├── .DS_Store ├── .gitmodules ├── .metadata ├── .nojekyll ├── .taskcat.yml ├── CODEOWNERS ├── LICENSE.txt ├── NOTICE.txt ├── README.md ├── ci ├── amazon-aurora-mysql.json └── taskcat.yml ├── docs ├── generated │ ├── parameters │ │ └── index.adoc │ ├── regions │ │ └── index.adoc │ └── services │ │ ├── index.adoc │ │ └── metadata.adoc ├── images │ ├── aurora-mysql-architecture-diagram.pptx │ ├── aurora-mysql-architecture_diagram.png │ ├── aws-quickstart-graphic.png │ ├── cfn_outputs.png │ ├── image1.png │ ├── image2.png │ ├── image3.png │ ├── image4.png │ ├── image5.png │ ├── image6.png │ └── image7.png └── partner_editable │ ├── _settings.adoc │ ├── additional_info.adoc │ ├── architecture.adoc │ ├── deploy_steps.adoc │ ├── deployment_options.adoc │ ├── faq_troubleshooting.adoc │ ├── licenses.adoc │ ├── overview_target_and_usage.adoc │ ├── pre-reqs.adoc │ ├── product_description.adoc │ ├── regions.adoc │ ├── service_limits.adoc │ └── specialized_knowledge.adoc ├── functions └── packages │ └── SSMRotateLambda │ └── lambda.zip ├── scripts └── scripts_userdata.sh └── templates ├── aurora_mysql-main.template.yaml └── aurora_mysql.template.yaml /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/.DS_Store -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "submodules/quickstart-aws-vpc"] 2 | path = submodules/quickstart-aws-vpc 3 | url = https://github.com/aws-quickstart/quickstart-aws-vpc.git 4 | branch = main 5 | [submodule "submodules/quickstart-linux-bastion"] 6 | path = submodules/quickstart-linux-bastion 7 | url = https://github.com/aws-quickstart/quickstart-linux-bastion 8 | branch = main 9 | [submodule "docs/boilerplate"] 10 | path = docs/boilerplate 11 | url = 
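https://github.com/aws-quickstart/quickstart-documentation-base-common.git 12 | branch = main 13 | -------------------------------------------------------------------------------- /.metadata: -------------------------------------------------------------------------------- 1 | language_type: cloudformation 2 | -------------------------------------------------------------------------------- /.nojekyll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/.nojekyll -------------------------------------------------------------------------------- /.taskcat.yml: -------------------------------------------------------------------------------- 1 | project: 2 | name: quickstart-amazon-aurora-mysql 3 | owner: quickstart-eng@amazon.com 4 | package_lambda: false 5 | regions: 6 | - ap-northeast-1 7 | - ap-south-1 8 | - ap-southeast-1 9 | - ap-southeast-2 10 | - ca-central-1 11 | - eu-central-1 12 | - eu-west-1 13 | - us-east-1 14 | - us-east-2 15 | # - us-west-1 16 | - us-west-2 17 | tests: 18 | aurora-mysql: 19 | parameters: 20 | AvailabilityZones: $[taskcat_genaz_2] 21 | #@ DBEngineVersion: Aurora-MySQL5.7.12 22 | DBMasterUsername: "pgadmin" 23 | DBMasterUserPassword: $[taskcat_genpass_8S] # generated per test run (same token ci/amazon-aurora-mysql.json already uses); do not commit a literal password here 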
24 | DBMultiAZ: "false" 25 | EnableBastion: "false" 26 | KeyPairName: override 27 | QSS3BucketName: $[taskcat_autobucket] 28 | QSS3BucketRegion: $[taskcat_current_region] 29 | RemoteAccessCIDR: 10.0.0.0/16 30 | template: ./templates/aurora_mysql-main.template.yaml 31 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @davmayd @aws-quickstart/aws_quickstart_team 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2016-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at 4 | 5 | http://aws.amazon.com/apache2.0/ 6 | 7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # quickstart-amazon-aurora-mysql 2 | ## Deprecation Notice 3 | 4 | :x: This repository is subject to deprecation in Q4 2024. 
For more details, [please review this announcement](https://github.com/aws-ia/.announcements/issues/1). 5 | 6 | ## This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-amazon-aurora-mysql. 7 | ***We will archive this repository and keep it publicly available until May 1, 2024.*** 8 | -------------------------------------------------------------------------------- /ci/amazon-aurora-mysql.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "AvailabilityZones", 4 | "ParameterValue": "$[taskcat_genaz_2]" 5 | }, 6 | { 7 | "ParameterKey": "KeyPairName", 8 | "ParameterValue": "override" 9 | }, 10 | { 11 | "ParameterKey": "QSS3BucketName", 12 | "ParameterValue": "$[taskcat_autobucket]" 13 | }, 14 | { 15 | "ParameterKey": "RemoteAccessCIDR", 16 | "ParameterValue": "10.0.0.0/16" 17 | }, 18 | { 19 | "ParameterKey": "DBMultiAZ", 20 | "ParameterValue": "false" 21 | }, 22 | { 23 | "ParameterKey": "EnableBastion", 24 | "ParameterValue": "false" 25 | }, 26 | { 27 | "ParameterKey": "DBEngineVersion", 28 | "ParameterValue": "Aurora-MySQL5.7.12" 29 | }, 30 | { 31 | "ParameterKey": "DBMasterUserPassword", 32 | "ParameterValue": "$[taskcat_genpass_8S]" 33 | }, 34 | { 35 | "ParameterKey": "QSS3BucketRegion", 36 | "ParameterValue": "$[taskcat_current_region]" 37 | } 38 | ] 39 | -------------------------------------------------------------------------------- /ci/taskcat.yml: -------------------------------------------------------------------------------- 1 | global: 2 | marketplace-ami: false 3 | owner: quickstart-eng@amazon.com 4 | qsname: quickstart-amazon-aurora-mysql 5 | regions: 6 | - ap-northeast-1 7 | - ap-northeast-2 8 | - ap-south-1 9 | - ap-southeast-1 10 | - ap-southeast-2 11 | - ca-central-1 12 | - eu-central-1 13 | - eu-west-1 14 | # - sa-east-1 15 | - us-east-1 16 | - us-east-2 17 | - us-west-1 18 | - us-west-2 19 | reporting: true 20 | 21 | tests: 22 | aurora-mysql: 23 | 
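parameter_input: amazon-aurora-mysql.json 24 | template_file: aurora_mysql-main.template.yaml 25 | 26 | -------------------------------------------------------------------------------- /docs/generated/parameters/index.adoc: -------------------------------------------------------------------------------- 1 | // placeholder 2 | -------------------------------------------------------------------------------- /docs/generated/regions/index.adoc: -------------------------------------------------------------------------------- 1 | // placeholder 2 | -------------------------------------------------------------------------------- /docs/generated/services/index.adoc: -------------------------------------------------------------------------------- 1 | // placeholder 2 | -------------------------------------------------------------------------------- /docs/generated/services/metadata.adoc: -------------------------------------------------------------------------------- 1 | // placeholder 2 | -------------------------------------------------------------------------------- /docs/images/aurora-mysql-architecture-diagram.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/aurora-mysql-architecture-diagram.pptx -------------------------------------------------------------------------------- /docs/images/aurora-mysql-architecture_diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/aurora-mysql-architecture_diagram.png -------------------------------------------------------------------------------- /docs/images/aws-quickstart-graphic.png: -------------------------------------------------------------------------------- 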
https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/aws-quickstart-graphic.png -------------------------------------------------------------------------------- /docs/images/cfn_outputs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/cfn_outputs.png -------------------------------------------------------------------------------- /docs/images/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image1.png -------------------------------------------------------------------------------- /docs/images/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image2.png -------------------------------------------------------------------------------- /docs/images/image3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image3.png -------------------------------------------------------------------------------- /docs/images/image4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image4.png -------------------------------------------------------------------------------- /docs/images/image5.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image5.png -------------------------------------------------------------------------------- /docs/images/image6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image6.png -------------------------------------------------------------------------------- /docs/images/image7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/docs/images/image7.png -------------------------------------------------------------------------------- /docs/partner_editable/_settings.adoc: -------------------------------------------------------------------------------- 1 | :quickstart-project-name: quickstart-amazon-aurora-mysql 2 | :partner-product-name: Amazon Aurora MySQL Database 3 | :partner-product-short-name: Aurora MySQL 4 | //:partner-company-name: Example Company Name, Ltd. 5 | :doc-month: March 6 | :doc-year: 2021 7 | :partner-contributors: Arabinda Pani, AWS PSA Database Specialist team 8 | :quickstart-contributors: Dave May, AWS Quick Start team 9 | :deployment_time: 30 minutes 10 | :default_deployment_region: us-east-1 11 | :parameters_as_appendix: 12 | // Uncomment these two attributes if you are leveraging 13 | // - an AWS Marketplace listing. 14 | // Additional content will be auto-generated based on these attributes. 
15 | // :marketplace_subscription: 16 | // :marketplace_listing_url: https://example.com/ 17 | -------------------------------------------------------------------------------- /docs/partner_editable/additional_info.adoc: -------------------------------------------------------------------------------- 1 | // Add steps as necessary for accessing the software, post-configuration, and testing. Don’t include full usage instructions for your software, but add links to your product documentation for that information. 2 | //Should any sections not be applicable, remove them 3 | 4 | == Test the deployment 5 | 6 | To test the deployment, confirm that the MySQL database is accepting connections by following these steps. This optional test requires that you have bastion-host access with TCP forwarding capabilities (the parameters `EnableBastion` and `EnableTCPForwarding` are both set to "true"). 7 | 8 | . Download the latest version of https://www.mysql.com/products/workbench/[MySQL Workbench^], and install it on the workstation from which you will be connecting to the Aurora MySQL DB cluster. 9 | . From the AWS CloudFormation console, on the BastionStack *Outputs* tab, note the value for `EIP1`, as shown in <<additional1>>. 10 | + 11 | [#additional1] 12 | .BastionStack outputs 13 | [link=images/image1.png] 14 | image::../images/image1.png[additional1] 15 | 16 | [start=3] 17 | . From the AWS CloudFormation console, on the AuroraStack *Outputs* tab, note the values of `DBName`, `DBMasterUsername`, `AuroraClusterEndpoint`, and `AuroraClusterPort`, as shown in <<additional2>>. 18 | + 19 | [#additional2] 20 | .AuroraStack outputs 21 | [link=images/image2.png] 22 | image::../images/image2.png[additional2] 23 | 24 | [start=4] 25 | . Create an SSH tunnel to the bastion host using the following command, filling in the values for the bracketed terms. For `<key-file>`, enter the path for the EC2 key pair that you specified for the `KeyPairName` parameter while creating the AWS CloudFormation stack. 
26 | + 27 | ---- 28 | ssh -N -L <AuroraClusterPort>:<AuroraClusterEndpoint>:<AuroraClusterPort> ec2-user@EIP1 -i <key-file> 29 | ---- 30 | + 31 | A message appears indicating that you've connected to the bastion host. 32 | + 33 | [start=5] 34 | . Launch MySQL Workbench on your workstation. 35 | . On the *Database* menu, choose *Connect to Database*, as shown in <<additional3>>. 36 | + 37 | [#additional3] 38 | .Connecting to the database using MySQL Workbench 39 | [link=images/image3.png] 40 | image::../images/image3.png[additional3] 41 | 42 | [start=7] 43 | . Enter the following in the *Connect to Database* dialog box, shown in <<additional4>>. 44 | .. In the *Hostname* field, enter *127.0.0.1* 45 | .. In the *Port* field, enter the value for the `AuroraClusterPort` parameter. 46 | .. In *Username*, enter the value for the `DBMasterUsername` parameter. 47 | .. Choose *OK*. 48 | + 49 | [#additional4] 50 | .Database connection options 51 | [link=images/image4.png] 52 | image::../images/image4.png[additional4] 53 | 54 | [start=8] 55 | . In the *Connect to MySQL Server* dialog box, shown in <<additional5>>, enter the administrator password (`DBMasterUserPassword`) that you entered during stack creation. If the `RotateDBPassword` parameter was set to *true* during stack creation, the administrator password for Aurora MySQL was rotated after creation. In this case, retrieve the new password as follows: 56 | .. From the AWS CloudFormation console, on the AuroraStack *Outputs* tab, note the value of `AuroraMasterUserSecret`. 57 | .. On the AWS Secrets Manager console, choose the secret you noted above. 58 | .. Choose *Retrieve Secret Value*, and copy the password. 59 | + 60 | [#additional5] 61 | .Entering the database password 62 | [link=images/image5.png] 63 | image::../images/image5.png[additional5] 64 | + 65 | A MySQL Workbench dashboard appears, as shown in <<additional6>>. 66 | + 67 | [#additional6] 68 | .MySQL Workbench dashboard after successful connection to the database 69 | [link=images/image6.png] 70 | image::../images/image6.png[additional6] 71 | 72 | [start=9] 73 | . 
In the *Navigator* pane, under *PERFORMANCE*, choose *Dashboard*. Database-performance metrics appear, as shown in <<additional7>>. 74 | + 75 | [#additional7] 76 | .Database-performance metrics 77 | [link=images/image7.png] 78 | image::../images/image7.png[additional7] 79 | 80 | [start=10] 81 | . Terminate the SSH tunnel by pressing Ctrl+C. You've completed the testing. -------------------------------------------------------------------------------- /docs/partner_editable/architecture.adoc: -------------------------------------------------------------------------------- 1 | Deploying this Quick Start for a new virtual private cloud (VPC) with 2 | default parameters builds the following {partner-product-short-name} environment in the 3 | AWS Cloud. 4 | 5 | // Replace this example diagram with your own. Send us your source PowerPoint file. Be sure to follow our guidelines here : http://(we should include these points on our contributors guide) 6 | [#architecture1] 7 | .Quick Start architecture for _{partner-product-short-name}_ on AWS 8 | image::../images/aurora-mysql-architecture_diagram.png[Architecture] 9 | 10 | As shown in Figure 1, the Quick Start sets up the following: 11 | 12 | * A highly available architecture that spans two Availability Zones.* 13 | * A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.* 14 | * In the public subnets: 15 | ** Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.* 16 | ** A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to resources in the private subnets.* 17 | * In the private subnets, an Aurora database (DB) cluster in a security group, including one DB reader and one DB writer. 
18 | * An Amazon CloudWatch alarm to monitor the CPU on the bastion host and send alarm notifications using Amazon Simple Notification Service (Amazon SNS). 19 | * An encryption key using AWS Key Management Service (AWS KMS). The key enables encryption at rest for the Aurora DB cluster. 20 | 21 | [.small]#*The template that deploys the Quick Start into an existing VPC skips 22 | the components marked by asterisks and prompts you for your existing VPC 23 | configuration.# -------------------------------------------------------------------------------- /docs/partner_editable/deploy_steps.adoc: -------------------------------------------------------------------------------- 1 | // We need to work around Step numbers here if we are going to potentially exclude the AMI subscription 2 | === Sign in to your AWS account 3 | 4 | . Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see link:#_planning_the_deployment[Planning the deployment], earlier in this guide. 5 | . Ensure that your AWS account is configured correctly, as discussed in the link:#_technical_requirements[Technical requirements] section. 6 | 7 | // Optional based on Marketplace listing. Not to be edited 8 | ifdef::marketplace_subscription[] 9 | === Subscribe to the {partner-product-short-name} AMI 10 | 11 | This Quick Start requires a subscription to the AMI for {partner-product-short-name} in AWS Marketplace. 12 | 13 | . Sign in to your AWS account. 14 | . {marketplace_listing_url}[Open the page for the {partner-product-short-name} AMI in AWS Marketplace], and then choose *Continue to Subscribe*. 15 | . Review the terms and conditions for software usage, and then choose *Accept Terms*. + 16 | A confirmation page loads, and an email confirmation is sent to the account owner. For detailed subscription instructions, see the https://aws.amazon.com/marketplace/help/200799470[AWS Marketplace Buyer Guide^]. 17 | 18 | . 
When the subscription process completes, exit AWS Marketplace without further action. 19 | 20 | IMPORTANT: Do not provision the software from AWS Marketplace—the Quick Start deploys the AMI for you. 21 | 22 | endif::marketplace_subscription[] 23 | // \Not to be edited 24 | 25 | === Launch the Quick Start 26 | 27 | WARNING: This Quick Start does not support https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[shared subnets^]. If you’re deploying {partner-product-short-name} into an existing VPC, ensure that your VPC has two private subnets in different Availability Zones for the workload instances. And ensure that the subnets aren’t shared. These subnets require https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html[NAT gateways^] in their route tables to allow the instances to download packages and software without exposing them to the internet. 28 | 29 | Each deployment takes about {deployment_time} to complete. 30 | 31 | . Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see link:#_deployment_options[Deployment options], earlier in this guide. 32 | 33 | [cols="3,1"] 34 | |=== 35 | ^|https://fwd.aws/gYqDp[Deploy {partner-product-short-name} into a new VPC on AWS^] 36 | ^|https://fwd.aws/bXw6E[View template^] 37 | 38 | ^|https://fwd.aws/JkrdW[Deploy {partner-product-short-name} into an existing VPC on AWS^] 39 | ^|https://fwd.aws/RzWjB[View template^] 40 | |=== 41 | 42 | [start=2] 43 | . Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for {partner-product-short-name} is built. The template launches in the {default_deployment_region} Region by default. For other choices, see https://docs.aws.amazon.com/general/latest/gr/aurora.html[Amazon Aurora endpoints and quotas^]. 
44 | 45 | // *Note:* This deployment includes Amazon EFS, which isn’t currently supported in all AWS Regions. For a current list of supported Regions, see the https://docs.aws.amazon.com/general/latest/gr/elasticfilesystem.html[endpoints and quotas webpage]. 46 | 47 | [start=3] 48 | . On the *Create stack* page, keep the default setting for the template URL, and then choose *Next*. 49 | . On the *Specify stack details* page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. 50 | 51 | // In the following tables, parameters are listed by category and described separately for the two deployment options: 52 | 53 | // * Parameters for deploying {partner-product-short-name} into a new VPC 54 | // * Parameters for deploying {partner-product-short-name} into an existing VPC -------------------------------------------------------------------------------- /docs/partner_editable/deployment_options.adoc: -------------------------------------------------------------------------------- 1 | // There are generally two deployment options. If additional are required, add them here 2 | 3 | This Quick Start provides two deployment options: 4 | 5 | * *Deploy {partner-product-short-name} into a new VPC*. This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, a security group, bastion hosts, and other infrastructure components. It then deploys {partner-product-short-name} into this new VPC. 6 | * *Deploy {partner-product-short-name} into an existing VPC*. This option provisions {partner-product-short-name} in your existing AWS infrastructure. 7 | 8 | This Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and {partner-product-short-name} settings, as discussed later in this guide. 
-------------------------------------------------------------------------------- /docs/partner_editable/faq_troubleshooting.adoc: -------------------------------------------------------------------------------- 1 | // Add any tips or answers to anticipated questions. This could include the following troubleshooting information. If you don’t have any other Q&A to add, change “FAQ” to “Troubleshooting.” 2 | 3 | == FAQ 4 | 5 | *Q.* I encountered a *CREATE_FAILED* error when I launched the Quick Start. 6 | 7 | *A.* If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with *Rollback on failure* set to *Disabled*. (This setting is under *Advanced* in the AWS CloudFormation console, *Options* page.) With this setting, the stack’s state is retained so you can troubleshoot the issue. 8 | 9 | WARNING: When you set *Rollback on failure* to *Disabled*, you continue to incur AWS charges for the stack. Delete the stack when you finish troubleshooting. 10 | 11 | For more information, see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html[Troubleshooting AWS CloudFormation^]. 12 | 13 | *Q.* I encountered a size limitation error when I deployed the AWS CloudFormation templates. 14 | 15 | *A.* Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer, or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html[AWS CloudFormation quotas^]. 16 | -------------------------------------------------------------------------------- /docs/partner_editable/licenses.adoc: -------------------------------------------------------------------------------- 1 | // Include details about the license and how they can sign up. If no license is required, clarify that. 
2 | 3 | Amazon Aurora MySQL-Compatible Edition is a fully managed AWS service, so no separate software license or AWS Marketplace subscription is required to use this Quick Start. You are billed only for the AWS resources that the deployment creates (for example, the Aurora DB instances, the bastion host, and the NAT gateways). 4 | -------------------------------------------------------------------------------- /docs/partner_editable/overview_target_and_usage.adoc: -------------------------------------------------------------------------------- 1 | // Replace the content in <> 2 | // Identify your target audience and explain how/why they would use this Quick Start. 3 | //Avoid borrowing text from third-party websites (copying text from AWS service documentation is fine). Also, avoid marketing-speak, focusing instead on the technical aspect. 4 | 5 | This guide provides instructions for deploying the {partner-product-name} Quick Start reference architecture on the AWS Cloud with high availability and failover support. This Quick Start is for users who are looking for a repeatable, customizable reference architecture for {partner-product-short-name} using AWS CloudFormation. 6 | 7 | You can also use this Quick Start as a building block for other automated deployments. To do this, use the existing-VPC deployment option, which creates only the Aurora database components. The template for this option plugs in to your existing AWS CloudFormation templates and replaces your MySQL database. 8 | -------------------------------------------------------------------------------- /docs/partner_editable/pre-reqs.adoc: -------------------------------------------------------------------------------- 1 | // If no preparation is required, remove all content from here 2 | 3 | ==== Requirements for deploying Aurora into an existing VPC 4 | 5 | If you plan to deploy Aurora into an existing VPC, check the following: 6 | 7 | * Your VPC must have two private subnets in different Availability Zones for the database 8 | instances. This Quick Start does not support https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[shared subnets^]. 
9 | * To download packages and software without exposing instances to the internet, the private subnets require https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html[NAT gateways^] in their route tables. 10 | * The domain name must be configured in the Dynamic Host Configuration Protocol (DHCP) options. For more information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html[DHCP options sets^]. 11 | * You must have a Linux bastion host to run the tests discussed in the link:#_test_the_deployment[Test the deployment] section. To install the bastion host, launch the https://github.com/aws-quickstart/quickstart-linux-bastion/blob/main/templates/linux-bastion.template[AWS CloudFormation template^] that we provide for an existing subnet. When you launch the Quick Start, you are prompted for your VPC settings. 12 | 13 | If you don’t have an existing VPC that satisfies these requirements, use the new-VPC deployment option so that the Quick Start builds a VPC for you in addition to deploying {partner-product-short-name}. -------------------------------------------------------------------------------- /docs/partner_editable/product_description.adoc: -------------------------------------------------------------------------------- 1 | // Replace the content in <> 2 | // Briefly describe the software. Use consistent and clear branding. 3 | // Include the benefits of using the software on AWS, and provide details on usage scenarios. 4 | 5 | https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html[Amazon Aurora^] is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. With Aurora, you can use the code, tools, and applications you use today with your existing MySQL and PostgreSQL databases. For some workloads, Aurora can deliver up to five times the throughput of MySQL without requiring changes to most of your existing applications. 
6 | 7 | As part of Amazon Relational Database Service (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html[Amazon RDS^]), Aurora takes advantage of Amazon RDS features for database management and administration. It eliminates the need to maintain database infrastructure: servers, replication, backups, and so on. -------------------------------------------------------------------------------- /docs/partner_editable/regions.adoc: -------------------------------------------------------------------------------- 1 | For a list of Regions supported by this Quick Start, see https://docs.aws.amazon.com/general/latest/gr/aurora.html[Amazon Aurora endpoints and quotas^]. 2 | -------------------------------------------------------------------------------- /docs/partner_editable/service_limits.adoc: -------------------------------------------------------------------------------- 1 | // Replace the in each row to specify the number of resources used in this deployment. Remove the rows for resources that aren’t used. 
2 | |=== 3 | |Resource |This deployment uses 4 | 5 | // Space needed to maintain table headers 6 | |VPCs |1 7 | |Security groups (Amazon VPC) |2 8 | |IAM roles |1 9 | |Auto Scaling groups |1 10 | |Aurora DB instances (default instance class db.r6g.2xlarge; configurable via the DBInstanceClass parameter) |2 11 | |t2.micro instances (bastion host) |1 12 | |=== 13 | -------------------------------------------------------------------------------- /docs/partner_editable/specialized_knowledge.adoc: -------------------------------------------------------------------------------- 1 | // Replace the content in <> 2 | // Describe or link to specific knowledge requirements; for example: “familiarity with basic concepts in the areas of networking, database operations, and data encryption” or “familiarity with .” 3 | 4 | This Quick Start assumes familiarity with database concepts and usage as described in the following documentation: 5 | 6 | * https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html[What is Amazon Relational Database Service (Amazon RDS)?^] 7 | * https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html[What is Amazon Aurora?^] 8 | * https://aws.amazon.com/rds/aurora/mysql-features/[Amazon Aurora Features: MySQL-Compatible Edition^] 9 | -------------------------------------------------------------------------------- /functions/packages/SSMRotateLambda/lambda.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-amazon-aurora-mysql/c55e755a5cabcbe7b5c8fdf426dad529a263108a/functions/packages/SSMRotateLambda/lambda.zip -------------------------------------------------------------------------------- /scripts/scripts_userdata.sh: -------------------------------------------------------------------------------- 1 | # UserData and/or helper scripts are stored here for source-code revision purposes only. CloudFormation templates must never load them from this repository; they must always fetch them from the Quick Start S3 bucket configured by the QSS3BucketName/QSS3KeyPrefix parameters (default bucket 'aws-quickstart'). 2 | 
-------------------------------------------------------------------------------- /templates/aurora_mysql-main.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: "AWS VPC + Linux bastion host + Aurora MySQL, Do Not Remove Apache License Version 2.0 (qs-1r51947bu) Jun,15,2019" 3 | Metadata: 4 | LICENSE: Apache License Version 2.0 5 | cfn-lint: 6 | config: 7 | ignore_checks: 8 | - W9006 9 | - E9101 10 | 11 | ############################################################################### 12 | # Parameter groups 13 | ############################################################################### 14 | AWS::CloudFormation::Interface: 15 | ParameterGroups: 16 | - Label: 17 | default: Network configuration 18 | Parameters: 19 | - AvailabilityZones 20 | - VPCCIDR 21 | - PrivateSubnet1CIDR 22 | - PrivateSubnet2CIDR 23 | - PublicSubnet1CIDR 24 | - PublicSubnet2CIDR 25 | - Label: 26 | default: Linux Bastion Host configuration 27 | Parameters: 28 | - EnableBastion 29 | - KeyPairName 30 | - RemoteAccessCIDR 31 | - EnableTCPForwarding 32 | - Label: 33 | default: Database General configuration 34 | Parameters: 35 | - DBEngineVersion 36 | - DBInstanceClass 37 | - ServerlessMinCapacity 38 | - ServerlessMaxCapacity 39 | - DBPort 40 | - DBName 41 | - DBMasterUsername 42 | - ManageMasterUserPassword 43 | - DBMasterUserPassword 44 | - DBMultiAZ 45 | - DBAutoMinorVersionUpgrade 46 | - DBBackupRetentionPeriod 47 | - EnableIAMDBAuth 48 | - DBBackTrack 49 | - Label: 50 | default: Database Storage configuration 51 | Parameters: 52 | - DBStorageEncrypted 53 | - StorageType 54 | - Label: 55 | default: Database Monitoring configuration 56 | Parameters: 57 | - DBExportLogToCloudwatch 58 | - EnablePerformanceInsights 59 | - PerformanceInsightsRetentionPeriod 60 | - EnableEnhancedMonitoring 61 | - MonitoringInterval 62 | - EnableEventSubscription 63 | - NotificationList 64 | - Label: 65 | default: 
"[Optional] Database tags" 66 | Parameters: 67 | - EnvironmentStage 68 | - Application 69 | - ApplicationVersion 70 | - ProjectCostCenter 71 | - Confidentiality 72 | - Compliance 73 | - Label: 74 | default: Quick Start configuration 75 | Parameters: 76 | - QSS3BucketName 77 | - QSS3BucketRegion 78 | - QSS3KeyPrefix 79 | 80 | ############################################################################### 81 | # Parameter labels 82 | ############################################################################### 83 | ParameterLabels: 84 | 85 | #VPC stack related parameter labels 86 | AvailabilityZones: 87 | default: Availability Zones 88 | PrivateSubnet1CIDR: 89 | default: Private subnet 1 CIDR 90 | PrivateSubnet2CIDR: 91 | default: Private subnet 2 CIDR 92 | PublicSubnet1CIDR: 93 | default: Public subnet 1 CIDR 94 | PublicSubnet2CIDR: 95 | default: Public subnet 2 CIDR 96 | VPCCIDR: 97 | default: VPC CIDR 98 | 99 | #Bastion host related parameter labels 100 | EnableBastion: 101 | default: Create bastion stack 102 | EnableTCPForwarding: 103 | default: Enable TCP Forwarding 104 | KeyPairName: 105 | default: Key Name 106 | RemoteAccessCIDR: 107 | default: Permitted IP range 108 | 109 | #Quickstart related parameter labels 110 | QSS3BucketName: 111 | default: Quick Start S3 bucket name 112 | QSS3BucketRegion: 113 | default: Quick Start S3 bucket region 114 | QSS3KeyPrefix: 115 | default: Quick Start S3 key prefix 116 | 117 | #Aurora related parameter labels 118 | Application: 119 | default: Application name 120 | ApplicationVersion: 121 | default: Application version 122 | Compliance: 123 | default: Compliance classifier 124 | Confidentiality: 125 | default: Confidentiality classifier 126 | DBAutoMinorVersionUpgrade: 127 | default: Database auto minor version upgrade 128 | DBBackTrack: 129 | default: Backtrack window 130 | DBBackupRetentionPeriod: 131 | default: Database backup retention period 132 | DBEngineVersion: 133 | default: Database Engine Version 134 | 
DBExportLogToCloudwatch: 135 | default: Export Database Logs to CloudWatch 136 | DBInstanceClass: 137 | default: Database instance class 138 | DBMasterUsername: 139 | default: Database master username 140 | DBMasterUserPassword: 141 | default: Database master password 142 | DBMultiAZ: 143 | default: Multi-AZ deployment 144 | DBName: 145 | default: Database name 146 | DBPort: 147 | default: Database port 148 | DBStorageEncrypted: 149 | default: Database encryption enabled 150 | EnableEnhancedMonitoring: 151 | default: Enable Enhanced Monitoring 152 | EnableEventSubscription: 153 | default: Enable Event Subscription 154 | EnableIAMDBAuth: 155 | default: Enable IAM Database Authentication 156 | EnablePerformanceInsights: 157 | default: Enable RDS Performance Insights 158 | EnvironmentStage: 159 | default: Environment stage 160 | ManageMasterUserPassword: 161 | default: Manage DB master user password with AWS Secrets Manager 162 | MonitoringInterval: 163 | default: Enhanced monitoring interval 164 | NotificationList: 165 | default: SNS notification email 166 | PerformanceInsightsRetentionPeriod: 167 | default: Number of days to retain Performance Insights data 168 | ProjectCostCenter: 169 | default: Project cost center 170 | ServerlessMinCapacity: 171 | default: Minimum Aurora Serverless v2 capacity units (ACUs) 172 | ServerlessMaxCapacity: 173 | default: Maximum Aurora Serverless v2 capacity units (ACUs) 174 | StorageType: 175 | default: Aurora Storage Type 176 | 177 | ############################################################################### 178 | # Parameters 179 | ############################################################################### 180 | Parameters: 181 | 182 | #VPC stack related parameters 183 | AvailabilityZones: 184 | Description: >- 185 | List of Availability Zones to use for the subnets in the VPC. Only two 186 | Availability Zones are used for this deployment, and the logical order of 187 | your selections is preserved. 
188 | Type: 'List' 189 | PrivateSubnet1CIDR: 190 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 191 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 192 | Default: 10.0.0.0/19 193 | Description: CIDR block for private subnet 1 located in Availability Zone 1. 194 | Type: String 195 | PrivateSubnet2CIDR: 196 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 197 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 198 | Default: 10.0.32.0/19 199 | Description: CIDR block for private subnet 2 located in Availability Zone 2. 200 | Type: String 201 | PublicSubnet1CIDR: 202 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 203 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 204 | Default: 10.0.128.0/20 205 | Description: CIDR block for the public subnet 1 located in Availability Zone 1. 206 | Type: String 207 | PublicSubnet2CIDR: 208 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 209 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 210 | Default: 10.0.144.0/20 211 | Description: CIDR block for the public subnet 2 located in Availability Zone 2. 212 | Type: String 213 | VPCCIDR: 214 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 215 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 216 | Default: 10.0.0.0/16 217 | Description: CIDR block for the VPC. 
218 | Type: String 219 | 220 | #Bastion host related parameters 221 | EnableBastion: 222 | AllowedValues: 223 | - "true" 224 | - "false" 225 | Default: "true" 226 | Description: "If 'true', a bastion stack will be created." 227 | Type: String 228 | EnableTCPForwarding: 229 | Type: String 230 | Description: "Enable/Disable TCP Forwarding for the bastion host." 231 | Default: 'false' 232 | AllowedValues: 233 | - 'true' 234 | - 'false' 235 | KeyPairName: 236 | ConstraintDescription: "Name of an existing EC2 key pair." 237 | Description: "Name of an existing public/private key pair, for connecting to the bastion host." 238 | Type: AWS::EC2::KeyPair::KeyName 239 | RemoteAccessCIDR: 240 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" 241 | ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" 242 | Description: "Allowed CIDR block for external SSH access to the bastion host." 243 | Default: 10.0.0.0/16 244 | Type: String 245 | 246 | #Quickstart related parameters 247 | QSS3BucketName: 248 | AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" 249 | ConstraintDescription: "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." 250 | Default: aws-quickstart 251 | Description: "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)." 252 | Type: String 253 | QSS3BucketRegion: 254 | Default: us-east-1 255 | Description: 'The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.' 
256 | Type: String 257 | QSS3KeyPrefix: 258 | AllowedPattern: "^[0-9a-zA-Z-/]*$" 259 | ConstraintDescription: "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." 260 | Default: quickstart-amazon-aurora-mysql/ 261 | Description: "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)." 262 | Type: String 263 | 264 | #Aurora related parameters 265 | DBStorageEncrypted: 266 | Default: "true" 267 | AllowedValues: 268 | - "true" 269 | - "false" 270 | Description: "To disable database encryption, choose 'false'." 271 | Type: String 272 | DBAutoMinorVersionUpgrade: 273 | AllowedValues: 274 | - "true" 275 | - "false" 276 | Default: "false" 277 | Description: "Select 'true' to set up auto minor version upgrade." 278 | Type: String 279 | DBBackTrack: 280 | Description: "The target backtrack window, in seconds. To disable backtracking, set this value to 0." 281 | Type: Number 282 | Default: 0 283 | MinValue: 0 284 | MaxValue: 259200 285 | DBBackupRetentionPeriod: 286 | Default: 35 287 | Description: "The number of days for which automatic database snapshots are retained." 288 | Type: Number 289 | MinValue: 0 290 | MaxValue: 35 291 | DBEngineVersion: 292 | Description: >- 293 | Select Database Engine Version. 294 | Aurora Serverless v2 with Aurora MySQL is supported for versions 3.02.0 and higher. 295 | Aurora I/O-Optimized configuration is available in Aurora MySQL version 3.03.1 and higher. 
296 | For supported engines and Region availability for Aurora Serverless v2 with Aurora MySQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html 297 | Type: String 298 | Default: Aurora-MySQL-3.04.0-MySQL8.0.28 299 | AllowedValues: 300 | - Aurora-MySQL5.7-2.07.9 301 | - Aurora-MySQL5.7-2.07.10 302 | - Aurora-MySQL5.7-2.11.1 303 | - Aurora-MySQL5.7-2.11.2 304 | - Aurora-MySQL5.7-2.11.3 305 | - Aurora-MySQL5.7-2.12.0 306 | - Aurora-MySQL-3.01.0-MySQL8.0.23 307 | - Aurora-MySQL-3.01.1-MySQL8.0.23 308 | - Aurora-MySQL-3.02.0-MySQL8.0.23 309 | - Aurora-MySQL-3.02.1-MySQL8.0.23 310 | - Aurora-MySQL-3.02.2-MySQL8.0.23 311 | - Aurora-MySQL-3.02.3-MySQL8.0.23 312 | - Aurora-MySQL-3.03.0-MySQL8.0.26 313 | - Aurora-MySQL-3.03.1-MySQL8.0.26 314 | - Aurora-MySQL-3.04.0-MySQL8.0.28 315 | DBExportLogToCloudwatch: 316 | Default: '' 317 | Description: "Specify the comma-delimited list of database logs (error, slowquery, audit, general) to export to CloudWatch Logs." 318 | Type: CommaDelimitedList 319 | DBInstanceClass: 320 | Description: >- 321 | The database instance type. 
322 | Please see supported instance types for the MySQL version selected https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.SupportAurora 323 | Type: String 324 | Default: db.r6g.2xlarge 325 | AllowedValues: 326 | - db.r5.12xlarge 327 | - db.r5.16xlarge 328 | - db.r5.24xlarge 329 | - db.r5.2xlarge 330 | - db.r5.4xlarge 331 | - db.r5.8xlarge 332 | - db.r5.large 333 | - db.r5.xlarge 334 | - db.r6g.12xlarge 335 | - db.r6g.16xlarge 336 | - db.r6g.2xlarge 337 | - db.r6g.4xlarge 338 | - db.r6g.8xlarge 339 | - db.r6g.large 340 | - db.r6g.xlarge 341 | - db.r6i.12xlarge 342 | - db.r6i.16xlarge 343 | - db.r6i.24xlarge 344 | - db.r6i.2xlarge 345 | - db.r6i.32xlarge 346 | - db.r6i.4xlarge 347 | - db.r6i.8xlarge 348 | - db.r6i.large 349 | - db.r6i.xlarge 350 | - db.r7g.12xlarge 351 | - db.r7g.16xlarge 352 | - db.r7g.2xlarge 353 | - db.r7g.4xlarge 354 | - db.r7g.8xlarge 355 | - db.r7g.large 356 | - db.r7g.xlarge 357 | - db.serverless 358 | - db.t3.large 359 | - db.t3.medium 360 | - db.t3.small 361 | - db.t4g.large 362 | - db.t4g.medium 363 | - db.x2g.12xlarge 364 | - db.x2g.16xlarge 365 | - db.x2g.2xlarge 366 | - db.x2g.4xlarge 367 | - db.x2g.8xlarge 368 | - db.x2g.large 369 | - db.x2g.xlarge 370 | DBMasterUsername: 371 | AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" 372 | ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." 373 | Description: (Required) The database master username. Must begin with a letter and contain only alphanumeric characters. 374 | MaxLength: "16" 375 | MinLength: "1" 376 | Type: String 377 | DBMasterUserPassword: 378 | AllowedPattern: ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ 379 | ConstraintDescription: Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol 380 | Description: (Required) The database master user password. Min 8 chars. 
Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol. Ignored if 'Manage DB master user password with AWS Secrets Manager' option is set to 'true'. 381 | MaxLength: "41" 382 | MinLength: "8" 383 | NoEcho: "True" 384 | Type: String 385 | DBMultiAZ: 386 | AllowedValues: 387 | - "true" 388 | - "false" 389 | Default: "true" 390 | Description: "Specifies if the database instance is a multiple Availability Zone deployment." 391 | Type: String 392 | DBName: 393 | AllowedPattern: "[a-zA-Z0-9]*" 394 | Description: "Name of the initial Aurora MySQL database to create." 395 | MaxLength: "64" 396 | MinLength: "0" 397 | Default: 'sampleapp' 398 | Type: String 399 | DBPort: 400 | Default: 3306 401 | Description: "The port the instance will listen for connections on." 402 | Type: Number 403 | ConstraintDescription: "Must be in the range [1150-65535]." 404 | MinValue: 1150 405 | MaxValue: 65535 406 | EnableEnhancedMonitoring: 407 | AllowedValues: 408 | - "true" 409 | - "false" 410 | Default: "true" 411 | Description: "Set to 'true' to enable Enhanced Monitoring." 412 | Type: String 413 | EnableEventSubscription: 414 | AllowedValues: 415 | - "true" 416 | - "false" 417 | Default: "true" 418 | Description: "Enables event subscription to Notification List." 419 | Type: String 420 | EnableIAMDBAuth: 421 | AllowedValues: 422 | - "true" 423 | - "false" 424 | Default: "true" 425 | Description: "Enables IAM Database Authentication." 426 | Type: String 427 | EnablePerformanceInsights: 428 | AllowedValues: 429 | - "true" 430 | - "false" 431 | Default: "true" 432 | Description: "Enables RDS Performance Insights." 433 | Type: String 434 | ManageMasterUserPassword: 435 | AllowedValues: 436 | - "true" 437 | - "false" 438 | Default: "true" 439 | Description: "Set to 'true' to manage the master user password with AWS Secrets Manager." 
440 | Type: String 441 | MonitoringInterval: 442 | Default: 10 443 | Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." 444 | Type: Number 445 | AllowedValues: 446 | - 1 447 | - 5 448 | - 10 449 | - 15 450 | - 30 451 | - 60 452 | ConstraintDescription: Valid values are 1, 5, 10, 15, 30, 60 seconds. To disable Enhanced Monitoring, set 'Enable Enhanced Monitoring' to 'false' instead of using 0. 453 | NotificationList: 454 | Type: String 455 | Default: 'db-ops@domain.com' 456 | Description: The email address used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. Replace the placeholder default with an address that you control; otherwise alarm and database event notifications are sent to a mailbox you do not own. 457 | AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' 458 | ConstraintDescription: Provide a valid email address. 459 | PerformanceInsightsRetentionPeriod: 460 | Default: 7 461 | Description: "The number of days for which Performance Insights data is retained. Use 7 (the default), or specify days based on (month * 31), where month is a number of months from 1-23." 462 | Type: Number 463 | MinValue: 7 464 | MaxValue: 713 465 | ServerlessMinCapacity: 466 | Default: 8 467 | Description: >- 468 | Required if "db.serverless" is chosen as the database instance class. 469 | Specify minimum Aurora Serverless v2 Capacity Units (ACUs) in the range of 0.5 to 128 in increments of 0.5. 470 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 471 | Type: String 472 | AllowedPattern: ([0-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 473 | ConstraintDescription: "Only values from 0.5 to 128, in increments of 0.5" 474 | ServerlessMaxCapacity: 475 | Default: 64 476 | Description: >- 477 | Required if "db.serverless" is chosen as the database instance class. 478 | Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 479 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 
480 | Type: String 481 | AllowedPattern: ([1-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 482 | ConstraintDescription: "Only values from 1 to 128, in increments of 0.5" 483 | StorageType: 484 | Type: String 485 | Description: >- 486 | Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. 487 | For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type 488 | AllowedValues: 489 | - aurora 490 | - aurora-iopt1 491 | Default: aurora 492 | 493 | #Optional parameters 494 | Application: 495 | Type: String 496 | Default: "" 497 | Description: "[Optional] Name of the application for the associated AWS resource." 498 | ApplicationVersion: 499 | Type: String 500 | Description: "[Optional] Version of the application." 501 | Default: "" 502 | Compliance: 503 | Type: String 504 | Default: "" 505 | Description: "[Optional] Compliance level for the AWS resource." 506 | AllowedValues: 507 | - hipaa 508 | - sox 509 | - fips 510 | - other 511 | - "" 512 | Confidentiality: 513 | Type: String 514 | Default: "" 515 | Description: "[Optional] Confidentiality classification of the data that is associated with the AWS resource." 516 | AllowedValues: 517 | - public 518 | - private 519 | - confidential 520 | - pii/phi 521 | - none 522 | - "" 523 | EnvironmentStage: 524 | Type: String 525 | Description: "[Optional] Environment stage of the associated AWS resource." 526 | AllowedValues: 527 | - dev 528 | - test 529 | - pre-prod 530 | - prod 531 | - none 532 | Default: none 533 | ProjectCostCenter: 534 | Type: String 535 | Default: "" 536 | Description: "[Optional] Designates the cost center associated with the project of the given AWS resource." 
537 | 538 | ############################################################################### 539 | # Conditions 540 | ############################################################################### 541 | Conditions: 542 | EnableBastionAccess: !Equals 543 | - !Ref EnableBastion 544 | - "true" 545 | UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] 546 | 547 | ############################################################################### 548 | # Resources 549 | ############################################################################### 550 | Resources: 551 | 552 | VPCStack: 553 | Type: 'AWS::CloudFormation::Stack' 554 | Properties: 555 | TemplateURL: 556 | Fn::Sub: 557 | - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml' 558 | - S3Region: !If 559 | - UsingDefaultBucket 560 | - !Ref AWS::Region 561 | - !Ref QSS3BucketRegion 562 | S3Bucket: !If 563 | - UsingDefaultBucket 564 | - !Sub '${QSS3BucketName}-${AWS::Region}' 565 | - !Ref QSS3BucketName 566 | Parameters: 567 | AvailabilityZones: !Join 568 | - ',' 569 | - !Ref AvailabilityZones 570 | NumberOfAZs: '2' 571 | PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR 572 | PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR 573 | PublicSubnet1CIDR: !Ref PublicSubnet1CIDR 574 | PublicSubnet2CIDR: !Ref PublicSubnet2CIDR 575 | VPCCIDR: !Ref VPCCIDR 576 | 577 | BastionStack: 578 | Condition: EnableBastionAccess 579 | Type: 'AWS::CloudFormation::Stack' 580 | Properties: 581 | TemplateURL: 582 | !Sub 583 | - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion-entrypoint-existing-vpc.template.yaml' 584 | - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] 585 | S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] 586 | Parameters: 587 | KeyPairName: !Ref KeyPairName 588 | PublicSubnet1ID: 
!GetAtt 589 | - VPCStack 590 | - Outputs.PublicSubnet1ID 591 | PublicSubnet2ID: !GetAtt 592 | - VPCStack 593 | - Outputs.PublicSubnet2ID 594 | EnableTCPForwarding: !Ref EnableTCPForwarding 595 | RemoteAccessCIDR: !Ref RemoteAccessCIDR 596 | VPCID: !GetAtt 597 | - VPCStack 598 | - Outputs.VPCID 599 | QSS3BucketName: !Ref QSS3BucketName 600 | QSS3BucketRegion: !Ref QSS3BucketRegion 601 | QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ 602 | 603 | AMSNS: 604 | Type: AWS::CloudFormation::Stack 605 | Properties: 606 | TemplateURL: 607 | !Sub 608 | - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/aurora_mysql.template.yaml' 609 | - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] 610 | S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] 611 | Parameters: 612 | #Database Network configuration 613 | VPCID: 614 | Fn::GetAtt: 615 | - VPCStack 616 | - Outputs.VPCID 617 | Subnet1ID: 618 | Fn::GetAtt: 619 | - VPCStack 620 | - Outputs.PrivateSubnet1AID 621 | Subnet2ID: 622 | Fn::GetAtt: 623 | - VPCStack 624 | - Outputs.PrivateSubnet2AID 625 | DBAccessCIDR: !Ref VPCCIDR 626 | #Database General configuration 627 | DBEngineVersion: !Ref DBEngineVersion 628 | DBInstanceClass: !Ref DBInstanceClass 629 | ServerlessMinCapacity: !Ref ServerlessMinCapacity 630 | ServerlessMaxCapacity: !Ref ServerlessMaxCapacity 631 | DBPort: !Ref DBPort 632 | DBName: !Ref DBName 633 | DBMasterUsername: !Ref DBMasterUsername 634 | ManageMasterUserPassword: !Ref ManageMasterUserPassword 635 | DBMasterUserPassword: !Ref DBMasterUserPassword 636 | DBMultiAZ: !Ref DBMultiAZ 637 | DBAutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade 638 | DBBackupRetentionPeriod: !Ref DBBackupRetentionPeriod 639 | EnableIAMDBAuth: !Ref EnableIAMDBAuth 640 | DBBackTrack: !Ref DBBackTrack 641 | #Database Storage configuration 642 | DBStorageEncrypted: !Ref DBStorageEncrypted 643 | StorageType: 
!Ref StorageType 644 | #Database Monitoring configuration 645 | DBExportLogToCloudwatch: !Join 646 | - ',' 647 | - !Ref DBExportLogToCloudwatch 648 | EnablePerformanceInsights: !Ref EnablePerformanceInsights 649 | PerformanceInsightsRetentionPeriod: !Ref PerformanceInsightsRetentionPeriod 650 | EnableEnhancedMonitoring: !Ref EnableEnhancedMonitoring 651 | MonitoringInterval: !Ref MonitoringInterval 652 | EnableEventSubscription: !Ref EnableEventSubscription 653 | NotificationList: !Ref NotificationList 654 | #Database tags (optional) 655 | EnvironmentStage: !Ref EnvironmentStage 656 | Application: !Ref Application 657 | ApplicationVersion: !Ref ApplicationVersion 658 | ProjectCostCenter: !Ref ProjectCostCenter 659 | Confidentiality: !Ref Confidentiality 660 | Compliance: !Ref Compliance 661 | -------------------------------------------------------------------------------- /templates/aurora_mysql.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: '2010-09-09' 2 | Description: "Amazon Aurora MySQL, Do Not Remove Apache License Version 2.0 (qs-1r51947et) Jun,15,2019" 3 | Metadata: 4 | LICENSE: Apache License Version 2.0 5 | cfn-lint: 6 | config: 7 | ignore_checks: 8 | - E9101 9 | - W3011 10 | - W2030 11 | - E3002 12 | - E1019 13 | 14 | ############################################################################### 15 | # Parameter groups 16 | ############################################################################### 17 | AWS::CloudFormation::Interface: 18 | ParameterGroups: 19 | - Label: 20 | default: Database Network configuration 21 | Parameters: 22 | - VPCID 23 | - Subnet1ID 24 | - Subnet2ID 25 | - CustomDBSecurityGroup 26 | - DBAccessCIDR 27 | - PubliclyAccessible 28 | - Label: 29 | default: Database General configuration 30 | Parameters: 31 | - DBEngineVersion 32 | - DBInstanceClass 33 | - ServerlessMinCapacity 34 | - ServerlessMaxCapacity 35 | - DBPort 36 | - DBName 37 | - 
DBMasterUsername 38 | - ManageMasterUserPassword 39 | - DBMasterUserPassword 40 | - DBMultiAZ 41 | - DBAutoMinorVersionUpgrade 42 | - DBBackupRetentionPeriod 43 | - EnableIAMDBAuth 44 | - DBBackTrack 45 | - Label: 46 | default: Database Storage configuration 47 | Parameters: 48 | - DBStorageEncrypted 49 | - StorageType 50 | - Label: 51 | default: Database Monitoring configuration 52 | Parameters: 53 | - DBExportLogToCloudwatch 54 | - EnablePerformanceInsights 55 | - PerformanceInsightsRetentionPeriod 56 | - EnableEnhancedMonitoring 57 | - MonitoringInterval 58 | - EnableEventSubscription 59 | - NotificationList 60 | - Label: 61 | default: "[Optional] Database tags" 62 | Parameters: 63 | - EnvironmentStage 64 | - Application 65 | - ApplicationVersion 66 | - ProjectCostCenter 67 | - Confidentiality 68 | - Compliance 69 | 70 | ############################################################################### 71 | # Parameter labels 72 | ############################################################################### 73 | ParameterLabels: 74 | Application: 75 | default: Application name 76 | ApplicationVersion: 77 | default: Application version 78 | Compliance: 79 | default: Compliance classifier 80 | Confidentiality: 81 | default: Confidentiality classifier 82 | CustomDBSecurityGroup: 83 | default: Custom security group ID 84 | DBAccessCIDR: 85 | default: Database connection CIDR 86 | DBAutoMinorVersionUpgrade: 87 | default: Database auto minor version upgrade 88 | DBBackTrack: 89 | default: Backtrack window 90 | DBBackupRetentionPeriod: 91 | default: Database backup retention period 92 | DBEngineVersion: 93 | default: Database Engine Version 94 | DBExportLogToCloudwatch: 95 | default: Export Database Logs to CloudWatch 96 | DBInstanceClass: 97 | default: Database instance class 98 | DBMasterUsername: 99 | default: Database master username 100 | DBMasterUserPassword: 101 | default: Database master password 102 | DBMultiAZ: 103 | default: Multi-AZ deployment 104 | DBName: 
105 | default: Database name 106 | DBPort: 107 | default: Database port 108 | DBStorageEncrypted: 109 | default: Database encryption enabled 110 | EnableEnhancedMonitoring: 111 | default: Enable Enhanced Monitoring 112 | EnableEventSubscription: 113 | default: Enable Event Subscription 114 | EnableIAMDBAuth: 115 | default: Enable IAM Database Authentication 116 | EnablePerformanceInsights: 117 | default: Enable RDS Performance Insights 118 | EnvironmentStage: 119 | default: Environment stage 120 | ManageMasterUserPassword: 121 | default: Manage DB master user password with AWS Secrets Manager 122 | MonitoringInterval: 123 | default: Enhanced monitoring interval 124 | NotificationList: 125 | default: SNS notification email 126 | PerformanceInsightsRetentionPeriod: 127 | default: Number of days to retain Performance Insights data 128 | ProjectCostCenter: 129 | default: Project cost center 130 | PubliclyAccessible: 131 | default: Publicly Accessible 132 | ServerlessMinCapacity: 133 | default: Minimum Aurora Serverless v2 capacity units (ACUs) 134 | ServerlessMaxCapacity: 135 | default: Maximum Aurora Serverless v2 capacity units (ACUs) 136 | Subnet1ID: 137 | default: Private subnet 1 ID 138 | Subnet2ID: 139 | default: Private subnet 2 ID 140 | StorageType: 141 | default: Aurora Storage Type 142 | VPCID: 143 | default: VPC ID 144 | 145 | ############################################################################### 146 | # Parameters 147 | ############################################################################### 148 | Parameters: 149 | CustomDBSecurityGroup: 150 | Description: "ID of the security group (e.g., sg-0234se). One will be created for you if left empty." 
151 | Type: String 152 | Default: '' 153 | DBAccessCIDR: 154 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" 155 | ConstraintDescription: "CIDR block parameter must be in the form x.x.x.x/x" 156 | Description: "Allowed CIDR block for external access (use VPC CIDR)." 157 | Type: String 158 | Default: 10.0.0.0/16 159 | DBAutoMinorVersionUpgrade: 160 | AllowedValues: 161 | - "true" 162 | - "false" 163 | Default: "false" 164 | Description: "Select 'true' to set up auto minor version upgrade." 165 | Type: String 166 | DBBackTrack: 167 | Description: "The target backtrack window, in seconds. To disable backtracking, set this value to 0." 168 | Type: Number 169 | Default: 0 170 | MinValue: 0 171 | MaxValue: 259200 172 | DBBackupRetentionPeriod: 173 | Default: 35 174 | Description: "The number of days for which automatic database snapshots are retained." 175 | Type: Number 176 | MinValue: 0 177 | MaxValue: 35 178 | DBEngineVersion: 179 | Description: >- 180 | Select Database Engine Version. 181 | Aurora Serverless v2 with Aurora MySQL is supported for versions 3.02.0 and higher. 182 | Aurora I/O-Optimized configuration is available in Aurora MySQL version 3.03.1 and higher. 
183 | For supported engines and Region availability for Aurora Serverless v2 with Aurora MySQL, refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.Aurora_Fea_Regions_DB-eng.Feature.ServerlessV2.html 184 | Type: String 185 | Default: Aurora-MySQL-3.04.0-MySQL8.0.28 186 | AllowedValues: 187 | - Aurora-MySQL5.7-2.07.9 188 | - Aurora-MySQL5.7-2.07.10 189 | - Aurora-MySQL5.7-2.11.1 190 | - Aurora-MySQL5.7-2.11.2 191 | - Aurora-MySQL5.7-2.11.3 192 | - Aurora-MySQL5.7-2.12.0 193 | - Aurora-MySQL-3.01.0-MySQL8.0.23 194 | - Aurora-MySQL-3.01.1-MySQL8.0.23 195 | - Aurora-MySQL-3.02.0-MySQL8.0.23 196 | - Aurora-MySQL-3.02.1-MySQL8.0.23 197 | - Aurora-MySQL-3.02.2-MySQL8.0.23 198 | - Aurora-MySQL-3.02.3-MySQL8.0.23 199 | - Aurora-MySQL-3.03.0-MySQL8.0.26 200 | - Aurora-MySQL-3.03.1-MySQL8.0.26 201 | - Aurora-MySQL-3.04.0-MySQL8.0.28 202 | DBExportLogToCloudwatch: 203 | Default: '' 204 | Description: "Specify the comma-delimited list of database logs (error, slowquery, audit, general) to export to CloudWatch Logs." 205 | Type: CommaDelimitedList 206 | DBInstanceClass: 207 | Description: >- 208 | The database instance type. 
209 | Please see supported instance types for the MySQL version selected https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.SupportAurora 210 | Type: String 211 | Default: db.r6g.2xlarge 212 | AllowedValues: 213 | - db.r5.12xlarge 214 | - db.r5.16xlarge 215 | - db.r5.24xlarge 216 | - db.r5.2xlarge 217 | - db.r5.4xlarge 218 | - db.r5.8xlarge 219 | - db.r5.large 220 | - db.r5.xlarge 221 | - db.r6g.12xlarge 222 | - db.r6g.16xlarge 223 | - db.r6g.2xlarge 224 | - db.r6g.4xlarge 225 | - db.r6g.8xlarge 226 | - db.r6g.large 227 | - db.r6g.xlarge 228 | - db.r6i.12xlarge 229 | - db.r6i.16xlarge 230 | - db.r6i.24xlarge 231 | - db.r6i.2xlarge 232 | - db.r6i.32xlarge 233 | - db.r6i.4xlarge 234 | - db.r6i.8xlarge 235 | - db.r6i.large 236 | - db.r6i.xlarge 237 | - db.r7g.12xlarge 238 | - db.r7g.16xlarge 239 | - db.r7g.2xlarge 240 | - db.r7g.4xlarge 241 | - db.r7g.8xlarge 242 | - db.r7g.large 243 | - db.r7g.xlarge 244 | - db.serverless 245 | - db.t3.large 246 | - db.t3.medium 247 | - db.t3.small 248 | - db.t4g.large 249 | - db.t4g.medium 250 | - db.x2g.12xlarge 251 | - db.x2g.16xlarge 252 | - db.x2g.2xlarge 253 | - db.x2g.4xlarge 254 | - db.x2g.8xlarge 255 | - db.x2g.large 256 | - db.x2g.xlarge 257 | DBMasterUsername: 258 | AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" 259 | ConstraintDescription: "Must begin with a letter and contain only alphanumeric characters." 260 | Description: (Required) The database master username. Must begin with a letter and contain only alphanumeric characters. 261 | MaxLength: "16" 262 | MinLength: "1" 263 | Type: String 264 | DBMasterUserPassword: 265 | AllowedPattern: ^(?=^.{8,255}$)(?=.*[a-z])(?=.*[A-Z])(?=.*\d)((?=.*[^A-Za-z0-9])(?!.*[@/"'])).*$ 266 | ConstraintDescription: Min 8 chars. Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol 267 | Description: (Required) The database master user password. Min 8 chars. 
Must include 1 uppercase, 1 lowercase, 1 number, 1 (non / @ " ') symbol. Ignored if 'Manage DB master user password with AWS Secrets Manager' option is set to 'true'. 268 | MaxLength: "41" 269 | MinLength: "8" 270 | NoEcho: "True" 271 | Type: String 272 | DBMultiAZ: 273 | AllowedValues: 274 | - "true" 275 | - "false" 276 | Default: "true" 277 | Description: "Specifies if the database instance is a multiple Availability Zone deployment." 278 | Type: String 279 | DBName: 280 | AllowedPattern: "[a-zA-Z0-9]*" 281 | Description: "Name of the initial Aurora MySQL database to create." 282 | MaxLength: "64" 283 | MinLength: "0" 284 | Default: 'sampleapp' 285 | Type: String 286 | DBPort: 287 | Default: 3306 288 | Description: "The port the instance will listen for connections on." 289 | Type: Number 290 | ConstraintDescription: 'Must be in the range [1150-65535].' 291 | MinValue: 1150 292 | MaxValue: 65535 293 | DBStorageEncrypted: 294 | Default: "true" 295 | AllowedValues: 296 | - "true" 297 | - "false" 298 | Description: "To disable database encryption, choose 'false'." 299 | Type: String 300 | EnableEnhancedMonitoring: 301 | AllowedValues: 302 | - "true" 303 | - "false" 304 | Default: "true" 305 | Description: "Set to 'true' to enable Enhanced Monitoring." 306 | Type: String 307 | EnableEventSubscription: 308 | AllowedValues: 309 | - "true" 310 | - "false" 311 | Default: "true" 312 | Description: "Enables event subscription to Notification List." 313 | Type: String 314 | EnableIAMDBAuth: 315 | AllowedValues: 316 | - "true" 317 | - "false" 318 | Default: "true" 319 | Description: "Enables IAM Database Authentication." 320 | Type: String 321 | EnablePerformanceInsights: 322 | AllowedValues: 323 | - "true" 324 | - "false" 325 | Default: "true" 326 | Description: "Enables RDS Performance Insights." 
327 | Type: String 328 | ManageMasterUserPassword: 329 | AllowedValues: 330 | - "true" 331 | - "false" 332 | Default: "true" 333 | Description: "Set to 'true' to manage the master user password with AWS Secrets Manager." 334 | Type: String 335 | MonitoringInterval: 336 | Default: 10 337 | Description: "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the database." 338 | Type: Number 339 | AllowedValues: 340 | - 1 341 | - 5 342 | - 10 343 | - 15 344 | - 30 345 | - 60 346 | ConstraintDescription: Valid values are 1, 5, 10, 15, 30, 60 seconds. 347 | NotificationList: 348 | Type: String 349 | Default: 'db-ops@domain.com' 350 | Description: The email notification used to configure an SNS topic for sending CloudWatch alarm and RDS event notifications. 351 | AllowedPattern: '^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$' 352 | ConstraintDescription: Provide a valid email address. 353 | PerformanceInsightsRetentionPeriod: 354 | Default: 7 355 | Description: "The number of days for which Performance Insights data is retained. Specify days based on (month * 31), where month is a number of months from 1-23." 356 | Type: Number 357 | MinValue: 7 358 | MaxValue: 713 359 | PubliclyAccessible: 360 | AllowedValues: 361 | - "true" 362 | - "false" 363 | Default: "false" 364 | Description: "Indicates whether the DB instance is an internet-facing instance." 365 | Type: String 366 | ServerlessMinCapacity: 367 | Default: 8 368 | Description: >- 369 | Required if "db.serverless" is chosen as the database instance class. 370 | Specify minimum Aurora Serverless v2 Capacity Units (ACUs) in the range of 0.5 to 128 in increments of 0.5. 371 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 
372 | Type: String 373 | AllowedPattern: ([0-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 374 | ConstraintDescription: "Only values from 0.5 to 128, in increments of 0.5" 375 | ServerlessMaxCapacity: 376 | Default: 64 377 | Description: >- 378 | Required if "db.serverless" is chosen as the database instance class. 379 | Specify maximum Aurora Serverless v2 Capacity Units (ACUs) in the range of 1 to 128 in increments of 0.5. 380 | 1 ACU provides 2 GiB of memory and corresponding compute and networking. 381 | Type: String 382 | AllowedPattern: ([1-9]?(\.(0|5))?|[1-8][0-9](\.(0|5))?|9[0-9]|1[01][0-9](\.(0|5))?|12[0-7](\.(0|5))?|128) 383 | ConstraintDescription: "Only values from 1 to 128, in increments of 0.5" 384 | StorageType: 385 | Type: String 386 | Description: >- 387 | Designates the storage type to associate with the Aurora DB cluster. Choose aurora-iopt1 for Aurora I/O Optimized storage. 388 | For details refer https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Overview.StorageReliability.html#aurora-storage-type 389 | AllowedValues: 390 | - aurora 391 | - aurora-iopt1 392 | Default: aurora 393 | Subnet1ID: 394 | Description: The ID of the private subnet in Availability Zone 1. 395 | Type: 'AWS::EC2::Subnet::Id' 396 | Subnet2ID: 397 | Description: The ID of the private subnet in Availability Zone 2. 398 | Type: 'AWS::EC2::Subnet::Id' 399 | VPCID: 400 | Description: "ID of the VPC you are deploying Aurora into (e.g., vpc-0343606e)." 401 | Type: 'AWS::EC2::VPC::Id' 402 | Default: '' 403 | 404 | #Optional parameters 405 | Application: 406 | Type: String 407 | Default: "" 408 | Description: "[Optional] Name of the application for the associated AWS resource." 409 | ApplicationVersion: 410 | Type: String 411 | Description: "[Optional] Version of the application." 412 | Default: "" 413 | Compliance: 414 | Type: String 415 | Default: "" 416 | Description: "[Optional] Compliance level for the AWS resource." 
417 | AllowedValues: 418 | - hipaa 419 | - sox 420 | - fips 421 | - other 422 | - "" 423 | Confidentiality: 424 | Type: String 425 | Default: "" 426 | Description: "[Optional] Confidentiality classification of the data that is associated with the AWS resource." 427 | AllowedValues: 428 | - public 429 | - private 430 | - confidential 431 | - pii/phi 432 | - none 433 | - "" 434 | EnvironmentStage: 435 | Type: String 436 | Description: "[Optional] Environment stage of the associated AWS resource." 437 | AllowedValues: 438 | - dev 439 | - test 440 | - pre-prod 441 | - prod 442 | - none 443 | Default: none 444 | ProjectCostCenter: 445 | Type: String 446 | Default: "" 447 | Description: "[Optional] Designates the cost center associated with the project of the given AWS resource." 448 | 449 | ############################################################################### 450 | # Mappings 451 | ############################################################################### 452 | 453 | Mappings: 454 | DBFamilyMap: 455 | "Aurora-MySQL5.7-2.07.9": 456 | "family": "aurora-mysql5.7" 457 | "Aurora-MySQL5.7-2.07.10": 458 | "family": "aurora-mysql5.7" 459 | "Aurora-MySQL5.7-2.11.1": 460 | "family": "aurora-mysql5.7" 461 | "Aurora-MySQL5.7-2.11.2": 462 | "family": "aurora-mysql5.7" 463 | "Aurora-MySQL5.7-2.11.3": 464 | "family": "aurora-mysql5.7" 465 | "Aurora-MySQL5.7-2.12.0": 466 | "family": "aurora-mysql5.7" 467 | "Aurora-MySQL-3.01.0-MySQL8.0.23": 468 | "family": "aurora-mysql8.0" 469 | "Aurora-MySQL-3.01.1-MySQL8.0.23": 470 | "family": "aurora-mysql8.0" 471 | "Aurora-MySQL-3.02.0-MySQL8.0.23": 472 | "family": "aurora-mysql8.0" 473 | "Aurora-MySQL-3.02.1-MySQL8.0.23": 474 | "family": "aurora-mysql8.0" 475 | "Aurora-MySQL-3.02.2-MySQL8.0.23": 476 | "family": "aurora-mysql8.0" 477 | "Aurora-MySQL-3.02.3-MySQL8.0.23": 478 | "family": "aurora-mysql8.0" 479 | "Aurora-MySQL-3.03.0-MySQL8.0.26": 480 | "family": "aurora-mysql8.0" 481 | "Aurora-MySQL-3.03.1-MySQL8.0.26": 482 | "family": 
"aurora-mysql8.0" 483 | "Aurora-MySQL-3.04.0-MySQL8.0.28": 484 | "family": "aurora-mysql8.0" 485 | 486 | DBEngineVersionMap: 487 | "Aurora-MySQL5.7-2.07.9": 488 | "engineversion": "5.7.mysql_aurora.2.07.9" 489 | "Aurora-MySQL5.7-2.07.10": 490 | "engineversion": "5.7.mysql_aurora.2.07.10" 491 | "Aurora-MySQL5.7-2.11.1": 492 | "engineversion": "5.7.mysql_aurora.2.11.1" 493 | "Aurora-MySQL5.7-2.11.2": 494 | "engineversion": "5.7.mysql_aurora.2.11.2" 495 | "Aurora-MySQL5.7-2.11.3": 496 | "engineversion": "5.7.mysql_aurora.2.11.3" 497 | "Aurora-MySQL5.7-2.12.0": 498 | "engineversion": "5.7.mysql_aurora.2.12.0" 499 | "Aurora-MySQL-3.01.0-MySQL8.0.23": 500 | "engineversion": "8.0.mysql_aurora.3.01.0" 501 | "Aurora-MySQL-3.01.1-MySQL8.0.23": 502 | "engineversion": "8.0.mysql_aurora.3.01.1" 503 | "Aurora-MySQL-3.02.0-MySQL8.0.23": 504 | "engineversion": "8.0.mysql_aurora.3.02.0" 505 | "Aurora-MySQL-3.02.1-MySQL8.0.23": 506 | "engineversion": "8.0.mysql_aurora.3.02.1" 507 | "Aurora-MySQL-3.02.2-MySQL8.0.23": 508 | "engineversion": "8.0.mysql_aurora.3.02.2" 509 | "Aurora-MySQL-3.02.3-MySQL8.0.23": 510 | "engineversion": "8.0.mysql_aurora.3.02.3" 511 | "Aurora-MySQL-3.03.0-MySQL8.0.26": 512 | "engineversion": "8.0.mysql_aurora.3.03.0" 513 | "Aurora-MySQL-3.03.1-MySQL8.0.26": 514 | "engineversion": "8.0.mysql_aurora.3.03.1" 515 | "Aurora-MySQL-3.04.0-MySQL8.0.28": 516 | "engineversion": "8.0.mysql_aurora.3.04.0" 517 | 518 | ############################################################################### 519 | # Conditions 520 | ############################################################################### 521 | Conditions: 522 | CreateSecurityGroup: !Equals 523 | - !Ref CustomDBSecurityGroup 524 | - '' 525 | CreateKMSKey: !Or 526 | - !Condition UseDatabaseEncryption 527 | - !Condition UseSecretsManager 528 | - !Condition EnablePI 529 | DoCreateDatabase: 530 | !Not 531 | - !Equals 532 | - !Ref DBName 533 | - '' 534 | isExportCWLogs: !Not 535 | - !Equals 536 | - !Join ["", !Ref 
DBExportLogToCloudwatch] 537 | - '' 538 | IsASV2: 539 | !Equals 540 | - !Ref DBInstanceClass 541 | - 'db.serverless' 542 | IsDBMultiAZ: !Equals 543 | - !Ref DBMultiAZ 544 | - 'true' 545 | EventSubscription: !Equals 546 | - !Ref EnableEventSubscription 547 | - 'true' 548 | EnableEM: !Equals 549 | - !Ref EnableEnhancedMonitoring 550 | - 'true' 551 | EnablePI: !Equals 552 | - !Ref EnablePerformanceInsights 553 | - 'true' 554 | UseDatabaseEncryption: !Equals 555 | - !Ref DBStorageEncrypted 556 | - "true" 557 | UseSecretsManager: !Equals 558 | - !Ref ManageMasterUserPassword 559 | - "true" 560 | 561 | ############################################################################### 562 | # Rules 563 | ############################################################################### 564 | Rules: 565 | SubnetsInVPC: 566 | Assertions: 567 | - Assert: !Equals [!ValueOf ["Subnet1ID", "VpcId"], !Ref VPCID] 568 | AssertDescription: "Private subnet 1 ID doesn't belong to the specified VPC" 569 | - Assert: !Equals [!ValueOf ["Subnet2ID", "VpcId"], !Ref VPCID] 570 | AssertDescription: "Private subnet 2 ID doesn't belong to the specified VPC" 571 | SubnetsUnique: 572 | Assertions: 573 | - Assert: !Not [!Equals [!Ref Subnet1ID, !Ref Subnet2ID]] 574 | AssertDescription: "Please provide 2 distinct private subnets" 575 | 576 | ############################################################################### 577 | # Resources 578 | ############################################################################### 579 | Resources: 580 | 581 | AuroraDBSubnetGroup: 582 | Properties: 583 | DBSubnetGroupDescription: "Subnets available for the Amazon Aurora database cluster" 584 | SubnetIds: 585 | - !Ref Subnet1ID 586 | - !Ref Subnet2ID 587 | Type: "AWS::RDS::DBSubnetGroup" 588 | 589 | RDSSecurityGroup: 590 | Condition: CreateSecurityGroup 591 | Properties: 592 | GroupDescription: "Allow access to database port" 593 | SecurityGroupEgress: 594 | - 595 | CidrIp: 0.0.0.0/0 596 | FromPort: -1 597 | 
IpProtocol: '-1' 598 | ToPort: -1 599 | Description: Allows all outbound traffic 600 | SecurityGroupIngress: 601 | - 602 | CidrIp: !Ref DBAccessCIDR 603 | FromPort: !Ref DBPort 604 | IpProtocol: tcp 605 | ToPort: !Ref DBPort 606 | Description: Access from the DBAccessCIDR specified 607 | VpcId: !Ref VPCID 608 | Tags: 609 | - Key: Name 610 | Value: !Sub RDSSecurityGroup-${AWS::StackName} 611 | Type: "AWS::EC2::SecurityGroup" 612 | 613 | RDSSecurityGroupIngress: 614 | Condition: CreateSecurityGroup 615 | Properties: 616 | GroupId: !GetAtt 'RDSSecurityGroup.GroupId' 617 | IpProtocol: '-1' 618 | SourceSecurityGroupId: !Ref RDSSecurityGroup 619 | Description: 'Self Reference' 620 | Type: 'AWS::EC2::SecurityGroupIngress' 621 | 622 | DBSNSTopic: 623 | Type: AWS::SNS::Topic 624 | Properties: 625 | KmsMasterKeyId: !If [UseDatabaseEncryption, !Ref EncryptionKey, !Ref 'AWS::NoValue'] 626 | Subscription: 627 | - Endpoint: !Ref NotificationList 628 | Protocol: email 629 | 630 | EncryptionKey: 631 | Metadata: 632 | cfn-lint: 633 | config: 634 | ignore_checks: 635 | - EIAMPolicyActionWildcard 636 | ignore_reasons: 637 | - EIAMPolicyActionWildcard: "All KMS actions allowed by design" 638 | Condition: CreateKMSKey 639 | DeletionPolicy: Retain 640 | UpdateReplacePolicy: Retain 641 | Type: AWS::KMS::Key 642 | Properties: 643 | Description: !Join [ "- ", [ "KMS Key for Cloudformation Stack ", !Ref AWS::StackName ] ] 644 | EnableKeyRotation: true 645 | KeyPolicy: 646 | Version: 2012-10-17 647 | Id: !Ref AWS::StackName 648 | Statement: 649 | - Sid: Enable IAM User Permissions 650 | Effect: Allow 651 | Principal: 652 | AWS: 653 | - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root" 654 | Action: 'kms:*' 655 | Resource: '*' 656 | - Sid: Enable RDS and CloudWatch Service Permissions 657 | Effect: Allow 658 | Principal: 659 | Service: 660 | - 'events.rds.amazonaws.com' 661 | - 'cloudwatch.amazonaws.com' 662 | - 'events.amazonaws.com' 663 | Action: 664 | - 'kms:GenerateDataKey*' 665 | 
- 'kms:Decrypt' 666 | Resource: '*' 667 | Tags: 668 | - Key: Name 669 | Value: !Ref AWS::StackName 670 | 671 | EncryptionKeyAlias: 672 | Type: AWS::KMS::Alias 673 | Condition: CreateKMSKey 674 | Properties: 675 | AliasName: !Sub "alias/${AWS::StackName}" 676 | TargetKeyId: !Ref EncryptionKey 677 | 678 | MRole: 679 | Type: AWS::IAM::Role 680 | Condition: EnableEM 681 | Properties: 682 | AssumeRolePolicyDocument: 683 | Version: "2012-10-17" 684 | Statement: 685 | - 686 | Effect: "Allow" 687 | Principal: 688 | Service: 689 | - "monitoring.rds.amazonaws.com" 690 | Action: 691 | - "sts:AssumeRole" 692 | Path: "/" 693 | ManagedPolicyArns: 694 | - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole 695 | 696 | AMSDBCPG: 697 | Type: AWS::RDS::DBClusterParameterGroup 698 | Properties: 699 | Description: !Join [ "- ", [ "Aurora MySQL Cluster Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] 700 | Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] 701 | Parameters: 702 | time_zone: UTC 703 | server_audit_logging: 1 704 | server_audit_events: 'QUERY_DCL,QUERY_DDL,CONNECT' 705 | 706 | AMSDBPG: 707 | Type: AWS::RDS::DBParameterGroup 708 | Properties: 709 | Description: !Join [ "- ", [ "Aurora MySQL Database Instance Parameter Group for Cloudformation Stack ", !Ref AWS::StackName ] ] 710 | Family: !FindInMap [DBFamilyMap, !Ref DBEngineVersion, "family"] 711 | Parameters: 712 | slow_query_log: 1 713 | long_query_time: 5 714 | log_output: 'FILE' 715 | innodb_print_all_deadlocks: 1 716 | 717 | AuroraDBCluster: 718 | Metadata: 719 | cfn-lint: 720 | config: 721 | ignore_checks: 722 | - ERDSStorageEncryptionEnabled 723 | - E2521 724 | ignore_reasons: 725 | - ERDSStorageEncryptionEnabled: "StorageEncryption is conditional" 726 | - E2521: "When ManageMasterUserPassword is set to true, MasterUserPassword is ignored" 727 | Type: AWS::RDS::DBCluster 728 | DeletionPolicy: Snapshot 729 | UpdateReplacePolicy: Snapshot 730 | 
Properties: 731 | BackupRetentionPeriod: !Ref DBBackupRetentionPeriod 732 | BacktrackWindow: !Ref DBBackTrack 733 | DatabaseName: 734 | !If 735 | - DoCreateDatabase 736 | - !Ref DBName 737 | - !Ref AWS::NoValue 738 | DBClusterIdentifier: !Sub ams-${AWS::StackName} 739 | DBClusterParameterGroupName: !Ref AMSDBCPG 740 | DBSubnetGroupName: !Ref AuroraDBSubnetGroup 741 | EnableCloudwatchLogsExports: !If [isExportCWLogs, !Ref DBExportLogToCloudwatch, !Ref "AWS::NoValue"] 742 | EnableIAMDatabaseAuthentication: !Ref EnableIAMDBAuth 743 | Engine: aurora-mysql 744 | EngineVersion: !FindInMap [DBEngineVersionMap, !Ref DBEngineVersion, "engineversion"] 745 | KmsKeyId: !If [UseDatabaseEncryption, !GetAtt EncryptionKey.Arn, !Ref 'AWS::NoValue'] 746 | MasterUsername: !Ref DBMasterUsername 747 | ManageMasterUserPassword: !Ref ManageMasterUserPassword 748 | MasterUserPassword: !If [UseSecretsManager, !Ref 'AWS::NoValue', !Ref DBMasterUserPassword] 749 | MasterUserSecret: 750 | KmsKeyId: !If [UseSecretsManager, !Ref EncryptionKey, !Ref 'AWS::NoValue'] 751 | Port: !Ref DBPort 752 | ServerlessV2ScalingConfiguration: 753 | MinCapacity: !If [IsASV2, !Ref ServerlessMinCapacity, !Ref 'AWS::NoValue'] 754 | MaxCapacity: !If [IsASV2, !Ref ServerlessMaxCapacity, !Ref 'AWS::NoValue'] 755 | StorageEncrypted: !If [UseDatabaseEncryption, !Ref DBStorageEncrypted, !Ref 'AWS::NoValue'] 756 | StorageType: !Ref StorageType 757 | Tags: 758 | - 759 | Key: Name 760 | Value: !Sub AMS-${AWS::StackName} 761 | - 762 | Key: EnvironmentStage 763 | Value: !Ref EnvironmentStage 764 | - 765 | Key: Application 766 | Value: !Ref Application 767 | - 768 | Key: ApplicationVersion 769 | Value: !Ref ApplicationVersion 770 | - 771 | Key: ProjectCostCenter 772 | Value: !Ref ProjectCostCenter 773 | - 774 | Key: Confidentiality 775 | Value: !Ref Confidentiality 776 | - 777 | Key: Compliance 778 | Value: !Ref Compliance 779 | VpcSecurityGroupIds: 780 | !If 781 | - CreateSecurityGroup 782 | - [!Ref RDSSecurityGroup] 783 | - 
[!Ref CustomDBSecurityGroup]

  # Writer instance of the Aurora cluster. Storage, backup and encryption
  # settings come from AuroraDBCluster; this resource only carries the
  # instance-level options (class, monitoring, Performance Insights, tags).
  Inst1:
    Type: AWS::RDS::DBInstance
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - ERDSDBInstancePubliclyAccessible
            - I3011
          ignore_reasons:
            - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default"
            - I3011: "Update/Deletion policy is set at the cluster level for Amazon Aurora"
    Properties:
      Engine: aurora-mysql
      DBClusterIdentifier: !Ref AuroraDBCluster
      DBInstanceClass: !Ref DBInstanceClass
      DBParameterGroupName: !Ref AMSDBPG
      AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade
      # Network exposure is driven entirely by the PubliclyAccessible
      # parameter; the cfn-lint suppression above records that it defaults
      # to false, i.e. the instance stays private unless explicitly opted in.
      PubliclyAccessible: !Ref PubliclyAccessible
      # Enhanced Monitoring is only wired up when EnableEM holds; otherwise
      # both keys are removed with AWS::NoValue and the service default applies.
      MonitoringInterval: !If
        - EnableEM
        - !Ref MonitoringInterval
        - !Ref "AWS::NoValue"
      MonitoringRoleArn: !If
        - EnableEM
        - !GetAtt MRole.Arn
        - !Ref "AWS::NoValue"
      # Performance Insights data is encrypted with the template's
      # EncryptionKey (defined outside this section) when EnablePI holds.
      EnablePerformanceInsights: !Ref EnablePerformanceInsights
      PerformanceInsightsKMSKeyId: !If
        - EnablePI
        - !Ref EncryptionKey
        - !Ref "AWS::NoValue"
      PerformanceInsightsRetentionPeriod: !If
        - EnablePI
        - !Ref PerformanceInsightsRetentionPeriod
        - !Ref "AWS::NoValue"
      # Cost-allocation / classification tags, all sourced from parameters.
      Tags:
        - Key: Name
          Value: !Sub AMS-${AWS::StackName}
        - Key: EnvironmentStage
          Value: !Ref EnvironmentStage
        - Key: Application
          Value: !Ref Application
        - Key: ApplicationVersion
          Value: !Ref ApplicationVersion
        - Key: ProjectCostCenter
          Value: !Ref ProjectCostCenter
        - Key: Confidentiality
          Value: !Ref Confidentiality
        - Key: Compliance
          Value: !Ref Compliance

  # Second instance, created only for Multi-AZ deployments (IsDBMultiAZ).
  # Configured identically to Inst1 so a failover lands on a peer with the
  # same monitoring and Performance Insights settings.
  Inst2:
    Type: AWS::RDS::DBInstance
    Condition: IsDBMultiAZ
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - ERDSDBInstancePubliclyAccessible
            - I3011
          ignore_reasons:
            - ERDSDBInstancePubliclyAccessible: "PubliclyAccessible is false by default"
            - I3011: "Update/Deletion policy is set at the cluster level for Amazon Aurora"
    Properties:
      Engine: aurora-mysql
      DBClusterIdentifier: !Ref AuroraDBCluster
      DBInstanceClass: !Ref DBInstanceClass
      DBParameterGroupName: !Ref AMSDBPG
      AutoMinorVersionUpgrade: !Ref DBAutoMinorVersionUpgrade
      # Same exposure rule as Inst1: private unless the parameter says otherwise.
      PubliclyAccessible: !Ref PubliclyAccessible
      MonitoringInterval: !If
        - EnableEM
        - !Ref MonitoringInterval
        - !Ref "AWS::NoValue"
      MonitoringRoleArn: !If
        - EnableEM
        - !GetAtt MRole.Arn
        - !Ref "AWS::NoValue"
      EnablePerformanceInsights: !Ref EnablePerformanceInsights
      PerformanceInsightsKMSKeyId: !If
        - EnablePI
        - !Ref EncryptionKey
        - !Ref "AWS::NoValue"
      PerformanceInsightsRetentionPeriod: !If
        - EnablePI
        - !Ref PerformanceInsightsRetentionPeriod
        - !Ref "AWS::NoValue"
      Tags:
        - Key: Name
          Value: !Sub AMS-${AWS::StackName}
        - Key: EnvironmentStage
          Value: !Ref EnvironmentStage
        - Key: Application
          Value: !Ref Application
        - Key: ApplicationVersion
          Value: !Ref ApplicationVersion
        - Key: ProjectCostCenter
          Value: !Ref ProjectCostCenter
        - Key: Confidentiality
          Value: !Ref Confidentiality
        - Key: Compliance
          Value: !Ref Compliance

  # CPU alarm for Inst1: fires when the 1-minute maximum CPU is at or above
  # 80% for five consecutive periods and notifies DBSNSTopic. Missing data
  # points are treated as not breaching so a brief metric gap does not alarm.
  CPUUtilizationAlarm1:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: 'CPU_Utilization'
      Namespace: 'AWS/RDS'
      MetricName: CPUUtilization
      Dimensions:
        - Name: DBInstanceIdentifier
          Value: !Ref Inst1
      Statistic: Maximum
      Unit: Percent
      Period: 60
      EvaluationPeriods: 5
      Threshold: 80
      ComparisonOperator: 'GreaterThanOrEqualToThreshold'
      TreatMissingData: 'notBreaching'
      ActionsEnabled: true
      AlarmActions:
        - !Ref DBSNSTopic

  # Same CPU alarm for the Multi-AZ peer; only exists when Inst2 exists.
  CPUUtilizationAlarm2:
    Type: AWS::CloudWatch::Alarm
    Condition: IsDBMultiAZ
    Properties:
      AlarmDescription: 'CPU_Utilization'
      Namespace: 'AWS/RDS'
      MetricName: CPUUtilization
      Dimensions:
        - Name: DBInstanceIdentifier
          Value: !Ref Inst2
      Statistic: Maximum
      Unit: Percent
      Period: 60
      EvaluationPeriods: 5
      Threshold: 80
      ComparisonOperator: 'GreaterThanOrEqualToThreshold'
      TreatMissingData: 'notBreaching'
      ActionsEnabled: true
      AlarmActions:
        - !Ref DBSNSTopic

  # Local (temporary) storage alarm for Inst1: fires when the 1-minute average
  # free local storage is at or below 5368709120 bytes (5 GiB) for five
  # consecutive periods.
  FreeLocalStorageAlarm1:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: 'Free Local Storage'
      Namespace: 'AWS/RDS'
      MetricName: 'FreeLocalStorage'
      Dimensions:
        - Name: DBInstanceIdentifier
          Value: !Ref Inst1
      Statistic: Average
      Unit: Bytes
      Period: 60
      EvaluationPeriods: 5
      Threshold: 5368709120
      ComparisonOperator: 'LessThanOrEqualToThreshold'
      TreatMissingData: 'notBreaching'
      ActionsEnabled: true
      AlarmActions:
        - !Ref DBSNSTopic

  # Same local storage alarm for the Multi-AZ peer.
  FreeLocalStorageAlarm2:
    Type: AWS::CloudWatch::Alarm
    Condition: IsDBMultiAZ
    Properties:
      AlarmDescription: 'Free Local Storage'
      Namespace: 'AWS/RDS'
      MetricName: 'FreeLocalStorage'
      Dimensions:
        - Name: DBInstanceIdentifier
          Value: !Ref Inst2
      Statistic: Average
      Unit: Bytes
      Period: 60
      EvaluationPeriods: 5
      Threshold: 5368709120
      ComparisonOperator: 'LessThanOrEqualToThreshold'
      TreatMissingData: 'notBreaching'
      ActionsEnabled: true
      AlarmActions:
        - !Ref DBSNSTopic

  # RDS event subscriptions (all gated on EventSubscription) route cluster,
  # instance and parameter-group events to DBSNSTopic. Together they give an
  # audit trail for configuration changes, failovers and security patching.
  DatabaseClusterEventSubscription:
    Type: 'AWS::RDS::EventSubscription'
    Condition: EventSubscription
    Properties:
      SourceType: 'db-cluster'
      SourceIds:
        - !Ref AuroraDBCluster
      SnsTopicArn: !Ref DBSNSTopic
      EventCategories:
        - configuration change
        - creation
        - deletion
        - failover
        - failure
        - maintenance
        - notification

  DatabaseInstanceEventSubscription:
    Type: 'AWS::RDS::EventSubscription'
    Condition: EventSubscription
    Properties:
      SourceType: 'db-instance'
      # Inst2 is only listed in Multi-AZ deployments; otherwise the entry
      # resolves to AWS::NoValue and is left out of the list.
      SourceIds:
        - !Ref Inst1
        - !If
          - IsDBMultiAZ
          - !Ref Inst2
          - !Ref "AWS::NoValue"
      SnsTopicArn: !Ref DBSNSTopic
      EventCategories:
        - availability
        - configuration change
        - creation
        - deletion
        - failure
        - low storage
        - maintenance
        - notification
        - recovery
        - security patching

  DBParameterGroupEventSubscription:
    Type: 'AWS::RDS::EventSubscription'
    Condition: EventSubscription
    Properties:
      SourceType: 'db-parameter-group'
      SourceIds:
        - !Ref AMSDBPG
      SnsTopicArn: !Ref DBSNSTopic
      EventCategories:
        - "configuration change"

###############################################################################
# Outputs
#
# Stack outputs are readable by any principal allowed to describe the stack,
# so only non-secret connection details are exported here: the master
# password never appears, and under UseSecretsManager only the ARN of the
# Secrets Manager secret (not its value) is published.
###############################################################################
Outputs:
  DBName:
    Condition: DoCreateDatabase
    Description: "Amazon Aurora database name"
    Value: !Ref DBName
  # NOTE(review): the master username is exposed as a plain output; callers
  # that treat it as sensitive should read it from the secret instead.
  DBMasterUsername:
    Description: "Amazon Aurora database master username"
    Value: !Ref DBMasterUsername
  MasterUserSecret:
    Condition: UseSecretsManager
    Description: "Master Credentials ARN"
    Value: !GetAtt AuroraDBCluster.MasterUserSecret.SecretArn
  RDSEndPointAddress:
    Description: "Amazon Aurora write endpoint"
    Value: !GetAtt AuroraDBCluster.Endpoint.Address
  RDSReadEndPointAddress:
    Description: "Amazon Aurora read endpoint"
    Value: !GetAtt AuroraDBCluster.ReadEndpoint.Address
  RDSEndPointPort:
    Description: "Amazon Aurora port"
    Value: !GetAtt AuroraDBCluster.Endpoint.Port
  # host:port/database — falls back to the built-in "mysql" schema when the
  # template did not create an application database.
  RDSEndPoints:
    Description: "Full Amazon Aurora write endpoint"
    Value: !If
      - DoCreateDatabase
      - !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/${DBName}"
      - !Sub "${AuroraDBCluster.Endpoint.Address}:${AuroraDBCluster.Endpoint.Port}/mysql"
  RDSEncryptionKey:
    Condition: UseDatabaseEncryption
    Description: "The alias of the encryption key created for RDS"
    Value: !Ref EncryptionKeyAlias