AWSTemplateFormatVersion: '2010-09-09' Description: Workload Discovery on AWS Neptune DB Stack Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Tags Parameters: - AppName - User - Owner - Tier - Version - Storage - Label: default: Neptune Database Parameters Parameters: - DBInstanceClass - MajorVersionUpgrade - MinorVersionUpgrade - NeptuneQueryTimeout - StorageEncrypted - NeptuneDBSubnetGroupName - GremlinRequestsPerSecThreshold - SparqlRequestsPerSecThreshold - Label: default: Neptune Security Group Parameters Parameters: - Port - Label: default: Neptune Backup and Monitoring Parameters Parameters: - HighCpuAlarmThreshold - LowMemoryAlarmThreshold - UploadAuditLogs - BackupRetentionPeriod - NeptuneDBClusterPreferredMaintenanceWindow - NeptuneDBInstancePreferredMaintenanceWindow - NeptuneDBClusterPreferredBackupWindow Parameters: AppName: Description: Application name Type: String User: Description: Please specify the User. Used for tagging Type: String Default: test Owner: Description: Please specify the Owner. Used for tagging Type: String Default: '' Tier: Description: Please specify the Tier. Used for tagging Type: String Default: '' Version: Description: Please specify the Application Version. Used for tagging Type: String Default: '' Storage: Description: Please specify the Storage Type. Used for tagging Type: String Default: ebs AllowedValues: - ebs - efs - s3 DBInstanceClass: Description: Neptune DB instance class that will be used for primary and all replicas Type: String Default: db.r5.large Port: Description: Port used to connect to the Neptune cluster. Must be a valid port number between Type: String Default: 8182 NeptuneQueryTimeout: Description: Neptune DB parameters. Allowed values "10-2147483647" Type: String Default: 120000 StorageEncrypted: Description: Data-at-rest encryption Type: String Default: true AllowedValues: - true - false NeptuneDBSubnetGroupName: Description: The name for the DB Subnet Group. This value is stored as a lowercase string. Constraints, Must contain no more than 255 letters, numbers, periods, underscores, spaces, or hyphens. Must not be default. Type: String Default: perspective-dev-sng HighCpuAlarmThreshold: Description: High CPU alarm threshold. Alert when CPU goes above this value. In percentage used Type: String AllowedPattern: (100|[1-9]?[0-9])$ Default: 80 LowMemoryAlarmThreshold: Description: Low memory alarm threshold. Alert when memory falls below this value. In bytes Type: Number Default: 700000000 GremlinRequestsPerSecThreshold: Description: Gremlin Requests Per Sec alarm threshold. Alert when Gremlin Requests Per Sec goes above this value. In percentage used Type: String Default: 10000 SparqlRequestsPerSecThreshold: Description: Sparql Requests Per Sec alarm threshold. Alert when Sparql Requests Per Sec goes above this value. In percentage used Type: String Default: 10000 UploadAuditLogs: Description: Enable upload of audit logs? Type: String Default: true AllowedValues: - true - false BackupRetentionPeriod: Description: Backup retention period (in days). Must be between 1 - 35 Type: String AllowedPattern: ([1-9]|[12][0-9]|3[0-5]) Default: 31 NeptuneDBClusterPreferredMaintenanceWindow: Description: Neptune DB cluster preferred maintenance window. Format - ddd:hh24:mi-ddd:hh24:mi. Valid Days - Mon, Tue, Wed, Thu, Fri, Sat, Sun. Constraints - Minimum 30-minute window. Type: String Default: mon:03:00-mon:04:00 NeptuneDBInstancePreferredMaintenanceWindow: Description: Neptune DB instance preferred maintenance window. Format - ddd:hh24:mi-ddd:hh24:mi. Valid Days - Mon, Tue, Wed, Thu, Fri, Sat, Sun. Constraints - Minimum 30-minute window. Type: String Default: mon:03:00-mon:04:00 NeptuneDBClusterPreferredBackupWindow: Description: Neptune DB cluster preferred backup window. Constrains - Must be in the format hh24:mi-hh24:mi. Must be in Universal Coordinated Time (UTC). Must not conflict with the preferred maintenance window. Must be at least 30 minutes. Type: String Default: 02:00-03:00 MajorVersionUpgrade: Description: Neptune DB major version upgrade Type: String Default: true AllowedValues: - true - false MinorVersionUpgrade: Description: Neptune DB minor version upgrade Type: String Default: true AllowedValues: - true - false ## Passed from main template ## PerspectiveVpcCidr: Description: VPC CIDR Type: String AvailabilityZone0: Type: String AvailabilityZone1: Type: String PrivateSubnet0: Description: Private Subnet Type: String PrivateSubnet1: Description: Private Subnet Type: String PerspectiveVPCId: Description: VPCId of VPC Type: AWS::EC2::VPC::Id CreateNeptuneReplica: Description: Create a replica instance in another !GetAZs region Type: String Default: 'No' Conditions: EnableAuditLogUpload: Fn::Equals: - Ref: UploadAuditLogs - true CreateInstanceReplica: Fn::Equals: - Ref: CreateNeptuneReplica - 'Yes' Resources: NeptuneDbSg: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group governing access to Neptune instance SecurityGroupEgress: - Description: Explicit egress group locking down outbound access for Neptune CidrIp: !Ref PerspectiveVpcCidr IpProtocol: tcp ToPort: !Ref Port FromPort: !Ref Port VpcId: Ref: PerspectiveVPCId Tags: - Key: Name Value: !Sub ${AWS::StackName}-neptune-sg WDNeptuneDBCluster: Type: AWS::Neptune::DBCluster Properties: BackupRetentionPeriod: Ref: BackupRetentionPeriod DBSubnetGroupName: Ref: NeptuneDBSubnetGroup IamAuthEnabled: true Port: Ref: Port PreferredBackupWindow: Ref: NeptuneDBClusterPreferredBackupWindow PreferredMaintenanceWindow: Ref: NeptuneDBClusterPreferredMaintenanceWindow StorageEncrypted: Ref: StorageEncrypted VpcSecurityGroupIds: - Ref: NeptuneDbSg Tags: - Key: Name Value: Fn::Sub: ${AppName}-Cluster - Key: App Value: Fn::Sub: ${AppName} - Key: User Value: Fn::Sub: ${User} - Key: Owner Value: Fn::Sub: ${Owner} - Key: Tier Value: Fn::Sub: ${Tier} - Key: Version Value: Fn::Sub: ${Version} - Key: Storage Value: Fn::Sub: ${Storage} NeptuneDBInstance: Type: AWS::Neptune::DBInstance Properties: AvailabilityZone: !Ref AvailabilityZone0 AllowMajorVersionUpgrade: Ref: MajorVersionUpgrade AutoMinorVersionUpgrade: Ref: MinorVersionUpgrade DBClusterIdentifier: Ref: WDNeptuneDBCluster DBInstanceClass: Ref: DBInstanceClass DBSubnetGroupName: Ref: NeptuneDBSubnetGroup PreferredMaintenanceWindow: Ref: NeptuneDBInstancePreferredMaintenanceWindow Tags: - Key: Name Value: Fn::Sub: ${AppName}-Instance - Key: App Value: Fn::Sub: ${AppName} - Key: User Value: Fn::Sub: ${User} - Key: Owner Value: Fn::Sub: ${Owner} - Key: Tier Value: Fn::Sub: ${Tier} - Key: Version Value: Fn::Sub: ${Version} - Key: Storage Value: Fn::Sub: ${Storage} NeptuneReplicaDBInstance: Type: AWS::Neptune::DBInstance Condition: CreateInstanceReplica Properties: AvailabilityZone: !Ref AvailabilityZone1 AllowMajorVersionUpgrade: Ref: MajorVersionUpgrade AutoMinorVersionUpgrade: Ref: MinorVersionUpgrade DBClusterIdentifier: Ref: WDNeptuneDBCluster DBInstanceClass: Ref: DBInstanceClass DBSubnetGroupName: Ref: NeptuneDBSubnetGroup PreferredMaintenanceWindow: Ref: NeptuneDBInstancePreferredMaintenanceWindow Tags: - Key: Name Value: Fn::Sub: ${AppName}-Instance - Key: App Value: Fn::Sub: ${AppName} - Key: User Value: Fn::Sub: ${User} - Key: Owner Value: Fn::Sub: ${Owner} - Key: Tier Value: Fn::Sub: ${Tier} - Key: Version Value: Fn::Sub: ${Version} - Key: Storage Value: Fn::Sub: ${Storage} NeptuneDBSubnetGroup: Type: AWS::Neptune::DBSubnetGroup Properties: DBSubnetGroupDescription: Fn::Sub: CloudFormation managed Neptune DB Subnet Group - ${AppName}-subnet-group DBSubnetGroupName: Ref: NeptuneDBSubnetGroupName SubnetIds: - Ref: PrivateSubnet0 - Ref: PrivateSubnet1 Tags: - Key: Name Value: Fn::Sub: ${AppName}-subnet-group - Key: App Value: Fn::Sub: ${AppName} - Key: User Value: Fn::Sub: ${User} - Key: Owner Value: Fn::Sub: ${Owner} - Key: Tier Value: Fn::Sub: ${Tier} - Key: Version Value: Fn::Sub: ${Version} - Key: Storage Value: Fn::Sub: ${Storage} NeptuneRole: Type: AWS::IAM::Role Condition: EnableAuditLogUpload Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - monitoring.rds.amazonaws.com - rds.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - Ref: NeptuneCloudWatchPolicy - Ref: NeptuneS3Policy NeptuneCloudWatchPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: Default policy for CloudWatch logs PolicyDocument: Version: 2012-10-17 Statement: - Sid: EnableLogGroups Effect: Allow Action: - logs:CreateLogGroup - logs:PutRetentionPolicy Resource: - Fn::Sub: arn:${AWS::Partition}:logs:*:*:log-group:/aws/neptune/* - Sid: EnableLogStreams Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescriptLogStreams - logs:GetLogEvents Resource: - Fn::Sub: arn:${AWS::Partition}:logs:*:*:log-group:/aws/neptune/*:log-stream:* NeptuneS3Policy: Type: AWS::IAM::ManagedPolicy Properties: Description: Neptune default policy for S3 access for data load PolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowNeptuneAccessToS3 Effect: Allow Action: - s3:Get* - s3:List* Resource: arn:aws:s3:::* NeptunePrimaryCpuAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Fn::Sub: ${AppName} primary DB CPU over ${HighCpuAlarmThreshold}% Namespace: AWS/Neptune MetricName: CPUUtilization Unit: Percent Statistic: Average Period: 300 EvaluationPeriods: 2 Threshold: Ref: HighCpuAlarmThreshold ComparisonOperator: GreaterThanOrEqualToThreshold Dimensions: - Name: DBClusterIdentifier Value: Ref: WDNeptuneDBCluster NeptunePrimaryMemoryAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Fn::Sub: ${AppName} primary DB memory under ${LowMemoryAlarmThreshold} bytes Namespace: AWS/Neptune MetricName: FreeableMemory Unit: Bytes Statistic: Average Period: 300 EvaluationPeriods: 2 Threshold: Ref: LowMemoryAlarmThreshold ComparisonOperator: LessThanOrEqualToThreshold Dimensions: - Name: DBClusterIdentifier Value: Ref: WDNeptuneDBCluster NeptunePrimaryGremlinRequestsPerSecAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Fn::Sub: ${AppName} primary DB Gremlin Requests Per Second Namespace: AWS/Neptune MetricName: GremlinRequestsPerSec Statistic: Average Period: 300 EvaluationPeriods: 2 Threshold: Ref: GremlinRequestsPerSecThreshold ComparisonOperator: GreaterThanOrEqualToThreshold Dimensions: - Name: DBClusterIdentifier Value: gremlin-cluster NeptunePrimarySparqlRequestsPerSecAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmDescription: Fn::Sub: ${AppName} primary DB Sparql Requests Per Second Namespace: AWS/Neptune MetricName: SparqlRequestsPerSec Statistic: Average Period: 300 EvaluationPeriods: 2 Threshold: Ref: SparqlRequestsPerSecThreshold ComparisonOperator: GreaterThanOrEqualToThreshold Dimensions: - Name: DBClusterIdentifier Value: Ref: WDNeptuneDBCluster Outputs: NeptuneDbSg: Description: Neptune Security Group Value: Ref: NeptuneDbSg NeptuneEndpointAddress: Description: Neptune DB endpoint address Value: Fn::GetAtt: - WDNeptuneDBCluster - Endpoint NeptuneEndpointPort: Description: Neptune DB endpoint address Value: Fn::GetAtt: - WDNeptuneDBCluster - Port NeptuneReadEndpointAddress: Description: Neptune DB read-only endpoint address Value: Fn::GetAtt: - WDNeptuneDBCluster - ReadEndpoint NeptuneDBSubnetGroupName: Description: Neptune Subnet Group Value: Ref: NeptuneDBSubnetGroupName NeptuneClusterResourceId: Description: Endpoint port Value: !GetAtt WDNeptuneDBCluster.ClusterResourceId