# © Copyright 2018 Micro Focus or one of its affiliates # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. AWSTemplateFormatVersion: 2010-09-09 Description: >- "This template deploys a Micro Focus Enterprise Server Database instance in private subnets. **WARNING** This template creates EC2 instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. Micro Focus Enterprise Server is licensed separately, please review the terms and conditions here (https://www.microfocus.com/about/legal/) for further details. (qs-1qeg3mkqr)" Metadata: cfn-lint: config: ignore_checks: - E9101 - W9004 'AWS::CloudFormation::Interface': ParameterGroups: - Label: default: Network Configuration Parameters: - VPCID - PrivateSubnet1AID - PrivateSubnet2AID - Label: default: Microsoft Active Directory Configuration Parameters: - DirectoryServiceID - Label: default: Enterprise Server Database Configuration Parameters: - DBInstanceClass - DBMasterUsername - DBMasterUserPassword - ESClientAccessSGID - NotificationARN - ESResourceNamePrefix ParameterLabels: DBInstanceClass: default: Database Instance Class DBMasterUsername: default: Database Master Username DBMasterUserPassword: default: Database Master User password DirectoryServiceID: default: Directory Service ID ESClientAccessSGID: default: ES Client Access Security Group ID ESResourceNamePrefix: default: Resource 'Name' Prefix NotificationARN: default: Notification ARN PrivateSubnet1AID: default: Private Subnet 1A ID PrivateSubnet2AID: default: Private Subnet 2A ID VPCID: default: VPC ID Parameters: DBInstanceClass: AllowedValues: - db.r4.large - db.r4.xlarge - db.r4.2xlarge - db.r4.4xlarge - db.r4.8xlarge Default: db.r4.large Type: String Description: DB instance class DBMasterUsername: Description: The master user name for the DB instance. Type: String Default: DBAdmin DBMasterUserPassword: Description: The password for the master user. Type: String NoEcho: true DirectoryServiceID: Type: String ESClientAccessSGID: Type: 'AWS::EC2::SecurityGroup::Id' ESResourceNamePrefix: Type: String Default: 'AWS::StackName' NotificationARN: Description: >- An existing Amazon SNS topic where notifications about are sent, e.g., email notifications Type: String Default: '' PrivateSubnet1AID: Description: 'ID of private subnet A in Availability Zone 1 (e.g., subnet-a0246dcd)' Type: 'AWS::EC2::Subnet::Id' PrivateSubnet2AID: Description: >- ID of private subnet A in Availability Zone 2 (e.g., subnet-01a43dc1ca1fa7f9b) Type: 'AWS::EC2::Subnet::Id' VPCID: Description: ID of your existing VPC for deployment Type: 'AWS::EC2::VPC::Id' Rules: SubnetsInVPC: Assertions: - Assert: 'Fn::EachMemberIn': - 'Fn::ValueOfAll': - 'AWS::EC2::Subnet::Id' - VpcId - 'Fn::RefAll': 'AWS::EC2::VPC::Id' AssertDescription: All subnets must in the VPC Conditions: NamePrefixIaUndefined: !Equals - !Ref ESResourceNamePrefix - '' NamePrefixIsAWSStackname: !Equals - !Ref ESResourceNamePrefix - 'AWS::StackName' HaveDirectoryService: !Not - !Equals - !Ref DirectoryServiceID - '' HaveNotificationARN: !Not - !Equals - !Ref NotificationARN - '' Resources: ESDatabaseSG: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: Enterprise Server SQL Server Security Group VpcId: !Ref VPCID SecurityGroupIngress: - Description: Allow client access IpProtocol: tcp FromPort: 5432 ToPort: 5432 SourceSecurityGroupId: !Ref ESClientAccessSGID ESDatabaseADIAMRole: Type: 'AWS::IAM::Role' Condition: HaveDirectoryService Properties: AssumeRolePolicyDocument: Statement: - Action: - 'sts:AssumeRole' Effect: Allow Principal: Service: - rds.amazonaws.com Path: / ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess DatabaseSubnetGroup: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: Database subnet group SubnetIds: - !Ref PrivateSubnet1AID - !Ref PrivateSubnet2AID AuroraCluster: Type: AWS::RDS::DBCluster Metadata: cfn-lint: config: ignore_checks: - ERDSStorageEncryptionEnabled ignore_reasons: - ERDSStorageEncryptionEnabled: "Encryption disabled by design" Properties: Engine: aurora-postgresql EngineVersion: "10" MasterUsername: !Ref DBMasterUsername MasterUserPassword: !Ref DBMasterUserPassword DBSubnetGroupName: !Ref DatabaseSubnetGroup StorageEncrypted: false DatabaseName: mydb DBClusterParameterGroupName: default.aurora-postgresql10 Port: 5432 VpcSecurityGroupIds: - !Ref ESDatabaseSG BackupRetentionPeriod: 30 ESDatabase: Type: 'AWS::RDS::DBInstance' DeletionPolicy: Delete Properties: DBSubnetGroupName: !Ref DatabaseSubnetGroup DBClusterIdentifier: !Ref AuroraCluster AllowMajorVersionUpgrade: false AutoMinorVersionUpgrade: true Engine: aurora-postgresql DBInstanceClass: !Ref DBInstanceClass PubliclyAccessible: false Tags: - Key: Name Value: !Sub - '${StackNamePrefix}SQLServer Database' - StackNamePrefix: !If - NamePrefixIaUndefined - '' - !If - NamePrefixIsAWSStackname - !Sub '${AWS::StackName}-' - !Sub '${ESResourceNamePrefix}-' ESDatabaseEventSubscriptions: Type: 'AWS::RDS::EventSubscription' Condition: HaveNotificationARN Properties: Enabled: true EventCategories: - configuration change - failure - deletion SnsTopicArn: !Ref NotificationARN SourceIds: - !Ref ESDatabase SourceType: db-instance Outputs: ESPACDatabaseEndpointAddress: Description: The connection endpoint for the database Value: !GetAtt ESDatabase.Endpoint.Address ESDatabaseEndpointPort: Description: The port number on which the database accepts connections Value: !GetAtt ESDatabase.Endpoint.Port