DBAllocatedStorage: default: Database allocated storage size in GiB DBAllocatedStorageEncrypted: default: Database encryption enabled DBAutoMinorVersionUpgrade: default: Database auto minor version upgrade DBBackupRetentionPeriod: default: Database backup retention period Engine: default: SQL Server edition type DBEngineVersion: default: Database Engine Version DBExportLogToCloudwatch: default: Export Database Log to CloudWatch DBInstanceClass: default: Database instance class DBMasterUsername: default: Database master username DBMasterUserPassword: default: Database master password DBMultiAZ: default: RDS Multi-AZ DB Instance deployment DBPort: default: Database port DBStorageType: default: Database storage type EnableEnhancedMonitoring: default: Enable Enhanced Monitoring EnableEventSubscription: default: Enable Event Subscription EnablePerformanceInsights: default: Enable RDS Performance Insights EnvironmentStage: default: Environment stage ManageMasterUserPassword: default: Manage DB master user password with AWS Secrets Manager MonitoringInterval: default: Enhanced monitoring interval NotificationList: default: SNS notification email PerformanceInsightsRetentionPeriod: default: Number of days to retain Performance Insights data ProjectCostCenter: default: Project cost center PubliclyAccessible: default: Publicly Accessible StorageIOPS: default: Provisioned IOPS for gp3/io1 storage type StorageThroughput: default: Provisioned Throughput for gp3 storage type in MiBps Subnet1ID: default: Private subnet 1 ID Subnet2ID: default: Private subnet 2 ID Subnet3ID: default: Private subnet 3 ID VPCID: default: VPC ID Mappings: DBFamilyMap: 12.00.6293.0.v1: sqlserveree: sqlserver-ee-12.0 sqlserverse: sqlserver-se-12.0 sqlserverex: sqlserver-ex-12.0 sqlserverweb: sqlserver-web-12.0 15.00.4236.7.v1: sqlserveree: sqlserver-ee-15.0 sqlserverse: sqlserver-se-15.0 sqlserverex: sqlserver-ex-15.0 sqlserverweb: sqlserver-web-15.0 DBEngineEdition: sqlserver-se: 'Edition': sqlserverse sqlserver-ee: 'Edition': sqlserveree sqlserver-ex: 'Edition': sqlserverex sqlserver-web: 'Edition': sqlserverweb DBFlavour: sqlserver-se: 'Flavour': sqlserver sqlserver-ee: 'Flavour': sqlserver sqlserver-ex: 'Flavour': sqlserver sqlserver-web: 'Flavour': sqlserver Conditions: CreateSecurityGroup: !Equals - !Ref CustomDBSecurityGroup - '' CreateKMSKey: !Or - !Condition UseDatabaseEncryption - !Condition UseSecretsManager - !Condition EnablePI EnableDBLogExport: !Not - !Equals - !Join ["",!Ref DBExportLogToCloudwatch] - '' isDBInstance: !Equals - !FindInMap [DBFlavour,!Ref DBEngine,Flavour] - 'sqlserver' EventSubscription: !Equals - !Ref EnableEventSubscription - 'true' EventSubscriptionDBInstance: !And - !Condition EventSubscription - !Condition isDBInstance EnableEM: !Equals - !Ref EnableEnhancedMonitoring - 'true' EnablePI: !Equals - !Ref EnablePerformanceInsights - 'true' isGP2: !Equals - !Ref DBStorageType - 'gp2' isGP3: !Equals - !Ref DBStorageType - 'gp3' UseDatabaseEncryption: !Equals - !Ref DBAllocatedStorageEncrypted - "true" UseSecretsManager: !Equals - !Ref ManageMasterUserPassword - "true" NAStorageIOPS: !Equals - !Ref StorageIOPS - '0' NAStorageThrougput: !Equals - !Ref StorageThroughput - '0' Rules: SubnetsInVPC: Assertions: - Assert: !Equals [!ValueOf ["Subnet1ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 1 ID doesn't belong to the specified VPC" - Assert: !Equals [!ValueOf ["Subnet2ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 2 ID doesn't belong to the specified VPC" - Assert: !Equals [!ValueOf ["Subnet3ID", "VpcId"], !Ref VPCID] AssertDescription: "Private subnet 3 ID doesn't belong to the specified VPC" SubnetsUnique: Assertions: - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet2ID]] AssertDescription: "Please provide 3 distinct private subnets" - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet3ID]] AssertDescription: "Please provide 3 distinct private subnets" - Assert: !Not [!Equals [!Ref Subnet2ID, !Ref Subnet3ID]] AssertDescription: "Please provide 3 distinct private subnets" IOPSForIO1: Assertions: - Assert: !Or [!Not [!Equals [!Ref DBStorageType, 'io1']], !Not [!Equals [!Ref StorageIOPS, '0']]] AssertDescription: "For io1 storage type, you must specify provisioned IOPS" Outputs: DBMasterUsername: Description: "Amazon RDS database master username" Value: !Ref DBMasterUsername MasterUserSecret: Condition: UseSecretsManager Description: "Master Credentials ARN" Value: !Sub ${MAZDBI.MasterUserSecret.SecretArn} RDSEndPointAddress: Description: "Amazon RDS write endpoint" Value: !Sub ${MAZDBI.Endpoint.Address} RDSMAZInstEndPoints: Condition: isDBInstance Description: "Full Amazon RDS write endpoint" Value: !Sub "${MAZDBI.Endpoint.Address}:${MAZDBI.Endpoint.Port}" RDSEncryptionKey: Condition: UseDatabaseEncryption Description: The alias of the encryption key created for RDS Value: !Ref EncryptionKeyAlias Parameters: Application: Type: String Default: '' Description: Designates the application of the associated AWS resource. (Optional) ApplicationVersion: Type: String Description: Designates the specific version of the application. (Optional) Default: '' Compliance: Type: String Default: '' Description: Designates the compliance level for the AWS resource. (Optional) AllowedValues: - hipaa - sox - fips - other - '' Confidentiality: Type: String Default: '' Description: Designates the confidentiality classification of the data that is associated with the resource. (Optional) AllowedValues: - public - private - confidential - pii/phi - '' CustomDBSecurityGroup: Description: "ID of the security group (e.g., sg-0234se). One will be created for you if left empty." Type: String Default: '' DBAccessCIDR: AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" Description: "Allowed CIDR block for external access (use VPC CIDR)." Type: String Default: 10.0.0.0/16 DBAllocatedStorage: Default: 100 Description: Allocated storage size in GiB. For gp2 and gp3, must be an integer from 20 to 16384. For io1, must be an integer from 100 to 16384. Type: Number MinValue: 20 MaxValue: 65536 ConstraintDescription: Must be an integer from 20 to 16384 for gp2/gp3 and 100 to 16384 for io1. DBAllocatedStorageEncrypted: Default: "true" AllowedValues: - "true" - "false" Description: Whether or not to encrypt the database. Type: String DBAutoMinorVersionUpgrade: AllowedValues: - "true" - "false" Default: "true" Description: "Select true to set up auto minor version upgrade." Type: String DBBackupRetentionPeriod: Default: 35 Description: "The number of days for which automatic database snapshots are retained." Type: Number MinValue: 0 MaxValue: 35 DBEngine: Default: sqlserver-se Type: String AllowedValues: - "sqlserver-se" - "sqlserver-ee" - "sqlserver-web" - "sqlserver-ex" Description: "Select the desired SQL server editon" DBEngineVersion: Description: Select Database Engine Version Type: String Default: 15.00.4236.7.v1 AllowedValues: - 12.00.6293.0.v1 - 12.00.6329.1.v1 - 12.00.6433.1.v1 - 12.00.6439.10.v1 - 13.00.6300.2.v1 - 13.00.6419.1.v1 - 14.00.3281.6.v1 - 14.00.3294.2.v1 - 14.00.3356.20.v1 - 14.00.3381.3.v1 - 14.00.3401.7.v1 - 14.00.3421.10.v1 - 14.00.3451.2.v1 - 15.00.4043.16.v1 - 15.00.4073.23.v1 - 15.00.4153.1.v1 - 15.00.4198.2.v1 - 15.00.4236.7.v1 DBExportLogToCloudwatch: Default: '' Description: "Specify the comma-delimited list of database logs (error, agent) to export to CloudWatch Logs." Type: CommaDelimitedList DBInstanceClass: Default: db.r5.large Description: >- The database instance type. Please see supported instance types for the SQLServer version selected https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html. For RDS Multi-AZ cluster supported instance class, please refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/create-multi-az-db-cluster.html#create-multi-az-db-cluster-settings. Type: String AllowedValues: - db.m4.10xlarge - db.m4.2xlarge - db.m4.4xlarge - db.m4.large - db.m4.xlarge - db.m5.12xlarge - db.m5.16xlarge - db.m5.24xlarge - db.m5.2xlarge - db.m5.4xlarge - db.m5.8xlarge - db.m5d.12xlarge - db.m5d.16xlarge - db.m5d.24xlarge - db.m5d.2xlarge - db.m5d.4xlarge - db.m5d.8xlarge - db.m5d.large - db.m5d.xlarge - db.m5.large - db.m5.xlarge - db.m6i.2xlarge - db.m6i.4xlarge - db.m6i.8xlarge - db.m6i.large - db.m6i.xlarge - db.r4.2xlarge - db.r4.4xlarge - db.r4.8xlarge - db.r4.large - db.r4.xlarge - db.r5.12xlarge - db.r5.16xlarge - db.r5.24xlarge - db.r5.2xlarge - db.r5.4xlarge - db.r5.8xlarge - db.r5b.12xlarge - db.r5b.16xlarge - db.r5b.24xlarge - db.r5b.2xlarge - db.r5b.4xlarge - db.r5b.8xlarge - db.r5b.large - db.r5b.xlarge - db.r5d.12xlarge - db.r5d.16xlarge - db.r5d.24xlarge - db.r5d.2xlarge - db.r5d.4xlarge - db.r5d.8xlarge - db.r5d.large - db.r5d.xlarge - db.r5.large - db.r5.xlarge - db.r6i.2xlarge - db.r6i.4xlarge - db.r6i.8xlarge - db.r6i.large - db.r6i.xlarge - db.t3.2xlarge - db.t3.xlarge - db.x1e.16xlarge - db.x1e.2xlarge - db.x1e.32xlarge - db.x1e.4xlarge - db.x1e.8xlarge - db.x1e.xlarge - db.m4.16xlarge - db.r4.16xlarge - db.x1.16xlarge - db.x1.32xlarge - db.z1d.12xlarge - db.z1d.2xlarge - db.z1d.3xlarge - db.z1d.6xlarge - db.z1d.large - db.z1d.xlarge DBMasterUsername: AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." Default: sqlsa Description: "The database master username." MaxLength: "16" MinLength: "1" Type: String DBMasterUserPassword: AllowedPattern: >- ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ ConstraintDescription: >- Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol Default: "Gjht56Ft$" Description: The database master user password. Required if "Manage DB master user password with AWS Secrets Manager" option is set to false. MaxLength: "64" MinLength: "8" NoEcho: "True" Type: String DBMultiAZ: AllowedValues: - "true" - "false" Default: "false" Description: "Select true to deploy a RDS Multi-AZ DB instance." Type: String DBPort: Default: 1433 Description: "The port the instance will listen for connections on." Type: Number ConstraintDescription: 'Must be in the range [1150-65535].' MinValue: 1150 MaxValue: 65535 DBStorageType: Default: io1 Description: Select the EBS storage type for the RDS SQLServer database. RDS Multi-AZ DB Cluster deployment only supports io1 storage type. Type: String AllowedValues: - gp2 - gp3 - io1 EnableEnhancedMonitoring: AllowedValues: - "true" - "false" Default: "true" Description: "Enables RDS Performance Insights" Type: String EnableEventSubscription: AllowedValues: - "true" - "false" Default: "true" Description: "Enables event subscription to Notification List" Type: String EnablePerformanceInsights: AllowedValues: - "true" - "false" Default: "true" Description: "Enables RDS Performance Insights" Type: String EnvironmentStage: Type: String Description: Designates the environment stage of the associated AWS resource. (Optional) AllowedValues: - dev - test - pre-prod - prod - none Default: none ManageMasterUserPassword: AllowedValues: - "true" - "false" Default: "true" Description: "Set to true to manage the master user password with AWS Secrets Manager." Type: String MonitoringInterval: Default: 10 Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." Type: Number AllowedValues: - 1 - 5 - 10 - 15 - 30 - 60 ConstraintDescription: Valid values are 0, 1, 5, 10, 15, 30, 60 seconds. NotificationList: Type: String Default: 'db-ops@domain.com' Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' ConstraintDescription: Provide a valid email address. PerformanceInsightsRetentionPeriod: Default: 7 Description: "The number of days for which automatic database snapshots are retained. Specify days based on (month * 31), where month is a number of months from 1-23" Type: Number MinValue: 7 MaxValue: 713 ProjectCostCenter: Type: String Default: '' Description: Designates the cost center associated with the project of the given AWS resource. (Optional) PubliclyAccessible: AllowedValues: - "true" - "false" Default: "false" Description: "Indicates whether the DB instance is an internet-facing instance" Type: String StorageIOPS: Default: '0' Description: >- If you choose gp3 (and allocate >= 400 GiB) or io1, you must specify provisioned IOPS. Leave at default value otherwise. For io1, the ratio of provisioned IOPS to allocated storage (in GiB) must be from 0.5 to 50. For gp3, the maximum ratio of provisioned IOPS to allocated storage (in GiB) is 500. For details, refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html Type: String StorageThroughput: Default: '0' Description: >- Provisioned throughput in MiBps. If you choose gp3 (and allocate >= 400 GiB) as storage type, you must specify provisioned throughput. Leave at default value otherwise. The maximum ratio of provisioned storage throughput (in MiBps) to IOPS is 0.25. For details, refer https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html Type: String Subnet1ID: Description: The ID of the private subnet in Availability Zone 1. Type: 'AWS::EC2::Subnet::Id' Subnet2ID: Description: The ID of the private subnet in Availability Zone 2. Type: 'AWS::EC2::Subnet::Id' Subnet3ID: Description: The ID of the private subnet in Availability Zone 3. Type: 'AWS::EC2::Subnet::Id' VPCID: Description: "ID of the VPC you are deploying RDS into (e.g., vpc-0343606e)." Type: 'AWS::EC2::VPC::Id' Default: '' Resources: RDSDBSubnetGroup: Properties: DBSubnetGroupDescription: "Subnets available for the Amazon RDS database instance" SubnetIds: - !Ref Subnet1ID - !Ref Subnet2ID - !Ref Subnet3ID Type: "AWS::RDS::DBSubnetGroup" RDSSecurityGroup: Condition: CreateSecurityGroup Properties: GroupDescription: "Allow access to database port" SecurityGroupEgress: - CidrIp: 0.0.0.0/0 FromPort: -1 IpProtocol: '-1' ToPort: -1 SecurityGroupIngress: - CidrIp: !Ref DBAccessCIDR FromPort: !Ref DBPort IpProtocol: tcp ToPort: !Ref DBPort VpcId: !Ref VPCID Tags: - Key: Name Value: !Sub RDSSecurityGroup-${AWS::StackName} Type: "AWS::EC2::SecurityGroup" RDSSecurityGroupIngress: Condition: CreateSecurityGroup Properties: GroupId: !GetAtt 'RDSSecurityGroup.GroupId' IpProtocol: '-1' SourceSecurityGroupId: !Ref RDSSecurityGroup Description: 'Self Reference' Type: 'AWS::EC2::SecurityGroupIngress' DBSNSTopic: Type: AWS::SNS::Topic Properties: Subscription: - Endpoint: !Ref NotificationList Protocol: email EncryptionKey: Metadata: cfn-lint: config: ignore_checks: - EIAMPolicyActionWildcard ignore_reasons: - EIAMPolicyActionWildcard: "All KMS actions allowed by design" DeletionPolicy: Retain Type: AWS::KMS::Key Condition: CreateKMSKey Properties: EnableKeyRotation: true KeyPolicy: Version: 2012-10-17 Id: !Ref AWS::StackName Statement: - Effect: Allow Principal: AWS: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" Action: 'kms:*' Resource: '*' Tags: - Key: Name Value: !Ref AWS::StackName EncryptionKeyAlias: Type: AWS::KMS::Alias Condition: CreateKMSKey Properties: AliasName: !Sub "alias/${AWS::StackName}" TargetKeyId: !Ref EncryptionKey MRole: Type: AWS::IAM::Role Condition: EnableEM Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "monitoring.rds.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole RDSDBSQL: Type: AWS::RDS::DBParameterGroup Condition: isDBInstance Properties: Description: !Join [ "- ", [ "RDS SQL Database Instance Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, !FindInMap [DBEngineEdition,!Ref DBEngine,Edition]] Parameters: "1222": '1' "1204": '1' MAZDBI: Type: "AWS::RDS::DBInstance" Condition: isDBInstance DeletionPolicy: Snapshot UpdateReplacePolicy: Snapshot Properties: AllocatedStorage: !Ref DBAllocatedStorage AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade BackupRetentionPeriod: !Ref DBBackupRetentionPeriod DBInstanceClass: !Ref DBInstanceClass DBParameterGroupName: !Ref RDSDBSQL DBSubnetGroupName: !Ref RDSDBSubnetGroup EnableCloudwatchLogsExports: !If [EnableDBLogExport, !Ref DBExportLogToCloudwatch, !Ref "AWS::NoValue"] EnablePerformanceInsights: !Ref EnablePerformanceInsights LicenseModel: "license-included" Engine: !Ref DBEngine EngineVersion: !Ref DBEngineVersion #IOPS property is only valid for io1 and gp2 (>=400GB) Iops: !If [isGP2, !Ref "AWS::NoValue", !If [NAStorageIOPS, !Ref 'AWS::NoValue', !Ref StorageIOPS]] KmsKeyId: !If [UseDatabaseEncryption, !GetAtt EncryptionKey.Arn, !Ref 'AWS::NoValue'] MasterUsername: !Ref DBMasterUsername ManageMasterUserPassword: !Ref ManageMasterUserPassword MasterUserPassword: !If [UseSecretsManager, !Ref 'AWS::NoValue', !Ref DBMasterUserPassword] MasterUserSecret: KmsKeyId: !If [UseSecretsManager, !Ref EncryptionKey, !Ref 'AWS::NoValue'] MonitoringInterval: !If [EnableEM, !Ref MonitoringInterval, !Ref 'AWS::NoValue'] MonitoringRoleArn: !If [EnableEM, !GetAtt MRole.Arn, !Ref 'AWS::NoValue'] MultiAZ: !Ref DBMultiAZ PerformanceInsightsKMSKeyId: !If [EnablePI, !Ref EncryptionKey, !Ref 'AWS::NoValue'] PerformanceInsightsRetentionPeriod: !If [EnablePI, !Ref PerformanceInsightsRetentionPeriod, !Ref 'AWS::NoValue'] Port: !Ref DBPort PubliclyAccessible: !Ref PubliclyAccessible StorageType: !Ref DBStorageType StorageEncrypted: !If [UseDatabaseEncryption, !Ref DBAllocatedStorageEncrypted, !Ref 'AWS::NoValue'] #StorageThroughput property is only valid for gp3 (>=400GB) StorageThroughput: !If [isGP3, !If [NAStorageThrougput, !Ref "AWS::NoValue", !Ref StorageThroughput], !Ref "AWS::NoValue"] Tags: - Key: Name Value: !Sub MAZDBI-${AWS::StackName} - Key: EnvironmentStage Value: !Ref EnvironmentStage - Key: Application Value: !Ref Application - Key: ApplicationVersion Value: !Ref ApplicationVersion - Key: ProjectCostCenter Value: !Ref ProjectCostCenter - Key: Confidentiality Value: !Ref Confidentiality - Key: Compliance Value: !Ref Compliance VPCSecurityGroups: !If - CreateSecurityGroup - [!Ref RDSSecurityGroup] - [!Ref CustomDBSecurityGroup] CPUUtilizationAlarm1: Type: "AWS::CloudWatch::Alarm" Properties: ActionsEnabled: true AlarmActions: - Ref: DBSNSTopic AlarmDescription: 'CPU_Utilization' Dimensions: - Name: DBInstanceIdentifier Value: !Ref MAZDBI MetricName: CPUUtilization Statistic: Maximum Namespace: 'AWS/RDS' Threshold: 80 Unit: Percent ComparisonOperator: 'GreaterThanOrEqualToThreshold' Period: 60 EvaluationPeriods: 5 TreatMissingData: 'notBreaching' DatabaseInstanceEventSubscription: Condition: EventSubscription Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - availability - backup - configuration change - creation - deletion - failover - failure - low storage - maintenance - notification - read replica - recovery - security patching SnsTopicArn: !Ref DBSNSTopic SourceIds: - !Ref MAZDBI SourceType: 'db-instance' DBParameterGroupEventSubscription: Condition: EventSubscriptionDBInstance Type: 'AWS::RDS::EventSubscription' Properties: EventCategories: - "configuration change" SnsTopicArn: !Ref DBSNSTopic SourceIds: - !Ref RDSDBSQL SourceType: 'db-parameter-group'